Open without a key. How to crack a Windows password

CODE RED, March 14, 2020

Not every Windows user sets a password; it is especially rare on a home computer used by a single person. In a corporate network, or when Windows is used as a server, a password is required. Another interesting property of a Windows user password: if the user signs in with an online Microsoft account, the password hash is still stored on the local computer, and the recovered password works both for the local computer and for Microsoft online services.

In this article we will find out where Windows stores the user password, how to extract the data needed to crack it, how to crack the password itself, and how to use the hash even without brute force.

Where does Windows store user login password?

Windows user passwords are stored in the SYSTEM and SAM hives of the Windows registry, in the files:

  • C:\Windows\System32\config\SAM
  • C:\Windows\System32\config\SYSTEM

Instead of a plain-text password, Windows stores password hashes. These hashes are easy to brute-force, and even without cracking them, Windows password hashes can be used to gather data and carry out attacks.

How to get Windows password hashes

Dump Windows password hashes on a running computer

On a running system it is difficult, although possible, to access the files C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM directly. To save copies of these hives you can use the reg utility, for example:

reg save HKLM\SYSTEM SystemBkup.hiv

In some instructions the SECURITY hive is saved instead of SYSTEM. This is a mistake: you cannot recover the hashes from the SECURITY and SAM hives alone; what we need is SYSTEM and SAM!

The password hash is also held in RAM, namely in the Local Security Authority Process (lsass.exe). This process is always running on a live Windows system, and it can be dumped (a copy of the process memory is saved to disk as a file). Various utilities can create such a dump, including two official ones:

Every Windows installation already has Task Manager. To open it, press Win + r, type taskmgr and press ENTER. Alternatively, right-click on the taskbar (the bottom bar where the clock, Start button, etc. are located) and select "Task Manager" in the context menu.

In Task Manager, click "Details"; then in the "Processes" tab, in the "Windows Processes" section, find the Local Security Authority Process, right-click on it and select "Create Dump File" in the context menu:

Wait for completion:

The file will be saved at the path C:\Users\USER\AppData\Local\Temp\lsass.DMP. My username is MiAl, so the path to the file is C:\Users\MiAl\AppData\Local\Temp\lsass.DMP.

Dump Windows password hashes on a turned off computer

On a turned-off computer, for later recovery of the user's password it is enough to copy the files:

  • C:\Windows\System32\config\SAM
  • C:\Windows\System32\config\SYSTEM

The same files can be found in a Windows backup or in a shadow copy of the disk, or you can copy them after booting from a live system.

What is the difference between NTLM, NTLMv1/v2 and Net-NTLMv1/v2 hashes

Now we will hunt for the NTLM hash.

Actually, NTLM and NTLMv1/v2 are quite different things. The NTLM hash is stored and used locally, while the NTLMv1/NTLMv2 hashes are used for network authentication and are derived from the NTLM hash. Any of these hashes can be cracked to recover the Windows user password, but they are different algorithms and require different cracking modes.

For the pass-the-hash attack (covered later in this article) only the NTLM hash is used; the NTLMv1/NTLMv2 hashes are not suitable.

One more question remains: what are the Net-NTLMv1/v2 hashes? Net-NTLMv1/v2 is simply another name for the NTLMv1/v2 hashes, i.e. NTLMv1/v2 and Net-NTLMv1/v2 are the same thing, while NTLM is different.

In this article we will extract and crack the NTLM hash, and also exploit it without cracking it.

What is mimikatz

The mimikatz program is well known for its ability to extract plain-text passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket attacks or build Golden Tickets.

In this guide we will only look at the ability of mimikatz to extract NTLM hashes. Remember that mimikatz has many other interesting features; see its extensive help: https://kali.tools/?p=5342

There are implementations of mimikatz in Meterpreter and Metasploit, as a reflectively loaded DLL in PowerShell, and in other products. In principle, mimikatz can be run under Wine on Linux, but functions that extract data directly from a live Windows system will not work; functions that extract hashes from dumps or decrypt registry files should work on Linux.

How to install mimikatz on Windows

mimikatz is a portable command-line utility, so no installation is required, but you need to know how to start it if you are not very familiar with the command line.

  1. Go to https://github.com/gentilkiwi/mimikatz/releases and download the file mimikatz_trunk.7z or mimikatz_trunk.zip. Unpack the downloaded archive.

  2. Open PowerShell (Win + x, then Windows PowerShell (Administrator)) or the command prompt (Win + r, then cmd).

  3. At the command prompt, use the cd command to go to the folder containing the mimikatz.exe executable. For example, if the archive is unpacked into the folder C:\Users\MiAl\Downloads, the executable will be in the folder C:\Users\MiAl\Downloads\mimikatz_trunk\x64:

cd C:\Users\MiAl\Downloads\mimikatz_trunk\x64\

  4. Run the executable:

.\mimikatz.exe

How to extract NTLM user password hash from registry files

The following commands must be executed in the mimikatz console.

The log command writes all output to FILE:

log FILE

For example, to write all output to the file hash.txt:

log hash.txt

I copied the SYSTEM and SAM files from the turned-off computer; now, to extract the hashes, I need to run a command of the form:

lsadump::sam /system:C:\path\to\SYSTEM /sam:C:\path\to\SAM

An example of my command:

lsadump::sam /system:C:\Share-Server\files\SYSTEM /sam:C:\Share-Server\files\SAM

Output Example:

The output is quite extensive and contains a lot of data that is not fully explained here. Of interest are consecutive lines of the form

User: USER

In my example, interesting lines:

User: ShareOverlord

There are also lines with usernames:

User: MiAl

But after them there are no lines with the NTLM hash, because these users do not have a password in the system.

If you want to extract data from the registry files of the current operating system, first exit mimikatz by pressing Ctrl + c.

Now we will dump the SYSTEM and SAM registry hives of the current system:

reg save HKLM\SYSTEM SystemBkup.hiv

Run mimikatz again:

.\mimikatz.exe

Turn on logging:

log hash-local.txt

Then run the command, pointing it at the files holding the saved registry hives, that is, SystemBkup.hiv and SamBkup.hiv:

lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv

Output Example:

Only one user with a hash was found here:

User: Admin

In fact, dumping the registry hives was not necessary to extract NTLM hashes from the local system. Another option is to elevate the privileges of the mimikatz process itself and extract the hashes directly from the running system. To do this, run the commands:

privilege::debug

Extract NTLM hash from lsass.DMP dump

Logically (and in practice), the dump of the Local Security Authority Process should contain only the hash of the user who logged in with the password.

First, specify the path to the dump file with a command of the form:

sekurlsa::minidump C:\path\to\lsass.DMP

For instance:

sekurlsa::minidump C:\Share-Server\files\lsass.DMP

Then run the command:

sekurlsa::logonPasswords

Brute Force NTLM Hash

For cracking I will take the following hash:

User: Alexey

Take a look at the Hashcat FAQ to find out the hash mode number for NTLM:

1000 | NTLM | Operating systems

That is, the NTLM hash mode number is 1000.

To launch a mask attack against NTLM in Hashcat, you need to run a command of the form:

hashcat -m 1000 -a 3 'HASH' MASK

An example of my real command:

hashcat --force --hwmon-temp-abort=100 -m 1000 -D 1,2 -a 3 -i --increment-min 1 --increment-max 10 -1 ?l?d ca76a176340f0291e1cc8ea7277fc571 ?1?1?1?1?1?1?1?1?1

In this command:

  • hashcat is the name of the executable. On Windows it may be hashcat64.exe.
  • --force - ignore warnings
  • --hwmon-temp-abort=100 - set the maximum temperature at which the search is aborted to 100 degrees Celsius
  • -m 1000 - NTLM hash type
  • -D 1,2 - use both the CPU and the graphics card for cracking
  • -a 3 - mask attack
  • -i - gradually increase the number of characters in the generated passwords
  • --increment-min 1 - start with a mask length of one
  • --increment-max 10 - end the search at a mask length of ten
  • -1 ?l?d - custom character set number 1, consisting of lowercase Latin letters (?l) and digits (?d)
  • ca76a176340f0291e1cc8ea7277fc571 - the hash to crack
  • ?1?1?1?1?1?1?1?1?1 - a mask built from the custom character set

Crack another hash:

User: Admin

Command (a different hash and a different custom character set):

hashcat --force --hwmon-temp-abort=100 -m 1000 -D 1,2 -a 3 -i --increment-min 1 --increment-max 10 -1 ?l?u?d 5187b179ba87f3ad85fea3ed718e961f ?1?1?1?1?1?1?1?1?1

13 Likes

Can this tutorial be used to crack genuine demo Windows 10 to Windows 10 Pro/Home?

1 Like

You should not have any kind of problem, since it is for all Windows versions, that is, from 7 to 10.