Windows stores local user account credentials in the SAM (Security Account Manager) database. The SAM does not hold plaintext passwords but NT (NTLM) hashes of them. The file is locked by the operating system while Windows is running and cannot be opened directly by a user, so we have to dump it.
Tools used: Mimikatz, John the Ripper, Hashcat.
Dumping the SAM file:
For this we need to copy the SAM and SYSTEM files from their original location to another directory. Both are required: the SYSTEM hive holds the boot key that is needed to decrypt the hashes stored in the SAM.
Copying the SAM and SYSTEM files using CMD.
Step 1: Run CMD as administrator and run the following commands.
Step 2: Open Mimikatz and run the following commands.
We obtained the NTLM hash from the SAM file using Mimikatz.
Now copy this hash and save it in a Notepad file.
Obtaining the password with John the Ripper and Hashcat:
- Download John the Ripper.
- Extract it to the desktop.
- Paste the Notepad file containing the hash into the run folder inside the John the Ripper directory.
- Open CMD.
- Change into the John the Ripper directory.
- Change into the run folder.
- Run the following command.
Note: 2602 is our password.
Using Hashcat:
Run the following command in a terminal.
hashcat -m 1000 -a 0 filename /usr/share/wordlists/rockyou.txt
Note: -m 1000 selects the NTLM (NT hash) mode; -a 0 is the straight wordlist attack, where each word in the list is hashed and compared against the hashes in filename.
The wordlist rockyou.txt.gz is compressed by default, so it must be unzipped before use.
Locate the archive from a terminal and decompress it in place:
find / -name rockyou.txt.gz 2>/dev/null
gzip -d /usr/share/wordlists/rockyou.txt.gz