🔑Cracking Windows Hashes 🕵

In this step by step guide, you’ll learn how to grab Windows 10 hashes then recover the password with various hash cracking techniques. The toolset included in this guide is Kali Linux, Mimikatz, Hypervisors, Hashcat and Johnny.

There are plenty of guides out there for cracking Windows hashes. However, many of them are outdated because Windows keeps making it harder to recover hashes. I want to share the method that works with a modern Windows 10 system.

This guide assumes you have physical access to a Windows 10 computer and want to bypass the operating system password. Before you begin, make sure you have the following common gadgets ready:

What you need to get started:

  1. Kali Bootable USB
  2. USB external storage drive
  3. Another computer running as a Linux host w/ Windows VM or Windows host w/ Linux VM

Finding the Hashes

Once you see the screen above, you have successfully booted Kali Linux. In these photos I’m using an older version of Kali, so yours might look a bit different. The login credentials will probably be kali:kali; if that doesn’t work, try root:toor (username:password). Once logged in, click on the “Files” icon:

Then navigate to the hard drive containing the Windows system. By clicking on “+ Other Locations” you’ll see all the hard disks in the computer. If there is only one hard drive in the computer, it should be right under the “Computer” entry:

Side note: At this point you have access to all the files on the Windows computer. If having access to the Windows OS isn’t important to you, and you just want to recover files, you can access all the files right here!

To harvest the Windows hashes we’ll need these two files:

/media/windows/Windows/System32/config/SAM
/media/windows/Windows/System32/config/SYSTEM

Navigate to these files by “Opening in Terminal”:

Then with the command cd Windows/System32/config we change into the required directory. Then, with cp SAM /root/Desktop/SAM and cp SYSTEM /root/Desktop/SYSTEM, we copy both files to our desktop (if you logged in as the kali user rather than root, use that user’s Desktop instead, for example /home/kali/Desktop):

Now is a good time to plug in that external USB drive:

Find the USB External Storage drive in the file manager and copy over the SAM and SYSTEM files to it:

Dumping the Hashes

Disable all the Windows Defender settings because today we’re going to be installing malware on purpose…

Download the latest release of Mimikatz, a very popular tool for extracting credentials from Windows systems:

Yes… We know it’s malware. But it’s our malware!

Open up Command Prompt and change directory into the mimikatz/x64 folder you just downloaded and extracted:

Execute mimikatz.exe

Plug in that external USB drive and copy the SAM and SYSTEM files into the mimikatz\x64 directory:

Finally we can dump the hashes with the following command:

lsadump::sam /system:SYSTEM /sam:SAM

Scroll down a bit to find the NTLM hash of the user you are interested in; this computer has a user named “Hacker”:

Cracking the Hashes

Save the NTLM hash from the mimikatz output into a text file:

echo "c7e86705ea4642f5b8a6e34d86333955" > hash.txt

The simplest password cracking method, which will crack basic passwords, is to run john or hashcat with the rockyou.txt word list. This list is pre-installed on Kali Linux; if you haven’t already, unzip it with the following command:

gunzip /usr/share/wordlists/rockyou.txt.gz

Now run the following command to crack the hash!

john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Alternatively, we can crack it in essentially the same way with hashcat (mode 1000 is NTLM):

hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt

If you want to get a bit fancy, we can launch a more sophisticated attack. A lot of the passwords people use for their PCs are a common word followed by a few random numbers and letters at the end. We can account for many of these passwords by first finding a list of common words. This common-password list from SecLists is perfect for this.

Download this word list and put it in the same local directory as your hashes. Next we can use this word list in a hashcat hybrid attack (-a 6) with a mask that appends 4 characters, where ?a stands for any printable ASCII character (uppercase, lowercase, digit or special character). The full command to conduct the attack would look like so:

hashcat -m 1000 -a 6 hash.txt common-passwords-win.txt ?a?a?a?a
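Before launching a hybrid attack like this one, it is worth knowing how large the search actually is, and the same arithmetic tells a defender how little a short suffix adds to a dictionary word. The following added Python example (my own, not from the original post or from hashcat) computes the keyspace of a hashcat mask from the sizes of hashcat's built-in charsets, the total candidate count for an -a 6 run, and the entropy a suffix pattern adds on top of the base word. The word-list size and the hash rate in the demo run are constructed, placeholder numbers.

```python
import math
from typing import Dict

# Sizes of hashcat's built-in charsets (hashcat's documented mask-attack charsets).
HASHCAT_CHARSETS: Dict[str, int] = {
    "l": 26,   # a-z
    "u": 26,   # A-Z
    "d": 10,   # 0-9
    "h": 16,   # 0-9abcdef
    "H": 16,   # 0-9ABCDEF
    "s": 33,   # space plus the 32 printable ASCII punctuation characters
    "a": 95,   # ?l?u?d?s, every printable ASCII character
    "b": 256,  # every byte value 0x00-0xff
}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask expands to.
    '?x' is a built-in charset, '??' is a literal '?', any other character is a literal.
    Custom charsets (?1-?4) are not modelled here."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            spec = mask[i + 1]
            if spec == "?":
                pass                          # literal question mark: one choice
            elif spec in HASHCAT_CHARSETS:
                total *= HASHCAT_CHARSETS[spec]
            else:
                raise ValueError(f"unsupported charset ?{spec}")
            i += 2
        else:
            i += 1                            # literal character: one choice
    return total


def hybrid_keyspace(word_count: int, mask: str) -> int:
    """-a 6 appends every mask expansion to every word, so the work multiplies."""
    return word_count * mask_keyspace(mask)


def seconds_to_exhaust(candidates: int, hashes_per_second: float) -> float:
    """Worst-case wall time to try every candidate at a given rate."""
    return candidates / hashes_per_second


def added_entropy_bits(mask: str) -> float:
    """Bits of work a suffix pattern adds once the attacker already has the base word."""
    return math.log2(mask_keyspace(mask))


if __name__ == "__main__":
    mask = "?a?a?a?a"                 # the suffix mask used in the post
    words = 5_000                     # constructed: size of a small common-word list
    rate = 1e9                        # constructed: an assumed NTLM hash rate per second
    total = hybrid_keyspace(words, mask)
    print(f"mask {mask} expands to {mask_keyspace(mask):,} suffixes")
    print(f"{words:,} words x mask = {total:,} candidates")
    print(f"at {rate:.0e} H/s that is about {seconds_to_exhaust(total, rate):.0f} s")
    print(f"a {mask} suffix adds only {added_entropy_bits(mask):.1f} bits to a known word")
```

Four ?a positions give 95^4, a little over 81 million suffixes, or about 26 bits, which is why "dictionary word plus a few characters" does not survive an offline attack on an unsalted hash; a password policy that enforces length and rejects dictionary-based passwords raises the exponent instead of the base.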

Thanks for Reading!

Sources

https://www.cyberpratibha.com/blog/how-to-find-administrator-password-of-window-10-using-kali-linux/
https://www.tomsdev.com/blog/2017/retrieving-lost-windows-10-password-using-kali-linux-mimikatz-hashcat/

https://www.blackmoreops.com/2014/03/27/cracking-wpa-wpa2-with-hashcat-kali-linux/
