Retrieve Windows hashes
This page deals with retrieving Windows hashes (NTLM, NTLMv1/v2, MSCASHv1/v2).
Introduction
Windows hashes are the form in which Windows stores passwords on machines. First, let's clarify the terminology.
NTLM (aka NT) hashes are local users' hashes
NTLMv1/v2 (aka Net-NTLMv1/v2) hashes are used for network authentication
MSCASHv1/v2 (aka DCCv1/v2) hashes are cached domain users' hashes
NTLM ≠ NTLMv1/v2 ≠ MSCASHv1/v2
Retrieve NTLM hashes
NTLM hashes are composed of two parts:
LM hash (turned off since Windows Vista / Windows 2008)
NT hash (it can stand alone; it is still called an NTLM hash)
NTLM hashes are stored in the SAM database on the machine, or in the domain controller's NTDS database. Let's see common techniques to retrieve NTLM hashes.
Dumping SAM database manually
First, get a copy of SAM, SECURITY and SYSTEM hives:
Then retrieve NTLM hashes with secretsdump from impacket:
Retrieve and crack NTLM hashes with Meterpreter
On local machines, simply use smart_hashdump:
On domain controllers, there are two ways to retrieve domain users' NTLM hashes:
The LSASS injection technique is not safe and must be avoided!
To crack NTLM hashes, use John integration:
Retrieve NTLM hashes with Mimikatz
Use the following commands in Mimikatz:
These hashes are the NT part only. To get the full NTLM format, just prepend the empty LM part: aad3b435b51404eeaad3b435b51404ee:<NThash>
Retrieve NTLM hashes remotely with Secretsdump:
Retrieve NTDS remotely:
You can use secretsdump, again:
Or CrackMapExec:
NTLM hashes can:
be used with Pass-the-Hash technique
be cracked pretty easily
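The two points above (NTLM = LM:NT, and the empty LM part that turns a Mimikatz NT-only value into the full format) in working code, as an added example that is not part of the original page: it computes the NT hash (MD4 of the UTF-16LE password) with a self-contained MD4, since hashlib's md4 is often unavailable, and audits pwdump-style lines for what a defender cares about, namely accounts that still have a real LM hash stored and accounts with an empty password. The sample dump lines are constructed, not from a real system.

```python
import struct

MASK32 = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored (the page's constant)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on many OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                j = (-i) % 4  # register written at this step cycles a, d, c, b
                s[j] = _rotl((s[j] + fn(s[j - 3], s[j - 2], s[j - 1]) + x[w] + k) & MASK32, shifts[i % 4])
        a, b, c, d = ((v + t) & MASK32 for v, t in zip((a, b, c, d), s))
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:  # NT hash = MD4 of the UTF-16LE password, as stored in SAM / NTDS
    return md4(password.encode("utf-16-le")).hex()

def full_ntlm(nt: str) -> str:  # NT-only value (as Mimikatz shows it) -> LM:NT with the empty LM part
    return f"{EMPTY_LM}:{nt.lower()}"

def audit_pwdump_line(line: str) -> dict:
    """Parse a user:RID:LM:NT::: line and flag what a defender wants to know."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid),
            "lm_stored": lm.lower() != EMPTY_LM,   # a real LM hash: legacy LM storage still enabled
            "empty_password": nt.lower() == EMPTY_NT}

# Constructed sample lines, not from a real system; "legacy" carries a made-up LM value.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacy:1001:0123456789abcdef0123456789abcdef:8846f7eaee8fb117ad06bdd830b7586c:::",
]
```

Running audit_pwdump_line over a full dump is a quick way to spot hosts where LM storage was never disabled or accounts that can be used without any password.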
Retrieve NTLMv1/v2 hashes
NTLMv1/v2 hashes are derived from a challenge/response algorithm and are based on the user's NT hash.
Alice requests access to the share
The file server generates a challenge (a random number) and sends it to Alice
Alice sends back the response, computed by a function from her NTLM hash and the challenge
The file server asks the domain controller to perform the same computation and compare the results
The domain controller confirms the response is valid
Alice can access the file server
These hashes can be retrieved with tools like Responder or Inveigh:
NTLMv1/v2 can:
be relayed (with tools like MultiRelay or ntlmrelayx)
be cracked in a reasonable time
be used with the Pass-the-Hash technique? No, they cannot.
Retrieve MSCASHv1/v2 hashes
Let's say the machine you are trying to connect to cannot reach the domain controller for authentication because of a network outage or a domain controller shutdown. You are stuck. To solve that problem, machines store hashes of the last domain users (10 by default) that logged into the machine. These hashes are MSCASHv2 hashes.
Let's see common techniques to retrieve these hashes.
Dumping SAM database manually
First, get a copy of SAM, SECURITY and SYSTEM hives:
Then retrieve MSCASH hashes with secretsdump from impacket:
Retrieve MSCASH hashes with Meterpreter
Simply use cachedump Meterpreter module:
MSCASHv2 can:
be cracked, though it takes quite a long time
be used with the Pass-the-Hash technique? No, they cannot.