System Hacking: How Attackers Target Windows Authentication and Passwords

Introduction

Understanding how attackers target authentication systems is foundational to building defences against them. This post covers the mechanics of Windows password storage, the NTLM and Kerberos authentication protocols, and the full spectrum of password-cracking techniques — from low-tech shoulder surfing to sophisticated Kerberos abuse. Everything here is documented for educational and defensive purposes.

How Windows Stores Passwords

Windows never stores passwords in plain text. When a user sets a password, it is run through a hashing algorithm and the resulting hash is stored in the Security Account Manager (SAM) database. In domain environments, hashes are stored in the Active Directory database on the domain controller instead.

Two hash formats are relevant here. The older LM hash is cryptographically weak and largely disabled on modern systems. The NTLM hash (NT hash) is the current standard. Both can be extracted from a compromised system using tools designed for that purpose.

A tool commonly demonstrated in security training is pwdump7, which extracts LM and NTLM hashes from the SAM database of local accounts. Other tools used in this space include Mimikatz, DSInternals, Hashcat, and PyCrack — each serving a different stage of the credential extraction and cracking workflow.

NTLM Authentication: The Challenge-Response Flow

NTLM authentication does not transmit the password over the network. Instead, it uses a challenge-response mechanism to verify that the client knows the password without revealing it. The sequence works as follows.

The user types their password into the logon window. Windows immediately runs it through the hash algorithm, producing the NTLM hash. The client sends a login request to the Domain Controller. The DC responds with a randomly generated logon challenge — a nonce. The client uses its stored NTLM hash to compute a response to that challenge and sends it back. The DC performs the same computation using the hash it has stored, and if the two responses match, authentication succeeds.

The critical implication is that the hash itself can be used to authenticate — the plaintext password is never required after the initial hashing step. This is the foundation of the Pass-the-Hash attack covered later.

Microsoft has since moved its default authentication protocol to Kerberos, which provides stronger security for client/server environments than NTLM. NTLM is retained for backwards compatibility.

Kerberos Authentication

Kerberos replaces the direct challenge-response exchange with a ticket-based system mediated by a Key Distribution Center (KDC). The KDC consists of two components: the Authentication Server (AS) and the Ticket Granting Server (TGS).

When a user logs in, the client sends a request to the AS. The AS responds with a Ticket Granting Ticket (TGT) encrypted with the user's password hash. The client presents this TGT to the TGS to request a service ticket for a specific application. The TGS issues the service ticket, which the client then presents to the application server to gain access. The application server verifies the ticket and confirms the client is who they claim to be.

This architecture means that the user's credentials are only verified once at login. All subsequent resource access uses tickets — the password hash never traverses the network again. It is a more robust model than NTLM, but as the attacks below demonstrate, it is not without its own weaknesses.

Password Cracking: The Attack Categories

Attackers use four broad categories of password attack, each with a different threat model.

Non-electronic attacks require no technical knowledge. Shoulder surfing means observing someone enter their password directly. Social engineering manipulates people into revealing credentials voluntarily. Dumpster diving recovers written passwords or sensitive documents from physical waste. These are low-tech but consistently effective.

Active online attacks involve the attacker directly interacting with the target system — attempting logins, injecting payloads, or intercepting authentication in real time. This category includes dictionary attacks, brute-force attacks, hash injection, keyloggers, password spraying, and Kerberos-specific attacks.

Passive online attacks gather credentials without communicating with the authorising system. Wire sniffing captures network traffic containing authentication data. Replay attacks intercept and reuse captured authentication tokens. Man-in-the-middle attacks position the attacker between client and server to intercept the exchange.

Offline attacks involve copying the password file or hash database and cracking it on the attacker's own hardware, away from any network defences. Rainbow table attacks and distributed network attacks fall into this category.

Dictionary, Brute-Force, and Rule-Based Attacks

These three attack types represent the primary methods for cracking password hashes once they have been obtained.

A dictionary attack loads a wordlist — a file containing millions of common passwords, phrases, and variations — into a cracking tool and tests each entry against the captured hash. It is fast and highly effective against weak or common passwords. The rockyou.txt wordlist, containing over 14 million passwords from a historical data breach, is the standard starting point.

A brute-force attack makes no assumptions about the password. It systematically tries every possible combination of characters until a match is found. It is computationally expensive and slow against long passwords, but guarantees a result given sufficient time and hardware.

A rule-based attack is used when the attacker has partial knowledge of the password — for example, knowing that the organisation requires a capital letter and a number. Rules are applied to a base wordlist to generate variations: capitalising the first letter, appending numbers, substituting characters. This combines the speed of dictionary attacks with broader coverage.

John the Ripper is a widely used tool for all three approaches. A typical workflow against captured NTLM hashes on a Linux system looks like this.

# Step 1 — Generate a customised wordlist using john.conf rules
john --rules --wordlist=/path/to/rockyou.txt --stdout > /path/to/output_wordlist.txt

# Step 2 — Run John against the captured NTLM hashes
john --rules --wordlist=/path/to/output_wordlist.txt --format=NT /path/to/ntlm_hashes.txt

# Step 3 — Display cracked passwords
john --show --format=NT /path/to/ntlm_hashes.txt

The john.conf configuration file controls the mutation rules applied to the wordlist. Customising these rules to reflect the target organisation's password policy significantly increases the hit rate.

Pass-the-Hash (PtH) Attack

Pass-the-Hash exploits the fundamental property of NTLM authentication identified earlier: the hash itself is sufficient to authenticate. An attacker does not need to crack the hash to impersonate the user — they only need to obtain and use it.

The attack sequence is as follows. A user with domain admin privileges logs on to a workstation. The attacker compromises a server on the network using a local or remote exploit. They extract the logged-on domain admin account hash from the SAM file — it is present in memory because the admin authenticated to that server. The attacker then injects this hash into a new local session and uses it to authenticate directly to the domain controller, gaining full domain admin access without ever knowing the plaintext password.

This attack is particularly powerful because it bypasses password complexity requirements entirely. A 20-character random password provides no additional protection once the hash has been extracted. Defences against PtH attacks focus on limiting the exposure of privileged account hashes — through Credential Guard, restricted admin mode, and tiered administration models.

LLMNR/NBT-NS Poisoning

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Windows name resolution protocols used as fallbacks when DNS cannot resolve a hostname. They broadcast queries on the local network segment asking if anyone knows the address of a given host.

An attacker on the same network segment listens for these broadcasts. When a victim machine sends an LLMNR or NBT-NS query for a non-existent hostname — often triggered by a misconfigured application or a mistyped network path — the attacker responds, claiming to be the requested host. The victim machine, believing it has found what it was looking for, begins an NTLM authentication handshake with the attacker. The attacker captures the resulting NTLMv2 hash.

The tool Responder automates this attack entirely. The captured NTLMv2 hash can then be cracked offline or used in a relay attack. The defence is straightforward: disable LLMNR and NBT-NS via Group Policy if they are not required, and enable SMB signing to prevent relay attacks.

AS-REP Roasting: Cracking Kerberos Passwords

AS-REP Roasting targets a specific Kerberos misconfiguration. Normally, Kerberos requires the client to prove knowledge of their password during the initial authentication request — this is called pre-authentication. Certain legacy or misconfigured accounts have the "Do not require Kerberos pre-authentication" option enabled.

For these accounts, the Authentication Server will respond to any unauthenticated request with a TGT encrypted with the user's password hash — no proof of identity required. An attacker can request this ticket for any vulnerable account and receive an encrypted blob derived from the user's password hash. This blob can then be taken offline and cracked.

# Extract the TGT hash for accounts with pre-auth disabled
python3 GetNPUsers.py DOMAIN.COM/ --no-pass --usersfile users.txt -dc-ip 10.10.1.22

# Crack the extracted hash offline with John the Ripper
john --wordlist=/path/to/rockyou.txt hash.txt

A successful AS-REP Roasting attack yields the plaintext password for the targeted account. If that account has elevated privileges, the attacker can move laterally through the network or escalate to full domain compromise. The fix is simple: enable Kerberos pre-authentication on all accounts. There is rarely a legitimate reason to disable it.

Defensive Takeaways

The attacks covered here share a common thread — they exploit weak configurations, reused credentials, and the inherent properties of legacy authentication protocols. The practical defences are well understood.

Enforce strong, unique passwords and use a password manager. Disable NTLM where possible and enforce Kerberos. Enable Kerberos pre-authentication on all accounts. Disable LLMNR and NBT-NS via Group Policy. Deploy Credential Guard on Windows endpoints to protect hashes in memory. Use tiered administration — domain admin credentials should never touch workstations or internet-facing systems. Monitor for anomalous authentication patterns, particularly off-hours logons and lateral movement between servers.

Understanding how these attacks work at a technical level is the most direct path to building environments that are resilient against them.