I recently fiddled around with Window’s built-in command nltest and noticed that nltest /user:, when executed as an Administrator, yields some interesting information about the requested user: The two fields LmOwfPassword and NtOwfPassword spiked my interest. The abbreviation “Owf” typically stands for one-way-function, which is synonymous with hash function or even hash value. If LmOwfPassword and NtOwfPassword corresponded to the user’s LM and NT hash, nltest might be another option for dumping the SAM 🤔