May 21st, 2006 03:00 PM
Auditor vs BackTrack in retrieving password hashes
I have XP Pro SP2 which is up to date with Windows Updates. I followed irongeek's tutorial using Auditor to retrieve the password hashes. There are three accounts, each with a password, but samdump2 reported that there were no passwords when trying to extract to password-hashes.txt. The accounts are The Administrator, a second Admin account and a final account with Limited rights for everyday use.
I tried the same technique using BackTrack and it only identified the Limited account as having a password. It extracted the hash into the text file.
Does anyone have any idea why I've only been able to retrieve one set of hashes when using two sets of tools that are well-recommended? I was particularly careful using spaces and lower case as I know that Linux is sensitive. I used exactly the same commands at the console in Auditor and BackTrack.
May 21st, 2006 05:55 PM
Probably should just save the SAM file to a floppy, go to your own box, and break it with L0pht or Cain. You just don't know what you are doing.
May 21st, 2006 06:57 PM
Thank you for the comments.
I'm working at my own laptop and, whilst I have Cain, I don't have L0pht. I prefer to learn more, hence I tried to follow one of irongeek's clear tutorials. I agree that, so far as Linux is concerned, I have little idea about what I'm doing, hence I'm using a Live CD. I changed the working directory to the ramdisk, as recommended. Subsequently, I copied the SAM and syskey to the desktop in Auditor and BackTrack so it was easy to see and examine exactly what files were created there by bkhive and samdump2.
I'd still like to know why irongeek's explicit instructions don't work. As I mentioned, my system is fully up to date and I've not disabled LM Hashes in the registry.
Does anyone else have any recommendations, other than to stop trying, which would defeat the object of the tutorials to advance my knowledge?
May 22nd, 2006 12:32 PM
I used Auditor to try and dump the hashes to a text and it didn't work. I gave up, just copied the SAM and SYSTEM files to a floppy, then dumped them in SAMInside. Worked like a charm.
May 24th, 2006 10:18 AM
Thank you - I'll look into this option. It's still annoying that I can't get it to work though!
May 25th, 2006 09:26 AM
NB Replace hda1 and Z with your drive
May 25th, 2006 05:23 PM
Thanks again. I meant it's annoying that I can't get Auditor and BackTrack to work! I've not had chance to get SAMInside yet.
May 25th, 2006 11:41 PM
Yeah, it is quite frustrating. But it's not too big a deal to just dump it separately and then either use rainbow tables or boot back into Linux and crack it in John.