You can try several approaches to crack passwords:
- Brute force the password across the network. This technique tries candidate passwords against network-based services, so an attacker can authenticate across the network to remote services.
- Dump credentials currently loaded in memory, including:
  - LSA secrets.
  - User hashes.
  - Hashes of privileged accounts such as krbtgt.
  - Tokens (temporary access keys) of currently or previously logged-on users.
  - Copies of previous user passwords that are kept to enforce password history policies.
- Steal a copy of a file that contains the credentials (SAM, SYSTEM, ntds.dit) and attempt to crack it offline.
- Dump locally cached domain logon information.
- Steal the Group Policy Preferences (GPP) file to extract any passwords (cPassword).
- Skip cracking altogether and instead:
  - Use the privileges gained from a buffer overflow or other exploit to create a new account.
  - Use the dumped hash of a privileged account to create a new account or ticket.
  - Boot into another OS and overwrite the disk location where the password, including the SYSKEY, is stored.
More About Credential Dumps and Other Cracking Options
The following table briefly describes how certain credential dumps and other cracking techniques work.
| Technique | Description |
| --- | --- |
| LSA secrets dump | This technique attempts to crack passwords stored in the Registry (HKEY_LOCAL_MACHINE/Security/Policy/Secrets) by the Local Security Authority Subsystem (LSASS). The Registry is loaded into RAM when the machine boots. Stored passwords include: |
| User hash dump | You can dump hashes directly from the Registry hives HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM and pass them to a cracker. |
| User token dump | By inspecting memory and running processes, you can see which processes are owned by which users. You can then steal one of the user tokens and use it to impersonate that user. Anything you do will run in the context of that user and be logged as having been performed by that user. |
| Windows Vault dump | The Windows Vault is a set of local files that store credentials for: Files are located in several places: |
| krbtgt hash dump | Dump the hash of the krbtgt account from the memory of a server with a service that uses a domain-based user account, and use it to create new golden tickets. These allow any domain user to request the Ticket Granting Ticket from a domain service account and crack the account's plaintext password offline. This is significant because many services have admin privileges and their passwords are seldom changed. Note: For more information on kerberoasting, see https://pentestlab.blog/2018/06/12/kerberoast/ and https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/. |
| SYSKEY boot key | You can extract the SYSKEY boot key parts from the Registry and crack it so that it can be used to decrypt the SAM, LSA secrets, and cached domain passwords. The Registry keys that store this information are: |
| Cached domain login dump | By default, Windows domain members (from XP on) cache domain credentials for users who try to log on to the domain when no domain controller is available. This cache is stored in HKEY_LOCAL_MACHINE/Security/CACHE/NL$X. The default policy allows these cached credentials to be used 10 times before a domain controller must be reached. The Local System account can extract these values. |
| Offline SAM cracking | You must get a copy of the Registry keys HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SAM, or of the physical files they are loaded from, and send those to the cracker. |
| Offline Active Directory cracking | Steal a copy or backup of the Active Directory database file on a domain controller, located at %SystemRoot%\NTDS\Ntds.dit, and perform offline cracking on the file. |
| GPP cPassword dump | Read and crack the cPassword value from the Group Policy Preferences (GPP) file, located in the SYSVOL share of any Active Directory domain controller. Domain admins use this optional setting to standardize local account (usually administrator) passwords on all workstations and member servers across the domain. See MS14-025. |
| Keylogger | Install a physical or software-based keylogger on a computer to capture a user's login credentials. |
| Tricking the user | Trick a user into revealing their password to you through shoulder surfing (including across-the-room recording with a mobile device camera), Wi-Fi evil twins, phishing emails, bogus login pages, etc. |
| Unattended installation answer file dump | Steal the answer file used in a Windows unattended installation; the local administrator password is stored in it in cleartext. If you can edit the file, you can also make sure that the Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword section is present so that the administrator is not prompted to change the password on first logon and the stolen password remains usable on that machine. |
| Hard drive overwriting | Boot into another operating system and erase or overwrite the location on disk where the password is stored (C:\Windows\System32\Config). |
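As an added example (not from the original text), a defender-side audit in Python that parses the two file formats named above, GPP XML carrying a cpassword attribute and a Windows unattended-installation answer file, and reports where a stored password is present without decoding it; the sample XML is constructed and the file names passed in are placeholders.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace, e.g. '{urn:schemas-microsoft-com:unattend}Value' -> 'Value'."""
    return tag.rsplit("}", 1)[-1]

def find_gpp_cpassword(xml_text, path="<gpp>"):
    """Return (path, element, account) for every element carrying a non-empty cpassword
    attribute. The value is never decoded; its presence alone is the finding to remediate."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "cpassword" and value:
                account = elem.get("userName") or elem.get("name") or "?"
                findings.append((path, _local(elem.tag), account))
    return findings

def find_unattend_plaintext(xml_text, path="<unattend>"):
    """Return (path, element) for AdministratorPassword/Password blocks whose PlainText
    child is 'true', i.e. a cleartext password left in the answer file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) in ("AdministratorPassword", "Password"):
            flag = next((c for c in elem if _local(c.tag) == "PlainText"), None)
            if flag is not None and (flag.text or "").strip().lower() == "true":
                findings.append((path, _local(elem.tag)))
    return findings

# Constructed samples (not real files): a GPP Groups.xml fragment and an unattend.xml fragment.
GPP_SAMPLE = """<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="CONSTRUCTED-CPASSWORD-BLOB" userName="Administrator (built-in)"/>
  </User>
</Groups>"""

UNATTEND_SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>CONSTRUCTED-SAMPLE</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for hit in find_gpp_cpassword(GPP_SAMPLE, "Groups.xml"):
        print("GPP cpassword present:", hit)
    for hit in find_unattend_plaintext(UNATTEND_SAMPLE, "unattend.xml"):
        print("Cleartext password in answer file:", hit)
```

Any hit means the setting should be removed and the affected account's password rotated, since the file is readable by every domain user (SYSVOL) or anyone who can read the installation media.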