How to hack the windows protected account: Dictionary attack for guessing the password of windows account

Posted on Updated on

If I say that everyone wants to hack, I won’t be lying. A lot of computer/cellphone users want to hack cause its fun and somehow you get fame through it. Most of giant companies like Google, Yahoo, Facebook etc. recently have started bug bounty program in which they will pay you for identifying the security loopholes, in short you can earn too, a lot. Usually hackers exploit a certain condition of the system, it can be as simple as using an addition operation (simple plus) or as complex as writing a piece of code to hack a system. Of course its way hard to breach the security of Facebook than of your home desktop PC.

Today, I am going to show you how can you get the password of a protected windows account by performing a dictionary attack.

Practical Example
Lets say you have one elder brother and both of you share same computer that uses Windows 7. There are two user accounts, one is your’s and other of your big bro. But the problem is that your brother’s account type is the ‘administrator’  meaning he has more rights than you and you need his permission to do various tasks e.g installing software, deleting stuff etc. But no one wants to be controlled, isn’t it ? Everyone needs freedom.  So, your motive is to somehow change your account type to administrator or at least get that admin account password.

Dictionary Attack
Almost all digital devices have a security feature called access control. In windows access control is provided in the form of username + password. A legitimate user is only allowed to enter into his account. The problem is not with this access control but its with us, the homo sapiens. What we do is that we don’t make a strong random password, most of us have a very simple passwords like: ‘123456789’, ‘pakistan’, ‘pak12345’,  ‘admin’, ‘007’ etc. The concept behind dictionary attack is that attacker has a dictionary in which a lot of keywords are present and he tries all of those combinations to get the original password. Dictionary attack doesn’t have the success rate of 100% unlike the brute force attack. The bigger dictionary you have i.e more words/phrases you have the better chances you have guessing the password.

Platform: Windows 7 (have tested on WinXP and Win8 too)
Software: Cain & Abel

You need to have access to the victim’s computer & install this software. (required one time only)

1. Go to the following website and download the software ‘Cain & Abel’ [website:] .1

2. Setup will be downloaded (exe).2

3. Run the setup.3

5. Installation will take 1-2 minutes only.4

6. Install “WinPcap” too. 5

7. Check the following option and continue.6

8. Till now both Cain & Abel and WinPcap have been installed, now its time to run the software. Double click the software. Ignore any warnings/errors it shows at the start.7

9. Go the ‘Cracker’ tab, left mouse click on the blank user name field and then click that plus icon. A window will pop up. Click next.9

10. So, it has fetched all the accounts and corresponding *encrypted passwords (NT LASH). But the problem is we need the plain password not the encrypted password, as it is of no use. Right now the administrator and guest accounts have no password thats why NT Password column is showing *blank*. My goal here is to get the password of username Acer.10

11. Left click on Acer username and a list of options will pop up. Under dictionary attack there is NTLM Hashes option, click on it.11

12. Now its time to load the dictionary. I am using a very very very simple dictionary just for demonstration purpose, it doesn’t have many keywords. I recommend using some other dictionary, or what you can do is that simply add keywords yourself to make it good but that would be cumbersome. Left click on the file column and a list will show up, click Add to list and specify the path of dictionary. [dictionary I used:


13. The heart of dictionary attack “Dictionary”. 8

14. Dictionary has been loaded. Lets start the attack. 13

15. Cain & Abel has started the dictionary attack.14

16. And our dictionary attack was successful. The password is “pakistan123” of username Acer.15

This was all guys, hope this tutorial helps you. Feel free to ask anything.

1. Dictionary attack doesn’t have success rate of 100%.
2. The bigger dictionary you have the better chances you have.
3. The bigger the dictionary it is the more time it will take.
* To all the geeks, yes I know its not encrypted password but HASH. But to keep things simple I have called it so.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s