Hack Like a Pro: How to Grab & Crack Encrypted Windows Passwords

First of all i need to thank you for taking out time from your busy schedule teaching us with a lot of Important Info. which i was never knowing. Just need to know About Shodan Search engine. I'm new to it. Can you please Write an Article On Shodan & the searches we can use & filters in Shodan.

I will be very much Thankful too you :)

Naught:

I'll put Shodan on my list to write about in the near future.

OTW

Thank :)

Can You provide An Best Alternate to Google. Except Shodan & duckduckgo

Naughty:

Yes, I can do that. What is your primary issue with google?

OTW

They Have Removed The Safe Search Option, I don't Get the Desired Result Even After Applying Filters, Like I used One Google Dork inurl:".com/view.php?page=../ to Search For Pages On which I can Try Remote File Inclusion......But I am very Unsatisfied With the Result.. :(

where does hashfile.txt go?

Jake:

If you are asking where the hashfiledumpfile.txt will be after running pwdump, it should be in the pwdump directory.

OTW

use ixquick.com

how to do it in backtrack 5 r3 ?

Rico:

Welcome to Null Byte!

I have a tutorial on grabbing and cracking Linux passwords here

OTW

Is there any way to grab Windows passwords using backtrack besides Metasploit? in other words, is pwdump2 only used when run on windows machines?

One more thing, there is something similar in BTr5 called samdump. What is that used for?

Thank you so much for your help

Jared:

I'm not sure what you asking in the first question. pwdump2 only works on Windows systems as it is a Windows dll.

samdump only works if the system is offline.

OTW

You answered my question. Was wondering if pwdump2 could be run on BTr5 to grab passwords off of windows, but you answered that.

Thanks!

Hello. I can't find it now, but I read somewhere, perhaps not on this site, that you can create and use a custom dictionary for use with Cain. Well, I read that here. What I read elsewhere was that you can create a dictionary using things you know like pet names, birthdays, phone numbers, relative names, etc. I've seen multiple references to creating a custom dictionary, but nowhere can I find instructions on how to actually DO IT. I tried creating a txt file with the words I wanted to try, but even when I plug in the exact password into this txt file (I know the password for this Windows 7 acct because it's a test account) it still isn't successful. There has to be a certain way to format it or something that I'm not aware of. I strongly suspect that the Win 7 acct I'm trying to crack likely contains a pet name and/or address, and something from 0123456789. I need to create a custom dictionary with all of the things I want to try but don't know how to do it. Any help would be greatly appreciated.

Matt:

First, I need to know a bit more info. Are you trying to crack captured hashes from the SAM file? If so, what is the encryption being used?

Cracking password strategies is dependent upon what passwords you are trying to crack and how they are encrypted.

OTW

Thank you for your quick response. I'm not sure about the encryption type. However, it is a 32-bit Windows 7 Home Premium machine that I'm trying to crack. I dumped the hashes from the SAM and I'm using Cain & Abel on my desktop (a 64-bit Windows 7 Ultimate machine) to do the actual cracking. Hopefully that will help determine what you need to know. I also added a screenshot from Cain that may or may not help. The account on top is the one I need to crack. The one on bottom is a test account that I set up on my desktop machine for testing. I know the password for that one. TIA

Matt smith, i believe theres an app for linux called CUPP that helps make great custom dictionairies. OTW - i was wondering if you could elaborate on the method to turn my dict. list (rockyou, ect.) into the hash values. I know its different per SSID so i would have to do it per crack, but i think it was genmpk or something to make the , uh, rainbow tables is it?

Thanks for the info. I have a dual boot with Kubuntu, so I will look into CUPP. I also ran across something called "crunch" on Sourceforge. I believe it is a Linux app as well. I will look into it too. I was hoping there would be something simple where you just provide the words and numbers you believe may have been used in the password, and the software would then build the dictionary for you. Then I could run a dictionary attack in Cain and use that dictionary.

OK, my mind is blown. I have no idea what is going on. I can download the test dictionary from here http://www.rainbowtables.net/tutorials/dictionary.php and then add the password that I know for my test account to that test dictionary. I then run a dictionary attack using that test dictionary and it is successful at cracking my test account. However, if I create my own wordlist/dictionary with the same exact password in it, it fails every time. I'm beyond stumped.

Matt:

First, there is an app in metasploit's SET that generates passwords based upon info you input about the target such as pet names, address, spouse, children's name, etc.

Second, what are you using create your wordlist? You must use notepad and be careful to format the data just like the default wordlists that work.

OTW

what is the name of that app in SET called OWT?

thanks!

And if i remember right matt i think cupp lets u add all sorts of details about the target and u can add names, words, or numbers for it to make up all kinds of combinations with to more precisely hone in on your targets possible passwords he would choose.

Hello again. I have been using a Windows application to generate wordlists. I have also created my own lists from scratch containing just the known correct password and it fails. I originally used Notepad. Since that wasn't working, I thought maybe it was a formatting or encoding issue. I've tried Notepad, MS Word, Wordpad, and Notepad++. Same result every time. I started a forum thread over here https://null-byte.wonderhowto.com/forum/desperately-need-assistance-with-cain-and-ntlm-hash-dictionary-cracking-0149399/ in case having an outright discussion isn't appropriate for the comment thread here. Anyway, I'm going to change the test account password to something arbitrary and then test. If no luck, I'll post a link to my test wordlist in the thread. I figure this isn't the place to have a thorough discussion about my specific issues. Thanks for the responses.

Matt:

Notepad and notepad++ should work, if the formatting is correct. The apps will not.

OTW

how do you crack hashes of a windows 8 system?

in this tutorial you used cain and abel but thats for windows and i was wondering how to do it on a linux.

I tried to use john to crack the hashes like i read somewhere else, but it recognizes the hash as "nt" or "nt2" but I've looked up the actual type and its really supposed to be "md4". I tried using the "--format=raw-md4" but that didnt work either so Im at a stand still and not sure where to go.

Eight:

I believe that Windows 8 is using the same hashes as Windows 7, that is NTLMv2. No one uses MD4 anymore as it is seriously flawed.

You can take the hashes out and run them through Cain and Abel on a Windows machine or John the Ripper in Linux. JtR does auto detecting of the hash, but in Cain and Abel you should select NTLMv2.

OTW

JtR does auto detect but it can't tell if it is nt or nt2, and neither of which is NTLMv2 or i dont think they are. Also it doesnt have a format for a hash type of NTLMv2, but the closest one, netntlmv2, does not work

Eight:

NT2 is NTLMv2.

Hi, i have a problem, when I enter the command prompt for the pwdump3 app, i get an error in the command screen, saying that it can't open my admin map in 5 or something like that. Any idea what this means?

Hello all , and Master!

So, i have question how to use the Cain and abel to crack pasword for web page (server game) if i know usernames.

Lets say, havent used acc, and made it ages ago. So i dont have the (dont remember the pasword for e-mail to recover as resend it, also dont remember evein the email i have putted ages a go. Lets say, i have stoped paly for while. Now i want it :)

So, how i can use cain and abel to crack it? The paswprd list, etc stuff. How does it looks to do it.

The addresse is www.lordswm.com orgin sever were i made account. Now its been merger with heroeswm.ru. but .com is english, .ru rus.

I would be thankfull, for help- tuto, advise.
I m new in this thing, and want to learn more and more... not to do bad things, but to do for my self :)

Is there a way to bruteforce without a wordlist, but with a pattern?
Like say for example I know the password follows a pattern;
#bk##ksow#

where # is some number. So i know their password has a number, then "bk", then a 2 digit number, then "ksow", then another number and I want to bruteforce based on this knowledge. Or alternatively, I know the password contains the string "w1r3l355" in it and is somewhere between 9 to 13 characters long?

Cain and Abel allows you to brute force with a specific character set and number of characters.

You might enhance some of the open source password crackers with that specificity.

Hi Sir, i have read some of your tutorials about cracking passwords of windows, i was wondering if there is a way to crack window 7 password remotely through window 7 or backtrack?

if there is a way that you can tell me, i will be very thankful to your help...
Regards...

Muhammad:

Welcome to Null Byte!

Yes, you can crack Windows 7 passwords remotely. First, you need to exploit the Windows 7 system remotely using Metasploit or other hack (see my Windows 7 hacks). Then upload pwdump and sumdump.dll to the system. Then, extract the hashes and download to your computer where you can then crack the hashes.

OTW

master i,m using win 7 , i tried to install pwdump3 but i couldn't able to install it...my antivirus showing it a malicious file.

It is a malicious file. Turn off you antivirus software.

hello!
i am unable to run the pwdump3

it is in d drive in folder pw i navigated to it but when i am writing the comand to take the hashfiles it is showing logon to \\rajiv3269\admin$ failed:code 53

pls help me

Also, that code 53 usually means that the path to the drive is not found. Make certain that your path is correct to pwdump3.

OTW

Rajiv:

Are you running the command prompt as administrator?

OTW

I want to know how to hack gmail account i have only email id..?

why I get empty hast.txt file after I run pwdump3 ???

Akakus:

I'm not sure. Can you give us more information?

when I run the command, it says complete. However when I check the text file in the pwdump3 directory I find it empty NO hashes . I am running win7 OS 32-bit. AND THERE one more thing the moment it says complete it restarts automatically .

Note : I disabled the Anit-virus already...

In the pwdump3 command, what are you using for the name of your computer?

I run hostname in the cmd and used that displayed name : Akakusxx

Can you give us a screenshot?

I was able to get the hashes using pwdump7 I ran it and I GOT them. Now I am using Cain and Abel to break the hashes. First pwd was cracked and the second is little harder and was not in the dictionary list , so I used Brute force. However it took a while , so i decided to go with the online cracking , and got the second one too .Thanks .

Congratulations!

Question popped up in mind just now what do you mean by Hybrid attack , is it in the Cain and Abel program or u mean the Hybrid attack within Kali Linux

Hello,

Can you tell me how to crack password windows 8 64 bit.

I can't install those program because i don't have the administrator privilege. i need the password for the admin privilege.

and i don't want to change the password
thanks.

I want to know this too...

c:/user/Desktop/pwdump3 mycomputer hashdumpfile.txt

When i insert the command line it can't find pwdump3. What could this problem be due to?

Hi there :D

Maybe you have already mentioned it, but im new in all this but would like to learn :)

I have read something abou Cain and Abel bur that seem to only work if the person has used your computer.

So my question is how can i use brute force or something easy and similar to gues someones password ?

This is of cource only to private use because it is fun :D

how do we get gmail or facebook password

pwdump3 doesn't work for me. I'm using pwdump3v2, and trying it on a spare laptop running windows 8.1.
I get the following error message:
Logon to \\mypc\ADMIN$ failed: code 53
mypc is where the actual name of the laptop is.

I think the vulnerability in LSASS that pwdump3 exploits has been fixed in windows 8.1, but is there something else I can do?

so does that mean Kali Linux does not have Cain and Abel for cracking windows passwords

I'm not this computer savvy. Is there a simple so called plug and play download to hack dating and porn sites?

Hi, my .txt files are coming back empty any suggestions?

BTW great tutorials OTW

Great tutorial!

All of my .txt files don't have anything in them. I've tried pwdump 3, 4, 6, and 7. None of them have worked so far. I have ran the command prompt as an administrator, as well. So far I have gotten nothing back. Any suggestions would be welcome. Help needed.

Hi OTW,

You were talking about saving the list as *.txt with Notepad.
What do you use for the mac?

hi i know i might look kind of stupid asking this question, when ever i navigate to my desktop in cmd, and then am i supposed to copy and paste the text at step 2 with and input my hostname also with that text? becuz whenever i do that it says "The system cannot find the path specified." HELP!