
Brute Force Windows 11 Passwords With Hashcat

Learn how to brute force Windows 10 & 11 passwords using Hashcat.

Hashcat is a GPU-accelerated password recovery tool that supports several hundred hash types. This tutorial walks through extracting the local account hashes from a Windows 10 or 11 machine and brute-forcing them with Hashcat.

Requirements

  1. A computer with Hashcat installed, ideally with a GPU: NT hashes are unsalted MD4, so even a single consumer GPU tries billions of candidates per second.
  2. Physical access to the target Windows machine (or a copy of its SAM and SYSTEM registry hives), and written authorization to test it.
  3. Basic familiarity with the command line.

1. Extracting the Windows Password Hashes Using samdump2

To brute-force a Windows password, you first need the password hashes. Windows stores them for local accounts in the SAM registry hive, encrypted with a boot key that lives in the SYSTEM hive, and keeps both files locked while it is running. samdump2 decrypts the SAM given both hives, so the hives have to be read with Windows offline.

  1. Install samdump2: It is packaged for most Linux distributions (the Kali live image already ships it). On Debian-based systems:
      sudo apt-get install samdump2
  2. Boot into a Live Linux Environment: Boot the target machine from a live Linux USB drive. Alternatively, copy the two hive files to any Linux machine that has samdump2 and run the remaining steps there.
  3. Mount the Windows Partition: Identify the Windows partition with fdisk -l (the large NTFS partition, not the small EFI or recovery partitions) and mount it read-only. For example:
    sudo mkdir -p /mnt/windows
    sudo mount -o ro /dev/sda2 /mnt/windows
    Two things commonly get in the way here. If the volume is BitLocker-encrypted (the default on many Windows 11 installs), it cannot be mounted, let alone read, without the recovery key. If Windows was shut down with Fast Startup enabled, the NTFS volume is left in a hibernated state and ntfs-3g refuses a read-write mount; read-only is all you need to copy the hives.
  4. Copy the Hives: Copy the SYSTEM and SAM registry hives out of the mounted volume:
    sudo cp /mnt/windows/Windows/System32/config/SYSTEM /mnt
    sudo cp /mnt/windows/Windows/System32/config/SAM /mnt
  5. Extract the Hashes: samdump2 takes the SYSTEM hive first (it holds the boot key that encrypts the SAM), then the SAM:
    samdump2 /mnt/SYSTEM /mnt/SAM > /mnt/hashes.txt

2. Setting Up Hashcat

  1. Download Hashcat: Visit the Hashcat website (hashcat.net) and download the latest binary release, or install your distribution's package (for example sudo apt-get install hashcat on Debian-based systems, which also puts hashcat on your PATH).
  2. Extract the Archive: Extract the downloaded archive to a desired location. Run hashcat -I to confirm it detects your GPU, and hashcat -b -m 1000 to benchmark NTLM speed on it; that number tells you how long a given mask will take.

3. Preparing for the Attack

Windows 10 and 11 store the NT hash of each local account password in the SAM: an unsalted MD4 of the UTF-16LE password, which Hashcat lists as "NTLM". LM hashes are no longer stored on modern Windows, so samdump2 prints the empty-LM placeholder aad3b435b51404eeaad3b435b51404ee in that field. Each line of hashes.txt is in pwdump format:

user:rid:lmhash:nthash:::

Creating a Hash File

Create a file containing only the NT hashes (16 bytes each, written as 32 hexadecimal characters) by stripping the user name, RID and LM hash from each line. Drop lines whose NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0: that is the hash of the empty password, so those accounts have nothing to crack. For example, create ntlm_hashes.txt with lines like:

63289B7E7462C3300A2B2CC7C72D260C

Alternatively, keep hashes.txt as it is and pass --username to Hashcat so it skips the user and RID fields; cracked results will then show which account each password belongs to.

4. Running Hashcat

  1. Open a Terminal.
  2. Navigate to the Hashcat Directory:
    cd /opt/hashcat-<version>
  3. Execute Hashcat with the Correct Options:
    • For NT hashes, use mode 1000 (listed as NTLM in Hashcat's help).
    • Specify a mask describing the candidate passwords. For example, to brute-force passwords of exactly 8 lowercase letters:
      ./hashcat -m 1000 -a 3 -o found.txt /path/to/ntlm_hashes.txt ?l?l?l?l?l?l?l?l
    • The binary in the Linux release archive is named hashcat.bin; a packaged install provides hashcat on your PATH. Built-in charsets are ?l (a-z), ?u (A-Z), ?d (0-9), ?s (symbols) and ?a (all printable ASCII). To include digits as well as letters, bind a custom charset with -1 ?l?d and write the mask as ?1?1?1?1?1?1?1?1; add --increment to try every length from 1 up to the mask length.

Example Command Breakdown

  • -m 1000: Specifies the NT hash type (NTLM in Hashcat's list).
  • -a 3: Selects the mask (brute-force) attack mode.
  • -o found.txt: Specifies the output file for cracked passwords.
  • /path/to/ntlm_hashes.txt: The input file containing the NT hashes, one per line.
  • ?l?l?l?l?l?l?l?l: Eight ?l positions, i.e. every 8-character lowercase password. That keyspace is 26^8, about 2.1 x 10^11 candidates, which a single modern GPU exhausts at NTLM speeds in seconds to minutes; each extra character, or each extra charset class, multiplies the keyspace accordingly.
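The whole pipeline from samdump2 output to a running mask attack, as an added example that is not part of the original tutorial: it filters the pwdump-format lines down to the NT hashes Hashcat expects (dropping empty-password accounts and duplicates), builds a mask of a given length, and wraps the hashcat invocation, including the custom-charset variant for letters plus digits. It assumes POSIX sh with awk, and hashcat on PATH for the cracking step; the sample dump, file names and the account names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Turns samdump2's pwdump-style
# output (user:rid:lmhash:nthash:::) into the hash-only file hashcat -m 1000
# wants, then launches a mask attack. Assumes POSIX sh + awk; hashcat must be on
# PATH for crack_ntlm/show_cracked. The sample dump below is constructed.

# NT hash of the empty password (MD4 of "" in UTF-16LE). Accounts showing it
# have no password to crack.
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'

# extract_nt_hashes <pwdump-file> <out-file>
# Keeps field 4 (the NT hash), lower-cased and de-duplicated; drops malformed
# lines and empty-password hashes. Prints the number of hashes written.
extract_nt_hashes() {
    awk -F: -v empty="$EMPTY_NT" '
        NF >= 4 && length($4) == 32 && $4 ~ /^[0-9A-Fa-f]+$/ && tolower($4) != empty {
            print tolower($4)
        }' "$1" | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

# build_mask <length> <charset-token>   e.g. build_mask 8 '?l' -> ?l?l?l?l?l?l?l?l
build_mask() {
    i=0; mask=''
    while [ "$i" -lt "$1" ]; do mask="$mask$2"; i=$((i + 1)); done
    printf '%s' "$mask"
}

# crack_ntlm <hash-file> <out-file> <mask> [custom-charset-1]
# Mask attack (-a 3) on NT hashes (-m 1000). A custom charset is bound to ?1,
# so crack_ntlm nt.txt found.txt '?1?1?1?1?1?1?1?1' '?l?d' covers 8-character
# lowercase+digit passwords (36^8 candidates).
crack_ntlm() {
    hashes=$1; out=$2; mask=$3; charset=${4:-}
    set -- -m 1000 -a 3 -o "$out"
    if [ -n "$charset" ]; then set -- "$@" -1 "$charset"; fi
    hashcat "$@" "$hashes" "$mask"
}

# show_cracked <hash-file>: print hash:password pairs already in the potfile
show_cracked() {
    hashcat -m 1000 --show "$1"
}

# --- demo on a constructed samdump2-style dump (sample data, not real users) ---
WORK=$(mktemp -d)
cat > "$WORK/hashes.txt" <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:63289B7E7462C3300A2B2CC7C72D260C:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
EOF

count=$(extract_nt_hashes "$WORK/hashes.txt" "$WORK/ntlm_hashes.txt")
echo "wrote $count NT hash(es) to $WORK/ntlm_hashes.txt"   # Administrator and Guest are skipped

# Only run hashcat when it is installed: 8 lowercase letters, as in the tutorial.
if command -v hashcat >/dev/null 2>&1; then
    crack_ntlm "$WORK/ntlm_hashes.txt" "$WORK/found.txt" "$(build_mask 8 '?l')"
    show_cracked "$WORK/ntlm_hashes.txt"
fi
```

Filtering out the empty-password hash before cracking matters more than it looks: Hashcat would otherwise "crack" it instantly against the empty candidate and report a success for an account that simply has no password set. The lower-casing and sort -u also mean two accounts sharing a password produce one hash to crack; use the --username route instead if you need to know which accounts those were.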

5. Monitoring the Attack

Hashcat prints its status (speed, progress through the keyspace, estimated time to completion, hardware temperature) in the terminal, and --status makes it refresh automatically. While it runs you can press s to print the status on demand, p to pause, r to resume, c to write a checkpoint and q to quit. A session that was quit or interrupted can be resumed from its .restore file with hashcat --restore.

6. Analyzing the Results

Once a hash is cracked, or the keyspace is exhausted, the cracked pairs are in the specified output file (found.txt), one per line in Hashcat's default output format:

<hash>:<password>

Hashcat also records every crack in its potfile (hashcat.potfile), so re-running the same command reports those hashes as already cracked rather than attacking them again. To list them later, run hashcat -m 1000 --show /path/to/ntlm_hashes.txt; if --username was used when cracking, pass it to --show as well and the account names are included.

Conclusion

Brute-forcing a Windows password with Hashcat comes down to extracting the SAM and SYSTEM hives with Windows offline, dumping the NT hashes, and running a mask attack with the right mode and mask. Because NT hashes are unsalted and fast, short or single-class passwords fall in seconds to minutes, but the keyspace grows exponentially with length, so long mixed-character passwords are out of reach for exhaustive search; in practice a wordlist attack with rules (-a 0 plus a rules file) is tried before a full brute force. Always ensure you have proper authorization before attempting to crack passwords.