Results 1 to 8 of 8

Thread: Auditor vs BackTrack in retrieving password hashes

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    Auditor vs BackTrack in retrieving password hashes

    I have XP Pro SP2 which is up to date with Windows Updates. I followed irongeek's tutorial using Auditor to retrieve the password hashes. There are three accounts, each with a password, but samdump2 reported that there were no passwords when trying to extract to password-hashes.txt. The accounts are The Administrator, a second Admin account and a final account with Limited rights for everyday use.

    I tried the same technique using BackTrack and it only identified the Limited account as having a password. It extracted the hash into the text file.

    Does anyone have any idea why I've only been able to retrieve one set of hashes when using two sets of tools that are well-recommended? I was particularly careful using spaces and lower case as I know that Linux is sensitive. I used exactly the same commands at the console in Auditor and BackTrack.

    Thank you.

  2. #2
    Probably should just save the SAM file to a floppy, go to your own box, and break it with L0pht or Cain. You just don't know what you are doing.

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Thank you for the comments.

    I'm working at my own laptop and, whilst I have Cain, I don't have L0pht. I prefer to learn more, hence I tried to follow one of irongeek's clear tutorials. I agree that, so far as Linux is concerned, I have little idea about what I'm doing, hence I'm using a Live CD. I changed the working directory to the ramdisk, as recommended. Subsequently, I copied the SAM and syskey to the desktop in Auditor and BackTrack so it was easy to see and examine exactly what files were created there by bkhive and samdump2.

    I'd still like to know why irongeek's explicit instructions don't work. As I mentioned, my system is fully up to date and I've not disabled LM Hashes in the registry.

    Does anyone else have any recommendations, other than to stop trying, which would defeat the object of the tutorials to advance my knowledge!

  4. #4
    I used Auditor to try and dump the hashes to a text and it didn't work, I gave up, just copied the SAM and SYSTEM files to a floppy, then dumped them in SAMInside. Worked like a charm.

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Thank you - I'll look into this option. It's still annoying that I can't get it to work though!

  6. #6
    SAMInside:
    http://www.insidepro.com/eng/saminside.shtml

    SAM:
    Z:\WINDOWS\system32\config\sam
    /mnt/hda1/WINDOWS/system32/config/sam

    SYSKEY:
    Z:\WINDOWS\system32\config\system
    /mnt/hda1/WINDOWS/system32/config/system

    NB Replace hda1 and Z with your drive

  7. #7
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Thanks again. I meant it's annoying that I can't get Auditor and BackTrack to work! I've not had chance to get SAMInside yet.

  8. #8
    Yeah, it is quite frustrating. But its not too big a deal to just dump it seperately and then either use rainbow tables or boot back into linux and crack it in John.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •