A hash is a fixed-length string generated by a cryptographic algorithm from input data, such as a password. In Windows systems, hashes are used to store and verify user credentials without exposing the actual passwords. Hash functions are designed to be one-way, meaning it is computationally infeasible to reverse the hash back to the original data. However, attackers often attempt to extract and crack these hashes to gain unauthorized access.

Windows systems primarily use the following hash types:

• NTLM (NT LAN Manager): An older authentication protocol that uses MD4-based hashes. Despite being deprecated, NTLM hashes are still present for backward compatibility.
• Kerberos: A modern authentication protocol that uses ticket-based authentication and stores password-derived keys (hashes) for ticket encryption and decryption.
• LM (LAN Manager): An obsolete and insecure hash used in legacy systems.
• DPAPI (Data Protection API): Used for encrypting sensitive data, sometimes involving user credentials.

For a deeper dive into hash algorithms, see the NIST Glossary or explore Hash Algorithms Explained: Secure Password Storage.

In Windows authentication, hashes serve as a secure representation of user passwords. During login, the entered password is hashed and compared to the stored hash. If the hashes match, access is granted. This process is fundamental to both NTLM and Kerberos protocols, ensuring that plaintext passwords are never transmitted or stored. For more detail on how NTLM hashes work, see Understanding NTLM: A Comprehensive Guide to its Mechanisms and Security Implications.

Extracting password hashes from Windows systems is a sensitive operation that should only be performed under explicit authorization. Legitimate scenarios include:

• Password recovery for users who have lost access
• Penetration testing with written client consent
• Incident response and forensic investigations
• Security audits and compliance checks

Always ensure you have proper authorization and adhere to organizational policies and legal requirements. For more, refer to SANS Ethical Guidelines or review Legal Password Testing: Stay Compliant in 2025.

Unauthorized extraction of password hashes is illegal and unethical. It can result in:

• Criminal prosecution under laws such as the Computer Fraud and Abuse Act (CFAA)
• Termination of employment and loss of professional certifications
• Reputational damage and civil liability

Always operate within the bounds of the law and obtain explicit permission before extracting hashes.

To extract hashes from a Windows system, you typically need administrative privileges or SYSTEM-level access. This is because sensitive files and memory locations containing hashes are protected by the operating system. Attempting extraction without sufficient privileges will fail or trigger security alerts.

Several tools are commonly used for hash extraction:

• Built-in Windows utilities (e.g., reg.exe, cmdkey)
• Mimikatz – A powerful open-source tool for extracting credentials from memory
• pwdump – Extracts password hashes from the SAM database
• LSA Secrets Dumper – For extracting LSA secrets
• ProcDump – Dumps process memory for offline analysis

Always download tools from reputable sources and verify their integrity. For a curated list, see MITRE ATT&CK: Credential Dumping or refer to the Password Recovery Tools 2025: Top Picks Ranked.

NTLM hashes are stored in the SAM (Security Account Manager) database, located at C:\Windows\System32\config\SAM. The SAM file is locked while Windows is running, but hashes can also be found in memory (e.g., LSASS process) and in registry hives.

While Windows does not provide direct tools for hash extraction, you can use built-in utilities to export registry hives for offline analysis:

reg save HKLM\SAM C:\temp\SAM
reg save HKLM\SYSTEM C:\temp\SYSTEM

These files can then be analyzed with third-party tools to extract NTLM hashes. Note that administrative privileges are required.

Mimikatz and pwdump are widely used for extracting NTLM hashes:

• Mimikatz: Run as administrator and use the following commands:

  privilege::debug
  lsadump::sam
  

  This will display NTLM hashes for local accounts. For more, see the Mimikatz GitHub repository.
• pwdump: Extracts hashes directly from the SAM database. Usage:

  pwdump7.exe > hashes.txt
  

  The output can be used for offline password cracking. For advanced cracking techniques, you can refer to the Password Cracking Guide 2025: 5 Latest Techniques.

Always use these tools responsibly and only on systems where you have authorization.

To defend against NTLM hash extraction:

• Disable or restrict NTLM authentication where possible (Microsoft Guidance).
• Use strong, unique passwords for all accounts.
• Enable LSASS process protection (RunAsPPL).
• Limit administrative privileges and use Credential Guard.
• Monitor for suspicious access to SAM and LSASS.

For more defensive strategies, consult the CIS Controls: Credential Access Protection.

Kerberos is a ticket-based authentication protocol used in modern Windows domains. It relies on secret keys derived from user passwords to encrypt and sign authentication tickets. These keys (hashes) are stored in memory and used to generate and validate TGTs (Ticket Granting Tickets) and TGSs (Service Tickets). If you want to learn more about how Kerberos secures authentication, see Understanding Kerberos 5: A Comprehensive Guide to Secure Authentication.

Kerberos hashes and tickets are not stored on disk in a retrievable format but reside in memory, primarily within the LSASS process. Key files and locations include:

• LSASS process memory (lsass.exe)
• Kerberos ticket cache (in user session memory)
• Active Directory database (for domain controllers)

For more on Kerberos internals, see Microsoft Kerberos Authentication Overview.

To extract Kerberos hashes, you need to dump tickets from memory. This is typically done by:

• Dumping the LSASS process memory using tools like ProcDump:

  procdump -ma lsass.exe lsass.dmp
  

• Analyzing the memory dump with Mimikatz:

  sekurlsa::tickets
  sekurlsa::kerberos
  

  These commands display Kerberos tickets and keys in memory.

For more, refer to CrowdStrike: Dumping Process Memory.

Popular tools for Kerberos hash extraction include:

• Mimikatz: The sekurlsa::kerberos and sekurlsa::tickets modules extract Kerberos tickets and keys.
• Rubeus: A C# tool for Kerberos abuse and ticket extraction. Usage example:

  Rubeus.exe dump

  For more, see the Rubeus GitHub repository.
• Impacket: Python library for Kerberos ticket extraction and manipulation. See Impacket on GitHub.

To mitigate Kerberos hash extraction risks:

• Enable LSASS protection (RunAsPPL).
• Use Windows Defender Credential Guard to isolate secrets.
• Apply the latest security patches and updates.
• Restrict administrative access and use secure workstations for privileged accounts.
• Monitor for suspicious memory access and ticket dumping activity.

For more, see CISA: Kerberos Attacks and Defenses.

Extracted password hashes are highly sensitive and must be handled with extreme care:

• Limit access to authorized personnel only.
• Use encrypted storage and secure transfer methods (e.g., SFTP, encrypted USB drives).
• Log all access and actions involving hashes.
• Do not share hashes via insecure channels (e.g., email, chat).

For data handling standards, see ISO/IEC 27001. To check the strength of extracted passwords, you might use a password strength checker.

When storing extracted hashes:

• Encrypt files using strong algorithms (e.g., AES-256).
• Store in secure, access-controlled environments.
• Implement strict retention policies—delete hashes when no longer needed.
• Use secure deletion tools to prevent recovery of deleted files.

For secure disposal guidelines, refer to NIST Guidelines for Media Sanitization.

Modern Windows systems employ various security mechanisms to prevent hash extraction:

• Protected Process Light (PPL): Prevents unauthorized access to LSASS memory.
• Credential Guard: Isolates secrets in a secure environment.
• Antivirus and EDR solutions: Detect and block hash dumping tools.

To bypass these, attackers may attempt to:

• Use kernel-level exploits (illegal and highly discouraged).
• Boot into offline environments (e.g., WinPE) to access files.
• Exploit misconfigurations or outdated systems.

For defenders, ensure all protections are enabled and up to date. See CrowdStrike: Endpoint Detection and Response. For insight into how brute-force and other password attack strategies are evolving, read about Bruteforce Attack Limits: Calculate Time Needed.

Some hashes may be encrypted or protected by additional security layers:

• Use SYSTEM and SAM hives together to decrypt protected hashes.
• For domain accounts, hashes are stored in the NTDS.dit file on domain controllers, requiring specialized tools (e.g., ntdsutil, secretsdump.py from Impacket).
• If hashes are inaccessible, verify permissions and check for security software interference.

For more, see MITRE ATT&CK: LSASS Memory.

To reduce the risk of hash extraction:

• Apply the principle of least privilege—limit admin accounts.
• Enable Credential Guard and LSASS protection.
• Disable or restrict NTLM and LM authentication.
• Enforce strong password policies and multi-factor authentication.
• Regularly patch and update all systems.

For a comprehensive checklist, see CIS Controls: OS Hardening or review Password Policy Best Practices 2025.

Effective monitoring can detect and prevent unauthorized hash extraction:

• Monitor for access to SAM, SYSTEM, and LSASS files/processes.
• Set up alerts for suspicious process creation (e.g., procdump, mimikatz).
• Use EDR solutions to detect credential dumping techniques.
• Review security logs for signs of privilege escalation or unauthorized registry access.

For monitoring best practices, refer to SANS: Monitoring Windows Event Logs.

Extracting hashes from Windows systems is a powerful technique that can be leveraged for legitimate password recovery, penetration testing, and incident response. However, it also poses significant security risks if misused. By understanding the underlying mechanisms of NTLM and Kerberos authentication, using the right tools, and adhering to strict legal and ethical standards, cybersecurity professionals can responsibly extract and handle password hashes. Equally important is implementing robust defensive measures to prevent unauthorized hash extraction and protect sensitive credentials from compromise.

• MITRE ATT&CK: Credential Dumping
• CISA: Kerberos Attacks and Defenses
• CrowdStrike: Dumping Process Memory
• Mimikatz GitHub Repository
• Rubeus GitHub Repository
• Impacket on GitHub
• CIS Controls: Credential Access Protection
• ISO/IEC 27001 Information Security
• NIST Guidelines for Media Sanitization
• SANS: Monitoring Windows Event Logs