OK, imagine this: you have got access to a file server and, behold, you find an unsecured, unencrypted backup of a domain controller (this isn’t made up, I find these in networks sometimes!). You yoink the NTDS.dit (or maybe it’s just a workstation’s SAM and SYSTEM hives) and extract the hashes, but now what? You need to crack those bad boys!

Check out the MS docs on how NT and LM hashes are computed (hashed)! (Thanks @ANeilan for spotting my mistake!)

[MS-SAMR]: Encrypting an NT or LM Hash | Microsoft Docs

Well, there are a few tools readily available to you for cracking locally (offline):

  • John the Ripper (or simply John)
  • Hashcat

Try cracking the NT hashes with hashcat (mode 1000) against a wordlist:

hashcat.exe -m 1000 Hashrun1.txt rockyou.txt

If you want to apply mangling rules, add them with -r (you can pass -r more than once to stack rule files):

hashcat.exe -m 1000 -r rules\_NSAKEY.v2.dive.rule Hashrun1.txt rockyou.txt

Good rule sets include OneRuleToRuleThemAll and dive.

Or with John the Ripper:

john --format=nt --wordlist=rockyou.txt Hashrun1.txt

Also remember you might get hold of LM hashes (stored by default before Vista / Server 2008). These are far weaker than NT hashes (upper-cased, split into two 7-character halves) and worth cracking first:

  • John: --format=lm
  • Hashcat: -m 3000

What if we can’t crack the hashes?

If you dumped the hashes from the SAM or NTDS.dit but can’t crack them, don’t worry: try spraying them around with CrackMapExec and its pass-the-hash (PtH) function, or use other PtH-capable tooling such as Metasploit, PsExec-style tools or Impacket. An NT hash is all NTLM authentication needs, so an uncracked hash is still a credential.

Other useful hash types for Windows systems include:

NTLMv1 / NetNTLMv1 – john --format=netntlm or hashcat -m 5500

NTLMv2 / NetNTLMv2 – john --format=netntlmv2 or hashcat -m 5600

Lastly, a very tough hash to crack computationally is the cached domain credential stored on a machine (MS Cache v2 / DCC2, which runs PBKDF2 over the NT hash, so every candidate costs thousands of times more than a plain NT hash):

  • -m 2100 with hashcat (-m 1100 for the older DCC1 format)
  • --format=mscash2 for John the Ripper (mscash for DCC1)

Now remember that’s not all. If you have SYSTEM on a box you can also weaken protections (for example re-enabling WDigest caching) so that Mimikatz displays clear-text passwords, or perform a DCSync; you can dump LSASS memory; and you can dive the disk for passwords in things like browser password stores. That’s before we even get to Responder and tricks like the Kerberos to NTLM downgrade.

Also don’t forget to check out the previous Hacking 101 posts:

Hacking 101 – PwnDefend

Summary

There are often scenarios where hash cracking is required and useful (even in just the “lost password” scenario for IT ops). Hopefully this is a quick reference guide for cracking common Windows hash types with hashcat and John the Ripper.