Hacking Windows 10: How to Dump NTLM Hashes & Crack Windows Passwords

Windows 10 passwords stored as NTLM hashes (or, more specifically, NT hashes) can be dumped and exfiltrated to an attacker's system in seconds. The hashes can be very easily brute-forced and cracked to reveal the passwords in plaintext using a combination of tools, including Mimikatz, ProcDump, John the Ripper, and Hashcat.


Before we get to any of that, let's discuss the Local Security Authority Subsystem Service, or LSASS, an essential part of the Windows operating system.


LSASS is responsible for authoritative domain authentication, Active Directory management, and enforcing security policies. It runs the processes responsible for authenticating users with NTLM and for verifying that logins are valid. Because it's so crucial to the functionality of the operating system, hackers will often rename malicious executables after the process.


Mimikatz & ProcDump


Mimikatz, created by gentilkiwi, can be used to extract password hashes, Kerberos tickets, and PIN codes from Windows 10's memory. Since its creation, Mimikatz has made headlines worldwide and become notorious for its ability to extract sensitive credentials from a running Windows computer.


Today, Windows Defender and antivirus software have become increasingly effective at detecting Mimikatz executions and signatures (shown below).
