Windows Password Cracker

  • Challenge
  • Released 05 Nov 2025

🔓 Can you break into these Windows password hashes?

A Windows SAM database dump sits before you, containing encrypted password hashes from a corporate network. The NTLM hashes hold the keys to user accounts and potentially sensitive information. With the right tools and wordlists, can you crack these hashes and uncover what's hidden inside?

1 flag, 5 points, Pro Exclusive challenge

Windows Password Cracker - Solution

Objective: Crack the Windows NTLM password hash for the secretuser account. The cracked password is the flag.

Step 1: Download the Challenge File

Download the SAM hash dump from the challenge page:

wget https://lab.hdna.me/142-windows-password-cracker/sam_hashes.txt

Step 2: Examine the SAM Hash Dump

View the contents of the SAM hash file to understand the format:

cat sam_hashes.txt

The format is: username:RID:LM_hash:NTLM_hash:::

The NTLM hash is the 4th field (the second 32-hex-character value). It is the MD4 digest of the UTF-16LE-encoded password, with no salt.

Step 3: Extract NTLM Hashes

For easier cracking, extract just the NTLM hashes (4th field):

cut -d: -f4 sam_hashes.txt > ntlm_hashes.txt
cat ntlm_hashes.txt

Step 4: Crack Hashes with Hashcat (Method 1)

Hashcat is a GPU-accelerated password cracker; NTLM hashes are hash mode 1000 (-m 1000). Using SecLists 10k-most-common.txt for a quick first pass:

hashcat -m 1000 ntlm_hashes.txt /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

Or use rockyou.txt wordlist:

hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt

Show cracked passwords:

hashcat -m 1000 ntlm_hashes.txt --show

Step 5: Crack Hashes with John the Ripper (Method 2)

Alternatively, use John the Ripper with the raw NT hash format (--format=NT). Using SecLists for quick results:

john --format=NT ntlm_hashes.txt --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

Or use rockyou.txt:

john --format=NT ntlm_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Show cracked passwords:

john --format=NT ntlm_hashes.txt --show

Step 6: Match Hashes to Usernames and Find the Flag

Once you've cracked the hashes, match them back to the original usernames in sam_hashes.txt:

Cracked Credentials:

  • Guest - Hash: 823893adfad2cda6e1a414f3ebdf58f7 - Password: guest
  • john - Hash: 69bf94898385467264708f3cc51cf0a4 - Password: john
  • admin - Hash: a9fdfa038c4b75ebc76dc855dd74f0da - Password: password123
  • secretuser - Hash: 5fc5d15aac645ea16c1d363ab539724e - Password: TOPSECRET (THIS IS THE FLAG)

The password for the secretuser account is the flag: TOPSECRET

Alternative: Crack Directly from SAM Format

You can also crack hashes directly from the SAM dump format using john:

john --format=NT sam_hashes.txt --wordlist=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

Understanding NTLM Hashes

NTLM Hash Details:

  • NTLM (NT LAN Manager) is the authentication protocol used by Windows; the stored credential it relies on is the NT hash
  • NTLM hashes are MD4 hashes of the UTF-16LE encoded password
  • They are unsalted, so identical passwords produce identical hashes and precomputed (rainbow) tables apply directly
  • The LM hash (3rd field) is an older, weaker format that is disabled on modern systems
  • Empty passwords produce the hash: 31d6cfe0d16ae931b73c59d7e0c089c0
  • NTLM hashes can be cracked offline once obtained from the SAM database, so account lockout does not slow the attacker down

Hash Analysis Reference

Hash                              Status
31d6cfe0d16ae931b73c59d7e0c089c0  Empty/blank password (Administrator)
823893adfad2cda6e1a414f3ebdf58f7  Weak password - user: Guest (password: guest)
69bf94898385467264708f3cc51cf0a4  Username as password - user: john (password: john)
a9fdfa038c4b75ebc76dc855dd74f0da  Common password - user: admin (password: password123)
5fc5d15aac645ea16c1d363ab539724e  Target password - user: secretuser (TOPSECRET - THIS IS THE FLAG)

Security Best Practices

Protecting Windows Passwords:

  • Use strong, unique passwords (at least 15 characters)
  • Enable and enforce password complexity requirements
  • Implement multi-factor authentication (MFA)
  • Use Windows Hello for Business or passwordless authentication
  • Regularly audit password strength with tools like DSInternals
  • Disable LM hash storage (already the default in modern Windows)
  • Implement account lockout policies to limit online brute-force attempts (lockout does nothing against offline cracking of a stolen hash)
  • Use Credential Guard to protect against hash theft
  • Monitor for suspicious authentication attempts
  • Rotate passwords regularly, especially for privileged accounts

Tools Summary

Tool      Purpose                          Command Example
hashcat   GPU-accelerated NTLM cracking    hashcat -m 1000 hashes.txt wordlist.txt
john      CPU-based NTLM cracking          john --format=NT hashes.txt
cut       Extract specific fields          cut -d: -f4 sam_hashes.txt
SecLists  Password wordlists collection    git clone https://github.com/danielmiessler/SecLists.git

Key Learning Points

  • Windows stores password hashes in the SAM database (C:\Windows\System32\config\SAM)
  • NTLM hashes can be extracted and cracked offline
  • Weak passwords are cracked quickly no matter how the hash is computed
  • Password complexity and length are critical for security
  • Tools like hashcat (GPU) are significantly faster than CPU-based tools
  • Modern Windows versions use additional protections like Credential Guard
  • Defense in depth: MFA, password policies and monitoring are all essential

Challenge Complete! You have successfully cracked Windows NTLM password hashes and retrieved the flag. This demonstrates the importance of using strong passwords and implementing additional security controls beyond password-based authentication.