aurélien@duboc:~$

EN - Recover Windows account passwords

This article might help you to retrieve plaintext passwords from Windows sessions. I disclaim any liability if you use this article for illegal actions. If you want to train, you can downloads some virtual machines below, this tutorial is also made for you if you are working on a real Windows Operating System.

Step 0: Download the virtual machines (training mode)

If you are working on a real Windows operating system, just skip this until Step 1.

Main source

Alternative source

Upload the virtual machines

Uplaod the ova’s files into VirtualBox.

Step 1: Boot on a Linux Live OS

Step 1.1: Download a live iso

You can download here the iso file of Kali Linux 64 Bit or Kali Linux 32 Bit, depending on your CPU computer. If you do not know, try first with Kali Linux 32 Bit

Step 1.2: Making a bootable usb key from iso

Skip this step if you are working on the virtual machines until Step 1.3

On Windows

Install Rufus and follow the instructions

On Linux

Be sure of what you are doing, you is going to delete your device data where /dev/sdX is your device, to print device list, use lsblk command

sudo dd if=my_iso_file.iso of=/dev/sdX bs=4M status=progress

Further information

If you want to boot from your USB key, you might need to disable Secure Boot in your BIOS options. To show booting option, you need to spam F12 on startup.

Step 1.3: Boot on a live linux operating system

Skip this step if you are working on a real Windows Operating System until Step 1.4.

  • Add the ISO to the configuration of the virtual machine

Step 1.4: Boot on the live linux operating system (kali)

  • Start the virtual machine and select `Live (amd64)`

Step 2: Get an admin user from scratch

If you already get an admin account, go to Step 3.2

Step 2.1: If you DO NOT get a user on the Windows system

If you already have an unpriviledge account, go to Step 2.2.

  • Mount the Windows partition with read/write option and replace Utilman.exe (Utility Manager application of Windows) by cmd.exe in order to get an administrator shell without need to authenticate. In my case, `/dev/sda2` is the Windows partition.

Step 2.2: If you already get a user on the Windows system

  • Mount the Windows partition with read/write option and promote your existing user as an administrator using `chntpw` command. `windaube` is the unpriviledge user that already exist on my Windows, replace it by yours when using `chntpw -u <user> Windows/System32/config/SAM`.

Step 3: Retrieve passwords hash of administrators users

Step 3.1: If you DO NOT get a user on the Windows system

Skip this step to Step 3.2 if you already have your access to an administrator user on the Windows system.

  • Click on the Utility Manager application of Windows from the administrator login interface in order to trigger an administrator Windows shell, then create a new account. If you get an error on `net localgroup Administrateurs hacker_user /add`, your user if created but is not an administrator so go back to Step 2.1 in order to promote your new user as an administrator. `Administrateurs` is the name for the localgroup for administrators on my french Windows install (in English it might be `administrators` or `Administrators`)
  • So we created a new user `hacker_user` with password=`password`, let's login

Step 3.2: Download mimikatz

  • Mimikatz is a power tool made by `gentilkiwi` that will enable us to get the passwords hash of all users on the system. If you asked why do we need an administrator account to use this tool, its because you need the administrator privilege to disable Windows Defender that is blocking the downlaod of this tool.
  • Same thing with the other virtual machine:

Step4: From hash to plaintext (passcracking)

With the two virtual machines we get several hashes we are going to break.

Write this into a file called hashes.txt:

windaube:a8bc9746281c76995222af521a5a02d7
hacker_user:8846f7eaee8fb117ad06bdd830b7586c
HackademINT-Windaube1:a779a6cb2541da6cacc4f2c55d1e6c66
HackademINT-Windaube2:458fccb8bf74b63b6ab6e54347f005cf

Step 4.1: Using an online tool

Go to this website and let’s see what happened. If the passwords are not strong enought, it would be easy to get the plaintext password from the hash using online tools

Step 4.2: Using hashcat

Hashcat is the world’s fastest password cracker tool. In this tutorial, the passwords of administrator looks like Windaube{this_is_the_password_content}, so we need to do a rule-based attack.

Write into a file called rule.txt: $} ^{ ^e ^b ^u ^a ^d ^n ^i ^W

Do not forget to download a good wordlist in order to bruteforce passwords, you can use rockyou.txt

Try to break the hashes with and without the custom rule !

hashcat -a 0 -m 1000 hashes.txt rockyou.txt --user -O
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -r rule.txt --user -O

When it is finished, show the result with:

hashcat -m 1000 hashes.txt --user --show

hacker_user:8846f7eaee8fb117ad06bdd830b7586c:password
HackademINT-Windaube2:458fccb8bf74b63b6ab6e54347f005cf:Windaube{yuszyuszyusz}
HackademINT-Windaube1:a779a6cb2541da6cacc4f2c55d1e6c66:Windaube{intoxicating}
windaube:a8bc9746281c76995222af521a5a02d7:windaube
comments powered by Disqus