Obtaining Windows Password Hashes

When attempting to determine the password on a windows system, the first step is to get access to the hashed version of the password. Notice that I said that you’re trying to get the hashed version of the password, and not that you’re trying to get the actual password.  This is an important distinction to make, and one that sometimes causes confusion in people new to the topic. To be clear, if you configure your login password as “mYpasSword”, windows doesn’t store that string somewhere. What it does is pass the password through a hash function, and stores the resulting hash. A hash is a mathematical function that that takes input and returns a fixed block bit stream. The resulting stream is very different even with slight changes to the password. (note: The following examples are generated with the MD4 hashing algorithm.)

So, for example, if a user configures their password to be ‘cat’, the resulting hash that windows would store would be ‘1c3ea6f2b8cf5653460ddf549a52ff4b’. Some important features of any cryptographic hash function are:

  1. Making a small change to the password has a significant change on the hash. For example, the password for ‘bat’ would be: ‘f1af0722af2b86261ae6956048ff0fc6′.
  2. The resulting hash is a fixed string. So longer passwords don’t result in longer hashes. The password ‘&&$ks0(–REALLYLONGPASSWORDEXAMPLE904903$$’ results in a hash of ‘47e738e4225a494e39f8b7a8014ffe3c’
  3. Generating the hash for the same input will consistently give you the same output. This is why some (non-windows) systems salt passwords… a topic we’ll get into a little later.

Okay, so how do we get to the hash? Typically, you’ll need one of two things. Either you’ll need admin access to the system storing the hash, or you’ll need physical access to the system. We’ll extract the hash of a windows 7 system using both of these methods.  Note: Even though all of the following examples are done on a Windows 7 system, they will still work on older versions of Windows.

If you have admin access to a system, then one of the easiest ways to get access to the hash is with one of my favorite tools, Cain and Abel. You can download Cain and Abel from http://www.oxid.it/cain.html. As you can see, this tool offers a LOT of features related to password cracking including options to perform dictionary, brute-force, and rainbow attacks against hashes. If you don’t know the difference between these, you can read about them here.

After you’ve downloaded and installed C&A on the system storing the hashes you’d like to discover, just launch Cain from the programs list. On Vista/7 you’ll need to right-click on Cain and select the option to run it as administrator.

The main page looks like this:

Cain and Abel Main Menu

Select the Cracker tab, and then click “LM & NTLM Hashes” from the long list of options on the left. Note all of the other options including cracking MD5, SHA1, CHAP, and WPA-PSK Hashes.

Click in the blank area of the window and hit the insert button (or right-click and select add to list).

Cain and Abel LM/NTLM add to list option

Leave the “Import Hashes from local system” radio button selected and click Next.

Cain and Abel import hashes menu  

There are two VERY important things to notice with the result from my test machine below.

  1. All of the LM hashes show as the same.  This is because by default, Windows 7 (Vista too) no longer enable the storage of the LAN Manager credentials by default!  This is a VERY nice thing to see from the security side (not so nice for the attacker), since LM was so insecure.  If you aren’t running Vista or 7, you can manually disable the storage of the LM hash by following the instructions here.
  2. The NTLM hash values for user1 and user2 are the same.  You may think this is expected since their passwords are the same.  Unfortunately, Windows 7 still doesn’t take advantage of a password salt, which would result in the same password generating a different hash.  This simple mechanism defeats many hash attacks, and has been in use by other systems since the 70’s.  Note, I’ve seen a LOT of confusion about salts, so I’ve written a small blurb about them to (hopefully) help clarify this subject a bit more.
Cain and Abel list of users and their hashes

Now that we have the hashes, it’s time to try to figure out what the passwords are. Since we’re using Cain for this, we can do this discovery right from the same window. Just right click on the hash you’d like to test (or hold control and select multiple hashes), and select the type of attack you’d like to perform against the hash. I’ve given an overview of each of the different attack types in the article Cracking the Hash.

You can still easily get the password hashes from a system that you do not have admin access on if you have physical access to the system. This is done by using a bootable CD, and then accessing the hashes outside of windows.

One popular option for attempting to get the hashes this way is Ophcrack (available from http://ophcrack.sourceforge.net/). Since a lot of articles on this site will rely on the BackTrack, we’ll be using it to get the hashes in this demonstration.

BackTrack is a bootable linux build that comes pre-loaded with tools useful for penetration testing.  It can be downloaded from http://www.remote-exploit.org/backtrack_download.html.  After downloading and burning it to a CD, you should be able to BackTrack from the CD and run it without making any changes you your installed OS.  This process is fairly straight forward, so I won’t go into details about it here.  After you’ve booted to backtrack (you can type startx at the prompt to launch the gui if you want to have it up for easier exploration), we’ll need to do three things.

First, we need to make our windows drive accessible. To do this, we’ll create a mount point, and mount our system drive.  In my test system, the windows partition was on /dev/sda2, but your location may vary. To make the mount point, type

mkdir /mnt/a

Then to actually mount your windows partition, type

mount -t ntfs /dev/sda2 /mnt/a

That should allow you to successfully browse your windows files.

Backtrack terminal window showing that windows files are now visible from Linux

(Note: The above image truncates the output of the hash.  Storing the result directly into a text file as demonstrated below will keep the entire hash.)

This can be copied into a text file easily by doing this:

 samdump2 /mnt/a/Windows/System32/config/SAM out > hashes.txt

At this point we’ve successfully retrieved our hashes, both from within windows using a privileged account, and from a bootable CD taking advantage of having physical access to the system.

Now the fun begins.  To actually discover the passwords from the found hashes, we can use a number of methods, all covered in the article “Cracking the Hash“.