hashcat Archives

If you don’t know how to run hashcat on Windows Subsystem for Linux, meaning that you want to use the Linux bash command line interpreter directly on your Windows desktop, there is a possibility to get the full potential out of hashcat and the OpenCL acceleration of your GPU (nVidia, AMD) .

This tutorial assumes that you already have the Windows Subsystem for Linux installed on your Windows 10 system.

If you don’t have it, just do the following:

Click the Windows 10 start button
Search for “turn Windows features on or off”. Open it.
Locate “Windows subsytem for Linux”. Check it.
Click, OK/Apply
Reboot
Go to the Windows Store and search for Ubuntu, Kali Linux or any other Linux distro you find there.
Install it!
You are ready to continue.

Installing the Windows subsytem for Linux.

Now, truth be told, there are simpler ways to run hashcat: directly on a Linux or Windows host.

This can be achieved by downloading and installing the latest hashcat release from the hashcat website and by installing the latest nVidia or AMD driver.

So, if you just like to over-complicate things or you need something to work on (like me), just follow along.

The first step that I did, as any normal Linux user would, I installed hashcat and the nVidia drivers directly from the bash shell:

sudo apt install hashcat nvidia-384

The installation went smoothly, but hashcat would not recognize the GPU and this was not acceptable to me because the GPU (GTX 1060 M) is 10 times faster than my Intel i9 CPU.

So what I ended up doing was to download the latest hashcat release directly to my Windows Desktop. Unpack the archive (using 7zip).

And now comes the weird part. Did you know that the Windows Subsystem for Linux can run Windows binaries out of the box? I didn’t. Until now.

So what I ended up doing was to run the Windows hashcat binary directly from bash. Confusing, isn’t it?

Here’s me navigating to the Windows hashcat binary folder and running the crack session:

cd /mnt/c/Users/nixware/Desktop/hashcat-5.1.0

./hashcat64.exe -a 0 -m 5100 C:/Users/nixware/Desktop/hashcat-5.1.0/test.hash d:/wordlists/wordlist.txt -w 3 --status

Running hashcat on the Windows subsytem for Linux.

As you can see, you will find your C: or D: drives in /mnt directory of the Windows Subsystem for Linux.

As for the cracking speed of the GPU via the subsytem and bash, I can confirm that there is no difference between running directly on a Linux/Windows guest system and the Windows Subsystem for Linux.

If you receive an “Token length exception” error, please check this article.

And that is it. Happy cracking session

The SAM file is locate in C:\Windows\System32\config and stores all Windows account password encrypted.

The problem is that you cannot copy or tamper the file while the file system is mounted.

This leaves us with at least 2 options: copy the SAM and SYTEM files from a Linux live CD or by having a copy of those files in a backup.

I have the backup and I copy the 2 files to my Kali Linux machine.

I recover the NTLM hashes by issuing the following command:

root@kali:~# /usr/bin/samdump2 /root/Desktop/SYSTEM /root/Desktop/SAM
user1:1000:aad3b435b51404eeaad3b435b51404ee:f9a14effe4a24ceb1cf0b2e8e9e7e9f9:::
root@kali:~#

The backup is from a Windows 7 version and that means that we are seeing NTLM v.2 hashes, which translates to the fact that only the last part of the hashes are useful.

So we need to convert to uppercase the bold part by using 2 BASH commands:

cristi@ubserver-nv:~/hashcat$ STRING=’f9a14effe4a24ceb1cf0b2e8e9e7e9f9‘
cristi@ubserver-nv:~/hashcat$ echo $STRING | awk ‘{print toupper($0)}’
F9A14EFFE4A24CEB1CF0B2E8E9E7E9F9
cristi@ubserver-nv:~/hashcat$

Copy the uppercase version to a text file and start hashcat:

crs@ubsv:~$ ./hashcat -m 1000 -a 3 ./ntlm.txt -w 3 –status

Good luck!

Tag Archives: hashcat

How to run hashcat on Windows Subsystem for Linux

Crack the Windows SAM file from a backup filesystem