
Ethical hacking: Breaking Windows passwords

Introduction to Windows passwords

Windows is the most common desktop platform currently in use. As a result, it is not uncommon for hackers to encounter a Windows password that they need to crack in order to gain access to a specific account on a machine or move laterally throughout the network.

In the past, Windows passwords were extremely easy to crack. The original LAN Manager (LM) hash had the following design flaws:

  • Passwords limited to 14 characters (longer input is truncated)
  • All letters forced to uppercase before hashing, so case adds no entropy
  • No salting, so identical passwords produce identical hashes and precomputed tables work against every account
  • The 14-byte padded password is split into two 7-byte halves, each used as a DES key to encrypt the constant "KGS!@#$%", so the two halves can be attacked independently as at most seven characters each

As a result, passwords stored in the LM format were trivially easy to crack: each half is a small, uppercase-only search space, and rainbow tables covering the entire LM keyspace have been freely available for years. Windows Vista, Server 2008 and later do not store LM hashes by default, so today they turn up mainly on legacy systems or on domains where that default has been changed.

With the NT hash (usually called the NTLM hash), cracking Windows passwords is more difficult but still very practical. The NT hash is simply MD4 computed over the UTF-16LE encoding of the password. MD4 is a hash function rather than a cipher, and its known collision weaknesses are not what matters here: the problem is that a single unsalted MD4 operation is extremely fast, so an attacker can test billions of candidates per second on commodity GPUs and reuse one set of computed hashes against every account in a dump. Kerberos has replaced NTLM as the default network authentication protocol in Active Directory domains, but NTLM authentication remains widely enabled for compatibility, and the NT hash is still the form in which local account passwords are stored in the Windows SAM database.

Cracking Windows passwords

Because the NT hash is one unsalted MD4 operation, cracking it is far cheaper than cracking a password protected by a deliberately slow, salted password hash such as bcrypt, scrypt or Argon2. Cracking a Windows password hash is a three-step process:

  1. Acquiring the hash
  2. Choosing a tool
  3. Choosing a cracking technique

For all of these stages, the best choice often depends on the details of the ethical hacking engagement and the intended target.

Acquiring password hashes

Windows password hashes can be acquired in a few different ways. 

The most common is taking them directly from the machine in question. Windows password hashes are stored in the SAM registry hive; however, they are encrypted with a key derived from the system boot key (syskey), which is itself derived from values in the SYSTEM hive. Both hives live on disk as C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM and are locked while Windows is running, so they are usually obtained with administrative rights via a registry export, a volume shadow copy, or offline from the disk. If a hacker can access both of these files, then the SYSTEM file can be used to decrypt the (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/nAUD5W_3g10/