When I first became interested in computer security in the late 1990s everything was about capturing hashes and cracking them using tools like John the Ripper. Now (in 2011), things are much different.
Instead of capturing and cracking, it is now popular (and has been for some time) to simply intercept and replay the hashes themselves in order to authenticate as the target user. This page covers the fundamentals behind how these types of attacks work.
What is a Hash?
First of all, we're not using the term hash in any strict technical sense here, since it already has many well-defined meanings elsewhere. Here we're talking about Windows hashes, specifically NT hashes.
That being said, a Windows hash is an artifact of prior successful authentication. It is something that is presented to another system to prove that a user or account is valid; in other words, it's authentication, not authorization (just because you are who you say you are doesn't mean you're allowed to do anything).
This is the part that gets confusing in Windows: there are many hashes in use within the operating system, and many of them are quite different from each other. Here are the main ones: