00:05Let's create a program that cracks Windows hashes.
00:09So first of all, if you have a Windows computer, you can dump hashes with Mimikatz.
00:14And what it will do, because it stores usernames and passwords, and how Windows stores them
00:21is using hashing, so NTLM hashes.
00:24It doesn't store the passwords in readable text, but in NTLM hashes.
00:28So how does this work?
00:30Given any input password, we just zoom in a bit, given any input password, it starts
00:36the NTLM hashing process, or the NTLM hashing algorithm, and gives you an output.
00:43So this is what it does for every password you set in a Windows computer.
00:48And the process is called NTLM hashing.
00:51So to be more clear, the hashing process is irreversible.
00:55So for example, if you have an apple, you can slice it, and this would be your hash.
00:59So given the apple juice, it's very hard to determine that it came from an apple from
01:06just the visual.
01:07And so this is the same with the hashing process.
01:10So given any hash, like this, it's also called a digest.
01:14It's very hard to find out that this is the original password, like you can't just reverse
01:19the process.
01:20So the process is a one-way process, where you have your passwords.
01:24It goes into your NTLM hash algorithm, and it creates your hash, so your gibberish output.
01:30And for every password that is unique, so for example, password1 here creates a different
01:36hash than password2.
01:38But the hashing program is of course the same, and it's very hard to do it in the reverse
01:43order.
01:43So given the hash, you can't just reverse the algorithm and get the password.
01:49Like in the real world, if you have apple juice, you can't just reverse the cutting and have
01:54an apple again.
01:55So that is what hashing is.
01:57Online you can generate some NTLM hashes, for example on this website.
02:04If I type some word here, let's say our password is password, click calculate NTLM hash, and you'll
02:10see this is how Windows would store it.
02:12Or if we type some other word, click calculate hash, and you'll see it creates a hash.
02:21Now the hash is totally unique for every word, and a small change will create a huge difference.
02:27For example, we'll hash 1234 and 12345, so, oh sorry, I need to do it one by one, 1234,
02:35four, so this is one hash.
02:38And now I'll do one, two, three, four, five, and you'll see a totally different hash.
02:43So when you use hashing, a unique input will generate a totally unique output.
02:50So how can we crack hashes if this process is not reversible?
02:54Well, one approach we can do is have a list of passwords, and for every line in
03:01that list, calculate the hash, and then compare the hash.
03:06So let's first do the NTLM hashes.
03:09You can use a module called passlib, so if this is not installed, install passlib.
03:15Then, you can use passlib to create hashes, so we'll just demonstrate that.
03:51So there we go, it's created a hash for the input passwords.
03:57Password, so password would be stored on Windows as this, and it's not time dependent when
04:00you hash, so it would always be the same hash.
04:03Now let's do some other hash.
04:06Let's say we hash this, run it, and you'll see the hash change completely.
04:11So this is how we can calculate Windows NT hashes, so using the passlib module.
04:16And what we'll do is write a program that does that for a word list.
04:19So we'll quit this, and open an editor here, open, and so you can create hashes like this
04:32just as you've just seen.
04:33And we'll open a word list called rockyou.txt.
04:38So this will just read the file line by line, let me comment this.
04:42And this file needs to be extracted in the same directory as your program, so you'll see if
04:48I have the file rockyou.txt here in the same directory as cracker.py which is my python program.
04:56This file can be found in /usr/share/wordlists, so /usr/share/wordlists on Kali Linux, and
05:02you'll have rockyou.txt.gz, and that's the /usr/share/wordlists word list.
05:09You can click right click, extract here, that will give you the text file.
05:17Then if we would run this program, you'll just see the output of every line in the file.
05:24So you'll see the output of every password in that file.
05:32Then what you can do is to hash every line.
05:35So you can say just is nthash.hash, and we'll hash the line.
05:44And for example just output that.
05:46So we have the line and the corresponding hash, the corresponding digest.
05:55Let's write again.
05:57And you'll see it's calculating the hash for every input.
06:05So you might want to tap in between.
06:09And you'll see some lower case here as well, so we'll make everything uppercase.
06:18So you'll see it calculates the hash for every word.
06:22And now whenever we have a hash, for example, as done by Mimikatz, so output hash, so like
06:28this one, we can compare that hash to the output here.
06:31And if it is matching, we know that the password has been found.
06:36So we can say if digest is equal to the password hash, the NTLM hash we found using Mimikatz,
06:46so the Windows hash.
06:51We can say found password line.
06:58And because now what happens is that the password from Mimikatz that we dumped, so this hash,
07:07now is the same as the one you found, or your program found in the wordlist.
07:12So save it and run it, and let's see if it cracks it.
07:17So you'll see lots of, it can take a long time before it's cracked.
07:23So just for example, we'll take a different password so that the cracking process is not
07:32going to take ages.
07:36So let's say the password was redford, so creating hash, so this is the hash we're looking for.
07:47Save it and now I'm going to run it.
07:51Save it and eventually it should break, and actually I don't have the break line here so it would
07:59just keep continuing, so we'd need to exit the program.
08:03So run it and you'll see it found the password redford.
08:08So now we have a simple Windows password cracker.
08:14You'll see that it just goes over the wordlist.
08:17So that's every word in this list.
08:22With the for loop it goes over every line and then calculates the hash.
08:26And it checks if the hash is the same as the hash we're looking for.
08:30So it's pretty basic but this is how it works, right?
08:36So if you have a Windows hash that you can dump using Mimikatz, you can find them, you can
08:43crack them with your own cracker now.