Kati Mueller 08.11.2017 5:40  Reading time: 5 min.

How to crack Windows passwords, should you lose them? How well is Windows protected from inside and outside against such attacks?
Windows is secured by passwords against curious fellow users on the outside and against equally curious fellow users on the inside. Unfortunately it happens from time to time that someone forgets a password or changes it unintentionally without remembering the new one. Figuring out unknown passwords isn’t much of a challenge: Windows’ internal security mechanisms are so sloppy that it is quite easy to make forgotten passwords visible again, even though they are not stored in plain text but as hash values.
Extract passwords
First you have to get the hash values of the Windows passwords. They are stored in two protected files, SAM and SYSTEM, which are located in the folder C:\Windows\System32\config (see article picture). If you still have access to your Windows and are allowed to run programs as administrator, you can use tools like pwdump to read the hash values, e.g. pwdump7 from the security company Openwall.
pwdump7.exe is run as administrator in a command line window (cmd.exe) and its output is saved to the file hash.txt. However, the virus scanner must be turned off or the command must be executed in a directory excluded from the virus scanner; otherwise pwdump7.exe will be detected as unwanted software.
Those who can no longer get into Windows boot the computer from a USB stick containing Knoppix Linux, which can be downloaded directly from the Knoppix website. The Linux system that boots accesses the Windows hard disk directly. You don’t have to remove the hard disk for that, and you don’t have to change anything on it either.
After the stick has booted successfully, the C partition of the Windows hard disk (/dev/<partition>) is mounted at /mnt. /dev/<partition> is usually /dev/sda1 or /dev/sda2 and can be determined with fdisk -l.
Then the files SAM and SYSTEM are copied from the directory /mnt/Windows/System32/config/ to a second USB stick or even directly to the Knoppix stick.
In a further step, the hash values of the passwords are extracted from the files SAM and SYSTEM. This can be done under Windows with pwdump7 or under Linux with a tool like samdump2.
Crack passwords
Once the hashed passwords are present in hash.txt, it is time to crack the hash values. For this you need tools like Hashcat or John the Ripper; for Hashcat, a good OpenCL- or CUDA-capable graphics card from AMD, Intel or NVidia should definitely be installed, because on a graphics card the calculation of the passwords is much faster thanks to GPGPU. However, inexperienced computer users often fail to get Hashcat running; John the Ripper is better suited for beginners. Both program packages are already included in Linux distributions like Debian. Windows users can get Hashcat or John the Ripper from their makers for free.
Windows password hashes are stored in a special format that holds both the old LM hashes and the newer NT hashes. LM hashes were only used up to Windows XP and are a security nightmare:
The hash values AAD3B435B51404EEAAD3B435B51404EE (LM hash) and 31D6CFE0D16AE931B73C59D7E0C089C0 (NT hash) encode an empty string and mean that no password is set for the corresponding account.
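As an added example (not from the article or from the tools it names), the following Python script reads a pwdump-style hash.txt, i.e. lines of the form username:RID:LMhash:NThash::: as written by pwdump7 and samdump2, and reports what an administrator should fix before anyone has to run a cracker: accounts with no password at all (both hashes equal the empty-string values above), accounts that still carry a real LM hash, and accounts that share the same NT hash. The sample dump is constructed for the example; its non-empty hashes are arbitrary hex digits that belong to no real password.

```python
# Added example (not from the article): audit a pwdump-style hash.txt
# for weak account states before anyone has to crack anything.
#
# pwdump7 and samdump2 write one account per line in the form
#     username:RID:LMhash:NThash:::
# The two constants below are the empty-string hashes quoted in the article.
# The sample dump is constructed for this example; the non-empty hashes
# in it are arbitrary hex and do not correspond to any real password.

EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
HEX_DIGITS = set("0123456789ABCDEF")

SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:0011223344556677889900AABBCCDDEE:FEDCBA9876543210FEDCBA9876543210:::
carol:1003:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) tuples; reject malformed lines."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt:::")
        user, rid, lm, nt = parts[0], parts[1], parts[2].upper(), parts[3].upper()
        if not rid.isdigit():
            raise ValueError(f"line {lineno}: RID {rid!r} is not numeric")
        for label, digest in (("LM", lm), ("NT", nt)):
            if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
                raise ValueError(f"line {lineno}: {label} hash is not 32 hex digits")
        records.append((user, int(rid), lm, nt))
    return records


def audit(records):
    """Flag accounts an administrator should look at before an attacker does."""
    findings = {"no_password": [], "lm_hash_stored": [], "same_password": []}
    by_nt = {}
    for user, _rid, lm, nt in records:
        # Both hashes equal to the empty-string values: no password is set.
        if lm == EMPTY_LM and nt == EMPTY_NT:
            findings["no_password"].append(user)
            continue
        # A real LM hash is still stored: the weak pre-Vista format the
        # article calls a security nightmare is available to the attacker.
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)
        by_nt.setdefault(nt, []).append(user)
    # NT hashes are unsalted (general fact, not from the article), so identical
    # hashes mean identical passwords; cracking one account cracks them all.
    for nt, users in by_nt.items():
        if len(users) > 1:
            findings["same_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for category, hits in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{category}: {hits}")
```

Run against the constructed dump it reports Administrator and Guest as password-less, bob as the only account with a stored LM hash, and alice and carol as sharing one password. The parser rejects lines that are not 32 hex digits per hash so that a truncated or hand-edited dump fails loudly instead of silently passing the audit.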
Depending on whether LM or NT hashes are to be cracked, John the Ripper is started most easily in brute-force mode:
- LM hash: john -format=LM hash.txt
- NT hash: john -format=NT hash.txt
- NT hash (alternative): john -format=NT2 hash.txt
Dictionary attack
Additionally, a word list can be specified for a dictionary attack: -wordlist:<file>
To save time it makes sense to first search for the passwords in the word list and only in a second pass use the brute-force method. The calculation can take a while, depending on the number, length and quality of the passwords. At some point the passwords are available in plain text; they are also saved in the file john.pot below the user directory.
In this example file, the passwords [admin, 123456, Kochtopf, g2h23m] of four Windows accounts are calculated in a relatively short time.

The LM hashes are found in 2.5 minutes in brute force mode without a word list.

The same passwords as NT hashes are harder to crack and take about 3.5 minutes in two passes using the standard Linux dictionary.
Harden passwords
You can slow down the calculation of the passwords from the hashes by using long passwords that contain numbers and special characters and do not appear in dictionaries.
However, there is a trick that makes the calculation difficult or impossible for Hashcat, John the Ripper and other tools. Currently these programs do not recognize umlauts, accented characters or special characters like emojis. Such characters (still) prevent successful cracking, because only 7-bit ASCII characters between 0x20 and 0x7F are searched for. A simple ‘ü’ in the password prevents a calculation. Still..
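To make the hardening advice concrete, here is an added Python example (not the article's code) that checks a candidate password against the points above: presence in a word list, length, digits and special characters, and whether it stays inside the 7-bit ASCII range the tools search. It also estimates the brute-force search space in bits for an NT hash and, going a little beyond the article, for an LM hash, whose two-half construction is the reason it falls so quickly. The 12-character threshold and the small word list are assumptions made for this example.

```python
# Added example (not from the article): estimate how a candidate password
# stands up to the attacks described above. Thresholds are assumptions for
# this example: 12 characters as "long", and a constructed stand-in for a
# real word list. The 95-character printable range 0x20-0x7E is the 7-bit
# ASCII space the article says the cracking tools search.

import math
import string

ASCII_PRINTABLE = 95     # printable 7-bit ASCII, 0x20..0x7E
LM_UPPER_CHARSET = 69    # printable ASCII minus the 26 lowercase letters
MIN_LENGTH = 12          # assumption for this example
# Constructed stand-in for a dictionary such as the one John the Ripper uses.
SAMPLE_WORDLIST = {"admin", "123456", "kochtopf", "password", "qwerty"}


def is_seven_bit_ascii(pw):
    """True if every character lies in the 0x20..0x7E range the tools search."""
    return all(0x20 <= ord(c) <= 0x7E for c in pw)


def nt_brute_force_bits(pw):
    """log2 of the guesses a 7-bit brute force needs to reach this length.

    Returns None when the password contains a character outside 7-bit
    ASCII, because such a search never reaches it at all.
    """
    if not is_seven_bit_ascii(pw):
        return None
    return len(pw) * math.log2(ASCII_PRINTABLE)


def lm_brute_force_bits(pw):
    """Why LM is the 'security nightmare' the article mentions (general
    knowledge, not from the article): LM upper-cases the password and hashes
    two independent 7-character halves, so an attacker needs at most
    2 * 69**7 guesses instead of 95**14. Passwords longer than 14 characters
    have no LM hash at all, so None is returned for them (and for passwords
    a 7-bit search cannot reach)."""
    if len(pw) > 14 or not is_seven_bit_ascii(pw):
        return None
    return math.log2(2 * LM_UPPER_CHARSET ** 7)


def assess_password(pw, wordlist=SAMPLE_WORDLIST):
    """Return the weaknesses found plus the brute-force estimates."""
    weaknesses = []
    if pw.lower() in wordlist:
        weaknesses.append("appears in word list")
    if len(pw) < MIN_LENGTH:
        weaknesses.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        weaknesses.append("contains no digit")
    if not any(c in string.punctuation for c in pw):
        weaknesses.append("contains no special character")
    return {
        "weaknesses": weaknesses,
        "seven_bit_only": is_seven_bit_ascii(pw),
        "nt_bits": nt_brute_force_bits(pw),
        "lm_bits": lm_brute_force_bits(pw),
    }


if __name__ == "__main__":
    for candidate in ("123456", "Kochtopf", "Tr0ub4dor&3x!9pQ", "Kochtöpfe!2017xyz"):
        print(candidate, assess_password(candidate))
```

The numbers make the article's timings plausible: any LM hash of 14 or fewer characters sits in a space of under 2^44 guesses regardless of how the password is built, while the NT space grows by about 6.6 bits per extra printable character. A password with a character outside 7-bit ASCII gets no estimate at all, which is exactly the gap the article's umlaut trick relies on; treat it as a bonus on top of length and dictionary resistance rather than a substitute, since tool support for wider character sets can change.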