
Is it possible to break a Windows encrypted SAM file where passwords are stored if you have the physical drive offline?

Thanks

1 Answer

Yes, you can use cachedump (to dump cached credentials) and pwdump (to dump password hashes out of the SAM file) in combination with the system hive. You should have access to both files on the hard drive. You can then crack the hashes with hashcat or John the Ripper.

See https://tools.kali.org/password-attacks/creddump for more details/examples.

LTPCGO
wireghoul
  • Well, John is very nice to test for poorly chosen passwords, but facing a decent one, brute force is the only way, and it can take a rather loooong time... – Serge Ballesta Jan 06 '20 at 15:15
  • What's your point? Brute forcing long passwords is slow, OP didn't ask how long it would take. Both jtr and hashcat can do wordlists, rules and brute force and both can use GPU. Benchmarks may vary by some amount – wireghoul Jan 06 '20 at 18:14
  • @Serge Windows passwords are hashed pretty much everywhere they are stored, whether on disk or in memory. This is the default behavior on modern Windows versions. Cracking comes with the territory, and wordlists with masks/rules are the norm these days – DoubleD Jan 06 '20 at 18:42
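
An added example, not part of the original answer or comments and not code from creddump: before any cracking is attempted, a dump taken from your own machine can be audited for the weaknesses that make offline recovery easy. It assumes the pwdump text format `user:rid:lm:nt:::`; the function names and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Well-known LM and NT hashes of the empty string; dump tools print them as-is.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format. Apart from the two constants above,
# the hash values are made-up hex, not real credentials.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
not a pwdump line
"""

HEX = set("0123456789abcdef")

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) per well-formed line; other lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid = parts[0], int(parts[1])
        lm, nt = parts[2].lower(), parts[3].lower()
        # Only accept fields that are exactly 32 hex digits.
        if all(len(h) == 32 and set(h) <= HEX for h in (lm, nt)):
            yield user, rid, lm, nt

def audit(text):
    """Report blank passwords, stored LM hashes, and NT hashes shared by accounts."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
            continue
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)  # legacy LM hash is present
        by_nt[nt].append(user)
    # NT hashes are unsalted, so identical hashes mean identical passwords.
    findings["shared_nt_hash"] = sorted(sorted(u) for u in by_nt.values() if len(u) > 1)
    return findings

if __name__ == "__main__":
    for kind, users in audit(SAMPLE).items():
        print(kind, users)
```

Accounts flagged here are the ones to fix first: set a password, disable LM hash storage, and give each account a distinct password.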