
I am having a real issue cracking one NT hash I've pulled from my system for a Microsoft Account.

I used PwDump8.2. I have an admin account unlocked on the system and can access most files. I know pieces of the password, so I have used John the Ripper (Jumbo):

john --wordlist=F:\Mutatewordlist.txt --format=NT hash.txt --fork=10

to run extensive mask wordlist attacks, as well as running incremental, which took just over 24 hours to "complete" (the .pot file is empty).

Can anyone help me understand what I have done wrong and how I can do this properly to get back into my main account? If someone could test PwDump on their own Microsoft Account and verify that it is outputting the correct NTLM hash, that would settle my mind a bit.

Patho
  • Is the account for which you are trying to get the password logged out, or is it logged in but locked? If it is logged in but locked, you might be able to extract the password from memory in plaintext using [mimikatz](https://github.com/gentilkiwi/mimikatz). Even if it is logged out, it will give you the hash, which you can compare with the one you got from PwDump. – nobody Nov 21 '21 at 20:20
  • The account is logged off. I've used both mimikatz and pwdump8 to cross-check and they are both giving me the same hash, but after all the failed attempts I've started to think they are both outputting a bogus hash. I've just added a password to this local admin account and its hash cracked fine. I don't know if Microsoft accounts have extra layers of protection or not. I even went so far as to run a 100 GB wordlist through JTR and even that failed -_- – Patho Nov 21 '21 at 20:35
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Nov 22 '21 at 01:50

1 Answer

The credentials for Microsoft accounts are more complicated than simple NTLM. If you're using a Windows Hello PIN to log on (which I believe is the default now) the underlying NTLM hash returned when dumping credentials will not necessarily be correct.

Instead, you need to crack the WINHELLO hash. There's some background on doing this here. Hashcat supports cracking WINHELLO passwords using -m 28100 as the hash type specifier in the command line flags.

Polynomial
  • This is also relevant in regard to Windows 10 passwords: https://security.stackexchange.com/questions/157922/how-are-windows-10-hashes-stored-if-the-account-is-setup-using-a-microsoft-accou - the hash format changed a while back and many older tools will either dump the wrong hash or fail to dump a hash at all. – Polynomial Nov 21 '21 at 21:59
  • So the program you suggested seems to find the PIN GUID but it's failing to decrypt it. Any idea what I might have missed? [ScreenDMP](https://i.ibb.co/Bg7scPP/123123.png) |TopRight Green = User filename | Topleft Green = PIN GUID + Account Username | Bottom Green = PIN GUID failing – Patho Nov 22 '21 at 05:53
  • No idea on that one, unfortunately. You might have to ask on the Hashcat forums. – Polynomial Nov 22 '21 at 12:10