In Windows, local user account password hashes are stored in the Security Account Manager (SAM) database, which is located in the "C:\Windows\System32\config" directory. The SAM database is a part of the Windows registry and is protected by file permissions and access controls, which makes it inaccessible to regular users.
To get the password hashes from the SAM database, an attacker would typically need to gain access to the system and either extract the SAM database directly or use a tool that can extract the hashes from the registry.
One way we can achieve this is by using the Metasploit framework and the "hashdump" command built into Meterpreter:
meterpreter > hashdump
Once we are able to obtain password hashes from a Windows machine, the output may look something like the line below:
Andy:1002:aad3b435b51404eeaad3b435b51404ee:3a0ae9331c2a3d2153bf268aa521a360:::
From this we can see the username, the relative identifier (RID), the LM hash, and the NT hash, separated by colons.
The aad3b435b51404eeaad3b435b51404ee value is the hexadecimal representation of a blank LM password and is what appears when LM hashing is not in use.
The hashed characters after the blank LM hash are the NT hash of the user's password.
Cracking Windows hashes works the same way as any other hash type, and we can use John the Ripper as in this video. The command would be similar to the one below, where <hash file> is a file containing the dumped lines:
john --format=NT --wordlist=<wordlist> <hash file>
It is also possible to understand the output and the potential value of each user account by looking at the RID value. RID values are used to identify a security principal relative to the local or domain security authority. User accounts that have been created after the OS has been installed start with a RID of 1000.
Important RID values
Administrator – RID is always 500
Guest – RID is always 501
User account – RID is always above 1000
The benefit of understanding this output is that we are able to spot the high-privilege account regardless of the account name.
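As an added example that is not part of the original post, the Python below parses dump lines in the user:RID:LM:NT::: layout shown above and applies the RID rules from the list, flagging the built-in Administrator by RID rather than name, accounts that still store a real LM hash, and accounts sharing the same NT hash. The sample dump is constructed and its hash values are not real.

```python
import re
from collections import defaultdict

# Hex value hashdump prints in the LM field when no LM hash is stored (blank LM password).
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample dump in the user:RID:LM:NT::: layout; hash values are placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
Andy:1002:aad3b435b51404eeaad3b435b51404ee:3a0ae9331c2a3d2153bf268aa521a360:::
backup:1003:0123456789abcdef0123456789abcdef:3a0ae9331c2a3d2153bf268aa521a360:::
"""

# username : RID : 32 hex LM : 32 hex NT : : :
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_dump(text):
    """Parse hashdump-style lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries

def classify_rid(rid):
    """Map a RID to the account class described in the text (500, 501, 1000+)."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "user-created account"
    return "other well-known principal"

def audit(entries):
    """Return findings a defender cares about: RID 500 accounts, LM hashes present, NT hash reuse."""
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
        if e["rid"] == 500:
            findings.append(f"{e['user']}: RID 500, built-in Administrator regardless of name")
        if e["lm"] != BLANK_LM:
            findings.append(f"{e['user']}: real LM hash stored (LM hashing still enabled)")
    for nt, users in by_nt.items():
        if len(users) > 1:
            findings.append(f"NT hash {nt[:8]}... shared by {', '.join(users)} (password reuse)")
    return findings
```

Running audit(parse_dump(SAMPLE_DUMP)) on the constructed dump reports the Administrator account, the backup account's LM hash, and the NT hash shared by Andy and backup.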