Ethical hacking: Breaking Windows passwords

October 15, 2019 by Howard Poston

Introduction to Windows passwords

Windows is the most common desktop platform currently in use. As a result, it is not uncommon for hackers to encounter a Windows password that they need to crack in order to gain access to a specific account on a machine or move laterally throughout the network.

In the past, Windows passwords were extremely easy to crack. The design of the original LANMAN password hashing algorithm had the following flaws:

  • Passwords limited to 14 characters
  • Forced all letters to uppercase
  • No salting
  • Passwords broken into two chunks and hashed separately

As a result, passwords stored in the LANMAN format were trivially easy to crack.

With NTLM, cracking Windows passwords is more difficult but still possible. NTLM is weaker than modern algorithms because it is based on the MD4 cipher. While it has been replaced by Kerberos for network authentication, NTLM is still used for saving passwords locally in the Windows SAM file.

Cracking Windows passwords

Since the Windows hash function is based on the weak MD4 algorithm, cracking these passwords is often easier than those protected by an equivalent modern cipher. Cracking a Windows password hash is a three-step process:

  1. Acquiring the hash
  2. Choosing a tool
  3. Choosing a cracking technique

For all of these stages, the best choice often depends on the details of the ethical hacking engagement and the intended target.

Acquiring password hashes

Windows password hashes can be acquired in a few different ways. 

The most common is taking them directly from the machine in question. Windows password hashes are stored in the SAM file; however, they are encrypted with the system boot key, which is stored in the SYSTEM file. If a hacker can access both of these files (stored in C:WindowsSystem32Config), then the SYSTEM file can be used to decrypt the password hashes stored in the SAM file. The SAM file is not directly accessible on a running Windows system, but it can be accessed via tools like Mimikatz or through the reg command (if the hacker has SYSTEM privileges).

Password hashes can also be stolen by taking advantage of authentication to a remote server. A hacker who sends a user a link pointing to a file on a hacker-controlled server can trick the target computer into trying to authenticate with the current login credentials. This allows a hacker to steal a password hash with a well-crafted phishing email.

Both of these techniques have their pros and cons. Stealing the Windows SAM file requires access to the target computer but can steal more password hashes in one go. A phishing attack allows an attacker to steal a hash remotely but may require an unpatched computer and access to certain ports through any firewalls that lie in the way.

Password cracking tools

The next step in the Windows password cracking process is selecting a password cracking tool. A variety of different Windows password crackers exist, including:

  • Hashcat: Free, open-source password cracker for all desktop operating systems with GPU support
  • John the Ripper: Available in free (all operating systems) or Pro (*nix operating systems) operating systems
  • Ophcrack: Password cracker designed for all operating systems that specializes in Windows password cracking

While all of these are functional tools, hashcat and John the Ripper are often most popular due to their support for a variety of different hash formats.

Choosing a cracking technique

Most Windows password cracking tools will allow any of the three main password cracking techniques. The choice of which technique to use depends mainly on the expected behavior of the target.

Dictionary attack

Most people use extremely weak passwords. The average person probably uses a dictionary word with common substitutions (0 for O, 4 for A and so on) and potentially a special character and a couple of numbers tacked onto the end. A password cracking tool with a standard English dictionary can crack these passwords without any difficulty.

For the slightly more advanced passwords, it’s useful to have a dictionary of the most commonly used passwords. These passwords have been exposed in the rash of recent data breaches and are available online either free or possibly for a price (for more curated lists). However, analysis of cracked passwords of 2018 found that 3% of people used the password 123456 and over 10% used the top 25 most common password, so, in many cases, an extensive list may not be necessary to gain access.

Brute-force guessing attack

Brute-force attacks are the only way to be certain of success at password cracking. By trying every possible password for a system, it’s guaranteed that you’ll find the right password. 

Strong password systems are designed to make this type of attack computationally unfeasible. However, Windows’s password storage systems have not kept up with password cracking technology. The minimum password length is commonly eight characters and allows the full range of letters, numbers, and special characters.

While this may have been secure in the past, it can now be defeated by a hacker with access to the right hardware and software. In February 2019, the team building hashcat stated that the tool can be used to search the entire space of eight-character passwords in about 2.5 hours. Since most users will choose the minimum length when creating a password (especially when capitals, lowercase, numbers and special characters may be required by configuration), this means that these passwords can be cracked in a few hours.

Hybrid attack

Dictionary and brute-force attacks make tradeoffs between speed and guarantee of success. Most tools also support a hybrid attack mode which performs a dictionary attack first and then switches to a brute-force attack if unsuccessful. A lot of subject-matter expertise and optimization goes into these tools, making them extremely effective at password cracking.

Conclusion: Breaking Windows passwords

Every Windows password hash can be cracked. However, the amount of time and resources that it takes may not be feasible for an ethical hacking engagement. Before firing up a tool and trying to crack a password, it’s always useful to leverage knowledge of the target to make the process easier.

Most users will do the minimum possible to fulfill an organization’s password requirements, so trying to learn those (whether through searching around or a social engineering phone call) may greatly decrease the time and effort spent trying to crack a particular password hash.



  1. Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs, The Register
  2. I can get and crack your password hashes from email, CSO
  3. The most popular passwords of 2018 revealed: Are yours on the list?, WeLiveSecurity
  4. LM, NTLM, Net-NTLMv2, oh my!, Medium
Posted: October 15, 2019


We've encountered a new and totally unexpected error.

Get instant boot camp pricing

Thank you!

A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.

Articles Author
Howard Poston
View Profile

Howard Poston is a cybersecurity researcher with a background in cryptography and malware analysis. He has a Master’s degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity R&D at Sandia National Labs. He currently provides consulting and technical content writing for cybersecurity, cryptocurrency, and blockchain.