Windows Hash Cracking - GrayHatsCC/Wiki GitHub Wiki
Hash Cracking in Windows 7
Windows stores the password hashes of local accounts. The passwords are stored as hashes, rather than in plaintext, to make them more difficult to recover.
Hash Location
Hashes are stored in the SAM file in Windows 7. The SAM file is a Registry Hive and is located in c:\windows\system32\config.
Getting the Hashes
To get the local hashes, two files are required: the SAM file and the SYSTEM file. The SAM file contains the actual hashes, but they are encrypted with a key that is stored in the SYSTEM file.
One might expect that the easiest way to get these files is simply to copy them, but Windows locks both hives against direct access while the system is running. There are a few ways to obtain them from a running system, but they require administrative privileges, which you presumably do not have. The easiest way is to take them from an offline (dead) system, either by booting a live CD/USB or by removing the hard drive and imaging it.
Acquiring the Hives
Boot up the live CD or open the hard drive image, navigate to c:\windows\system32\config, and copy the SAM and SYSTEM files to your workspace.
Extracting the Hashes
Now that we have the files, we need to extract the hashes. There are many tools available for this, but the de facto standard is mimikatz, which can currently be found at this URL:
https://github.com/gentilkiwi/mimikatz/releases/tag/2.1.1-20170813
Google Chrome blocks this download, so you will need a different browser to fetch it. Once downloaded, extract the archive and run mimikatz.exe, then execute the following command:
lsadump::sam /system:<System Hive> /sam:<Sam Hive>
You will now get a printout of every local user account with its corresponding hashes. The one of interest is the NTLM hash for each account.
Cracking the Hashes
Now that you have the hashes, there are a couple of methods to choose from. The easiest is to submit them to an online hash cracker. Two of the most popular are:
If those do not return anything, you can attempt to crack them yourself with one of the various offline tools. Hashcat is by far the best free option currently available.