
Thread: Windows Password???

  1. #1
    Member Dissident85's Avatar
    Join Date
    Jun 2008
    Posts
    127

    Default Windows Password???

    OK, so I know there are heaps of bootable CDs that people have that will remove the Windows password and allow you to access the system, providing that the data isn't encrypted. But what I wanted to know is: where is the Windows password stored?

    What I would like to try to do is use the BackTrack CD on a Windows machine, find the Windows password file, and learn how to remove it and also copy it to a file to crack with something like John the Ripper...

    I know that I can just download one of these CDs and it will do it all for me... but for my own curiosity I would like to be able to do it myself...

    Cheers

  2. #2
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Default

    Quote Originally Posted by Dissident85 View Post
    OK, so I know there are heaps of bootable CDs that people have that will remove the Windows password and allow you to access the system, providing that the data isn't encrypted. But what I wanted to know is: where is the Windows password stored?

    What I would like to try to do is use the BackTrack CD on a Windows machine, find the Windows password file, and learn how to remove it and also copy it to a file to crack with something like John the Ripper...

    I know that I can just download one of these CDs and it will do it all for me... but for my own curiosity I would like to be able to do it myself...

    Cheers
    Read http://forums.remote-exploit.org/sho...62&postcount=1

    I am in the process of updating it again, but the answer to your question is answered in the current version.
    I like the bleeding edge, but I don't like blood loss

  3. #3
    Member Dissident85's Avatar
    Join Date
    Jun 2008
    Posts
    127

    Default

    Thanks for that, that's exactly what I was looking for...

    But I do have one question. I have an image of a Windows 2k Server machine, and I started JtR on the hashes, and to my surprise it started to crack most of them quite quickly. Is it really doing a brute-force attack on the hashes?

    And is it possible to do a dictionary attack instead? And in saying that, is it possible to do the same thing that Cain does, where it will try variations of the words from the dictionary? i.e. "password" -> "password01" -> "password02" etc. etc...

    Edit: Also, when JtR cracks the password, it gives it to you in upper case, so even though you know the password, you still have to do some form of guessing, right? As there is no way of knowing which characters are uppercase and lowercase?

  4. #4
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

  5. #5
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Default

    Quote Originally Posted by Dissident85 View Post
    Thanks for that, that's exactly what I was looking for...

    But I do have one question. I have an image of a Windows 2k Server machine, and I started JtR on the hashes, and to my surprise it started to crack most of them quite quickly. Is it really doing a brute-force attack on the hashes?

    And is it possible to do a dictionary attack instead? And in saying that, is it possible to do the same thing that Cain does, where it will try variations of the words from the dictionary? i.e. "password" -> "password01" -> "password02" etc. etc...

    Edit: Also, when JtR cracks the password, it gives it to you in upper case, so even though you know the password, you still have to do some form of guessing, right? As there is no way of knowing which characters are uppercase and lowercase?
    First read the LM vs NTLM hashes part of the document. That will answer your case question and give you the knowledge to proceed properly. Then read 2.4 Cracking the NTLM hash using John the Ripper.

    Now your first question: no, it is not brute-forcing at first. JtR tries the simple things first: password, username backwards, etc. Then it starts to use brute force.

    To use a dictionary, read 15.2 Configuring John the Ripper to use a wordlist.
    I like the bleeding edge, but I don't like blood loss
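    The case question above comes down to whether an account still has an LM hash stored alongside its NT hash. As an added example (not from this thread or the linked guide), here is a small audit script that reads pwdump-style lines (user:RID:LM:NT:::) and reports which accounts still store an LM hash and which have a blank password, which is the check an administrator would run before enabling NoLMHash; the sample dump and its non-empty hash values are constructed.

```python
import re
from dataclasses import dataclass

# Well-known LM field value when no LM hash is stored (NoLMHash set, or >14 chars).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Well-known NT hash of the empty string (account has a blank password).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line format: user:RID:LM hash:NT hash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    def lm_present(self) -> bool:
        # An LM hash means the password is also stored in the weak, case-folded form.
        return self.lm != EMPTY_LM

    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

def parse_pwdump(text: str) -> list:
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the audit
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts

def audit(text: str) -> dict:
    accounts = parse_pwdump(text)
    return {
        "lm_hash_stored": [a.user for a in accounts if a.lm_present()],
        "blank_password": [a.user for a in accounts if a.blank_password()],
    }

# Constructed sample dump: the non-empty hash values are made-up hex, not real hashes.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this line is malformed and is skipped
"""
```

    Any account listed under lm_hash_stored is the one John will report in uppercase; removing the LM hash (NoLMHash plus a password change) closes that gap.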

  6. #6
    Member Dissident85's Avatar
    Join Date
    Jun 2008
    Posts
    127

    Default

    Quote Originally Posted by bofh28 View Post
    First read the LM vs NTLM hashes part of the document. That will answer your case question and give you the knowledge to proceed properly. Then read 2.4 Cracking the NTLM hash using John the Ripper.

    Now your first question: no, it is not brute-forcing at first. JtR tries the simple things first: password, username backwards, etc. Then it starts to use brute force.

    To use a dictionary, read 15.2 Configuring John the Ripper to use a wordlist.
    Sorry mate, I really should finish reading what is given to me before I go asking more questions.

  7. #7
    Junior Member NoobBiscUiT's Avatar
    Join Date
    Jun 2007
    Posts
    58

    Default

    Quote Originally Posted by bofh28 View Post
    Read http://forums.remote-exploit.org/sho...62&postcount=1

    I am in the process of updating it again, but the answer to your question is answered in the current version.

    Wow, kickass guide!

    Thanks a lot, exactly what I was looking for!!

  8. #8
    Member Dissident85's Avatar
    Join Date
    Jun 2008
    Posts
    127

    Default

    OK, so I have been able to successfully get the Windows passwords on a machine that I have physical access to, but I then tried to access the same machine remotely and do the same thing, and I am having a bit of trouble.

    Code:
    bt ~ # mount -t cifs //10.0.0.6/c$ -o username=loic /mnt/remote_win
    Password:
    bt ~ # bkhive /mnt/remote_win/windows/system32/config/system syskey.txt
    bkhive 1.1.1 by Objectif Securite
    http://www.objectif-securite.ch
    original author: ncuomo@studenti.unina.it
    
    Error opening hive file /mnt/remote_win/windows/system32/config/system
    bt ~ #
    Anyone know what could be going wrong here?

  9. #9
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Dissident85 View Post
    OK, so I have been able to successfully get the Windows passwords on a machine that I have physical access to, but I then tried to access the same machine remotely and do the same thing, and I am having a bit of trouble.

    Code:
    bt ~ # mount -t cifs //10.0.0.6/c$ -o username=loic /mnt/remote_win
    Password:
    bt ~ # bkhive /mnt/remote_win/windows/system32/config/system syskey.txt
    bkhive 1.1.1 by Objectif Securite
    http://www.objectif-securite.ch
    original author: ncuomo@studenti.unina.it
    
    Error opening hive file /mnt/remote_win/windows/system32/config/system
    bt ~ #
    Anyone know what could be going wrong here?
    1. You didn't successfully mount the remote?

    2. one of the rare systems that uses Winnt instead of Windows

    3. Corrupted registry file on the remote.

    4. Sunspots.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  10. #10
    Member Dissident85's Avatar
    Join Date
    Jun 2008
    Posts
    127

    Default

    Quote Originally Posted by streaker69 View Post
    1. You didn't successfully mount the remote?
    OK, I have tried two different ways to mount it: "# mount -t cifs" and "# mount -t smbfs". Both methods mount the drive, and I can access files on it. But one small, slightly off-topic question: what is the difference between those two ways of mounting an SMB share? I know when I list the contents of the two, they display differently.

    Quote Originally Posted by streaker69 View Post
    2. one of the rare systems that uses Winnt instead of Windows
    OK, well, the OS on that machine is Windows Server 2003 Enterprise Edition. How do I check to find out if that is one of the rare systems that use Winnt? And if so, how would I go about doing the same thing?

    Quote Originally Posted by streaker69 View Post
    3. Corrupted registry file on the remote.
    Again, how would I check for such a thing?

    Quote Originally Posted by streaker69 View Post
    4. Sunspots.
    Right.... :S You sure it's not solar flares? lol
