Pulling Windows passwords with PWDump and LC or L0phtcrack
This procedure can be used to extract passwords from any Microsoft operating system; the example uses an MS Windows 2003 domain controller. We'll get usernames and passwords out of a remote server. To do this, we need two tools: PWDump and LC5.
To begin, we download and unzip PWDump, open an MS-DOS prompt and run “pwdump”. We will see that we need to enter four values to access a remote server (the output file, a privileged user, that user's password and the target machine), for example:
pwdump -o FICHERO_DE_CONTRASEÑAS.hhh -u USUARIO_CON_PRIVILEGIOS -p SU_CONTRASEÑA EQUIPO_A_ATACAR
This generates a file in PWDump6 format that we will open with L0phtCrack:
We install L0phtCrack if we don't already have it, and open it.
If a wizard opens, we close it and create a new session; then we click on “Session” > “Import…”
At the bottom, select “From PWDUMP file”; above, in Filename, select the file with all the passwords, and click OK.
It will list all the users with their hashes. Now, with brute force, dictionaries… we will recover the passwords; it's a matter of time and processor.
So in “Session” > “Options Session…”
We customize the options a bit to make the password search a little faster, click OK, and press PLAY to start looking for passwords.
After a while, individual characters of each password will start to appear, and little by little the passwords themselves. 🙂
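The file imported above is plain text with one account per line. As an added example (not part of the original post), this Python script reads such a file for a password audit before any cracking is done, flagging accounts that still store an LM hash, have a blank password, or share an NT hash. It assumes the usual pwdump layout `user:RID:LM:NT:::` and the `NO PASSWORD*********************` filler for an absent hash; the sample lines and function names are constructed for illustration.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample lines (not real accounts or hashes).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:22222222222222222222222222222222:33333333333333333333333333333333:::
jdoe:1106:NO PASSWORD*********************:33333333333333333333333333333333:::
malformed line without enough fields
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # header, blank or damaged line
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def is_hash(field):
    """True for a 32-character hex field; the NO PASSWORD filler is not one."""
    return len(field) == 32 and all(c in "0123456789abcdef" for c in field)

def audit(text):
    """Return the accounts matching each weak-storage condition."""
    findings = {"lm_stored": [], "blank_password": [], "shared_nt": []}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_pwdump(text):
        if is_hash(lm) and lm != EMPTY_LM:
            findings["lm_stored"].append(user)       # LM hash still kept for this account
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)  # account has no password set
        elif is_hash(nt):
            by_nt[nt].append(user)
    # Accounts with an identical NT hash have an identical password.
    findings["shared_nt"] = sorted(sorted(u) for u in by_nt.values() if len(u) > 1)
    return findings

if __name__ == "__main__":
    for check, accounts in audit(SAMPLE).items():
        print(check, accounts)
```

Accounts listed under lm_stored lose that entry once the policy "Network security: Do not store LAN Manager hash value on next password change" is enabled and the password is changed.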