# Dumping & Cracking Windows Hashes (NTLM Hashes)

### **Windows Password Hashes**

* The Windows OS stores hashed user account passwords locally in the SAM (Security Account Manager) database.
* Hashing is the process of converting a piece of data into another value. A hashing function or algorithm is used to generate the new value. The result of a hashing algorithm is known as a hash or hash value.
* Authentication and verification of user credentials is facilitated by the Local Security Authority (LSA).
* Windows versions up to Windows Server 2003 utilize two different types of hashes:
  * LM
  * NTLM
* Windows disables LM hashing and utilizes NTLM hashing from Windows Vista onwards.

### **SAM Database**

* SAM (Security Account Manager) is a database file that is responsible for managing user accounts and passwords on Windows. All user account passwords stored in the SAM database are hashed.
* The SAM database file cannot be copied while the operating system is running.
* The Windows NT kernel keeps the SAM database file locked and as a result, attackers typically utilize in-memory techniques and tools to dump SAM hashes from the LSASS process.
* In modern versions of Windows, the SAM database is encrypted with a syskey.

### **NTLM (NTHash)**

* NTLM is a collection of authentication protocols that are utilized in Windows to facilitate authentication between computers. The authentication process involves using a valid username and password to authenticate successfully.
* From Windows Vista onwards, Windows disables LM hashing and utilizes NTLM hashing.
* When a user account is created, its password is hashed with the MD4 algorithm and only that hash is stored; the original plaintext password is discarded.
* NTLM improves upon LM in the following ways:
  * Does not split the hash into two chunks.
  * Case sensitive.
  * Allows the use of symbols and unicode characters.

<figure><img src="https://3226903849-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaKwXOzYgG7jDDDoVkYvX%2Fuploads%2Fuaw5j40EZHQx74gmw9M1%2FNTLM%20(NTHash).png?alt=media&#x26;token=4f555398-943e-4c9d-9437-b61660416687" alt=""><figcaption><p><strong>NTLM (NTHash)</strong></p></figcaption></figure>

## **Dumping & Cracking NTLM Hashes**

* We can dump Windows password hashes by leveraging various utilities like:
  * The inbuilt meterpreter “`hashdump`” command
  * [**`Mimikatz`**](https://github.com/ParrotSec/mimikatz)
* After we have dumped the hashes, we can crack them through the use of the following utilities:
  * [**`John The Ripper`**](https://www.openwall.com/john/)
  * [**`Hashcat`**](https://hashcat.net/hashcat/)

### **Meterpreter Commands:**

* **`pgrep lsass`** – Find the process ID (PID) of the "lsass" process.
* **`migrate 708`** – Migrate to another process with the PID 708.
* **`hashdump`** – Dump password hashes from memory.
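As an added example (not code from the original page or from any tool it names), the following Python builds an NTHash exactly as described above, MD4 over the UTF-16LE password, and then audits pwdump-style lines in the layout that `hashdump` prints (assumed here to be `user:rid:lmhash:nthash:::`) for the weaknesses a defender reviews such output for: LM hashes still stored, blank passwords, and the same password reused across accounts. The sample lines and the `svc_backup` LM value are constructed placeholders, not real hashes.

```python
import struct

# MD4 sits in OpenSSL's legacy provider and is often missing from hashlib, so it is
# implemented here from RFC 1320. NTHash = MD4(UTF-16LE(password)), 16 bytes, no splitting.
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def md4(data: bytes) -> bytes:
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, shift amounts, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        saved = (a, b, c, d)
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: next op updates d, then c, then b
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), saved)]
    return struct.pack("<4I", a, b, c, d)
def nthash(password: str) -> str:
    # Case-sensitive and Unicode-aware because the UTF-16LE bytes go straight into MD4.
    return md4(password.encode("utf-16-le")).hex()
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field value when LM hashing is disabled
def audit_hashdump(lines):
    """Flag weak entries in pwdump-style lines 'user:rid:lmhash:nthash:::' (assumed layout)."""
    findings, seen = [], {}
    for line in lines:
        user, _rid, lm, nt = line.strip().split(":")[:4]
        lm, nt = lm.lower(), nt.lower()
        if lm != EMPTY_LM:
            findings.append(f"{user}: LM hash stored")
        if nt == nthash(""):
            findings.append(f"{user}: blank password")
        if nt in seen:
            findings.append(f"{user}: same password as {seen[nt]}")
        seen.setdefault(nt, user)
    return findings
# Constructed sample (not from a real system); the svc_backup LM value is a placeholder.
SAMPLE = [
    f"Administrator:500:{EMPTY_LM}:{nthash('password')}:::",
    f"Guest:501:{EMPTY_LM}:{nthash('')}:::",
    f"svc_backup:1001:0123456789abcdef0123456789abcdef:{nthash('password')}:::",
]
```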

### **Cracking Password Hashes with John the Ripper:**

To crack password hashes using John the Ripper, you can use the following command:

```bash
john --format=NT hashes.txt
```

This command attempts to crack password hashes stored in the "hashes.txt" file using John the Ripper, with the specified hash format.

### **Cracking Password Hashes with Hashcat:**

To crack password hashes using Hashcat, you can use the following command:

```bash
# -a 0 selects the straight (dictionary) attack; -m 1000 selects NTLM (NTHash)
hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
```

This command runs Hashcat in attack mode 0 (straight dictionary attack) with hash mode 1000 (NTLM) to attempt to crack the password hashes stored in the "hashes.txt" file using the "rockyou.txt" wordlist. Attack mode 3 is Hashcat's mask (brute-force) attack and expects a mask rather than a wordlist as its last argument, so it is not the right mode for a wordlist run.

***

**`Hacker's Mantra:`**`Hackers: the rebels of the tech world.`
