Sunday, 11 December 2011

How to crack Windows Passwords

The LM hash is the old style hash used in Microsoft OS before NT 3.1 ; NT 3.1 to XP SP2 supports LM hashes for backward compatibility and is enabled by default. Vista and Seven support LM hash but is disabled by default. NTLM was introduced in NT 3.1, and supports password lengths greater than 14.
If LM hashes are enabled on your system (Win XP and lower), a hash will look like:

If LM hashes are disabled on your system (Win Vista, 7+), a hash will look like:
Administrator:500:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537:::

The first field is the username. The second field is the unique Security IDentifier for that username. The third field is the LM hash and the forth is the NTLM hash.

Extracting the hashes from the SAM (locally)

On Windows, use fgdump (doc & usage) or pwdump, or creddump (python based).
On Linux (or Live system such as Backtrack) you can use creddump (python based), or Samdump2 :
bt ~ # samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam
samdump2 2.0.1 by Objectif Securite (
original author:

You can then post the hashes to  cracking system in order to get the plain text.
other simple way is to use 
ophcrack (google it and get the idea)

Extracting Windows Password hashes remotely

Man In the Middle attack

You can use ettercap and the man in the middle attacks to sniff the username and password of a user over the network. You can read ettercap tutorials. There so much that ettercap can do and there are many tutorials covering how to use it !

Metasploit / hashdump

Metasploit is great. Documentation is at Once you have compromised the computer using metasploit you can extract the hashes doing :
use priv

Dump Tools

fgdump or pwdump6 can also remotely dump hashes :
C:\> fgdump.exe -h -u AnAdministrativeUser [-p password]
C:\> pwdump6.exe -u AnAdministrativeUser [-p password]
Here, AnAdministrativeUser's account will be used to perform the password dump. Keep in mind that any user used to perform password dumps needs administrative credentials. In this scenario, you will be prompted for the password before the password dump starts.
fgdump hashes are stored in *.pwdump file ; pwdump6 will dump the SAM to the screen.
You can then post the hashes to our cracking system in order to get the plain text.

No comments:

Post a Comment