Project X16: Cracking Windows Password Hashes with Hashcat (15 pts.)

What You Need for This Project

Creating a Windows Test User

On your Windows 7 machine, click Start.

Type in CMD and press Shift+Ctrl+Enter.

If a "User Account Control" box pops up, click Yes.

In the Administrator command prompt window, execute this command:

net user jose password /add

Downloading and Installing Cain

In a browser, go to

http://www.oxid.it/cain.html

Download Cain & Abel for Windows NT/2000/XP. Install it with the default options.

Troubleshooting

If that page is blocked, which it is on many college campuses, you can get a version of Cain from my Website here:

http://samsclass.info/123/proj10/ca_setup.7z

It's a password-protected 7-Zip archive. The password is sam

If you don't have 7-zip, get it here:

http://7-zip.org/

Extracting Password Hashes with Cain

On your Windows 7 desktop, right-click the Cain icon and click "Run as Administrator".

If a "User Account Control" box pops up, click Yes.

In Cain, on the upper set of tabs, click Cracker.

In Cain, move the mouse to the center of the window, over the empty white space.

Right-click and click "Add to list...".

In the "Add NT Hashes from" box, accept the default selections and click Next.

The password hashes appear, as shown below.

Understanding Password Hashes

There are two password hashes: LM Hashes and NT hashes.

LM hashes are very old and so weak that even Microsoft finally stopped using them by default in all Windows versions after Windows XP.

NT hashes are Microsoft's "more secure" hash, introduced with Windows NT in 1993 and never updated in any way since. As you will see, these hashes are also very weak and easily cracked compared with Linux password hashes.

Cracking four Linux hashes took about 20 seconds using a dictionary of 500 words when I did it, but as you will see, you can crack four Windows passwords using a dictionary of 500,000 words in about a second. Windows password hashes are more than 10,000 times weaker than Linux hashes.

Notice that your NT password hash starts with 8846, just like mine. This is because Microsoft doesn't salt hashes--every user on every Windows machine on Earth who uses the password "password" has exactly the same NT hash.

That means you can often crack Windows password hashes by just Googling them, because many lists of common passwords and hashes have been uploaded to the Internet over the last 20 years.

However, we'll use hashcat, which is a very powerful way to crack passwords.

Exporting the Hash to a Text File

In Cain, right-click jose and click Export. Save the file in your Documents folder with the name win1 in the default format (L0phtCrack 2.x file).

Open the win1.lc file in Notepad.

Carefully highlight the NT hash for Jose, as shown below, right-click it, and click Copy.

Pasting the Password Hash into Kali Linux

In your Kali Linux machine, in a Terminal window, execute this command:

nano win1.hash

In the nano window, from the menu bar at the top, click Edit, Paste.

The hash appears, as shown below:

Press Ctrl+X, Y, Enter to save the file.

Downloading a Wordlist

We'll use a list of approximately 500,000 commonly used passwords from the RockYou breach.

In a Terminal window, execute these commands:

curl http://contest-2010.korelogic.com/wordlists/RockYou-MostPopular500000PassesLetters_less50000.dic.gz > rock.dic.gz

gunzip rock.dic.gz

head rock.dic

You should see the first ten passwords, as shown below:

Troubleshooting

If that server is down, use these commands instead:

curl https://samsclass.info/123/proj10/RockYou-MostPopular500000PassesLetters_less50000.dic.gz > rock.dic.gz

gunzip rock.dic.gz

head rock.dic

Getting Hashcat 2.00

Hashcat has been updated to 3.00, and that version won't run in a virtual machine anymore. The simplest solution is to use the old version.

In a Terminal window, execute these commands:

cd
mkdir hash
cd hash
wget https://hashcat.net/files_legacy/hashcat-2.00.7z
7z e hashcat-2.00.7z
./hashcat-cli32.bin -V

Troubleshooting

If that link doesn't work, use this one:

wget https://samsclass.info/123/proj10/hashcat-2.00.7z

Cracking the Hash

In a Terminal window, execute these commands:

cd

./hash/hashcat-cli32.bin -m 1000 -a 0 -o winpass1.txt --remove win1.hash rock.dic

Type YES and press the Enter key.

In a Terminal window, execute this command:

cat winpass1.txt

Explanation: This uses hashcat with these options:

-m 1000 selects the hash type: NT hashes.

-a 0 selects a straight (dictionary) attack: each word in rock.dic is hashed and compared with the target hash.

-o winpass1.txt writes each cracked hash, followed by its password, to that file.

--remove deletes each hash from win1.hash once it has been cracked.

win1.hash is the file of hashes to crack, and rock.dic is the wordlist.

You should see the hash, with the cracked password of "password" at the end, as shown below:

Saving a Screen Image

Make sure the Terminal window is visible, showing the cracked password of "password".

Click on the host machine's desktop, outside the virtual machine to make the host machine's desktop active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT.

In the host machine, open Paint and paste in the captured image. Save it as "Your Name ProjX16a".

Getting the win2.hash List

In a Terminal window, execute these commands:

curl https://samsclass.info/123/proj10/win2.hash > win2.hash

cat win2.hash

You should see four password hashes, as shown below:

Cracking the Hashes

In a Terminal window, execute this command:

./hash/hashcat-cli32.bin -m 1000 -a 0 -o winpass2.txt --remove win2.hash rock.dic

Type YES and press the Enter key.

In a Terminal window, execute this command:

cat winpass2.txt

You should see the hashes, with the found passwords at the end of each line, as shown below. (I redacted the passwords.)

Saving a Screen Image

Make sure the Terminal window is visible, showing the found passwords.

Click on the host machine's desktop, outside the virtual machine to make the host machine's desktop active.

Press the PrintScrn key to copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT.

In the host machine, open Paint and paste in the captured image. Save it as "Your Name ProjX16b".

Turning in Your Project

Email the images to cnit.123@gmail.com with a subject line of "Proj X16 From Your Name", replacing "Your Name" with your own first and last name. Send a Cc to yourself.

Sources

http://www.vidarholen.net/contents/junk/files/sha512crypt.bash

http://hashcat.net/files/hashcat_user_manual.pdf

http://contest-2010.korelogic.com/wordlists.html

http://www.scovetta.com/article-2.html


Last modified 12-8-16