How to Grab & Crack Encrypted Windows Passwords (Part 2)

Welcome back, my neophyte hackers!

Several of you have written me asking how to crack passwords. The answer, in part, depends upon whether you have physical access to the computer, what operating system you are running, and how strong the passwords are.

In this first installment on password cracking, we’ll assume the simplest arrangement; you’re running Windows, attacking Windows, and have physical access to the computer whose passwords you’re attempting to crack.

In future installments, we’ll look at cracking passwords remotely, with and on Linux operating systems, and cracking famous web applications such as Gmail and Facebook, so keep coming back!

Step 1 Download Pwdump3

Windows systems encrypt user passwords and store them in a file named SAM and store them in the following directory:

• c:\Windows\system32\config

The first thing we need to do is grab this file. In an earlier article, we used Metasploit to hack into the malicious dictator’s computer and grab his password hashes.

We can also grab the hashes without Metasploit if we have physical access to a computer on the network. This can be done with a neat piece of software called pwdump3. It’s installed on BackTrack already, but you can download it for free on Windows using the link below.

• Click here to download pwdump3 for Windows.

Pwdump3 is able to grab the encrypted passwords for us, and we can then crack them with another password cracking tool. So, let’s grab that SAM file with pwdump3!

Step 2 Grab the Hashes

Open a command prompt. Now navigate to the folder where you placed your pwdump3 app. I put mine on the desktop. Now type:

• c:/user/Desktop/pwdump3 mycomputer hashdumpfile.txt

When you hit enter, pwdump3 will grab the password hashes and place them in the file called “hashdumpfile.txt“. Make sure that you replace “mycomputer” in the command above with the actual name of your computer. If you don’t know the name of your computer, simply type “hostname” as the command prompt and Windows will return the name of your computer.

Pwdump3 can retrieve the password hashes from any computer on your network!

Step 3 Download Cain & Abel

Now that we have encrypted passwords (hashes), we now need to decrypt them so we can read and use them. Most hacking software is developed for the Linux operating system, then gets ported (recompiled) for Windows, but there is one delightful exception—Cain and Abel.

Cain and Abel is a hacking application exclusive to Windows that has never been ported for Linux. It’s a powerful and free (but not open source) application that every hacker should be familiar with. We’ll be using just one of its many capabilities, namely cracking Windows password hashes.

• Click here to download Cain and Abel for Windows.

Now that we have all the tools we need, let’s start cracking those passwords!

Step 4 Crack the Passwords

Cain and Abel must be run with administrator privileges, so right-click the CAIN icon on your desktop and select “Run as administrator.” It should then open up a screen that looks like this:

Next, click on the “Cracker” tab at the top of the work area, and provide Cain and Abel the password hashes to crack. Simply right-click on the white space in the center of Cain and Abel and a pull-down window will appear. Select “Import hashes from a text file.”

Choose the file with the password hashes that you created with pwdump3 (in our example, we used “hasdumpfile.txt”) or retrieved on Metasploit, then click on the “Next” button.

We can now right-click on the hashes and select what type of hash crack we want to proceed with. The fastest method is to use the “Dictionary attack.”

If you navigate to the Cain folder on your system, you will see a folder called “Wordlist.” You can use this relatively small word list or any other word list of your choice (there are numerous word lists available on the Internet with millions of words).

This method attempts all words from the dictionary file to find password matches, and generally is very fast as it can search through even a large dictionary file in just a few minutes. If this fails, select “Hybrid Attack” and finally, a “Brute-Force Attack.” A brute force might be slow, but eventually, it will crack all passwords.

Okay, stay connected here at Null Byte, because we have more exciting Hack Like a Pro guides coming up soon!