KALI LINUX

How to crack passwords using Hashcat
The Visual Guide

by
Taylor Cook
Master of Computer Security

This book is dedicated to all Cyber Security students – have the time of your
life!

This ebook is licensed for your personal enjoyment only. This ebook may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each person you share it with.
Copyright © 2017 T. Cook. All rights reserved, including the right to reproduce this book or portions thereof in any form. No part of this text may be reproduced in any form without the express written permission of the author.
Version 2017.01
1 What is a Hash?

Cracking password hashes is a magical black art, fundamental to Cyber Security. To understand password security, we need to understand hashing.
So what is a hash? A hashing algorithm converts every password into a fixed-length number. Even the addition of a single space totally alters the hash.
Each operating system hashes its passwords differently; therefore, the hashing algorithm needs to be identified in order to crack the password.
Windows hashes are very weak compared to those of KALI Linux, which uses SHA512 hashing.
Windows uses either LM hashes or NTLM hashes. LM hashes are old and Microsoft stopped using them after Windows XP. NTLM passwords have been cracked at a rate of 350 billion hashes per second, and that was back in 2012.

HASHCAT MODES (FOR DIFFERENT HASHES)

There are many different hashing algorithms, each with a separate mode number. Make sure that you identify the hash before you start with Hashcat.
The modes are listed online:
https://hashcat.net/wiki/doku.php?id=example_hashes
So if you want to crack a hash from a Windows phone, then just change the mode to -m 13800 in Hashcat, and away you go.

Hashcat calls each hashing algorithm a “mode”, and assigns it a number.

The Hashcat mode to crack an MD5 hash is -m 0, whereas Windows NTLM would be -m 1000, and KALI’s SHA512 hash would need -m 1800.
Next, I want you to see how hashing algorithms convert a password into a fixed-length number. There are several online sites that hash passwords so that you can see the effects of hashing instantly.

STEP 1 – ONLINE HASHING – MD5

To generate MD5 hashes online, visit:
http://www.miraclesalad.com/webtools/md5.php
Type in “password” and the MD5 hash will appear.
The long number highlighted in yellow is the hash of the word “password”.
Remember that password security is like a lottery ticket. If your lottery numbers match, then you have the winning ticket. So how do we fake a winning lottery ticket?
The first steps are:
Install KALI Linux using VirtualBox for Windows machines, or use KALI as the actual operating system if you have a spare computer.
Generate some sample hashes using the site above and paste these into a Leafpad file called hashes.txt.
Generate a word list in Leafpad called word.txt. Later on I will show you where to find much larger wordlists of the top 500 and top 10,000 passwords, in addition to the major security breaches that formed the “Rockyou” dictionary of 14 million unique passwords.
Select a mode, e.g. -m 0 is MD5.
Next we select the attack mode.
You will often see the syntax -a 0, which means a straight-through attack. The attack modes are:

0 = Straight Through (just the word file)
1 = Combination
2 = Toggle case
3 = Brute Force

Rule sets. In the initial stages of password cracking, we will not use rule sets. However, once you become proficient, rule sets are invaluable in tackling complex passwords.

In the meantime, it is useful to be able to identify the likely hashing algorithm used.

We can use Hash-Identifier to give us a good idea as to the possible hashing algorithm.
STEP 2 – HOW TO IDENTIFY THE HASH IN ORDER TO CRACK IT
KALI Hash-Identifier
Hash-Identifier is preinstalled within Kali under:
05 > Password Attacks > Offline Attacks >

Hash-Identifier launches, and we paste in our hash:

Hash-Identifier detects the most likely hash based on its characteristics.
In Windows, you can download HashID from this site:
https://sourceforge.net/projects/hashidentifier/

Paste in the hash and it will identify the likely hashing algorithm. I hashed “hashcat” in MD5.
HashID identified this as an MD5 hash.

Next, I hashed “hashcat” in SHA1. HashID identified this as being a SHA1 or MySQL5 hash.

Each hash has certain characteristics, such as a different fixed length.

Hash     Size
MD5      16 bytes
SHA1     20 bytes
SHA256   32 bytes
SHA512   64 bytes
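As an added example (not from the book), the following Python computes the four digests of a password with the standard library, shows that adding a single space changes the whole hash, and applies the same size-based guess that Hash-Identifier makes. The mode numbers 0, 1000 and 1800 are the ones the book quotes; 100, 1400 and 1700 are the raw SHA1/SHA256/SHA512 modes from the hashcat example_hashes list.

```python
import hashlib

# Digest sizes from the table above, in bytes (hex output is twice as long).
# Several algorithms share a size, which is why Hash-Identifier can only give
# "likely" candidates: 16 bytes could be MD5 or NTLM, 20 bytes SHA1 or MySQL5.
CANDIDATES_BY_HEX_LENGTH = {
    32: ["MD5", "NTLM"],
    40: ["SHA1", "MySQL5"],
    64: ["SHA256"],
    128: ["SHA512"],
}

# Hashcat mode numbers: 0, 1000 and 1800 are quoted in the book; 100, 1400 and
# 1700 are the raw SHA1/SHA256/SHA512 modes from the example_hashes list.
HASHCAT_MODES = {"MD5": 0, "SHA1": 100, "NTLM": 1000, "SHA256": 1400,
                 "SHA512": 1700, "sha512crypt": 1800}


def hash_all(password: str) -> dict:
    """Hex digests of one password under the four algorithms in the table."""
    data = password.encode("utf-8")
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def guess_algorithms(hex_digest: str) -> list:
    """Size-based guess, like Hash-Identifier's first cut. Returns [] for input
    that is not a hex string or whose size is not in the table (a $6$ crypt
    string from /etc/shadow, for example, is not raw hex)."""
    digest = hex_digest.strip()
    if not digest or any(c not in "0123456789abcdefABCDEF" for c in digest):
        return []
    return list(CANDIDATES_BY_HEX_LENGTH.get(len(digest), []))


def modes_for(hex_digest: str) -> dict:
    """Map each candidate algorithm to the -m value you would hand to hashcat."""
    return {name: HASHCAT_MODES[name]
            for name in guess_algorithms(hex_digest) if name in HASHCAT_MODES}


if __name__ == "__main__":
    base, spaced = hash_all("password"), hash_all("password ")
    for name, digest in base.items():
        changed = differing_bits(digest, spaced[name])
        print(f"{name:6s} {len(digest) // 2:2d} bytes  {digest}")
        print(f"       adding one space changed {changed} of {len(digest) * 4} bits")
    print(modes_for(base["MD5"]))   # {'MD5': 0, 'NTLM': 1000}
```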

Due to these differences, each hash algorithm will be cracked at a different speed. Some hashes, such as the Windows NTLM hash, are very quick to crack. Other hashes were designed to be slow to brute force, such as Bcrypt (based on the Blowfish cipher).
The hash cracking speed also depends on the power of the CPU or graphics card.
Here are the cracking speeds for an NVIDIA GTX 1080 graphics card:

Hash     Million hashes/second
MD5      24943.1 MH/s
NTLM     41825.0 MH/s
SHA1     8538.1 MH/s
SHA512   1071.1 MH/s

If we use a more powerful graphics card, or several graphics cards, the speeds will increase.
WHAT DOES EACH HASH LOOK LIKE?
QUESTIONS TO PONDER OVER
Which operating systems use the NTLM hashing algorithm?
What hash is being attacked with a mode of -m 1000?
What hash does Kali Linux use?
Can Hashcat crack WIFI hashes?
Can Hashcat crack Windows phone hashes?
Can Hashcat crack KEEPASS hashes?
How can you benchmark the cracking speed of your CPU?

KALI LINUX SHA512 HASHES ARE CRACKED USING MODE 1800 (-m 1800)
WINDOWS NTLM HASHES ARE CRACKED USING MODE 1000 (-m 1000)
STEP 2 – CREATE 3 TEXT FILES IN LEAFPAD
You need to create these 3 text files in the same directory that you installed hashcat (this is important).

APPLICATIONS > USUAL APPLICATIONS > ACCESSORIES > LEAFPAD

CREATE 3 NEW TEXT DOCUMENTS IN LEAFPAD
WORD.TXT
HASH.TXT
CRACKED.TXT
Use Leafpad. You might want to create a folder called Hashcat (see the button Create Folder).
Create a file called word.txt.
File > Save As > create hash.txt and cracked.txt.

STEP 3 – FILL 2 OF THE TEXT FILES WITH TEST DATA

WORD.TXT
In word.txt, put in your 3 test passwords, with each password on a new line.

/root/Documents/Hashcat/word.txt

HASH.TXT
In hash.txt, put in the MD5 hashes for the 3 test passwords in word.txt.
To get MD5 hashes, visit:
http://www.miraclesalad.com/webtools/md5.php
Type in “password” and the MD5 hash will appear.

Copy and paste the hash into hash.txt.

The yellow highlighted number is our MD5 hash to be copied.
Paste the hashes for our 3 passwords into hash.txt.

/root/Documents/Hashcat/hash.txt

Hashcat will output the cracked passwords into cracked.txt, so we do not edit this file.
That’s all our prep set up. Now we move on to using Hashcat.

If you wish to check that the files contain the data entered, use Leafpad to open the file and double-check:
leafpad /root/Documents/Hashcat/word.txt
2 KALI Linux - Hashcat

Hashcat comes preinstalled on KALI Linux, and these screenshots are from KALI 2017.1.

STEP 1 – START HASHCAT

My assumption is that this is the first time that you have used the Hashcat command line. Therefore I’ll try to make this guide step by step.
Applications > 05 Password Attacks > Hashcat

You will see Hashcat launch into a black terminal window.

Remember that we created those 3 text files earlier? This is where we use them.
When we created the text documents, they were saved to /root/Documents/Hashcat.

If you saved the text files to a different directory, then now is the time to write down the full path.
STEP 4 – RUN HASHCAT

The command we use first will be:

hashcat -a 0 -m 0 /root/Documents/Hashcat/hash.txt

Explanation of syntax:

-m = hash type (the hash varies by operating system)
-a = attack mode (we’ll use both Straight and Combination attack)
-r = rules file (look for xyz.rule)
Here is the attack:

hashcat -a 0 -m 0 /root/Documents/Hashcat/hash.txt /root/Documents/Hashcat/word.txt

Hashcat displays the cracked passwords. However, what if we want to save the cracked passwords into a file?

hashcat -a 0 -m 0 --outfile=/root/Documents/Hashcat/cracked.txt /root/Documents/Hashcat/hash.txt /root/Documents/Hashcat/word.txt
(add --force at the end if needed)
Hashcat finds all 3 passwords:

If we type in leafpad cracked.txt, Leafpad will display the contents of the file.

To run a crack again, we need to delete the saved results stored in hashcat.potfile. We discuss how to do that next.
Hashcat.potfile
Cracked passwords are written to the hashcat.potfile.
To find where the potfile is on your KALI Linux system, use locate:

locate -i "*potfile*"

Here we can see the .potfile is under the /root directory, which tells us that Hashcat was first run under this directory.
Next, we use Leafpad to open and delete the contents of the .potfile:
leafpad /root/.hashcat/hashcat.potfile

The hashcat.potfile contains the found hash and the plain-text password.

Delete the contents of the file to run an attack again on the same password.
Alternatively, you can use this self-explanatory option:

--potfile-disable
Next we add a 4th word (coffee) to our wordlist and add its MD5 hash to hash.txt.

Hashcat cracks the 4th hash.

Important
If the base password is not in word.txt or our wordlist, the password cannot be cracked.
3 – Download Larger Wordlists

So far, we have only 3 words. The real power comes when we add large wordlists.
In order to crack a password, the base word of the password must be contained in the wordlist.
After a major security breach, the password lists often leak out onto the Internet.
The password lists kept by Daniel Miessler offer a broad range of easy-to-use wordlists that start with 500 or even 10,000 passwords.
https://github.com/danielmiessler/SecLists/tree/master/Passwords

If you look up the worst 500 passwords, you can paste this list into the word.txt file and use it in Hashcat.
Copy the top 500 worst passwords into word.txt.

Paste the MD5 hash for dragon into hash.txt.

Now run Hashcat for MD5:

hashcat -a 0 -m 0 --outfile=cracked1.txt hash.txt word.txt

Now the cracked1.txt file will contain the result.
CRACK YOUR KALI DEFAULT PASSWORD
Kali Linux uses the SHA512 hash.
First we need to obtain the password hash:

cat /etc/shadow

Did you see the root hash listed on the first line?
root:$6$tZ5sZcY8$HN2NbtT6i4H3i4ScGve6CsPLQHd3pZD2w3Pcfh7wsuKwGjghK5Gi

Let’s break down the hash.

root = user id
$6$ = SHA512 hash used (normally Unix based)
$tZ5sZcY8$ = salt of tZ5sZcY8
So what is the actual hash we need for Hashcat?
We need:
HN2NbtT6i4H3i4ScGve6CsPLQHd3pZD2w3Pcfh7wsuKwGjghK5GiZD7tAMPVOf9SO
Ignore the data after the /. This is the hash that we would copy and paste into our hash.txt.

$6$ DENOTES SHA512 HASHING

So if the Kali hash uses SHA512, what mode would that be in Hashcat?
https://hashcat.net/wiki/doku.php?id=example_hashes

We look up the mode number for the hash – and see 1800 listed.

Kali Linux SHA512 hashes are cracked using mode -m 1800
Windows NTLM hashes are cracked using mode -m 1000

Next, we consider the string between the two $ signs; this is called the “salt”.
THE SALT IS BETWEEN THE $DOLLARSIGN$

A salt is a random value added into the calculation, so that the hash will differ even where the same password has been used.

So if 10,000 Kali installations have the default password of “toor”, the hash would be different for every installation, because the salt alters the hash.
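Added example, not from the book: a Python parser for the /etc/shadow crypt format broken down above ($id$salt$hash, optionally $id$rounds=N$salt$hash), returning the scheme, the matching hashcat mode and the salt, together with a simplified salted-hash function that shows why 10,000 installations with the password “toor” end up with 10,000 different hashes. The sample line is constructed with a placeholder digest; salted_digest is a stand-in, not the real sha512crypt, which also iterates the hash many times; the md5crypt/sha256crypt modes 500 and 7400 come from the hashcat example_hashes list.

```python
import hashlib
import secrets

# Crypt scheme identifiers and the hashcat modes for them. "$6$" is the one the
# book's Kali root entry uses; 500 and 7400 are the md5crypt/sha256crypt modes
# from the hashcat example_hashes list.
CRYPT_SCHEMES = {"1": ("md5crypt", 500),
                 "5": ("sha256crypt", 7400),
                 "6": ("sha512crypt", 1800)}


def parse_shadow_entry(line: str):
    """Split one /etc/shadow line into user, scheme, salt and digest.

    Returns None for accounts that have no password hash to work with: an empty
    field, or one starting with '!' or '*' (locked / no password login)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: " + line)
    user, crypt_field = fields[0], fields[1]
    if crypt_field == "" or crypt_field[0] in "!*":
        return None
    parts = crypt_field.split("$")      # '$6$salt$hash' -> ['', '6', 'salt', 'hash']
    if len(parts) < 4 or parts[0] != "" or parts[1] not in CRYPT_SCHEMES:
        raise ValueError("unrecognised crypt format: " + crypt_field)
    scheme, mode = CRYPT_SCHEMES[parts[1]]
    rounds = None
    if parts[2].startswith("rounds="):  # optional '$6$rounds=N$salt$hash'
        rounds = int(parts[2][len("rounds="):])
        parts = parts[:2] + parts[3:]
    if len(parts) != 4:
        raise ValueError("unexpected number of '$' fields: " + crypt_field)
    return {
        "user": user,
        "scheme": scheme,
        "hashcat_mode": mode,
        "rounds": rounds,
        "salt": parts[2],
        "digest": parts[3],
        # The salt is part of the calculation, so the whole field travels together.
        "hashcat_input": crypt_field,
    }


def salted_digest(password: str, salt: str) -> str:
    """Simplified stand-in for sha512crypt: a single SHA512 over salt+password
    (the real scheme iterates thousands of times). Enough to show that the same
    password hashes differently under different salts, and that the stored salt
    lets a verifier reproduce the stored value."""
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def new_salt(length: int = 8) -> str:
    """Random salt drawn from the crypt alphabet ('./' plus letters and digits)."""
    alphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample line: the salt is the one shown above, the digest is a placeholder.
    sample = "root:$6$tZ5sZcY8$PLACEHOLDERDIGESTnotARealHashValue:17500:0:99999:7:::"
    print(parse_shadow_entry(sample))
    salt_a, salt_b = new_salt(), new_salt()
    # Two installations, same password "toor", different salts -> different hashes.
    print(salted_digest("toor", salt_a) != salted_digest("toor", salt_b))   # True
```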
SELECT A LARGE ENOUGH DICTIONARY
The plain-text password has to be in the dictionary in order for it to be cracked. Therefore we need to find a dictionary that contains the word “toor”.
Luckily “toor” is included in this dictionary:
https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_l
As this is a large wordlist, view it, copy all and paste into the word.txt file using Leafpad.
To cheat, I have pasted “toor” into the first line of word.txt, to speed up the recovery time.
HASHCAT SYNTAX TO CRACK KALI LINUX HASHES
Here is the moment we have been waiting for: the syntax to crack the Kali root hash.

hashcat -m 1800 -a 0 hash.txt word.txt

Here’s the output:

This time, the output was saved to a file called cracked1.txt – toor has been identified.
FAMOUS HACKING DICTIONARIES
The two major cracking dictionaries are Rockyou and CrackStation.

ROCKYOU
Rockyou contains 14 million unique passwords.
https://github.com/danielmiessler/SecLists/tree/master/Passwords

Kali includes the Rockyou dictionary by default, under /usr/share/wordlists/.

CRACKSTATION
You can download CrackStation free via torrent.

You can download the 15GB version, or the human wordlist, which has only 64 million passwords.
Download CrackStation by torrent:
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
WEAKPASS
Be careful to check the size of the download; the smallest download on Weakpass is 28 GB.
http://weakpass.com/download
4 – Rule Sets

Under the Hashcat directory, you will find a folder called Rules.
Hashcat states that “the rule based attack is one of the most complicated of the attack modes. The rule based attack is like a programming language designed for password generation”.
Each rule allows Hashcat to modify, cut or extend passwords, making this the most accurate and efficient attack.

You may also find these attacks called “word mangling”.

When users must have a number in their password, they will normally add it to the end of the password.

The Hashcat rules can be found here:
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Where the minimum password length has been set to, say, 8 characters, Hashcat can ignore all passwords with 7 or fewer characters.
The use of rules makes any attack more precise and faster. You can open each rule set in Leafpad, and this is a great way to learn more about rule sets.

Rules are located under:
/usr/share/hashcat/rules

You can open each rule in Leafpad to learn more about it. There are screenshots of each rule set in the next section.
LEETSPEAK RULE SET
The Leetspeak rule set enables Hashcat to replace standard letters with a number or special character.
A common transformation would be to change “password” in the wordlist to “p4ssw0rd” or “p@55w0rd”. Use Leafpad to open up the leetspeak rule.
LEETSPEAK ATTACK SYNTAX

hashcat -m 0 hash.txt word.txt -r /usr/share/hashcat/rules/leetspeak.rule --outfile=cracked1.txt

This means:
-m 0 – specifies the hashing algorithm applied, which in this case is MD5. This can be found using the Hash-Identifier tool.
hash.txt – the file with the hashes in.
word.txt – the file with the base passwords in.
-r – specifies that a rule set will be used in this cracking session.
-r /usr/share/hashcat/rules/leetspeak.rule – specifies the location of the rule set.
--outfile=cracked1.txt – txt file of cracked passwords.
Leetspeak rules change a single character, such as an a into a 4 or an @. The leetspeak rules are below.
If we generated an MD5 hash for “p@ssword”, pasted that into hash.txt, and added “password” to our word.txt, what would happen?

Paste the MD5 hash into hash.txt.

Next we enter the syntax to recover the password:

hashcat -m 0 hash.txt word.txt -r /usr/share/hashcat/rules/leetspeak.rule --outfile=cracked1.txt

Hashcat has converted our “password” base word into various leetspeak options and has recovered “p@ssword”.
Note: the word.txt file never contained “p@ssword”, only “password”.
Wasn’t that fun?
So what does this imply for complex passwords that use numbers to replace letters?
There is a contentious debate within Cyber Security regarding overly complex passwords.

A long password requires more effort to brute force.

Each extra character doubles the effort required by the password cracker. Therefore, it would take twice as many guesses to brute force an 11-character password as a 10-character password. Hence, many researchers consider a longer password to be more robust than a shorter complex password.
Personally, I would recommend a password of at least 14 characters, in addition to the use of a structured password to assist our memory. Structure is important to recall, and the reason that complex passwords are so difficult to remember is that they are unstructured.
Of course, it makes sense to add special characters to a password, as this increases the “keyspace” to the 95 keys on a keyboard. If you only used lower-case letters, that is a keyspace of 26 in the English alphabet. The use of special characters increases the keyspace, which slows down a cracker.

Brute force calculator

Please excuse me going slightly off topic to direct you to an online brute force calculator: http://calc.opensecurityresearch.com/
A 6-character NTLMv2 (Windows) password would only take 2 days to brute force.
How long would a 14-character NTLMv2 password take? You may be shocked that to brute force a 14-character Windows keyspace could take:
7 trillion years (yikes..)
Next we will cover the Best64 rule set.
BEST64 RULE SET
The Best64 rule set conducts multiple changes to words in wordlists. It tries to append number combinations to each word as well as rotate various chunks of each word. It also includes various other rules.
Here we see how it appends a number at the end.

There is a lot more going on inside this rule set, so it’s worth reading carefully.
hashcat -m 0 hash.txt word.txt -r /usr/share/hashcat/rules/best64.rule --outfile=cracked1.txt --force

This means:
-m 0 – specifies the hashing algorithm applied, which in this case is MD5. This can be found using the Hash-Identifier tool.
hash.txt – the file with the hashes in.
word.txt – the file with the base passwords in.
-r – specifies that a rule set will be used in this cracking session.
-r /usr/share/hashcat/rules/best64.rule – specifies the location of the rule set.
--outfile=cracked1.txt – txt file of cracked passwords.

So let’s add the MD5 hash for “password9” into our hash.txt file and see if this rule will add “9” to the word “password” contained in the word file.
hash.txt now contains the hash for “password9”.

Syntax – to invoke best64.rule

Hashcat recovers “password9” even though it is not in the word.txt dictionary.


PASSWORDSPRO RULE SET
The PasswordsPro rule set is one of the MOST ADVANCED and comprehensive rule sets. It adds prefixes and suffixes to a password.

When we read the PasswordsPro rule, we can see why it is so effective.

Next, add the hash for “password1989” to hash.txt.

Syntax for the PasswordsPro rule:

hashcat -m 0 hash.txt word.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --outfile=cracked1.txt
The PasswordsPro rule set instantly cracks our password with the year 1989 added to the end.
Don’t believe me?

Awesome, right?
Therefore, when users add a year to their password, the PasswordsPro rule is our best friend.
Inside the PasswordsPro rule there are some rule letters which you might want to research, ready for masks.

Next is a table which shows how advanced these rules can become.
EXPLANATION OF HASHCAT RULES
These are some Hashcat word mangling rules.
Reference:
http://thesprawl.org/research/automatic-password-rule-analysis-generation/
STRAIGHT THROUGH
Straight-through cracking just compares the hash to the passwords in the wordlist. This is the fastest form of cracking.
However, its weakness is that it cannot crack complex passwords not included in the basic wordlist.

So, as demonstrated earlier, “password” would be cracked, but “password1989” would not.
COMBINATION
This uses two dictionaries.
Every word in the first dictionary is joined with every word in the second dictionary, first word followed by second. The Hashcat website shows an example of this.

First we need to make two dictionaries in Leafpad.

We create dict1.txt and dict2.txt.
Next we combine two words from each dictionary, and hash passwordyellow and passwordred, which are:
85a0747bfe24c85faaf1707de63cbe12
8242a40015ef44702d8ae8578fb2cb15

We must specify exactly 2 dictionaries in the command line, along with an attack mode of -a 1.

hashcat -m 0 -a 1 hash.txt dict1.txt dict2.txt

Yes, Hashcat has performed a little bit of magic and cracked both passwords.

If we open up the hashcat.potfile:

We find that Hashcat has combined the 2 dictionaries and cracked the hashes.

You probably noticed that this time we did not specify an output file, but relied on the hashcat.potfile to contain the cracked passwords.

Question:
How do you clear the potfile?
leafpad hashcat.potfile
Delete the contents, and now the attack will rerun.
Remember, the .potfile holds a list of all previously cracked passwords.
TOGGLE
Rather than using all lower-case characters, a user will often toggle the case of a few characters to strengthen their password.

In the legacy Hashcat, this was a separate Toggle attack; now a rule set is used as a more efficient attack.

Under rules we will find various rule sets to toggle a certain number of characters within a password.
First, we copy a hash of “PaSSword” into our hash.txt file – the hash is:
b5652d2f1754c2e97c9f0762c2e960fe

Next we will locate toggles4.rule.

The attack syntax is:

hashcat -m 0 hash.txt word.txt -r /usr/share/hashcat/rules/toggles4.rule --outfile=cracked1.txt --force

Will Hashcat be able to find the toggled version of the password?

Hashcat has cracked the hash, using the toggles4 rule.

We can confirm this in cracked1.txt.

Users will often “toggle” a password for extra security, so this rule is quite useful.
BRUTE FORCE
This is the simplest attack, which will attempt all combinations. However,
there is almost no need to Brute Force passwords these days. How come?
For efficiency, we use the Mask Attack instead.

MASK ATTACK
The Mask Attack limits the keyspace of a Brute Force Attack, making it faster. Most companies will enforce a minimum password length. There is no need for us to consider passwords shorter than this.
Where we know that the minimum password length is 8 characters, we limit the attack with a mask.
A Mask Attack will always relate to the number of characters in a password.
Under rules we find various Hashcat masks, which end in .hcmask. The masks (.hcmask files) are located under:
/usr/share/hashcat/masks/

If we open the masks, we see built-in character sets being specified, such as:
?l = lower-case letters.
First, enter in hash.txt the hash for “1234”:
81dc9bdb52d04dc20036dbd8313ed055

Next, the attack syntax for a small mask:

hashcat -m 0 -a 3 hash.txt /usr/share/hashcat/masks/rockyou-1-60.hcmask
Hashcat will brute force this short password quickly.

Notes:
Read the .hcmask file to see what combinations will be cracked.
Each mask tackles a different combination.
We use masks instead of brute force attacks as they are faster and more effective.
Remember the keyspace limitations. The longer the password, the longer it will take to crack it. So limit the keyspace.
To set a minimum and maximum password length to brute force
Here, we wish to brute force “letmein” with a minimum of 7 characters and a maximum of 8 characters.

hashcat -m 0 -a 3 -i --increment-min 7 --increment-max 8 hash.txt ?a?a?a?a?a?a?a?a /usr/share/hashcat/masks/rockyou-7-2592000.hcmask

--increment-min 7 – this sets the minimum password length to 7 characters

--increment-max 8 – this sets the maximum password length to 8 characters

hash.txt – this is the hash to crack

?a – this means to try all characters; this includes lower case, upper case and special characters. You need a “?a” for each character.

The hash for “letmein” is:
0d107d09f5bbe40cade3de5c71e9e9b7

Keep pressing “s” to display the current status of the attack. Hashcat will give you a time estimate, and here the attack is 11 days 13 hours.
As stated earlier, avoid brute forcing, as there are better attacks.
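Added example (not from the book) tying the keyspace discussion in the leetspeak section to the mask syntax above: it turns a hashcat mask into per-position character counts, sums the keyspace over an --increment range the way hashcat does, and converts that into worst-case time at a given rate, using the GTX 1080 NTLM figure from the benchmark table as a sample rate. Charset sizes are hashcat's built-ins (?s is 33 characters, so ?a is 95).

```python
import math

# hashcat's built-in charsets and their sizes. ?a is ?l?u?d?s, the 95 printable
# ASCII characters the book calls the "95 keys on a keyboard".
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95,
                 "b": 256, "h": 16, "H": 16}


def parse_mask(mask: str) -> list:
    """Number of possible characters at each position of a mask: '?x' is a
    built-in charset, '??' a literal question mark, anything else a literal."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)
        elif key in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        i += 2
    return sizes


def mask_keyspace(mask: str, min_len=None, max_len=None) -> int:
    """Candidates a mask produces. With -i --increment-min/--increment-max,
    hashcat runs the mask at every length from min to max, so the counts add up."""
    sizes = parse_mask(mask)
    min_len = len(sizes) if min_len is None else min_len
    max_len = len(sizes) if max_len is None else max_len
    if not 1 <= min_len <= max_len <= len(sizes):
        raise ValueError("increment range must lie within the mask length")
    return sum(math.prod(sizes[:n]) for n in range(min_len, max_len + 1))


def fixed_keyspace(alphabet_size: int, length: int) -> int:
    """Plain brute force over one character set: alphabet_size ** length."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given cracking rate."""
    return keyspace / hashes_per_second


def human_duration(seconds: float) -> str:
    units = (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60), ("s", 1))
    remaining, parts = int(seconds), []
    for name, size in units:
        count, remaining = divmod(remaining, size)
        if count:
            parts.append(f"{count}{name}")
    return " ".join(parts) or "0s"


if __name__ == "__main__":
    ntlm_gtx1080 = 41825.0e6   # the NTLM MH/s figure from the benchmark table above
    # One extra character multiplies the keyspace by the alphabet size.
    print(fixed_keyspace(95, 11) // fixed_keyspace(95, 10))   # 95
    for length in (6, 8, 14):
        secs = seconds_to_exhaust(fixed_keyspace(95, length), ntlm_gtx1080)
        print(f"{length} chars of ?a at the GTX 1080 NTLM rate: {human_duration(secs)}")
    # The letmein run above: ?a x 8 with -i --increment-min 7 --increment-max 8.
    print(mask_keyspace("?a" * 8, 7, 8))
```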
ONLINE CRACKERS - HASHKILLER

If you have a complex hash, you could always submit the hash to a free online cracker. Note that any hash you submit is shared with the site’s operators.

Hashkiller
https://hashkiller.co.uk/md5-decrypter.aspx

Enter the MD5 hash, and complete the Captcha.

If the hash is known, Hashkiller will display the password.

HOW DO I BENCHMARK MY COMPUTER?

Hashcat can benchmark your system to reveal your cracking speed.
Depending on your system, use the command:
hashcat -b
hashcat -b --force
hashcat -b -m 0
RESULTS OF BENCHMARKING AN I7 CPU
Limitations of Hashcat
Hashcat cannot crack all password lengths. Generally Hashcat could only crack passwords up to 15 characters; however, since oclHashcat-plus there has been support for longer passwords. Therefore the limit has increased from 15 characters to 55, with some deviations to the rule.
So if our KALI Linux password were set to 17 characters, then Hashcat could not crack it, even where the password dictionary contained the word.

Hash Type       Max Password Length Cracked   Hashcat Mode
SHA512 (Unix)   16                            1800
NTLM            27                            1000
Bitcoin         40                            11300

Windows hashing is based on NTLM, and this reduces the maximum Hashcat password length from 55 to 27 characters. How come?

NTLM is based on UTF-16, which uses 16 bits, or 2 bytes, per character. This means we have to halve the number of characters to find the limit.
So if we have 55 characters / 2 bytes, we end up with 27.5 characters.
So the maximum NTLM password length is 27.
Hashcat would fail where the NTLM password had 28 characters.
The restriction is due to the fact that Hashcat uses registers to store passwords. Once the registers are full, longer passwords cannot be cracked, even where the word is in the password dictionary.
For fast hashes, the attack mode can be a limitation:

Attack Mode                        Max Password Length
Mode 0 – Straight through          31 characters
Mode 1 – Combination               31 characters
Mode 6 – Hybrid wordlist & mask    31 characters
Mode 7 – Hybrid mask & wordlist    31 characters

So length is important!
5 – How do I extract a Windows NTLM Hash?

So, how do you find the password hashes on a Windows computer?

Windows hashes are stored in the SAM file:

C:\windows\system32\config\SAM

There are 3 locations which may hold the hashes.

SAM file (need both C:\windows\system32\config\SAM and C:\windows\system32\config\system)
Registry (HKEY_LOCAL_MACHINE\Security\Cache for domain credentials, HKEY_LOCAL_MACHINE\SAM for local credentials)
In-memory (dump with mimikatz) – note this is in memory and not written to hard disk.

However, the SAM file is locked when Windows is in use. So you cannot theoretically access the hash file after Windows has booted…or can you?
RECOVERY OF HASHES
PWDUMP 7 TOOL – EASIEST METHOD - WINDOWS
This tool needs CMD to be run with Administrator privileges to recover system hashes.
Navigate to the PWDUMP7 directory, then enter:
pwdump7.exe > C:\pwdump7.txt

Use Notepad to open the file at C:\pwdump7.txt and you’ll see a range of user IDs and hashes displayed.

The pwdump7 website shows this output – with the user account and the hash displayed.

Download pwdump7 here:
http://www.tarasco.org/security/pwdump_7/
INSTALL A LINUX LIVE CD – FOR WINDOWS
Browse to C:\windows\system32\config\SAM.
Often you can run a Kali Linux CD to browse to the Windows system files.
The instructions to follow are here:
http://cyberpratibha.com/blog/how-to-find-administrator-password-of-window-10-using-kali-linux/

Install Bkhive on Kali 2 to extract Windows SAM files.
https://samsclass.info/124/proj14/bkhive.htm

WINDOWS CREDENTIAL EDITOR

This tool will dump passwords that are in memory. Use it with the -w flag to dump passwords in clear text.
http://www.ampliasecurity.com/research.html
It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.
DISK CADDY TO ACCESS DISK
You can remove the disk and place it into a disk caddy, which is connected via USB to your Windows laptop. You can then access the SAM file.
6 – Next steps?

USE HASHCAT ON WINDOWS

Hashcat operates on both Windows 10 and KALI Linux, so just for reference, Hashcat can be downloaded for Windows:
https://hashcat.net/hashcat/

I used PeaZip to unzip the files; PeaZip is a free open source unzipping program which works with both Windows and Linux.
USE OCLHASHCAT WITH A GRAPHICS CARD
The fastest way to hack passwords is to use a high-powered graphics card, which can crack passwords many times faster than a CPU. In fact, cracking is estimated to be around 150 times faster using a GPU compared to a CPU.
In 2012, a graphics card cluster managed to brute force 350 billion guesses per second against the Windows NTLM hash. Therefore, every possible 8-character Windows password could be guessed within 5.5 hours.
You can read the Ars Technica article online:
https://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
If you have a powerful graphics card, then you might want to try graphics card hacking, and see if you can surpass 350 billion guesses per second.
Go on, you know you want to.
Hashing Cracking Speed
The Windows hashing algorithm (NTLM) is one of the fastest to brute force.
One of the slowest hashes to brute force is Bcrypt (it was designed out of a block cipher called Blowfish).

It is much faster to brute force Windows passwords than Bcrypt passwords; this makes Bcrypt more secure.
If you are ever cracking a system, you will need to adapt to the type of hashing algorithm used, as this affects your cracking speeds.
Only use brute force as a last resort, as there are faster alternatives with the use of rules and masks.
The adventure continues . . .

Follow my adventures in Information Security.

If you liked this hacking and cyber security series, please post a review at Amazon, and let your friends know about the series.

Or drop me a comment on Amazon if you would like a particular KALI tool to be included.
