Hack Like a Pro: How to Grab & Crack Encrypted Windows Passwords

How to Grab & Crack Encrypted Windows Passwords

Welcome back, my neophyte hackers!

Several of you have written me asking how to crack passwords. The answer, in part, depends upon whether you have physical access to the computer, what operating system you are running, and how strong the passwords are.

In this first installment on password cracking, we'll assume the simplest arrangement; you're running Windows, attacking Windows, and have physical access to the computer whose passwords you're attempting to crack.

In future installments, we'll look at cracking passwords remotely, with and on Linux operating systems, and cracking famous web applications such as Gmail and Facebook, so keep coming back!

Step 1: Download Pwdump3

Windows systems encrypt user passwords and store them in a file named SAM and store them in the following directory:

  • c:\Windows\system32\config

The first thing we need to do is grab this file. In an earlier article, we used Metasploit to hack into the malicious dictator's computer and grab his password hashes.

We can also grab the hashes without Metasploit if we have physical access to a computer on the network. This can be done with a neat piece of software called pwdump3. It's installed on BackTrack already, but you can download it for free on Windows using the link below.

Pwdump3 is able to grab the encrypted passwords for us, and we can then crack them with another password cracking tool. So, let's grab that SAM file with pwdump3!

Step 2: Grab the Hashes

Open a command prompt. Now navigate to the folder where you placed your pwdump3 app. I put mine on the desktop. Now type:

  • c:/user/Desktop/pwdump3 mycomputer hashdumpfile.txt

When you hit enter, pwdump3 will grab the password hashes and place them in the file called "hashdumpfile.txt". Make sure that you replace "mycomputer" in the command above with the actual name of your computer. If you don't know the name of your computer, simply type "hostname" as the command prompt and Windows will return the name of your computer.

Pwdump3 can retrieve the password hashes from any computer on your network!

Step 3: Download Cain & Abel

Now that we have encrypted passwords (hashes), we now need to decrypt them so we can read and use them. Most hacking software is developed for the Linux operating system, then gets ported (recompiled) for Windows, but there is one delightful exception—Cain and Abel.

Cain and Abel is a hacking application exclusive to Windows that has never been ported for Linux. It's a powerful and free (but not open source) application that every hacker should be familiar with. We'll be using just one of its many capabilities, namely cracking Windows password hashes.

Now that we have all the tools we need, let's start cracking those passwords!

Step 4: Crack the Passwords

Cain and Abel must be run with administrator privileges, so right-click the CAIN icon on your desktop and select "Run as administrator." It should then open up a screen that looks like this:

Next, click on the "Cracker" tab at the top of the work area, and provide Cain and Abel the password hashes to crack. Simply right-click on the white space in the center of Cain and Abel and a pull-down window will appear. Select "Import hashes from a text file."

Choose the file with the password hashes that you created with pwdump3 (in our example, we used "hasdumpfile.txt") or retrieved on Metasploit, then click on the "Next" button.

We can now right-click on the hashes and select what type of hash crack we want to proceed with. The fastest method is to use the "Dictionary attack."

If you navigate to the Cain folder on your system, you will see a folder called "Wordlist." You can use this relatively small word list or any other word list of your choice (there are numerous word lists available on the Internet with millions of words).

This method attempts all words from the dictionary file to find password matches, and generally is very fast as it can search through even a large dictionary file in just a few minutes. If this fails, select "Hybrid Attack" and finally, a "Brute-Force Attack." A brute force might be slow, but eventually, it will crack all passwords.

Okay, stay connected here at Null Byte, because we have more exciting Hack Like a Pro guides coming up soon!

Magnifying glass and password text images via Shutterstock

60 Comments

First of all i need to thank you for taking out time from your busy schedule teaching us with a lot of Important Info. which i was never knowing. Just need to know About Shodan Search engine. I'm new to it. Can you please Write an Article On Shodan & the searches we can use & filters in Shodan.

I will be very much Thankful too you :)

Naught:

I'll put Shodan on my list to write about in the near future.

OTW

Thank :)

Can You provide An Best Alternate to Google. Except Shodan & duckduckgo

Naughty:

Yes, I can do that. What is your primary issue with google?

OTW

They Have Removed The Safe Search Option, I don't Get the Desired Result Even After Applying Filters, Like I used One Google Dork inurl:".com/view.php?page=../ to Search For Pages On which I can Try Remote File Inclusion......But I am very Unsatisfied With the Result.. :(

Jake:

If you are asking where the hashfiledumpfile.txt will be after running pwdump, it should be in the pwdump directory.

OTW

how to do it in backtrack 5 r3 ?

Rico:

Welcome to Null Byte!

I have a tutorial on grabbing and cracking Linux passwords here

OTW

Is there any way to grab Windows passwords using backtrack besides Metasploit? in other words, is pwdump2 only used when run on windows machines?

One more thing, there is something similar in BTr5 called samdump. What is that used for?

Thank you so much for your help

Jared:

I'm not sure what you asking in the first question. pwdump2 only works on Windows systems as it is a Windows dll.

samdump only works if the system is offline.

OTW

You answered my question. Was wondering if pwdump2 could be run on BTr5 to grab passwords off of windows, but you answered that.

Thanks!

Hello. I can't find it now, but I read somewhere, perhaps not on this site, that you can create and use a custom dictionary for use with Cain. Well, I read that here. What I read elsewhere was that you can create a dictionary using things you know like pet names, birthdays, phone numbers, relative names, etc. I've seen multiple references to creating a custom dictionary, but nowhere can I find instructions on how to actually DO IT. I tried creating a txt file with the words I wanted to try, but even when I plug in the exact password into this txt file (I know the password for this Windows 7 acct because it's a test account) it still isn't successful. There has to be a certain way to format it or something that I'm not aware of. I strongly suspect that the Win 7 acct I'm trying to crack likely contains a pet name and/or address, and something from 0123456789. I need to create a custom dictionary with all of the things I want to try but don't know how to do it. Any help would be greatly appreciated.

Matt:

First, I need to know a bit more info. Are you trying to crack captured hashes from the SAM file? If so, what is the encryption being used?

Cracking password strategies is dependent upon what passwords you are trying to crack and how they are encrypted.

OTW

Thank you for your quick response. I'm not sure about the encryption type. However, it is a 32-bit Windows 7 Home Premium machine that I'm trying to crack. I dumped the hashes from the SAM and I'm using Cain & Abel on my desktop (a 64-bit Windows 7 Ultimate machine) to do the actual cracking. Hopefully that will help determine what you need to know. I also added a screenshot from Cain that may or may not help. The account on top is the one I need to crack. The one on bottom is a test account that I set up on my desktop machine for testing. I know the password for that one. TIA

Matt smith, i believe theres an app for linux called CUPP that helps make great custom dictionairies. OTW - i was wondering if you could elaborate on the method to turn my dict. list (rockyou, ect.) into the hash values. I know its different per SSID so i would have to do it per crack, but i think it was genmpk or something to make the , uh, rainbow tables is it?

Thanks for the info. I have a dual boot with Kubuntu, so I will look into CUPP. I also ran across something called "crunch" on Sourceforge. I believe it is a Linux app as well. I will look into it too. I was hoping there would be something simple where you just provide the words and numbers you believe may have been used in the password, and the software would then build the dictionary for you. Then I could run a dictionary attack in Cain and use that dictionary.

OK, my mind is blown. I have no idea what is going on. I can download the test dictionary from here http://www.rainbowtables.net/tutorials/dictionary.php and then add the password that I know for my test account to that test dictionary. I then run a dictionary attack using that test dictionary and it is successful at cracking my test account. However, if I create my own wordlist/dictionary with the same exact password in it, it fails every time. I'm beyond stumped.

Matt:

First, there is an app in metasploit's SET that generates passwords based upon info you input about the target such as pet names, address, spouse, children's name, etc.

Second, what are you using create your wordlist? You must use notepad and be careful to format the data just like the default wordlists that work.

OTW

what is the name of that app in SET called OWT?

thanks!

And if i remember right matt i think cupp lets u add all sorts of details about the target and u can add names, words, or numbers for it to make up all kinds of combinations with to more precisely hone in on your targets possible passwords he would choose.

Hello again. I have been using a Windows application to generate wordlists. I have also created my own lists from scratch containing just the known correct password and it fails. I originally used Notepad. Since that wasn't working, I thought maybe it was a formatting or encoding issue. I've tried Notepad, MS Word, Wordpad, and Notepad++. Same result every time. I started a forum thread over here https://null-byte.wonderhowto.com/forum/desperately-need-assistance-with-cain-and-ntlm-hash-dictionary-cracking-0149399/ in case having an outright discussion isn't appropriate for the comment thread here. Anyway, I'm going to change the test account password to something arbitrary and then test. If no luck, I'll post a link to my test wordlist in the thread. I figure this isn't the place to have a thorough discussion about my specific issues. Thanks for the responses.

Matt:

Notepad and notepad++ should work, if the formatting is correct. The apps will not.

OTW

how do you crack hashes of a windows 8 system?

in this tutorial you used cain and abel but thats for windows and i was wondering how to do it on a linux.

I tried to use john to crack the hashes like i read somewhere else, but it recognizes the hash as "nt" or "nt2" but I've looked up the actual type and its really supposed to be "md4". I tried using the "--format=raw-md4" but that didnt work either so Im at a stand still and not sure where to go.

Eight:

I believe that Windows 8 is using the same hashes as Windows 7, that is NTLMv2. No one uses MD4 anymore as it is seriously flawed.

You can take the hashes out and run them through Cain and Abel on a Windows machine or John the Ripper in Linux. JtR does auto detecting of the hash, but in Cain and Abel you should select NTLMv2.

OTW

JtR does auto detect but it can't tell if it is nt or nt2, and neither of which is NTLMv2 or i dont think they are. Also it doesnt have a format for a hash type of NTLMv2, but the closest one, netntlmv2, does not work

Hi, i have a problem, when I enter the command prompt for the pwdump3 app, i get an error in the command screen, saying that it can't open my admin map in 5 or something like that. Any idea what this means?

Hello all , and Master!

So, i have question how to use the Cain and abel to crack pasword for web page (server game) if i know usernames.

Lets say, havent used acc, and made it ages ago. So i dont have the (dont remember the pasword for e-mail to recover as resend it, also dont remember evein the email i have putted ages a go. Lets say, i have stoped paly for while. Now i want it :)

So, how i can use cain and abel to crack it? The paswprd list, etc stuff. How does it looks to do it.

The addresse is www.lordswm.com orgin sever were i made account. Now its been merger with heroeswm.ru. but .com is english, .ru rus.

I would be thankfull, for help- tuto, advise.
I m new in this thing, and want to learn more and more... not to do bad things, but to do for my self :)

Is there a way to bruteforce without a wordlist, but with a pattern?
Like say for example I know the password follows a pattern;
#bk##ksow#

where # is some number. So i know their password has a number, then "bk", then a 2 digit number, then "ksow", then another number and I want to bruteforce based on this knowledge. Or alternatively, I know the password contains the string "w1r3l355" in it and is somewhere between 9 to 13 characters long?

Cain and Abel allows you to brute force with a specific character set and number of characters.

You might enhance some of the open source password crackers with that specificity.

Hi Sir, i have read some of your tutorials about cracking passwords of windows, i was wondering if there is a way to crack window 7 password remotely through window 7 or backtrack?

if there is a way that you can tell me, i will be very thankful to your help...
Regards...

Muhammad:

Welcome to Null Byte!

Yes, you can crack Windows 7 passwords remotely. First, you need to exploit the Windows 7 system remotely using Metasploit or other hack (see my Windows 7 hacks). Then upload pwdump and sumdump.dll to the system. Then, extract the hashes and download to your computer where you can then crack the hashes.

OTW

master i,m using win 7 , i tried to install pwdump3 but i couldn't able to install it...my antivirus showing it a malicious file.

It is a malicious file. Turn off you antivirus software.

hello!
i am unable to run the pwdump3

it is in d drive in folder pw i navigated to it but when i am writing the comand to take the hashfiles it is showing logon to \\rajiv3269\admin$ failed:code 53

pls help me

Also, that code 53 usually means that the path to the drive is not found. Make certain that your path is correct to pwdump3.

OTW

Rajiv:

Are you running the command prompt as administrator?

OTW

I want to know how to hack gmail account i have only email id..?

why I get empty hast.txt file after I run pwdump3 ???

Akakus:

I'm not sure. Can you give us more information?

when I run the command, it says complete. However when I check the text file in the pwdump3 directory I find it empty NO hashes . I am running win7 OS 32-bit. AND THERE one more thing the moment it says complete it restarts automatically .

Note : I disabled the Anit-virus already...

In the pwdump3 command, what are you using for the name of your computer?

I run hostname in the cmd and used that displayed name : Akakusxx

Can you give us a screenshot?

I was able to get the hashes using pwdump7 I ran it and I GOT them. Now I am using Cain and Abel to break the hashes. First pwd was cracked and the second is little harder and was not in the dictionary list , so I used Brute force. However it took a while , so i decided to go with the online cracking , and got the second one too .Thanks .

Question popped up in mind just now what do you mean by Hybrid attack , is it in the Cain and Abel program or u mean the Hybrid attack within Kali Linux

Hello,

Can you tell me how to crack password windows 8 64 bit.

I can't install those program because i don't have the administrator privilege. i need the password for the admin privilege.

and i don't want to change the password
thanks.

I want to know this too...

c:/user/Desktop/pwdump3 mycomputer hashdumpfile.txt

When i insert the command line it can't find pwdump3. What could this problem be due to?

Hi there :D

Maybe you have already mentioned it, but im new in all this but would like to learn :)

I have read something abou Cain and Abel bur that seem to only work if the person has used your computer.

So my question is how can i use brute force or something easy and similar to gues someones password ?

This is of cource only to private use because it is fun :D

how do we get gmail or facebook password

pwdump3 doesn't work for me. I'm using pwdump3v2, and trying it on a spare laptop running windows 8.1.
I get the following error message:
Logon to \\mypc\ADMIN$ failed: code 53
mypc is where the actual name of the laptop is.

I think the vulnerability in LSASS that pwdump3 exploits has been fixed in windows 8.1, but is there something else I can do?

so does that mean Kali Linux does not have Cain and Abel for cracking windows passwords

I'm not this computer savvy. Is there a simple so called plug and play download to hack dating and porn sites?

Hi, my .txt files are coming back empty any suggestions?

BTW great tutorials OTW

All of my .txt files don't have anything in them. I've tried pwdump 3, 4, 6, and 7. None of them have worked so far. I have ran the command prompt as an administrator, as well. So far I have gotten nothing back. Any suggestions would be welcome. Help needed.

Hi OTW,

You were talking about saving the list as *.txt with Notepad.
What do you use for the mac?

Share Your Thoughts

  • Hot
  • Latest