Crack NTLM Hashes from a Windows System


Introduction

In this lab, you will delve into the world of password security by learning how to crack NTLM (NT LAN Manager) hashes. NTLM is a hashing algorithm used by Microsoft Windows systems to store user passwords. Understanding how these hashes can be cracked is a fundamental skill in penetration testing and security auditing.

You will use Hashcat, a powerful and popular password recovery tool, to perform a dictionary attack against a sample NTLM hash. By the end of this lab, you will understand the basic process of password cracking and appreciate the importance of using strong, complex passwords.

Understand What NTLM Hashes Are

In this step, you will learn about the basics of NTLM hashes. This foundational knowledge is crucial before attempting to crack them.

NTLM (NT LAN Manager) is a suite of security protocols developed by Microsoft. One of its key functions is to handle authentication. When you set a password on a Windows system, it is not stored in plaintext. Instead, it is converted into a hash value using the NTLM algorithm.

An NTLM hash is a 128-bit value, typically represented as a 32-character hexadecimal string. For example, the NTLM hash for the password "password" is 8846f7eaee8fb117ad06bdd830b7586c.

Because hashing is a one-way process, you cannot directly "un-hash" it to get the original password. However, attackers can use techniques like dictionary attacks or brute-force attacks to guess the password, hash their guess, and see if it matches the target hash. This is the process we will explore in this lab.

There are no commands to execute in this step. Please proceed to the next step to create a sample hash file.

Create a Sample NTLM Hash File

In this step, you will create a file containing a sample NTLM hash. In a real-world penetration test, you would first need to extract these hashes from a Windows system's Security Account Manager (SAM) database. For this educational lab, we will simply create a text file with a known hash.

All your work will be done in the ~/project directory. First, use the echo command to create a file named ntlm_hash.txt and write a sample NTLM hash into it. This hash corresponds to a common, weak password.

echo "8846f7eaee8fb117ad06bdd830b7586c" > ~/project/ntlm_hash.txt

Now, verify that the file was created correctly by displaying its content using the cat command.

cat ~/project/ntlm_hash.txt

You should see the following output, which is the hash you just saved:

8846f7eaee8fb117ad06bdd830b7586c

With the hash file ready, you can now proceed to prepare for the cracking process.

Select the Correct Hash Mode for NTLM

In this step, you will learn how to identify the correct hash mode in Hashcat for NTLM hashes.

Hashcat is a versatile tool that supports hundreds of different hash types, from web application password hashes to operating system hashes. To work correctly, you must tell Hashcat exactly what type of hash you are trying to crack. This is done using a specific mode number.

You can find the mode number for NTLM by searching through Hashcat's help menu. Use the grep command to filter the output for "NTLM".

hashcat --help | grep NTLM

The output will list various hash types related to NTLM. Look for the entry for standard NTLM.

...
1000 | NTLM                                             | Operating System
...

As you can see from the output, the mode number for NTLM is 1000. You will use this number in the next step to tell Hashcat how to interpret the hash in your ntlm_hash.txt file.

Launch a Dictionary Attack against the NTLM Hash

In this step, you will use Hashcat to launch a dictionary attack against the NTLM hash. A dictionary attack is a method of cracking a password by trying a list of common words and phrases, known as a "wordlist" or "dictionary".

The setup script for this lab has already downloaded a popular wordlist called rockyou.txt into your ~/project directory. Now, you will construct the Hashcat command to start the attack.

The command structure is as follows:

  • hashcat: The program name.
  • -m 1000: The hash mode for NTLM, which you identified in the previous step.
  • ~/project/ntlm_hash.txt: The path to your file containing the target hash.
  • ~/project/rockyou.txt: The path to the wordlist.
  • --force: This option tells Hashcat to run even if it detects potential issues with the environment, which can be useful in virtualized labs.

Now, execute the full command in your terminal:

hashcat -m 1000 ~/project/ntlm_hash.txt ~/project/rockyou.txt --force

Hashcat will start. The process may take a few moments as it loads the wordlist and begins comparing hashes. You will see output similar to the following:

hashcat (vX.X.X) starting...

...

Session..........: hashcat
Status...........: Running
Hash.Type........: NTLM
Hash.Target......: 8846f7eaee8fb117ad06bdd830b7586c
Time.Started.....: ...
Time.Estimated...: ...
Guess.Base.......: File (~/project/rockyou.txt)
...

Session..........: hashcat
Status...........: Cracked
...

The "Status...........: Cracked" message indicates that Hashcat has successfully found the password.

Analyze the Cracked NTLM Password

In this step, you will view and analyze the cracked password that Hashcat discovered.

Once Hashcat successfully cracks a hash, it saves the result in a file called a "potfile" (as in "pot of gold"). This prevents you from having to re-crack the same hash in the future. The default location for this file is ~/.local/share/hashcat/hashcat.potfile.

The easiest way to see the cracked password is to use Hashcat's --show option. This command tells Hashcat to display any cracked passwords for the hashes provided in your input file.

Run the following command:

hashcat -m 1000 ~/project/ntlm_hash.txt --show

Hashcat will check its potfile and display the result for your hash:

8846f7eaee8fb117ad06bdd830b7586c:password

The output format is hash:plaintext_password. As you can see, the original password for the hash 8846f7eaee8fb117ad06bdd830b7586c is password.

You can also view the raw potfile directly using the cat command:

cat ~/.local/share/hashcat/hashcat.potfile

This will show the same result. You have now successfully cracked an NTLM hash and recovered the original password.

Summary

In this lab, you have successfully performed a basic password cracking attack against an NTLM hash.

You learned:

  • What NTLM hashes are and how they are used in Windows systems.
  • How to use Hashcat, a powerful password recovery tool.
  • The concept of a dictionary attack and the importance of wordlists like rockyou.txt.
  • The process of identifying the correct hash type, launching an attack, and viewing the cracked password.

This exercise demonstrates how easily weak passwords can be compromised. It highlights the critical importance of using strong, unique, and complex passwords, as well as robust hashing mechanisms, to protect systems and data from unauthorized access.