trying to hack WINXP box, it should work, but it doesn't

  1. #1
    Senior Member br_fusion
    Join Date
    Apr 2002
    Posts
    167

    trying to hack WINXP box, it should work, but it doesn't

    Well, anyways, here is my problem....

    I'm trying to crack the SAM file on my own computer. The SAM file in %SYSTEMROOT%\repair seems to be garbage. I run L0phtCrack and I put the right password in the text file, so it should crack it; however, it doesn't. I really don't understand this. So today I used NTFSPRO to access SAM during bootup. So I take SAM out of C:\WINDOWS\SYSTEM32\CONFIG\ and copy it to A:\. I then run L0phtCrack again on my new SAM file, and the file is the same, garbage. It can't be cracked even though I put the correct password in the txt. I thought it might be syskey encrypted, though I never chose a pass phrase or whatever.

    Did I use NTFSPRO wrong?

    Hey thanks again fellas

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    339
    Not sure if you used it wrong so much as you might have gone about getting the wrong hash; there are four ways that I know of to obtain the correct hash, and a few places where to find it.
    You can find what you're looking for in several locations on a given machine.

    It can be found on the hard drive in the folder %systemroot%\system32\config. However, this folder is locked to all accounts, including Administrator, while the machine is running. The only account that can access the SAM file during operation is the "System" account.

    You may also be able to find the SAM file stored in %systemroot%\repair if the NT Repair Disk Utility, a.k.a. rdisk, has been run and you have not removed the backed-up SAM file.

    The final location of the SAM or corresponding hashes can be found in the registry. It can be found under HKEY_LOCAL_MACHINE\SAM. This is also locked to all users, including Administrator, while the machine is in use.

    So the three locations of the SAM hashes are:

    - %systemroot%\system32\config

    - %systemroot%\repair (but only if rdisk has been run)

    - In the registry under HKEY_LOCAL_MACHINE\SAM

    Now, as far as obtaining the hash, I can only think of 4 ways.

    1) Probably the easiest way to do this is to boot your target machine to an alternate OS like NTFSDOS or Linux and just copy the SAM from the %systemroot%\system32\config folder. It's quick, it's easy, and it's effective. You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com). The regular version of NTFSDOS is freeware, which is always nice, but only allows for read-only access. This should be fine for what you want to do; however, if you're the kind of person that just has to have total control and has some money to burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access, but it'll cost you $299.

    2) Once again, you may be able to obtain the SAM from %systemroot%\repair if rdisk has been run and you are lucky enough to have a sloppy admin.

    3) You can also get password hashes by using pwdump2. pwdump uses DLL injection in order to use the system account to view the password hashes stored in the registry. It then pulls the hashes from the registry and stores them in a handy little text file that you can then import into a password cracking utility like L0phtCrack.

    4) The final way to obtain password hashes is to listen directly to the network traffic as it floats by your computer and grab hashes using the above-mentioned L0phtCrack.

    If you are sure you have the correct hash, then I would go ahead and use one of two crackers.

    John the Ripper - John the Ripper is the old standby password cracker. It is command-line, which makes it nice if you're doing some scripting, and best of all it's free. The only real thing that JtR is lacking is the ability to launch brute-force attacks against your password file. But look at it this way: even though it is only a dictionary cracker, that will probably be all you need. I would say that in my experience I can find about 85-90% of the passwords in a given file by using just a dictionary attack. Not bad, not bad at all.

    L0phtCrack - Probably the most wildly popular password cracker out there. L0phtCrack is sold by the folks at @Stake. And with a price tag of $249 for a single-user license, it sure seems like everyone owns it. Boy, @Stake must be making a killing. This is probably the nicest password cracker you will ever see. With the ability to import hashes directly from the registry a la pwdump, and dictionary, hybrid, and brute-force capabilities, no password should last long. Well, I shouldn't say "no password". But almost all will fall to L0phtCrack given enough time. However, I'm sure you could, if you were so inclined, find a copy of L0phtCrack for free from some online resources.

    I really hope this helps. I run L0phtCrack on my system every now and then just to see how my passwords are holding up. Take it easy.
    Don't be a bitch! Use Slackware.
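The post above lists where the SAM hive lives on disk and points out that a leftover copy under %systemroot%\repair is the weak spot ("a sloppy admin"). The audit helper below is an added example, not code posted in this thread or shipped by any of the tools mentioned: it checks the two on-disk locations the post names, reports whether each file exists, whether it starts with the `regf` signature that every Windows registry hive file carries, and whether the current (non-SYSTEM) account can open it for reading. The live hive should be locked while Windows runs; a readable backup copy is what an administrator should restrict or remove. The `build_sample_systemroot()` function creates a constructed directory tree with dummy hive files so the script also runs offline on a non-Windows box; the registry path HKLM\SAM is a view of the live hive and has no separate file to check.

```python
"""Audit a Windows system root for on-disk copies of the SAM hive.

Added audit helper (not code from the thread). It visits the two on-disk
locations named in the post: %SystemRoot%\\system32\\config\\SAM (the live
hive) and %SystemRoot%\\repair\\SAM (the backup copy).
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# (relative path, is this the live hive)  -- locations taken from the post above
SAM_LOCATIONS = (
    (os.path.join("system32", "config", "SAM"), True),
    (os.path.join("repair", "SAM"), False),
)
HIVE_SIGNATURE = b"regf"  # first four bytes of every Windows registry hive file


@dataclass
class SamCopy:
    path: str
    live: bool
    exists: bool
    readable: bool                  # current account could open it for reading
    hive_signature: Optional[bool]  # None when the file could not be read
    size: int
    modified: str                   # ISO-8601 UTC, "" when the file is missing


def inspect_copy(path: str, live: bool) -> SamCopy:
    """Describe one candidate SAM file without modifying it."""
    if not os.path.isfile(path):
        return SamCopy(path, live, False, False, None, 0, "")
    st = os.stat(path)
    modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(timespec="seconds")
    try:
        # The live hive is held open by the kernel; on Windows the open fails
        # with PermissionError or a sharing-violation OSError.
        with open(path, "rb") as fh:
            header = fh.read(len(HIVE_SIGNATURE))
    except OSError:
        return SamCopy(path, live, True, False, None, st.st_size, modified)
    return SamCopy(path, live, True, True, header == HIVE_SIGNATURE, st.st_size, modified)


def audit_sam_copies(systemroot: str) -> List[SamCopy]:
    """Inspect every known SAM location under the given system root."""
    return [inspect_copy(os.path.join(systemroot, rel), live) for rel, live in SAM_LOCATIONS]


def stale_backups(results: List[SamCopy]) -> List[SamCopy]:
    """Non-live copies the current account can read: the 'sloppy admin' case."""
    return [r for r in results if r.exists and r.readable and not r.live]


def build_sample_systemroot() -> str:
    """Create a constructed directory tree that mimics a system root, for offline runs.

    Both files are dummies: a valid 'regf' header followed by zero padding, not
    real hive data.
    """
    root = tempfile.mkdtemp(prefix="sysroot-")
    for rel, _ in SAM_LOCATIONS:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(HIVE_SIGNATURE + b"\x00" * 28)
    return root


def report(systemroot: str) -> List[str]:
    """Human-readable summary lines for the audit of one system root."""
    results = audit_sam_copies(systemroot)
    lines = []
    for r in results:
        kind = "live hive" if r.live else "backup"
        if not r.exists:
            lines.append(f"[absent  ] {r.path} ({kind})")
            continue
        state = "readable" if r.readable else "locked"
        if r.hive_signature is None:
            sig = "signature unknown"
        else:
            sig = "hive" if r.hive_signature else "not a hive"
        lines.append(f"[{state:8}] {r.path} ({kind}, {r.size} bytes, {sig}, modified {r.modified})")
    for r in stale_backups(results):
        lines.append(f"WARNING: readable SAM backup at {r.path}; restrict its ACL or remove it")
    return lines


if __name__ == "__main__":
    # Use the real system root on Windows; elsewhere fall back to the constructed tree.
    root = os.environ.get("SystemRoot") or build_sample_systemroot()
    print("\n".join(report(root)))
```

Run it from an ordinary user account on the box being checked: the live hive line should read `locked`, and any `WARNING` line names a backup copy that a non-privileged account can read.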

  3. #3
    Member
    Join Date
    Apr 2002
    Posts
    30

    rdisk is not in XP or Win2000

    Yo hatebreed....

    Good post. Just wanted to clarify one thing;

    rdisk went away with the introduction of Windows 2000. To make it more enjoyable, Microsoft changed this AGAIN in XP!

    In Windows 2000 - Emergency Repair Disks are made in the Windows Backup utility.
    In Windows XP - No more ERDs. We now use ASR, or Automated System Repair.

    This probably doesn't help br_fusion, but maybe it'll save a few minutes overall.

    Cheers,
    vegaswolves
    Put down the mouse......Step away from the keyboard!
    --Me

  4. #4
    Senior Member
    Join Date
    Nov 2002
    Posts
    339
    Well, I apologize for the false info. Thanks for the heads up on that, vegas.
    Don't be a bitch! Use Slackware.

  5. #5
    Member
    Join Date
    Apr 2002
    Posts
    30
    No worries.

    I'm with you on L0phtCrack.....very sweet tool!

    vegas
    Put down the mouse......Step away from the keyboard!
    --Me
