Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Cracking Windows 2000 And XP Passwords With Only Physical Access

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Cracking Windows 2000 And XP Passwords With Only Physical Access

    Yet Another: Cracking Windows 2000 And XP Passwords With Only Physical Access

    This article will cover how to crack Windows 2000/XP passwords with only physical access to the target box. I won’t be covering into the internal structure of LM and NTLM hashes or what makes them so insecure, there are many other articles on the Internet that cover the basics of NT security so I would recommend that you Google for them. I will assume that the reader already knows the basics. There are a lot of articles floating around that tell interested parties how to use programs like PWdump to get NT password hashes. Using PWDump is what most folks recommend when Syskey is enabled on a system since the hashes in the SAM file are encrypted. The problem is PWdump only works if you can run it from an administrator level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator account then PWdump is of little use.

    Another question I get is why crack the password at all since one can get access to the machine by just deleting the SAM file and using a blank password (Windows 2000 only) or by using a Linux password reset boot disk (get one from http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html that works on both 2k and XP) and resetting it to whatever we like. The reason an attacker may want to crack the local password instead of changing it is two fold:

    1. An attacker doesn’t want to tip off the system administrators. If they notice that the old admin password no longer works they will get a bit suspicious don’t you think?
    2. The same account passwords may be used on other systems on the network. If the attacker can crack one machines admin password that same password may allow the attacker to gain access to other boxes on that LAN that they only have remote access to.

    This article assumes that the attacker has only physical access to the machine whose SAM they want to crack and that they also have access to a bootable disk that can read the file system on the target machine. An attacker may have to get into the BIOs to set it to boot from the floppy or CD-ROM so setting up a BIOs password will help but if they can get into the case it’s easy to reset. Any old Windows 9x boot disk should work for Fat32 drives, on NTFS drives I’ve used the Knoppix ( http://www.knoppix.org/ ) and PE Builder ( http://www.nu2.nu/pebuilder/ ) boot CDs with good success.

    The first step is to boot from a CD-ROM or floppy and copy off the SAM and SYSTEM files in C:\WINDOWS\system32\config (you may have to get them from c:\WINDOWS\repair instead, and on some systems the Windows directory is WINNT instead). The SAM and SYSTEM files are likely to be too large to fit on a 1.44MB floppy unless you compress them using Gzip, you could also copy them to some other form of removable media or upload them across the network to an FTP or file server that you have access to.

    In my example I will use Knoppix, Gzip and a floppy to copy the files. Issue these commands from a terminal in Knoppix:

    mount /mnt/hda1/

    This mounts what would most likely be the C: drive on the target machine, it's possible that it could be different. Then we Gzip the SAM file to a floppy:

    gzip -c /mnt/hda1/WINDOWS/system32/config/sam > /mnt/floppy/sam.gz

    Then we get the System file:

    gzip -c /mnt/hda1/WINDOWS/system32/config/system > /mnt/floppy/system.gz

    My modest SAM file has five accounts, it and the System file only take up 751KB after they are compressed with Gzip.

    Once you have the files copy them (an uncompress them if you used Gzip) to your own machine (preferably the fastest you have) and crack Syskey using a program called SAMInside ( http://www.insidepro.com ). Run SAMInside and choose the “Import SAM” option. A dialog box will ask you to point it to the SAM file you wish to crack. If Syskey is enabled (most likely it will be) it will then ask you for the SYSTEM file. You can use SAM inside to try and crack the passwords but if you only have the demo version you are limited in the Brute-force and Dictionary options you can choose. Once you have cracked Syskey and have the hashes export them to a PWDump file using the file menu in SAMInside and then use L0phtcrack ( http://www.atstake.com/products/lc/ ) or Cain ( http://www.oxid.it/cain.html ) to crack the passwords.

    I’ll continue this tutorial using Cain since it’s free. Run Cain and go to the “Cracker” tab. From here choose “LM & NTLM Hashes” in the left pane and then right click on the grid in the right pane and choose “Add to list.” Now choose “Import Hashes from text file or SAM” and click next. Don’t try to import the SAM you copied because if the target system was using Syskey Cain will not be able to crack it. Find the PWdump file you created with SAMInside and open it. From here it’s as easy as holding down control, left clicking on the accounts you want to crack and then right clicking and choosing either “Start Dictionary Attack” or “Start Brute-Force Attack.” A Dictionary attack uses the text file in “c:\Program Files\Cain\Wordlists\Wordlist.txt” to tell it what passwords to try, open that file in notepad and edit it if you want to add more words. The Brute-force method runs through all possible combinations of characters that you configure under the “Brute-Force Options” tab of the “Configure” menu. The Brute-force method can take days depending on the options you choose. Now all the attacker has to do is wait.

    Hope this short article helps, feel free to write me if you have any questions.

    Irongeek@irongeek.com

  2. #2
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    good stuff, i prefer bootin up with like a knoppix cd also, even though i dont do it often 'n i dont forget my passwords, still handy stuff to know. good job.

  3. #3
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    a tutorial like this was already posted:

    http://www.antionline.com/showthread...hreadid=258591
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    nice stuff about BartPe. I admit ive never heard about it. And I am just looking for a nice cd-bootable tool like that!. Thanks
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Nice tutorial and link's to download's/help/etc. Good job.

    djscribble: He's new, leave 'em alone . Aside's, trying to prove a point by "whoring" your tutorial isn't the right way to go about it, eh?
    Space For Rent.. =]

  6. #6
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    i guess my mom always said that copycating is the best form of flattery... i was just trying to teach him to use the search before stuff gets re-posted....

    o great, now i feel all warm and fuzzy cause i have my own little copycat
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Excellent point, just worded wrong possibly? But yes, it is always a good thing to use the search feature to see if a tutorial or subject was covered before. However he did mention:

    Yet Another: Cracking Windows 2000 And XP Passwords With Only Physical Access
    Space For Rent.. =]

  8. #8
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I did not copy from anyone djscribble, I wrote the tutorial before I ever knew of the one you wrote. I did do a search before posting and I figured my tutorial would add extra information to the subject that may be useful to some. But thanks for giving be my first neg antipoints.

  9. #9
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    djscribble, although i can a lot of points in common between this tut and yours, i must admit that this is "better". So he's just maked yours better.

    Congrats to you for the first one, and for the poster making it easier.

    Ive printed it and sent to students at my school (security module).

    <edit>
    He has the right, irongeek, since you didnt mentioned him at your tuts. Too many similarities let me think you have read it before make yours
    Dont complain about negs, they make you grow :P
    </edit>
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  10. #10
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Pull up a Google archive of my site and you will see that is's been there since 2/19/2004:

    http://64.233.167.104/search?q=cache...Security&hl=en

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •