{"id":578,"date":"2019-03-03T17:01:08","date_gmt":"2019-03-03T22:01:08","guid":{"rendered":"https:\/\/www.ccrossan.com\/blog\/?p=578"},"modified":"2019-03-03T17:02:12","modified_gmt":"2019-03-03T22:02:12","slug":"windows-10-password-recovery","status":"publish","type":"post","link":"https:\/\/crossan007.dev\/blog\/windows\/windows-10-password-recovery\/","title":{"rendered":"Windows 10 Password Recovery"},"content":{"rendered":"\n
Tweet<\/a><\/div>\n

DISCLAIMER: DO NOT EXECUTE THIS PROCESS WITHOUT EXPLICIT APPROVAL FROM THE SYSTEM OWNERS.\u00a0 I AM NOT ENDORSING OR APPROVING ANY ILLEGAL ACTIVITY WHICH COULD BE ACCOMPLISHED FOLLOWING THESE STEPS<\/strong><\/p>\n

An older friend forgot his computer password; asked me for help.<\/p>\n

I booted the machine, and saw an email address where the Windows 10 username normally would be;\u00a0 my first thought was “oh, great; this is a Microsoft Online\u00a0 joined computer, password recovery probably won’t happen”<\/p>\n

I did a little research, and found some evidence that suggests my seemingly outdated knowledge about passwords being stored in the SAM seems to still stand.\u00a0 However, Windows 10 Anniversary Update changed the encryption algorithm used on the SAM:\u00a0https:\/\/twitter.com\/gentilkiwi\/status\/762465220132384770<\/a><\/p>\n

This algorithm change broke my normal tool (OPHCRACK), since it was unable to read the NTLM hashes from the SAM.\u00a0 SAM encryption caused OPHCRACK to incorrectly read every account hash as 31d6cfe0d16ae931b73c59d7e0c089c0<\/code>.\u00a0 So, I copied the SAM and SYSTEM files (at C:\\Windows\\System32\\config) from the target machine to my desktop for additional processing.<\/p>\n

Mimikatz <\/a>has a module `lsadump::sam` which accepts parameters for offline SYSTEM and SAM decryption.\u00a0 Easy command line:<\/p>\n

lsadump::sam \/system:c:\\users\\charles\\documents\\system \/sam:c:\\users\\charles\\documents\\sam<\/pre>\n
This returned decrypted NTLM hashes for easy cracking.<\/p>\n
I decided to try a new tool here to crack the plain text password from the NTLM hashes: Hashcat<\/a>.\u00a0 There’s a Windows 64bit compiled version (I know, I know don’t run random binaries…) which made it easy to get cracking quickly.<\/p>\n
I copied the hash from the output of Mimikaz into a text file called hashes.txt<\/code>\u00a0and ran the command<\/p>\n
.\\hashcat64.exe -m 1000 -a 3 -O -o pass1.txt .\\hashes.hash<\/pre>\n
My 10 year old computer cracked the Microsoft Online account NTLM Windows 10 password hash in ~8 minutes. It was two dictionary words and a two-digit number for a total of 8 characters.\u00a0 I was using brute-force in this scenario, so the fact that dictionary words were used is of no consequence.\u00a0 Had I been using a dictionary, the attack would have likely concluded sooner.<\/p>\n
Just for fun, I generated a new NTLM hash, but replacing vowels with numbers (i<\/code>\u00a0with 1<\/code>\u00a0and the e<\/code>\u00a0with 3<\/code>\u00a0and so fourth), the attack took the same amount of time.<\/p>\n
\r\n\r\nimport hashlib\r\nprint hashlib.new('MD4', 'password'.encode('utf-16le')).hexdigest()\r\n\r\n<\/pre>\n
Moral of the story:\u00a0 USE STRONG PASSWORDS AND A PASSWORD MANAGER<\/h4>\n","protected":false},"excerpt":{"rendered":"
DISCLAIMER: DO NOT EXECUTE THIS PROCESS WITHOUT EXPLICIT APPROVAL FROM THE SYSTEM OWNERS.\u00a0 I AM NOT ENDORSING OR APPROVING ANY ILLEGAL ACTIVITY WHICH COULD BE ACCOMPLISHED FOLLOWING THESE STEPS An older friend forgot his computer password; asked me for help. I booted the machine, and saw an email address where the Windows 10 username normally … Continue reading Windows 10 Password Recovery<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1,211],"tags":[227,228,33,226,109,212,225],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n