This allows a hacker to steal a password hash with a well-crafted phishing email.īoth of these techniques have their pros and cons. A hacker who sends a user a link pointing to a file on a hacker-controlled server can trick the target computer into trying to authenticate with the current login credentials. Password hashes can also be stolen by taking advantage of authentication to a remote server. The SAM file is not directly accessible on a running Windows system, but it can be accessed via tools like Mimikatz or through the reg command (if the hacker has SYSTEM privileges). If a hacker can access both of these files (stored in C:WindowsSystem32Config), then the SYSTEM file can be used to decrypt the password hashes stored in the SAM file. Windows password hashes are stored in the SAM file however, they are encrypted with the system boot key, which is stored in the SYSTEM file. The most common is taking them directly from the machine in question. Windows password hashes can be acquired in a few different ways. Cracking a Windows password hash is a three-step process:įor all of these stages, the best choice often depends on the details of the ethical hacking engagement and the intended target.
Since the Windows hash function is based on the weak MD4 algorithm, cracking these passwords is often easier than those protected by an equivalent modern cipher.
While it has been replaced by Kerberos for network authentication, NTLM is still used for saving passwords locally in the Windows SAM file. NTLM is weaker than modern algorithms because it is based on the MD4 cipher. With NTLM, cracking Windows passwords is more difficult but still possible. Passwords broken into two chunks and hashed separatelyĪs a result, passwords stored in the LANMAN format were trivially easy to crack.