You can try several approaches to crack passwords:

  • Brute force the password across the network. This technique sends password guesses to network-based services, so the attacker tries to authenticate across the network to remote services.
  • Dump credentials currently loaded in memory, including:
      • LSA secrets.
      • User hashes.
      • Hashes from privileged accounts such as krbtgt.
      • Tokens (temporary access keys) from current or previously logged-on users.
      • Copies of previous user passwords that are kept to enforce password history policies.
  • Steal a copy of a file that contains the credentials and attempt to crack it offline (SAM, SYSTEM, ntds.dit).
  • Dump locally cached domain logon information.
  • Steal the Group Policy Preferences (GPP) file to extract any passwords (cPassword).
  • Do not bother to crack, but instead:
      • Use current privileges from a buffer overflow or other exploit to create a new account.
      • Use the dumped hash of a privileged account to create a new account or ticket.
      • Boot into another OS and overwrite the disk location where the password, including the SYSKEY, is stored.

More About Credential Dumps and Other Cracking Options

The following table briefly describes how certain credential dumps and other cracking techniques work.

LSA secrets dump

This technique attempts to crack passwords stored in the Registry (HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets) by the Local Security Authority Subsystem (LSASS). The Registry is loaded into RAM when the machine boots. Stored secrets include:

  • Default administrator password from installation
  • Internet Explorer passwords
  • Remote Access connection passwords
  • SYSTEM account passwords
  • EFS encryption keys

Hash dump

You can dump hashes directly from the Registry hives HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM and pass them to a cracker.

  • Requires running as SYSTEM or using a SYSTEM token
  • Extract hashes and credentials directly from the Registry
  • Extract hashes through DLL injection into the lsass.exe process

User token dump

By inspecting memory and running processes, you can view which processes are owned by various users. You can then steal and use one of the user tokens to impersonate that user. Anything you do will be in the context of that user, and will be logged as having been performed by that user.

Windows Vault dump

The Windows Vault is a set of local files that store credentials for:

  • Internet Explorer 10.0/11.0 and Microsoft Edge (Windows 8 or later)
  • Windows Mail (Windows 8 or later)
  • Microsoft Account (Hotmail, Live, MSN, Office 365, OneDrive, etc.)
  • Windows Explorer Network Drive Mappings
  • Online credentials for various websites
  • Single sign-on (SSO) passwords

Files are located in several places:

  • C:\Users\[User Profile]\AppData\Local\Microsoft\Vault
  • C:\ProgramData\Microsoft\Vault
  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault

Kerberoasting and golden tickets

Dump the hash of the krbtgt account from the memory of a server with a service that uses a domain-based user account, and use it to create new golden tickets. Kerberoasting lets any domain user request a Ticket Granting Ticket from a domain service account and crack that account's plaintext password offline. This is significant because many service accounts have admin privileges and their passwords are seldom changed.

Note: For more information on kerberoasting, see and

SYSKEY boot key

You can extract the parts of the SYSKEY boot key from the Registry and recover the key so it can be used to decrypt the SAM, LSA secrets, and cached domain passwords. The Registry keys that hold the parts are:

  • SYSTEM\CurrentControlSet\Control\Lsa\JD
  • SYSTEM\CurrentControlSet\Control\Lsa\Skew1
  • SYSTEM\CurrentControlSet\Control\Lsa\GBG
  • SYSTEM\CurrentControlSet\Control\Lsa\Data

Cached domain login dump

By default, Windows domain members (from XP on) cache domain credentials so that users can still log on when no domain controller is available. The cache is stored under HKEY_LOCAL_MACHINE\SECURITY\Cache (values NL$X). The default policy allows these cached credentials to be used 10 times before a domain controller must be reached. Only the Local System account can read these values.

Offline SAM cracking

You must get a copy of the Registry keys from HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM or the physical files they're loaded from and send those to the cracker.

  • Copy the HKLM\SAM and HKLM\SYSTEM hives with reg.exe or regedit.exe:
      • regedit --> Right-click HKLM\SYSTEM --> Export
      • regedit --> Right-click HKLM\SAM --> Export
      • reg.exe save HKLM\SYSTEM <output file>
      • reg.exe save HKLM\SAM <output file>
  • Use cscript vssown.vbs to create a Volume Shadow Copy, then use the copy command to extract the two physical files from it:
      • cscript vssown.vbs /create
      • copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
  • Boot another OS and copy the two physical files: %WINDIR%\System32\Config\SAM and %WINDIR%\System32\Config\SYSTEM.

Offline Active Directory cracking

Steal a copy or backup of the Active Directory database file from a domain controller (located at %SystemRoot%\NTDS\Ntds.dit) and crack it offline.
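A detection pass over process-creation logs for the hive-export, shadow-copy and ntds.dit-copy commands described in the last two entries, as an added example that is not part of the original page. The log layout, host and user names and file paths are constructed for the example; real Sysmon or 4688 records would need their own field parsing.

```python
import re
from collections import defaultdict
# Constructed process-creation records (Sysmon EID 1 / Security 4688 style) in a
# simplified "time host=... user=... cmd=..." layout; hosts, users and paths are made up.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z host=WS01 user=CORP\\jdoe cmd=reg.exe save HKLM\\SAM C:\\Temp\\sam.hiv
2024-05-01T10:02:12Z host=WS01 user=CORP\\jdoe cmd=reg.exe save HKLM\\SYSTEM C:\\Temp\\sys.hiv
2024-05-01T10:05:40Z host=WS01 user=CORP\\jdoe cmd=cscript vssown.vbs /create
2024-05-01T10:05:58Z host=WS01 user=CORP\\jdoe cmd=copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM C:\\Temp\\SAM
2024-05-01T10:07:03Z host=DC01 user=CORP\\svc-backup cmd=copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\ntds.dit D:\\ntds.dit
2024-05-01T10:09:15Z host=WS02 user=CORP\\asmith cmd=reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
2024-05-01T10:11:30Z host=WS02 user=CORP\\asmith cmd=notepad.exe C:\\Users\\asmith\\notes.txt
"""

# One rule per technique from the text; each regex describes the command shape that reveals it.
RULES = [
    ("registry hive export",            # reg save/export or regedit /e of SAM, SYSTEM or SECURITY
     re.compile(r"\b(?:reg(?:\.exe)?\s+(?:save|export)|regedit(?:\.exe)?\s+/e\b).*?"
                r"\b(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)),
    ("volume shadow copy creation",     # vssown.vbs /create or vssadmin create shadow
     re.compile(r"vssown\.vbs\s+/create|vssadmin(?:\.exe)?\s+create\s+shadow", re.I)),
    ("copy from volume shadow copy",    # hive or ntds.dit read out of a shadow copy device path
     re.compile(r"harddiskvolumeshadowcopy\d+\\.*?(?:\\config\\(?:sam|system|security)\b|ntds\.dit)", re.I)),
]

RECORD_RX = re.compile(r"(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmd=(.*)$")

def flag_credential_file_theft(log_text):
    """Return (host, user, technique) for every record whose command line matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = RECORD_RX.match(line)
        if not m:
            continue
        _, host, user, cmd = m.groups()
        for technique, rx in RULES:
            if rx.search(cmd):
                hits.append((host, user, technique))
                break
    return hits

def correlate_sessions(hits, min_techniques=2):
    """Group hits by (host, user) and keep sessions showing at least min_techniques
    distinct techniques, e.g. a shadow copy created and then a hive copied out of it.
    A lone ntds.dit copy on a domain controller still warrants review on its own."""
    seen = defaultdict(set)
    for host, user, technique in hits:
        seen[(host, user)].add(technique)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_techniques}
```

The single-command rules catch the page's exact commands; correlate_sessions raises the priority of a host/user pair that strings several of them together, which is how the shadow-copy procedure above looks in a log.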

cPassword dump

Read and crack the cPassword value from the Group Policy Preferences (GPP) XML file, located in the SYSVOL share of any Active Directory domain controller. Domain admins use this optional setting to standardize local account (usually Administrator) passwords across all workstations and member servers in the domain (see MS14-025).

Keylogger

Install a physical or software-based keylogger on a computer to capture a user's login credentials.

Social engineering

Trick a user into revealing their password through shoulder surfing (including across-the-room recording with a mobile device camera), Wi-Fi evil twins, phishing emails, bogus login pages, etc.

Unattended installation answer file dump

Steal the answer file used in a Windows unattended installation, as the local administrator password is stored in cleartext. If you can edit the file, you can also add the Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword section so that the administrator is not prompted to change the password at first logon, which keeps the stolen password usable on that machine.
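An audit that flags the two cleartext-credential files named in the cPassword and unattended-installation entries above, as an added example that is not part of the original page. The XML samples are constructed (the cPassword value is a placeholder), and the check only reports that a value is present; it does not decrypt or decode anything.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GPP Groups.xml as found under SYSVOL; the cPassword
# value is a placeholder, not a real encrypted blob.
GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cPassword="PLACEHOLDER_CPASSWORD_VALUE" noChange="1"
      neverExpires="1" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>"""

# Constructed sample of the relevant part of an unattend.xml answer file.
UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>ConstructedP@ss1</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

NS = "{urn:schemas-microsoft-com:unattend}"

def find_gpp_cpassword(xml_text, source="Groups.xml"):
    """One finding per element carrying a cPassword attribute (MS14-025).
    The value is reported as present, never decrypted."""
    return [{"source": source, "account": el.get("userName", "?"),
             "issue": "GPP cPassword present"}
            for el in ET.fromstring(xml_text).iter() if "cPassword" in el.attrib]

def find_unattend_passwords(xml_text, source="unattend.xml"):
    """Flag AdministratorPassword entries in the Shell-Setup component. With
    PlainText=true the value is cleartext; otherwise it is only base64-encoded
    (an obfuscation, not encryption), so both cases are reported."""
    findings = []
    for comp in ET.fromstring(xml_text).iter(NS + "component"):
        if comp.get("name") != "Microsoft-Windows-Shell-Setup":
            continue
        for pw in comp.iter(NS + "AdministratorPassword"):
            plain = (pw.findtext(NS + "PlainText") or "false").strip().lower() == "true"
            findings.append({"source": source, "account": "Administrator",
                             "issue": "cleartext AdministratorPassword" if plain
                             else "base64-obfuscated AdministratorPassword"})
    return findings
```

Run the two functions over every Groups.xml (and the other GPP XML files) under SYSVOL and over any unattend.xml left on a build share or in C:\Windows\Panther to find what an attacker would read.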

Hard drive overwriting

Boot into another operating system and erase/overwrite the location on disk where the password is stored (C:\Windows\System32\Config).