Project 12: Cracking Windows Password Hashes with Hashcat (15 pts)

What You Need for This Project

Task 12.1: Extract Windows Password Hashes (10 pts)

Creating a Windows Test User

On your Windows machine, click Start.

Type in CMD and press Shift+Ctrl+Enter.

If a "User Account Control" box pops up, click Yes.

In the Administrator command prompt window, execute this command, which creates a user named "jose" with a password of "P@ssw0rd".

net user jose P@ssw0rd /add

The command succeeds, as shown below.

Downloading and Installing 7-Zip

In a browser, go to

Download the correct version for your operating system, which is probably the 64-bit version, as shown below.

Install it with the default options.

Downloading and Installing Cain

In a browser, go to


Right-click the downloaded file, point to 7-Zip, and click "Extract Here", as shown below.

Enter a password of sam as shown below. Click OK.

Double-click the ca_setup file. Install the software with the default options, as shown below.

When you see the message below, asking whether to install WinPcap, click the "Don't install" button.


If you get a warning box saying "Found some malware", as shown below, you need to tell Windows Defender not to remove Cain.

At the lower left of the desktop, click the magnifying-glass "Search" icon and type DEFENDER. Open Windows Defender.

In Windows Defender, click Settings and turn off "Real-time protection" as shown below.

Close Windows Defender and run the ca_setup file again.

If this is your personal machine, remember to turn "Real-time protection" back on when you complete the project.

Installing WinPcap

In a browser, go to

Click "Installer for Windows", as shown below. Download and install the software with the default options.

Extracting Password Hashes with Cain

On your Windows desktop, right-click the Cain icon and click "Run as Administrator".

If a "User Account Control" box pops up, click Yes.

In Cain, on the upper set of tabs, click Cracker.

In Cain, move the mouse to the center of the window, over the empty white space.

Right-click and click "Add to list...", as shown below.

In the "Add NT Hashes from" box, accept the default selection of "Import Hashes from local system", as shown below, and click Next.

The password hashes appear, as shown below.

Understanding Password Hashes

There are two password hashes: LM Hashes and NT hashes.

LM hashes date from the 1980s, and are so weak that Microsoft no longer uses them. The LM hash values Cain shows are just dummy filler values that no longer include any information about real passwords.

NT hashes are Microsoft's "more secure" hash, used by Windows NT in 1993 and never updated in any way. As you will see, these hashes are also very weak and easily cracked, compared with Linux password hashes.

Cracking four Linux hashes took about 20 seconds using a dictionary of 500 words when I did it, but as you will see, you can crack four Windows passwords using a dictionary of 500,000 words in about a second. Windows password hashes are more than 10,000 times weaker than Linux hashes.

Notice that your NT password hash for "jose" starts with E19CC, just like mine, shown in the image above. This is because Microsoft doesn't add a random "salt" to passwords before hashing them. Every user on every Windows machine on Earth has the same hash if they are using a password of P@ssw0rd.

That means you can often crack Windows password hashes by just Googling them, as shown below, because many lists of common passwords and hashes have been uploaded to the Internet over the last 20 years.

However, in this project, we'll use hashcat, which is a very powerful way to crack passwords.

Exporting the Hash to a Text File

In Cain, right-click jose and click Export. Save the file with the name win1 in the default format (L0phtCrack 2.x file).

Open the file in Notepad.

Carefully highlight the NT hash for Jose, as shown below, right-click it, and click Copy.

12.1: Recording Your Success (5 pts)

Use the form below to record your success.

Password hash:

Task 12.2: Cracking a Hash with Hashcat (10 pts)

Pasting the Password Hash into Kali Linux

In your Kali Linux machine, in a Terminal window, execute these commands:

nano win1.hash

In the nano window, from the menu bar at the top, click Edit, Paste.

The hash appears, as shown below:

Press Ctrl+X, Y, Enter to save the file.

Getting a Wordlist

Kali Linux contains a list of approximately 500,000 commonly used passwords from the RockYou breach.

In a Terminal window, execute these commands to extract them:

gunzip /usr/share/wordlists/rockyou.txt.gz
head /usr/share/wordlists/rockyou.txt

You should see the first ten passwords, as shown below.

Getting Hashcat 2.00

Hashcat updated to 3.00 and it won't run in a virtual machine anymore. The simplest solution is to use the old version.

In a Terminal window, execute these commands:

mkdir hash
cd hash
7z e hashcat-2.00.7z
./hashcat-cli32.bin -V
./hashcat-cli64.bin -V

One of the hashcat versions returns an error message, and the other one works, returning the version number of "2.00".

Make a note of which version works on your system. I used a 64-bit Kali system, so the working version was hashcat-cli64.bin, as shown below.


If that download link doesn't work, right-click this link and save the file:

Cracking the Hash

In a Terminal window, execute these commands. You may need to use hashcat-cli32.bin on your system.

./hash/hashcat-cli64.bin -m 1000 -a 0 -o winpass1.txt --remove win1.hash /usr/share/wordlists/rockyou.txt

If you are prompted to agree to something, type YES and press the Enter key.

You see a message saying "All hashes have been recovered", as shown below.

Explanation: This uses hashcat with these options:

In a Terminal window, execute this command:

cat winpass1.txt

You should see the hash, with the cracked password of "P@ssw0rd" at the end, as shown below:

Getting the win2.hash List

In a Terminal window, execute these commands:

curl > win2.hash
cat win2.hash

You should see four password hashes, as shown below:

Cracking the Hashes

In a Terminal window, execute this command. You may need to use hashcat-cli32.bin on your system.

./hash/hashcat-cli64.bin -m 1000 -a 0 -o winpass2.txt --remove win2.hash /usr/share/wordlists/rockyou.txt

Execute this command:

cat winpass2.txt

You should see three passwords, including the one for the hash beginning with "32ff", which is covered by a gray box in the image below.

Enter the password for the hash beginning with "32ff" into the form below.

12.2: Recording Your Success (10 pts)

Use the form below to record your success.



Hashcat links updated 10-29-18