Windows Password Cracker

  • Challenge
  • Released 05 Nov 2025

🔓 Can you break into these Windows password hashes?

A Windows SAM database dump sits before you, containing encrypted password hashes from a corporate network. The NTLM hashes hold the keys to user accounts and potentially sensitive information. With the right tools and wordlists, can you crack these hashes and uncover what's hidden inside?

  • Flags: 1
  • Points: 5

Challenge Overview

Windows systems store password hashes in the Security Account Manager (SAM) database. These NTLM (NT LAN Manager) hashes can be extracted during penetration tests and cracked offline to recover plaintext passwords.

Learning Objectives
  • Understanding Windows password storage and SAM database
  • Identifying and working with NTLM hash format
  • Using password cracking tools (hashcat and john)
  • Performing offline hash cracking attacks
  • Recognizing weak password practices in Windows environments

Challenge Scenario

You have obtained a dump of Windows SAM hashes from a target system during a penetration test. The dump contains several user accounts with NTLM password hashes. Your objective is to crack the password for the secretuser account - the cracked password itself is the flag.


Required Tools
  • hashcat - GPU-accelerated password cracking tool with NTLM support
  • john - CPU-based password cracker (John the Ripper)
  • Wordlists - rockyou.txt, SecLists, or other password lists

Skills Required
  • Understanding of Windows authentication
  • Knowledge of NTLM hash format
  • Command-line usage of cracking tools
  • Basic cryptography concepts

NTLM Hash Format

The SAM dump uses the standard format:

username:RID:LM_hash:NTLM_hash:::

The NTLM hash (the 4th field) is the MD4 hash of the password; it is the value you need to crack.
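
An added example, not part of the lab's materials: a parser for the dump format above that reports what an auditor can read from the file without cracking anything (blank passwords, stored LM hashes, and accounts sharing a password). The function names are hypothetical, the sample accounts and their non-empty hashes are constructed, and the two constants are the well-known LM and NT hashes of the empty string.

```python
from collections import defaultdict

# Well-known hashes of the empty string; the LM field holds this value when no LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump (hypothetical accounts; non-empty hashes are made-up hex).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789ABCDEF0123456789ABCDEF:::
legacy:1002:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
this line is not a dump entry
"""

def _is_hash(value):
    """True for a 32-character lowercase hex string (128-bit hash)."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)

def parse_line(line):
    """Return a dict for one username:RID:LM_hash:NTLM_hash::: line, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[0] or not parts[1].isdigit():
        return None
    lm, nt = parts[2].lower(), parts[3].lower()  # hex case varies between tools
    if not (_is_hash(lm) and _is_hash(nt)):
        return None
    return {"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt}

def audit(dump):
    """Parse a dump and report findings visible without cracking anything."""
    entries = [e for e in map(parse_line, dump.splitlines()) if e]
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "parsed": len(entries),
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        # NT hashes are unsalted, so identical hashes mean identical passwords.
        "shared_password": [users for users in by_nt.values() if len(users) > 1],
    }

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```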