Hacking & Cracking Windows Password by Just a PDF File

Passwords are always our first and, in cases, sole line of protection from attackers. If an intruder does not possess direct accessibility to a system, they may also use the remote desktop interface to connect to a server or a system. Windows Password hacking and cracking are the most important topic amongst hackers and pentesters. This article discusses the steps to capture NTLM hash of a windows machine and how to crack this password using John the Ripper.

First Thing First, what is NTLM Hash?

Microsoft’s Windows New Technology LAN Manager (NTLM) is a set of protocols that allows hosts to verify their identification while also protecting the privacy and confidentiality of their data. NTLM is the replacement for Microsoft LAN Manager (LANMAN), an earlier Microsoft product.

A security support provider that incorporates the LAN Manager identification protocol, NTLMv1, NTLMv2, and NTLM2 session protocols in a standard bundle, implements the NTLM protocol set. NTLM uses a challenge-response process for user authentication. NTLM uses a three-way handshake:

  • Client -> Negotiation Message.
  • Server – > Challenge Message.
  • Client – > Authentication Message.

The NTLMv2 one-way function uses the NT MD4 algorithm. The 128-bit hash lengths function on both local and server accounts. The NTLM protocol utilizes either of two hashed password values, which are both kept on the server and are password identical due to a lack of salting, indicating that you can validate without having the genuine password if you catch the hash value from the server.


So, Is There Any Tool to Retrieve NTLM Hash?

GitHub tool Bad-PDF generates a malicious PDF document to capture NTLM (NTLMv1/NTLMv2) Hashes from windows systems, it does so by exploiting a loophole discovered by the checkpoint group. Through Responder listener, Bad-Pdf checks the NTLM hashes.

Retrieve NTLM Hash

Interesting, What About Lab Requirement?

To practice this vulnerability, all you need is:

Attacker VM – > Kali Linux.

Victim VM – > Windows 10.

What About Lab Requirement

Let Us Capture NTLM Hashes

  • Clone the Bad-PDF package from GitHub on the Kali Linux desktop. Change directory to the cloned git and give rights to Bad-PDF python file to execute.

Capture NTLM Hashes

  • Run the python file. The python file connects with the responder using a usr/sbin/responder
  • Enter Kali Linux VM IP in network IP.
  • Enter the output file name and interface name.

(Always name payload after some familiar file, so the victim can click on it without getting suspicious)

You will find the created malicious pdf file in the Bad-Pdf folder.

Capture NTLM Hashes 2

  • Transfer the malicious Pdf file into the victim machine. I use cifs-utils to move files from attacker to victim or vice versa. You can also transfer the malicious file with different methods like email.

Capture NTLM Hashes 3

  • Once the victim clicks the PDF file, their NTLM hashes get to capture. You can notice in the screenshot the username of the victim along with its NTLM hash.
  • Save the captured hash in a text document on the Kali Linux desktop to crack the password.

Capture NTLM Hashes 4

Capture NTLM Hashes 5

  • Use John the ripper to crack the hash. Boom, you retrieved the password of Windows 10 Admin.

Capture NTLM Hashes 6

Final Thoughts

Kerberos, like NTLM, is another authentication protocol that makes windows password hacking difficult. NTLM focus on password hashing, a one-way method that generates a piece of text from input data. Kerberos makes use of encryption, a two-way mechanism that encrypts and decrypts data using an encryption/decryption key. NTLM acts as a backup to the Kerberos protocol, which is currently Microsoft’s default authentication tool. If Kerberos refuses to verify the user, the device will fall back to NTLM.

Sana Qazi
Sana Qazi is a technical writer specialized in Information Security. She enjoys writing about technology and reading multiple genres like suspense. When not writing, she can be found traveling, dinning out, watching series etc. She manages her medium blog as well.

Most Popular

Android Tips and Tricks for Getting the Most from Your Phone

Gone are the days when phones were only used to make phone calls and send text messages; nowadays, smartphones are more akin to a...

What Proxies Are For

When you cannot access certain sites or hide your identity, you need a tool for that. For example, the USA proxies are in demand...

Mobile Device Safety: Keeping your phone safe from intrusion

You might have heard that the iPhone is almost completely impossible to hack or that Samsung devices have some of the best firewalls in...

How to Detect Phishing Mails and Websites

Not long ago, phishing websites and mails looked quite unprofessional, they were peppered with spelling mistakes and had a distrustful design. Nowadays the digital...