
Windows Password Hashes

Windows OS stores hashed user account passwords locally in the SAM (Security Accounts Manager) database.

The SAM database file is locked and cannot be copied while the operating system is running. However, there are situations in which a copy of the SAM database has been created and can be read.

Attackers typically use in-memory techniques and tools to dump SAM hashes from the LSASS process.

Elevated/Administrative privileges are required in order to access and interact with the LSASS process.

NTLM (NT) hashing: the password (e.g. Passw0rd!) is encoded as UTF-16LE and hashed once with MD4; the 16-byte result is the NT hash. There is no salt, so identical passwords always produce identical hashes.

Hashes can be dumped using:
- Mimikatz (see Mimikatz usage)
- The built-in Meterpreter "hashdump" command: once a system is exploited, run the command hashdump

Exclude the Guest account's hash and save the remaining dumped hashes to a file (hashes.txt below).

Once dumped, hashes can be cracked using:
- John The Ripper
- Hashcat

Crack NTLM Hashes With John The Ripper

# Crack hashes using John's default wordlist and rules
john --format=NT hashes.txt

# Crack hashes using a custom wordlist
john --format=NT hashes.txt --wordlist=WORDLIST_PATH

Crack NTLM Hashes With Hashcat

# Crack hashes using a wordlist (straight attack)
hashcat -a 0 -m 1000 hashes.txt WORDLIST_PATH

# -a: attack mode, Straight/wordlist=0. Brute-force=3 is a mask attack and expects a
#     mask (e.g. ?a?a?a?a?a?a) in place of the wordlist path, so -a 3 with a wordlist is wrong.
# -m: hash type, NTLM=1000