Thread: Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004

    Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools

    As suggested by Negative here: http://www.antionline.com/showthread...r=1#post830323 I'm creating this new thread.

    Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools

    A little over a year ago I wrote a little tutorial called "Cracking Windows 2000 And XP Passwords With Only Physical Access" [0]. It was pretty popular and the data is still useful, but in the last year I've found far better ways to crack a SAM file with SysKey enabled. One reason I'm writing this new tutorial is because sometime after SAMInside v.2.1.3 exporting to a PWDump file was disabled in the demo version. There are still ways SAMInside could be used, but there are better Open Source tools now that can do the same tasks. This tutorial will recap parts of the original, but also give a far simpler, faster and more concise way to crack hashes in the SAM file that are protected by SysKey.

    SysKey is an extra level of encryption put on the hashes in the SAM file [1]. SysKey was introduced in Service Pack 3 (SP3) for NT 4 but every version of Windows since has had SysKey enabled by default. The way most folks crack a SAM file on a system that uses SysKey is by running a utility called PWDump as an admin to get the LM (LAN Manager) and NT hashes. The problem is PWdump only works if you can run it from an administrator level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator level account then PWdump is of little use.

    Some folks will ask why you would want to crack the passwords in the SAM at all since it's far easier to just change the Administrator password using a Linux boot disk or Sala's Password Renew for PE Builder. The reason an attacker may want to crack the local passwords instead of changing them is twofold:

    1. An attacker doesn't want to tip off the system administrators. If they notice that the old local admin password no longer works they will get a little bit suspicious, don't you think? This is somewhat solved by Sala's Password Renew since it lets you add new admin level accounts as well as change existing accounts' passwords.

    2. The same local account passwords may be used on other systems on the network (and most likely are if they use imaging software like Ghost). If the attacker can crack one machine's admin password, that same password may allow the attacker to gain access to other boxes on that LAN that they only have remote access (across the network) to.

    This article assumes that the attacker has only physical access to the machine whose SAM they want to crack and that they also have access to the Knoppix variant known as the Auditor security collection boot CD [5] (I'm using version 120305-01 in this tutorial). Here are the steps you will need to take in order to audit local passwords using the Auditor CD:

    Step 1. Download the Auditor Boot CD ISO and burn it to a CD-R. All of the tools we will be using in this tutorial come on the Auditor Boot CD.

    Step 2. Insert the Auditor Boot CD into the target system, reboot and set the CD-ROM as the first boot device in the BIOS. Some systems let you hold down a certain function key at startup to choose what media to boot from (on recent Dells it's F12).

    Step 3. Auditor will begin to boot and ask you what screen resolution you want to use. Choose a resolution that your monitor and video card will support (I use 2 for 1024x768) then hit enter.

    Step 4. When Auditor finishes booting click on the icon on the KDE bar for a new terminal window (it looks like a little monitor). Below you will see the commands you will have to use to get past SysKey, extract the hashes and attempt to crack the password hashes.

    Step 5. Mount the local hard disk, most likely hda1:

    mount /dev/hda1

    Step 6. Change the present working directory to the ramdisk so we have space to work with the files we will be creating:

    cd /ramdisk/

    Step 7. Auditor comes with Ncuomo's Samdump2 and Bkhive [6]. We will be using these tools to extract the system key from the System hive and the password hashes from the SAM file. To get the system key we need to use Bkhive on our SYSTEM file (most likely in C:\WINDOWS\system32\config\SYSTEM, that's where it is on my XP Pro test box; on some systems it will be in C:\WINNT\system32\config\SYSTEM or perhaps some other drive entirely). By the way, if for some reason you are running NT4 SP3 you will need to use Bkreg instead; all later systems (NT4 SP4, 2000 and XP) use Bkhive. To grab the system key and put it into a file we use the following command:

    bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt

    Step 8. Now that we have the system key we can use it to undo SysKey on the SAM, extract the hashes and place them into a PWDump format file:

    samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt > password-hashes.txt

    Step 9. At this point we have a PWDump format file called password-hashes.txt that we could copy off of the system and import into L0phtcrack [7] or Cain [8] (see the old tutorial for details). Since I said we were going to do it all with the Auditor CD and Open Source tools we will use John the Ripper to crack the hashes, but before we can use John we have to extract one of the many wordlists that come with Auditor. Take a look on the CD in /opt/auditor/full/share/wordlists/ for all of the different wordlists you can use; I'll use english.txt for this tutorial. To extract english.txt to the ramdisk use the following command:

    gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz > /ramdisk/eng.txt

    Step 10. Now that everything is in place we can run John with a simple dictionary attack to see if we can crack any of the hashes:

    john password-hashes.txt -w:eng.txt

    John detects that the dump file has LM (LAN Manager) hashes in it and chooses the format "NT LM DES [32/32 BS]" automatically. If I had disabled the storing of LM hashes in the SAM I might want to use the -f option to specify the NT hash format and try to crack the NT hashes instead. To do that I would use the following command:

    john password-hashes.txt -f:NT -w:eng.txt

    If dictionary attacks aren't working and you have a lot of time (as well as a fast computer) you can try John's incremental (brute force) mode and see if it gives you better results:

    john password-hashes.txt -i:all

    Incremental mode is limited to only eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish. Doing more than eight characters is pointless anyway if you have the LM hashes since they are stored as two seven-byte parts (NT hashes are a different story and can be harder to crack).

    In case you were wondering what all of these commands would look like along with their output, here is a copy of my session log that may help you understand how they all work together (notice that the password for the Administrator account is "monkey"):

    root@1[~]# mount /dev/hda1
    root@1[~]# cd /ramdisk/
    root@1[ramdisk]# bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt
    Bkhive ncuomo@studenti.unina.it
    Bootkey: 407af4376e55f1fd6d58cc47a4fa4c01
    root@1[ramdisk]# samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes
    Samdump2 ncuomo@studenti.unina.it
    This product includes cryptographic software written
    by Eric Young (eay@cryptsoft.com)
    No password for user Guest(501)
    No V value!
    root@1[ramdisk]# gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt
    root@1[ramdisk]# john password-hashes.txt -w:eng.txt
    Loaded 3 password hashes with no different salts (NT LM DES [32/32 BS])
    MONKEY           (Administrator)
    guesses: 1  time: 0:00:00:03 100%  c/s: 1622943  trying: ZZYZX - ZZZZZZZ
    root@1[ramdisk]# john password-hashes.txt -f:NT -w:eng.txt
    Loaded 2 password hashes with no different salts (NT MD4 [TridgeMD4])
    monkey           (Administrator)
    guesses: 1  time: 0:00:00:12 100%  c/s: 464435  trying: zzzzzzzzzzzzzzzzzzzzzz

    Mitigating SAM and SysKey Cracking

    There are a few things you can do to make it harder for an attacker to crack your local passwords. An attacker will most likely have to get into the BIOS to set it to boot from the CD-ROM. Setting up a BIOS password will help keep crackers from using the Auditor CD (or any boot CD), but if they can get into the computer's case it's easy to reset a BIOS password, so some sort of physical case lock should be used as well. Strong passwords (non-dictionary words with more than just alphanumeric characters) will also make it harder for attackers to crack passwords since they will have to resort to potentially slow brute force methods.

    I hope this short tutorial helps, feel free to write me if you have any questions. Some other techniques you may want to look into for faster cracking are cracking clusters [9] and Rainbow tables [10]. Enjoy your hash.


    References and further research:

    [0] Old Tutorial:

    [1] Information on SysKey from Microsoft:

    [2] Linux boot diskette that can reset local NT/2000/XP passwords:

    [3] Sala's Password Renew:

    [4] Bart's PE Builder:

    [5] Auditor security collection boot CD:

    [6] Ncuomo's Samdump2, Bkhive and Bkreg:

    [7] L0phtcrack Web Page:

    [8] Oxid.it's Cain Web Page:

    [9] NeuTron's tutorial on making a password cracking cluster:

    [10] Rainbow Crack:

    Way more details about SAM cracking than you may ever want to know:
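    The tutorial's mitigation section turns on two things a PWDump-format file (the format samdump2 writes) exposes: whether LM hashes are still being stored, and the fact that LM splits the password into two independent 7-byte halves. The following audit script is an added example and is not code from the post or from samdump2/John; it parses `user:rid:lmhash:nthash:::` lines and flags accounts whose LM hash is stored, whose second LM half is the well-known empty block (password of seven characters or fewer), or whose NT hash is that of the empty password. The sample dump is constructed; only the two empty-hash constants are real values.

```python
"""Audit a pwdump-format hash file for the weaknesses the tutorial relies on.
Example code added to the thread; not samdump2's or John's own output format
handling. Assumes the usual 'user:rid:lmhash:nthash:::' layout."""

# Well-known constants: the LM DES result for an all-NUL 7-byte block and the
# NT (MD4) hash of the empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LM_STORED = "LM hash stored (crackable as two independent 7-char halves)"
LM_SHORT = "second LM half is empty: password is 7 characters or fewer"
EMPTY_PW = "empty password"


def parse_pwdump_line(line):
    """Split 'user:rid:lmhash:nthash:::' into its fields (hashes lower-cased)."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit_pwdump(text):
    """Return {user: [issue, ...]} for every account in a pwdump dump."""
    report = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue  # blank line, comment, or something that is not a record
        user, _rid, lm, nt = rec
        issues = []
        if nt == EMPTY_NT:
            issues.append(EMPTY_PW)
        # An "empty" LM field means LM storage is disabled (or the password is
        # longer than 14 characters, which LM cannot represent): nothing to flag.
        elif len(lm) == 32 and lm != EMPTY_LM:
            issues.append(LM_STORED)
            if lm[16:] == EMPTY_LM_HALF:
                issues.append(LM_SHORT)
        report[user] = issues
    return report


# Constructed sample in pwdump format; the non-empty hashes are made-up hex.
SAMPLE = """\
Administrator:500:1122334455667788aad3b435b51404ee:8899aabbccddeeff0011223344556677:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:aad3b435b51404eeaad3b435b51404ee:99aabbccddeeff001122334455667788:::
bob:1004:0123456789abcdeffedcba9876543210:abcdef0123456789abcdef0123456789:::
"""

if __name__ == "__main__":
    for user, issues in audit_pwdump(SAMPLE).items():
        print(f"{user:15} {'; '.join(issues) or 'ok (NT hash only)'}")
```

Run it against your own password-hashes.txt to see which accounts still carry an LM hash before deciding whether disabling LM storage is worth the compatibility cost.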

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    As a silly aside I'll present the following that actually adds a _little_ to the security model, (actually, it's a PITA - but anything that makes an attackers job more difficult brings a smile to my face)....

    Working for a non-profit with an employee that gleefully saves every last penny I often find myself going to critical servers to insert a CD only to find that there isn't a bloody CD-ROM or floppy in the box. When my employee builds the server he uses the CD-ROM or floppy from his workstation and when he's finished he removes it and puts it back in his workstation. Thus we have servers with no removable drives.... Funnily enough this isn't really an issue... I have my CD-ROM on my computer shared anyway so I simply map a drive on the server to it and put the appropriate CD in and away I go.

    "No problem for the attacker" you all yell....

    Problem for the attacker... If you really are worried about someone trying Irongeek's tactics on servers without removable drives you can adapt the Snort rule that detects drives being mapped to detect from $CRITICAL_SERVERS, (a variable you set in the Snort.conf file with the servers in question delineated there), to $HOME_NET. If you are required to map certain drives from the critical servers to other assets on the $HOME_NET you could create "pass" rules, (be careful with pass rules - they can bite you, and bite you badly), to pass certain mappings and to alert on all others. Thus, if Mr. Bad-Guy tries your trick it will cause an alert and tell you something *bad* just occurred.... and they have physical access to the two machines in the alert....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
