How to extract hashes and crack Windows Passwords
This page will help you to know how to extract hashes from Windows systems and crack them.
It’s all about LM and NTLM hashes
The LM hash is the old style hash used in Microsoft OS before NT 3.1. Then, NTLM was introduced and supports password length greater than 14.
On Vista, 7, 8 and 10 LM hash is supported for backward compatibility but is disabled by default.
The goal is too extract LM and/or NTLM hashes from the system, either live or dead. These hashes are stored in memory (RAM) and in flat files (registry hives).
If LM hashes are enabled on your system (Win XP and lower), a hash dump will look like:
If LM hashes are disabled on your system (Win Vista, 7, 8+), a hash dump will look like:
The first field is the username. The second field is the unique Security IDentifier for that username. The third field is the LM hash and the forth is the NTLM hash.
The best tools to extract hashes (windows & linux & mac) are :
- Double click on fgdump.exe you’ve just downloaded,
- After a few seconds a file « 127.0.0.1.pwdump » has been created
- Edit this file with notepad to get the hashes
- Copy and paste the hashes into Serviet system, and we’ll crack them for you.
bt ~ # samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam samdump2 2.0.1 by Objectif Securite (http://www.objectif-securite.ch) original author: firstname.lastname@example.org Administrator:500:01fc5a6be7bc6929aad3b435b51404ee:0cb6948805f797bf2a82807973b89537:::
You can then post the hashes to Serviet system in order to get the plain text.
You can use :
Man In the Middle attack
You can use ettercap and the man in the middle attacks to sniff the username and password of a user over the network. You can read ettercap tutorials. There so much that ettercap can do and there are many tutorials covering how to use it !
Metasploit / hashdump
Metasploit is an interesting pentest framework. Documentation is at http://www.metasploit.com/framework/support/. Once you have compromised the computer using metasploit you can extract the hashes doing :
use priv hashdump
C:\> fgdump.exe -h 192.168.0.10 -u AnAdministrativeUser [-p password] or C:\> pwdump6.exe -u AnAdministrativeUser [-p password] 192.168.0.10
Here, AnAdministrativeUser’s account will be used to perform the password dump. Keep in mind that any user used to perform password dumps needs administrative credentials. In this scenario, you will be prompted for the password before the password dump starts.
fgdump hashes are stored in *.pwdump file ; pwdump6 will dump the SAM to the screen.
You can then post the hashes to our cracking system in order to get the plain text.
A large number of -old- tools, which extract hashes from the registry were confirmed as producing corrupted hashes when using the registry extraction method were as follows :
- Metasploit Hashdump Script
- Samdump2 1.0.1
- Cain and Abel
- FGDump 3.0
- l0phtcrack 6.0
More information about this issue : Stamp Out Hash Corruption, Crack All the Things! – BlackHat 2012
Related article : How to extract Cached and Stored Credentials & LSA secrets