How to hack using Windows

How to hack a Windows password

In this article, we will find out where Windows stores the user password, how to extract the data needed to crack a Windows password, how to crack the user password, and what a pass-the-hash attack is.

Not everyone uses a password on Windows; it is especially rare for users to set a password on a home computer that only one person works on. But in a corporate network, or when Windows is used as a server, a password is required. Another interesting property of Windows user passwords: if a user has an online Microsoft account, the password hash is still stored on the local computer, and the recovered password can be used to log in both to the local computer and to Microsoft online services.

Where does Windows store user login password?

Windows user passwords are stored in the Windows registry hives called SYSTEM and SAM, which live in the files:

  • C:\Windows\System32\config\SAM
  • C:\Windows\System32\config\SYSTEM

Instead of a plain-text password, Windows stores password hashes. These hashes can be brute-forced easily. But even without cracking them, Windows password hashes can be used to collect data and carry out attacks.

How to get Windows password hashes

Dump Windows password hashes on a running computer

On a running system, access to the C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM files is problematic, although it is possible. To save copies of these files, you can use the reg utility:

In some tutorials, the SECURITY hive is saved instead of SYSTEM. This is a mistake: you cannot recover the hash from the SECURITY and SAM hives; only SYSTEM and SAM are needed!

The password hash is also held in RAM, namely in the Local Security Authority Process (lsass.exe). This process is always running on a live Windows system, and you can dump it (a copy of the process's memory is saved to disk as a file). Various utilities can create such a dump, including two official ones:

Task Manager is already present on every Windows system: to open it, press Win+r, type taskmgr and press ENTER. Or right-click on the taskbar (the bottom bar where the clock, Start button and so on are located) and select “Task Manager” in the context menu.

In Task Manager, click “Details”; then, in the “Processes” tab, in the “Windows Processes” section, find the Local Security Authority Process, right-click it and select “Create Dump File” in the context menu:

Wait for completion:

The file is saved at the path C:\Users\USERNAME\AppData\Local\Temp\lsass.DMP. My username is MiAl, so the path to the file is C:\Users\MiAl\AppData\Local\Temp\lsass.DMP.
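Creating a dump of lsass.exe through Task Manager, as described above, leaves the same traces as any other tool that reads LSASS memory, and those traces are what a defender looks for: a process opens a handle to lsass.exe with PROCESS_VM_READ in its access mask (Sysmon Event ID 10, ProcessAccess), and then a file whose name ends in lsass.DMP is written (Sysmon Event ID 11, FileCreate). The detection logic below is an added example and not code from the original article; the JSON log lines it reads are constructed, the access mask shown for Task Manager is a stand-in rather than a captured value, and the allowlist of legitimate LSASS readers is a placeholder that has to be tuned per environment.

```python
"""Flag LSASS memory-access and dump-file events in Sysmon-style JSON logs.
Added example; the events below are constructed, not captured from a real host."""
import json
from typing import Optional

# Sysmon Event ID 10 (ProcessAccess) logs GrantedAccess as a hex access mask.
PROCESS_VM_READ = 0x0010        # right needed to read another process's memory

# Processes that legitimately open LSASS on many hosts. Constructed placeholder
# allowlist: tune it to your environment and keep full paths, not basenames.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def is_lsass(path: str) -> bool:
    return path.lower().endswith("\\lsass.exe")


def assess(event: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, or None for a benign one."""
    eid = event.get("EventID")
    if eid == 10 and is_lsass(event.get("TargetImage", "")):
        mask = int(event.get("GrantedAccess", "0x0"), 16)
        src = event.get("SourceImage", "").lower()
        # Reading LSASS memory from a non-allowlisted process is the core signal.
        if (mask & PROCESS_VM_READ) and src not in ALLOWED_SOURCES:
            return f"LSASS memory read by {event['SourceImage']} (access 0x{mask:x})"
    if eid == 11:
        # Task Manager's dump lands as lsass.DMP; other tools use similar names.
        name = event.get("TargetFilename", "")
        base = name.rsplit("\\", 1)[-1].lower()
        if base.endswith(".dmp") and "lsass" in base:
            return f"LSASS dump file written: {name} by {event.get('Image')}"
    return None


def scan(lines) -> list:
    """Run assess() over newline-delimited JSON events, collecting alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alert = assess(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: a benign svchost query, the Task Manager sequence from
# the article (handle to lsass.exe, then lsass.DMP in %TEMP%), and an unrelated write.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\Taskmgr.exe", "TargetFilename": "C:\\Users\\MiAl\\AppData\\Local\\Temp\\lsass.DMP"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\MiAl\\notes.txt"}
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The allowlist is intentionally keyed on the full lower-cased path: matching on the basename alone would let any binary named svchost.exe in a user-writable folder pass, which is exactly the kind of evasion a detection like this must not reward.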

Dump Windows password hashes on a turned off computer

On a turned-off computer, to recover the user's password later, it is enough to copy the files:

  • C:\Windows\System32\config\SAM
  • C:\Windows\System32\config\SYSTEM

The same files can be found in a Windows backup or in a shadow copy of the disk, or you can copy them by booting from a live system.

What is the difference between NTLM and NTLMv1/v2 hashes, and what are Net-NTLMv1/v2 hashes

Now we will hunt for the NTLM hash. In the article “Windows Network Authentication Hacking”, we already hunted for NTLMv1 and NTLMv2 hashes, whose names are quite similar.

In fact, NTLM and NTLMv1/v2 are quite different things. The NTLM hash is stored and used locally, whereas the NTLMv1/NTLMv2 hashes are used for network authentication and are derived from the NTLM hash. Any of these hashes can be cracked to recover the Windows user password, but they are different algorithms and are cracked differently.

For the pass-the-hash attack (we will cover it in this article), only the NTLM hash is used; NTLMv1/NTLMv2 hashes are not suitable for it.

One more question remains: what are Net-NTLMv1/v2 hashes? Net-NTLMv1/v2 is just another name for NTLMv1/v2 hashes, i.e. NTLMv1/v2 and Net-NTLMv1/v2 are the same thing. NTLM is different.

In this article, we will extract and crack the NTLM hash, and also exploit it without brute-forcing.
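The NTLM hash that the rest of the article extracts and cracks is MD4 computed over the UTF-16LE encoding of the password, with no salt, which is why identical passwords produce identical hashes and why a mask attack against it is fast. The following is an added example, not code from the article, from mimikatz or from hashcat: a pure-Python MD4 (so it does not depend on hashlib still exposing the legacy MD4 algorithm) wrapped in an ntlm_hash function, verified against the well-known hash of the word password, together with a defender's use of the same fact: recognising the fixed hash that any account with an empty password stores.

```python
"""NTLM hash = MD4(UTF-16LE(password)); MD4 implemented per RFC 1320.
Added example; not code from the article, mimikatz or hashcat."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _F(x, y, z): return (x & y) | (~x & z)
def _G(x, y, z): return (x & y) | (x & z) | (y & z)
def _H(x, y, z): return x ^ y ^ z


# Per round: (function, additive constant, message-word order, shift amounts)
_ROUNDS = (
    (_F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])   # 16 little-endian words
        v = state[:]
        for func, const, order, shifts in _ROUNDS:
            for i in range(16):
                r = (-i) % 4                 # registers are updated in the order a, d, c, b
                b, c, d = v[(r + 1) % 4], v[(r + 2) % 4], v[(r + 3) % 4]
                v[r] = _rotl((v[r] + func(b, c, d) + X[order[i]] + const) & _MASK, shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm_hash(password: str) -> str:
    """Hex NTLM hash: MD4 over UTF-16LE with no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16le")).hex()


# MD4 of the empty string: the NTLM value any account with a blank password stores.
EMPTY_PASSWORD_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"


def is_blank_password(ntlm_hex: str) -> bool:
    """Defender's check: flag SAM entries whose NTLM hash is the empty-password hash."""
    return ntlm_hex.lower() == EMPTY_PASSWORD_NTLM


if __name__ == "__main__":
    print(ntlm_hash("password"))                 # 8846f7eaee8fb117ad06bdd830b7586c
    print(is_blank_password(ntlm_hash("")))      # True
```

Because there is no salt, the same hash line in a mimikatz dump across many machines means the same password on all of them, which is also why a local administrator account with a shared password is such a common pass-the-hash target.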

What is mimikatz

The mimikatz program is well known for its ability to extract plain-text passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket attacks or build Golden Tickets.

In this guide, we will only look at mimikatz's ability to extract NTLM hashes. Remember that mimikatz also has other very interesting features; see its extensive documentation: https://github.com/gentilkiwi/mimikatz/wiki

There are implementations of mimikatz in Meterpreter and Metasploit, as DLL reflection in PowerShell, and in other products. mimikatz can be run under Wine on Linux, but functions that extract data directly from a running Windows system will not work; functions that extract hashes from dumps or decrypt data from registry files should work on Linux.

How to install mimikatz on Windows

mimikatz is a portable command-line utility, so no installation is required, but you need to know how to start it if you are not very familiar with the command line.

1. Go to https://github.com/gentilkiwi/mimikatz/releases, download the mimikatz_trunk.7z or mimikatz_trunk.zip file. Unzip the downloaded archive.

2. Open PowerShell (press Win+x and choose “Windows PowerShell (administrator)”) or the command line (press Win+r and type cmd).

3. At the command prompt, use the cd command to navigate to the folder containing the mimikatz.exe executable. For example, if the archive is unpacked into the C:\Users\MiAl\Downloads folder, the executable will be in the C:\Users\MiAl\Downloads\mimikatz_trunk\x64\ folder:

4. Run the executable file.

How to extract NTLM user password hash from registry files

The following commands must be executed in the mimikatz console.

The log command enables writing all output to a FILE:

For example, to write all output to a hash.txt file:

I copied the SYSTEM and SAM files from the turned-off computer; now, to extract the hash, I need to run a command of the form:

An example of my command:

The output is quite extensive and contains a lot of data. Of interest are consecutive lines of the form:

In my example, the interesting lines are:

There are also lines with usernames:

But no lines with an NTLM hash follow them, because these users do not have a password set.

If you want to extract data from the registry files of the current operating system, exit mimikatz by pressing Ctrl+c.

Now we will dump the SYSTEM and SAM registry hives of the current system:

Run mimikatz again:

Turn on logging:

And we execute a command specifying the files into which the registry hive dumps were saved, that is, SystemBkup.hiv and SamBkup.hiv:

Only one user with a hash was found here:

In fact, to extract NTLM hashes from the local system it was not necessary to dump the registry hives at all. Another option is to raise the privileges of the mimikatz process itself and extract the hashes directly from the system. To do this, run the commands:

How to extract NTLM hash from lsass.DMP file

Logically (and in practice), the dump of the Local Security Authority Process should contain only the hash of the user who logged in with a password.

First, specify the path to the dump file with a command of the form:

Then run the command:

How to brute-force NTLM hash

For cracking I will take the following hash:

Look at the Hashcat help to find the NTLM hash mode number:

So the NTLM hash mode number in hashcat is 1000.

To launch a mask attack against NTLM in Hashcat, run a command of the form:

An example of my real command:

In this command:

  • hashcat is the name of the executable file. On Windows, it could be hashcat64.exe.
  • --force means ignore warnings
  • --hwmon-temp-abort=100 sets the maximum temperature, after which the brute-force attack is interrupted, to 100 degrees Celsius
  • -m 1000 means NTLM hash type
  • -D 1,2 means use both the central processor and the video card for brute-force
  • -a 3 means mask attack
  • -i means gradually increase the number of characters in the generated passwords
  • --increment-min 1 means start with a mask length of one
  • --increment-max 10 means end the search at a mask length of ten
  • -1 ?l?d defines custom character set number 1, which includes lowercase Latin letters (?l) and digits (?d)
  • ca76a176340f0291e1cc8ea7277fc571 is the hash to crack
  • ?1?1?1?1?1?1?1?1?1 is a mask built from the custom character set
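Whether the increment run above can finish in a sensible time depends on the keyspace, which is the product of the per-position charset sizes, summed over every mask length that the --increment range covers. The calculator below is an added example, not code from the article or from hashcat: it parses a hashcat-style mask with custom charsets (custom charsets may reference built-ins and literals only), handles the --increment-min/--increment-max range, and converts the total to a running time at an assumed rate. Two assumptions are labelled in the code: an --increment-max larger than the mask is treated as clamped to the mask length, and the hash rate used in the usage section is a constructed figure, not a benchmark.

```python
"""Keyspace of a hashcat mask attack with custom charsets and --increment.
Added example; not code from the article or from hashcat."""
import string

# hashcat's built-in charsets: ?l ?u ?d ?s ?a. ?s is the 33 printable ASCII
# punctuation characters including space; ?a is ?l?u?d?s (95 characters).
BUILTIN = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation + " "),
}
BUILTIN["a"] = BUILTIN["l"] | BUILTIN["u"] | BUILTIN["d"] | BUILTIN["s"]


def expand_charset(spec: str) -> set:
    """Expand a custom-charset spec such as '?l?d' or 'abc?d' into a set of characters.
    Only built-ins and literals are supported here; '??' is a literal question mark."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                chars.add("?")
            elif key in BUILTIN:
                chars |= BUILTIN[key]
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars


def mask_positions(mask: str, custom_specs: dict) -> list:
    """Charset size for each mask position; custom_specs maps '1'..'4' to their specs."""
    custom = {k: expand_charset(v) for k, v in custom_specs.items()}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                sizes.append(1)
            elif key in custom:
                sizes.append(len(custom[key]))
            elif key in BUILTIN:
                sizes.append(len(BUILTIN[key]))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            sizes.append(1)          # literal character fixed at this position
            i += 1
    return sizes


def keyspace(mask: str, custom_specs: dict = None, increment: tuple = None) -> int:
    """Number of candidates for the mask. With increment=(min, max), the mask is
    truncated to each length in the range and the per-length counts are summed."""
    sizes = mask_positions(mask, custom_specs or {})
    if increment is None:
        lengths = [len(sizes)]
    else:
        lo, hi = increment
        hi = min(hi, len(sizes))     # assumption: a range beyond the mask is clamped to it
        lengths = range(lo, hi + 1)
    total = 0
    for n in lengths:
        count = 1
        for size in sizes[:n]:
            count *= size
        total += count
    return total


def estimate_seconds(candidates: int, hashes_per_second: float) -> float:
    """Worst-case running time if every candidate has to be tried."""
    return candidates / hashes_per_second


if __name__ == "__main__":
    # The article's mask: nine positions of ?1 = ?l?d, incremented from length 1 to 10.
    total = keyspace("?1?1?1?1?1?1?1?1?1", {"1": "?l?d"}, increment=(1, 10))
    rate = 36e9   # constructed figure (hashes per second), not a benchmark
    print(f"{total} candidates, about {estimate_seconds(total, rate) / 3600:.1f} h at {rate:.0e} H/s")
```

The same function answers the policy question from the other direction: compare the keyspace of ?1 over ?l?d with that of ?a at the same length to see how much an enforced mix of character classes costs an attacker, and how little a mere length increase of one costs with a 36-symbol alphabet.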

Let's crack one more hash:

The command (a different hash and a different custom character set):

So, in this article, we learned how to extract an NTLM hash and crack a Windows password. But what if you fail to crack NTLM? See the second part, entitled “Pass-the-hash attack (how to use NTLM without cracking a password)” for the answer.

How to Hack Windows with a Text File

Welcome to another Windows hacking tutorial using Metasploit and a text file. Yes, you heard that right: we will be using a text file to hack Windows 10.

How does hacking Windows with a text file work?

This hack uses the winrar_name_spoofing vulnerability to target Windows and create a reverse shell. We will use this vulnerability to exploit a Windows 10 machine with the help of the Metasploit framework. We will create a malicious ZIP file; inside the ZIP file, the payload (virus) file is hidden in the form of a .txt file. When the target victim opens that text file, a Meterpreter session is established with our attacking machine.
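The WinRAR filename-spoofing issue that this module relies on comes from the ZIP format storing each file name twice, once in the local file header and once in the central directory; the affected WinRAR versions displayed the central-directory name in the listing but extracted the file under the local-header name. A defender can therefore flag such an archive before anyone opens it by comparing the two names for every entry. The scanner below is an added example, not part of the original tutorial and not Metasploit code; the two archives it checks are constructed in memory (one clean, one whose central-directory name has been altered to end in .txt, as a stand-in for the spoofed archive) so that it runs offline.

```python
"""Detect ZIP entries whose central-directory name differs from the local
file-header name, the basis of WinRAR filename spoofing. Added example."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature


def spoofed_entries(data: bytes) -> list:
    """Return (central_name, local_name) pairs that disagree; [] for a clean archive."""
    mismatches = []
    # zipfile reads the central directory; header_offset points at each local header.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                raise ValueError(f"no local file header at offset {off}")
            # Local header layout: 26 bytes of fixed fields, then name length (u16),
            # extra length (u16), then the name itself at offset 30.
            name_len = struct.unpack_from("<H", data, off + 26)[0]
            enc = "utf-8" if info.flag_bits & 0x800 else "cp437"   # same rule zipfile applies
            local_name = data[off + 30:off + 30 + name_len].decode(enc)
            if local_name != info.filename:
                mismatches.append((info.filename, local_name))
    return mismatches


def is_suspicious(data: bytes) -> bool:
    return bool(spoofed_entries(data))


def build_archive(name: str, content: bytes) -> bytes:
    """Constructed fixture: a one-entry stored ZIP built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def rename_in_central_directory(data: bytes, old: str, new: str) -> bytes:
    """Constructed fixture only: rewrite the entry name in the central directory while the
    local header keeps the original. Equal-length names keep every offset valid."""
    assert len(old) == len(new), "fixture needs equal-length names"
    cd_start = data.index(CENTRAL_SIG)
    return data[:cd_start] + data[cd_start:].replace(old.encode(), new.encode(), 1)


# Constructed sample archives: the contents are placeholders, not real programs.
CLEAN_ZIP = build_archive("report.txt", b"quarterly numbers\n")
SPOOFED_ZIP = rename_in_central_directory(
    build_archive("report.exe", b"placeholder bytes, not an executable"),
    "report.exe", "report.txt",
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("spoofed", SPOOFED_ZIP)):
        print(label, spoofed_entries(blob))
```

The check is cheap enough to run on every archive at a mail gateway or download proxy, and it is independent of which archiver the recipient uses: any mismatch between the two name fields is abnormal for archives produced by ordinary tools.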

So, without further ado, let's start the tutorial.

Steps to create a Payload using Metasploit Framework

Step 1: Open a Kali Linux terminal and launch the Metasploit framework using the following command:

Step 2: Once msfconsole is open, type the following command to select the winrar_name_spoofing vulnerability:

Step 3: Now you can type the show options command to list all the options available for this hack:

The output of the command:

Step 4: Now, we need to set the name of the malicious file and the name of the spoof file, which will be hidden inside the ZIP file.

Type the following commands:

Step 5: Now we need to set LHOST and LPORT in Metasploit. Since I'm using the Windows exploit on my local area network (LAN), I'll use my local IP address and 4444 as LPORT. If you were using ngrok or No-IP, you would use the corresponding IP addresses. Run the commands:

Step 6: Now we need to set the listener for the payload; to do that, run the following command in the Kali Linux terminal:

Step 7: Now type exploit, and a file named funnyvideo.zip will be created at /root/.msf4/local/funnyvideo.zip

Step 8: Copy the malicious file and send it to the victim using social engineering methods.

Steps to create a Listener for the Payload

In this step, we will create a listener for our Windows payload. This will let us control the target system through the Windows exploit.

Step 1: Type the following command to use the Metasploit multi/handler:

Step 2: Now we need to set the payload; for that, run the following command:

Step 3: Now set the LHOST and LPORT for the listener with the following commands. Note that they must be the same as in the malicious file you created.

Step 4: Now type exploit in the terminal, and your exploit will run.

Step 5: Congrats! You now just have to wait until the target opens the file, and voilà, you have hacked their system.

Type help to see all the commands possible using the Metasploit framework.

Commonly asked questions about hacking Windows with a text file:

Q1. Is hacking Windows 10 devices legal?

No, hacking Windows 10 is not legal. This is an educational post to show how hackers can hack Windows with a text file. This hack is for educational purposes only.

Q2. The malicious text file I made is detected as a virus by my antivirus. What do I do?

Do not worry; you are safe. The alert appears because you made your own virus, which is hidden in the ZIP file, and antivirus software may detect it. That only means you have a good antivirus.

Q3. How can I hack my friend's or girlfriend's PC with this hack?

This hack is for educational purposes only, not for hacking people. We do not support any illegal hacking. Kindly refrain from such comments and requests.

Q4. Does this hack work on all versions of Windows?

Yes, it works on all versions of Windows; however, an updated Windows may detect it as a virus, and an antivirus will definitely detect it as a virus.

I hope you liked this article and learned how to hack Windows with a text file. Donate to support us. Keep sharing the articles. Happy hacking.
