There are many password cracking tools available. Many are multi-featured. Some tools, like Hashcat, use the additional processing power of the computer's graphics card (GPU). Others, like John the Ripper, have the ability to coordinate cracking across multiple networked computers. Here are some common Windows password cracking techniques and tools:

Technique / Tools

Network brute forcing

  • Hydra
  • Medusa
  • Ncrack
  • AET2 Brutus
  • L0phtCrack
  • Metasploit modules such as:
      • auxiliary/scanner/ftp/ftp_login
      • auxiliary/scanner/telnet/telnet_login
      • auxiliary/scanner/smb/smb_login

Note: For some password dictionaries and rainbow tables, see https://github.com/ah8r/password-dictionaries and http://project-rainbowcrack.com/table.htm.

Dumping LSA secrets

  • Cain & Abel
  • Mimikatz
  • Metasploit module post/windows/gather/lsa_secrets
  • LSAdump
  • procdump
  • PWDumpX
  • secretsdump.py
  • Creddump
  • CacheDump
  • QuarksDump
  • gsecdump
  • hobocopy

Note: For more information on using PowerShell to decrypt LSA secrets, see https://blogs.technet.microsoft.com/heyscriptingguy/2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry/.

Online SAM cracking

  • Meterpreter hashdump
  • Metasploit modules:
      • post/windows/gather/credentials/credential_collector
      • post/windows/gather/hashdump
  • cachedump
  • samdump2
  • fgdump.exe
  • pwdump7.exe
  • gsecdump
  • PWDumpX
  • hobocopy

Impersonating user tokens

  • Meterpreter steal_token command (formerly Incognito)

Dumping Windows Vault passwords

  • Built-in Windows Credential Manager (for the user to manage their own credentials)
  • NirSoft VaultPasswordView

Kerberoasting

Some of these tools are used together and may require additional support tools:

Recovering the SYSKEY bootkey

  • bkhive
  • bkreg (pre-Service Pack 4 machines)

Dumping cached domain login information

  • Cain & Abel
  • creddump
  • Passcape's Windows Password Recovery
  • cachedump
  • fgdump
  • PWDumpX

Offline SAM cracking

  • Cain & Abel
  • John the Ripper
  • Hashcat
  • L0phtCrack
  • Ophcrack
  • vssown.vbs

Offline Active Directory cracking

  • ntdsutil.exe
  • VSSAdmin
  • PowerSploit NinjaCopy
  • DSInternals PowerShell module
  • ntds_dump_hash.zip
  • Metasploit modules:
      • post/windows/gather/ntds_grabber
      • post/windows/gather/ntds_location

Dumping GPP file cPasswords

  • Metasploit module post/windows/gather/credentials/gpp
  • PowerSploit Get-GPPPassword.ps1
  • gpprefdecrypt.py

Keylogging

  • Meterpreter keyscan_start and keyscan_dump commands
  • Various hardware-based USB keyloggers

Social engineering

  • Kali Social Engineering Toolkit (SET)
  • WiFi-Pumpkin

Dumping unattended installation answer file passwords

  • Text editor
  • Knowledge of and access to the file (typically in a shared folder on a Windows Deployment Services server)

Hard Drive overwriting

Figure: Cain & Abel exposing LSA secrets in plaintext