Brute Force Windows 11 Passwords With Hashcat
Learn how to brute-force Windows 10 & 11 passwords using Hashcat.
Hashcat is a powerful password recovery tool that supports a wide range of hashing algorithms. This tutorial will guide you through the steps to brute-force a Windows password using Hashcat.
Requirements
- A computer with Hashcat installed.
- A Windows machine from which the hashed passwords have been extracted.
- Basic knowledge of command-line interface (CLI).
1. Extracting the Windows Password Hashes Using samdump2
To brute-force a Windows password, you first need the password hashes from the Windows machine. Local account hashes live in the SAM registry hive, which is encrypted with a key derived from the SYSTEM hive, so you need both files. samdump2 decrypts the SAM with that key and prints the hashes in pwdump format.
- Download and install samdump2: on a Linux machine, install it with your package manager. For example, on Debian-based systems:
sudo apt-get install samdump2
- Boot into a live Linux environment: use a live Linux USB drive to boot the target Windows machine into Linux. Windows keeps the SAM hive locked while it is running, which is why the hives are read offline. If the system drive is BitLocker-encrypted you will not be able to mount it without the recovery key.
- Mount the Windows partition: identify the Windows partition with
sudo fdisk -l
and mount it read-only. Windows 10 and 11 enable Fast Startup by default, which leaves the NTFS volume in a hibernated (dirty) state; a read-only mount avoids damaging it. For example (the partition number will differ between machines):
sudo mkdir -p /mnt/windows
sudo mount -o ro /dev/sda2 /mnt/windows
- Extract the hives: copy the SYSTEM and SAM files out of the registry directory:
sudo cp /mnt/windows/Windows/System32/config/SYSTEM /mnt/
sudo cp /mnt/windows/Windows/System32/config/SAM /mnt/
- Dump the hashes with samdump2:
samdump2 /mnt/SYSTEM /mnt/SAM > /mnt/hashes.txt
Check the output before moving on. Since Windows 10 version 1607 the SAM hive is AES-encrypted, and older samdump2 builds (before 3.0.0) cannot decrypt it: they still print a line per account, but the NT hash field is wrong, often the empty-password hash 31d6cfe0d16ae931b73c59d7e0c089c0 for every account. If every account shows the same hash, upgrade samdump2 or use a dumper that supports the AES format, such as Impacket's secretsdump:
secretsdump.py -sam /mnt/SAM -system /mnt/SYSTEM LOCAL
2. Setting Up Hashcat
- Download Hashcat: visit the Hashcat website and download the latest version. Many Linux distributions also package it; on Debian-based systems: sudo apt-get install hashcat
- Extract the archive to a desired location.
- Check that Hashcat detects your GPU or CPU with ./hashcat -I, and benchmark NTLM with ./hashcat -b -m 1000 to learn how many hashes per second your hardware can test. You will need that figure to judge which masks are feasible.
3. Preparing for the Attack
Windows 10 and 11 store local account passwords as NT hashes (MD4 of the UTF-16LE encoded password; Hashcat calls this hash type "NTLM"). samdump2 writes them in pwdump format, one account per line:
user:rid:lmhash:nthash:::
Modern Windows does not store LM hashes, so the third field is the constant aad3b435b51404eeaad3b435b51404ee, which means "no LM hash". The NT hash is the fourth field: 16 bytes written as 32 hexadecimal characters.
Creating a Hash File
Create a file containing only the NT hashes by removing the user name, RID and LM hash from each line. For example, create ntlm_hashes.txt
with lines like:
63289B7E7462C3300A2B2CC7C72D260C
Keep the original hashes.txt: Hashcat reports cracked passwords by hash, not by user name, so you need it to map results back to accounts. You can also drop any line whose NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0; that is the hash of the empty password and belongs to accounts with no password set, typically built-in accounts such as Guest or DefaultAccount.
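The following Python script is an added example, not code from the original tutorial: it parses samdump2's pwdump-format output into the NT-hash-only file Hashcat expects, drops empty-password accounts, flags a dump in which every account shows the same hash (the usual sign that the dumper could not decrypt a modern SAM), and maps Hashcat's hash:password results back to account names. The sample dump lines are constructed for illustration; the hash values in them are the article's own example hash plus the well-known NT hashes of "password" and of the empty password.

```python
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # placeholder meaning "no LM hash stored"

# Constructed sample of samdump2 output (user:rid:lmhash:nthash:::); not a real dump.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:63289B7E7462C3300A2B2CC7C72D260C:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:63289b7e7462c3300a2b2cc7c72d260c:::
"""


def parse_pwdump(text):
    """Return one dict per account: user, rid (int), lm, nt (both lowercase hex).
    Raises ValueError on a line that is not valid pwdump format."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        # user:rid:lm:nt::: splits into seven fields, the last three empty
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: not pwdump format: {line!r}")
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2], fields[3]
        if not (HEX32.match(lm) and HEX32.match(nt)):
            raise ValueError(f"line {lineno}: hash fields must be 32 hex chars")
        records.append({"user": user, "rid": rid, "lm": lm.lower(), "nt": nt.lower()})
    return records


def nt_hashes_for_hashcat(records, skip_empty=True):
    """Unique NT hashes in first-seen order, ready to write to ntlm_hashes.txt.
    Accounts with no password (empty-password hash) are dropped by default
    because cracking them tells you nothing."""
    seen, out = set(), []
    for r in records:
        if skip_empty and r["nt"] == EMPTY_NT:
            continue
        if r["nt"] not in seen:
            seen.add(r["nt"])
            out.append(r["nt"])
    return out


def dump_looks_broken(records):
    """Heuristic sanity check: if several accounts (including RID 500, which
    normally has a password) all show one identical NT hash, the dumper most
    likely failed to decrypt the SAM, e.g. an old samdump2 on a Windows 10/11 hive."""
    return len(records) > 1 and len({r["nt"] for r in records}) == 1


def map_cracked(records, found_text):
    """Map hashcat's found.txt lines (hash:password) back to account names.
    A hash shared by several accounts maps to all of them (reused password).
    hashcat writes non-printable plaintexts as $HEX[...]; those are kept as-is."""
    cracked = {}
    for line in found_text.splitlines():
        if ":" not in line:
            continue
        h, password = line.split(":", 1)   # the password itself may contain ':'
        cracked[h.strip().lower()] = password
    return {r["user"]: cracked[r["nt"]] for r in records if r["nt"] in cracked}


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_DUMP)
    if dump_looks_broken(recs):
        print("warning: all accounts share one NT hash; check your samdump2 version")
    # Contents of ntlm_hashes.txt, one hash per line, as passed to hashcat -m 1000
    print("\n".join(nt_hashes_for_hashcat(recs)))
    # Constructed found.txt content as hashcat would write it after a successful run
    found = "8846f7eaee8fb117ad06bdd830b7586c:password\n"
    print(map_cracked(recs, found))
```

Redirect the printed hash list to ntlm_hashes.txt, or write it from the script; either way keep hashes.txt so map_cracked can turn found.txt back into account names once Hashcat has finished.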
4. Running Hashcat
- Open a Terminal.
- Navigate to the Hashcat Directory:
cd /opt/hashcat-<version>
- Execute Hashcat with the Correct Options:
- For NT hashes, use hash mode 1000 (Hashcat's "NTLM").
- Specify a mask describing the password length and character classes. For example, to brute-force passwords of exactly 8 lowercase letters:
./hashcat -m 1000 -a 3 -o found.txt /path/to/ntlm_hashes.txt ?l?l?l?l?l?l?l?l
To include digits as well, define a custom charset and use it in the mask (?1 here stands for "a lowercase letter or a digit"):
./hashcat -m 1000 -a 3 -o found.txt -1 ?l?d /path/to/ntlm_hashes.txt ?1?1?1?1?1?1?1?1
Example Command Breakdown
-m 1000: specifies the NTLM hash type.
-a 3: selects the mask (brute-force) attack mode.
-o found.txt: specifies the output file for cracked passwords.
/path/to/ntlm_hashes.txt: the input file containing the NT hashes.
?l?l?l?l?l?l?l?l: mask for 8-character passwords made of lowercase letters (?l). The other built-in classes are ?u (uppercase letters), ?d (digits), ?s (punctuation and space) and ?a (all printable ASCII).
The keyspace grows exponentially with length and charset: 26^8 is about 2.1 x 10^11 candidates, 36^8 about 2.8 x 10^12 and 95^8 about 6.6 x 10^15. Compare the keyspace with the rate from ./hashcat -b -m 1000 before committing to a mask. For longer or more complex passwords, a wordlist with rules (for example -a 0 -r rules/best64.rule) usually succeeds far sooner than exhaustive brute force.
5. Monitoring the Attack
Hashcat displays progress, speed, the estimated time to completion and the number of recovered hashes in the terminal. While it runs you can press s to print the status, p to pause, r to resume, c to checkpoint (stop at the next restore point) and q to quit. Start long jobs with --session <name> so that an interrupted run can be continued later with ./hashcat --session <name> --restore.
6. Analyzing the Results
Once the attack is complete, cracked passwords are saved in the specified output file (found.txt) in the format:
<hash>:<password>
Each entry is identified by its hash, not by a user name, so match it back against hashes.txt to find the account. Hashcat also records every crack in its potfile (hashcat.potfile) and skips already cracked hashes in later runs; you can list everything cracked so far with:
./hashcat -m 1000 /path/to/ntlm_hashes.txt --show
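Choosing a mask sensibly (section 4) and trusting what ends up in found.txt (section 6) both become easier when you can compute an NT hash yourself. The script below is an added example, not code from the original tutorial: it implements NT hashing (MD4 over the UTF-16LE encoded password) in pure Python, because hashlib's MD4 is frequently unavailable under OpenSSL 3; it computes how many candidates a Hashcat mask generates, including custom charsets given with -1 to -4; and it re-verifies found.txt lines by recomputing each hash. The found.txt content in the block is constructed for the example.

```python
import struct
from functools import reduce


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because OpenSSL 3 ships MD4 only in its
    legacy provider so hashlib.new('md4') often raises on current systems."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate roles: next step updates old d
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The NT hash Windows stores in the SAM: MD4 of the UTF-16LE password, as hex."""
    return md4(password.encode("utf-16le")).hex()


# Sizes of hashcat's built-in mask character classes.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256, "h": 16, "H": 16}


def _positions(spec, sizes):
    """Yield the number of choices for each position of a mask or charset spec."""
    i = 0
    while i < len(spec):
        if spec[i] == "?":
            if i + 1 >= len(spec):
                raise ValueError(f"dangling '?' in {spec!r}")
            c = spec[i + 1]
            if c == "?":
                yield 1                          # '??' is a literal question mark
            elif c in sizes:
                yield sizes[c]
            else:
                raise ValueError(f"unknown charset ?{c} in {spec!r}")
            i += 2
        else:
            yield 1                              # any other character is literal
            i += 1


def mask_keyspace(mask, custom=None):
    """Number of candidates a hashcat mask generates. custom maps '1'..'4' to the
    charset given with -1..-4, e.g. {'1': '?l?d'}. Duplicate characters inside a
    custom charset are not collapsed here, so this is an upper bound for such specs."""
    sizes = dict(CHARSET_SIZES)
    for name in sorted(custom or {}):
        sizes[name] = sum(_positions(custom[name], sizes))
    return reduce(lambda x, y: x * y, _positions(mask, sizes), 1)


def verify_found(found_text):
    """Recompute the NT hash for each hash:password line of found.txt.
    Returns (ok, bad): ok holds (hash, password) pairs that check out, bad the
    lines that do not. hashcat writes non-printable plaintexts as $HEX[..]; it
    widens each byte to a UTF-16LE code unit, which latin-1 decoding reproduces."""
    ok, bad = [], []
    for line in found_text.splitlines():
        if ":" not in line:
            continue
        h, plain = line.split(":", 1)
        pw = plain
        if plain.startswith("$HEX[") and plain.endswith("]"):
            pw = bytes.fromhex(plain[5:-1]).decode("latin-1")
        (ok if nt_hash(pw) == h.strip().lower() else bad).append((h.lower(), plain))
    return ok, bad


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    for mask, custom in (("?l?l?l?l?l?l?l?l", None), ("?1?1?1?1?1?1?1?1", {"1": "?l?d"}),
                         ("?a?a?a?a?a?a?a?a", None)):
        print(f"{mask:>20} -> {mask_keyspace(mask, custom):,} candidates")
    # Constructed found.txt content; the third line deliberately does not verify.
    sample = ("8846f7eaee8fb117ad06bdd830b7586c:password\n"
              "31d6cfe0d16ae931b73c59d7e0c089c0:\n"
              "63289b7e7462c3300a2b2cc7c72d260c:wrong\n")
    print(verify_found(sample))
```

Divide a mask's keyspace by the NTLM rate reported by ./hashcat -b -m 1000 to get the worst-case running time in seconds; that arithmetic, rather than guesswork, is what should decide between a mask attack and a wordlist with rules.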
Conclusion
Brute-forcing a Windows password with Hashcat involves extracting password hashes, setting up Hashcat, and running the brute-force attack with the appropriate settings. While brute-forcing can be time-consuming, Hashcat's efficiency and speed can significantly reduce the time required to recover passwords. Always ensure you have proper authorization before attempting to crack passwords.