Cracking Windows Vista/XP/2000/NT Passwords via SAM and SYSKEY with Cain, Ophcrack, Saminside, BKhive, Samdump2 etc
source: http://www.irongeek.com/i.php?page=security/cracking-windows-vista-xp-2000-nt-passwords-via-sam-and-syskey-with-cain-ophcrack-saminside-bkhive-etc
I get questions about SAM/SYSKEY cracking so often, and since I’m tired of pointing people to my other tutorials on the same subject, I’m creating this one-stop-shop for info on the topic. I’m putting up this one page with links to all of my videos and articles on how Windows passwords work and how they can be audited/cracked. If one tutorial does not work for you, try another. If none work for you, ask on http://binrev.com, but only if you are interested in learning how things work and not just getting into a box. The “Local Password Cracking Presentation” one covers the most from a technical standpoint, but the other ones may be more helpful for your specific conditions.
Text:
Cracking Windows Vista Beta 2 Local Passwords (SAM and SYSKEY)
http://www.irongeek.com/i.php?page=security/vistasamcrack
Cracking Windows 2000 And XP Passwords With Only Physical Access
http://www.irongeek.com/i.php?page=security/localsamcrack
Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools
http://www.irongeek.com/i.php?page=security/localsamcrack2
Videos:
Cracking Syskey and the SAM on Windows Using Samdump2 and John
http://www.irongeek.com/i.php?page=videos/samdump2auditor
Cracking Windows Passwords with BackTrack & the Online Rainbow Tables at Plain-Text.info
http://www.irongeek.com/i.php?page=videos/backtrackplaintext
Local Password Cracking Presentation
http://www.irongeek.com/i.php?page=videos/LocalPasswordCracking
Cracking Windows Vista Passwords With Ophcrack And Cain
http://www.irongeek.com/i.php?page=videos/cracking-windows-vista-passwords-with-ophcrack-and-cain
Cracking Windows Vista Beta 2 Local Passwords (SAM and SYSKEY)
Update: 03/05/2007: I’ve made a single page with links to all of my tutorials on SAM/SYSKEY Cracking, visit it if you want more information on this topic.
Update 02/25/2007: It seems that Mao has followed suit, as of Cain & Abel v4.5 he has added Windows Vista compatibility in NTLM Hashes Dumper, LSA Hashes Dumper and Syskey Dumper for hive files. The direction below should still work, but now you can use Cain instead of Proactive Password Auditor for importing your SAM and SYSTEM.
Update 02/19/2007: Cedric from the Ophcrack project emailed me to let me know that starting with version 2.3.4, Ophcrack now supports Windows Vista. Download Ophcrack from http://ophcrack.sourceforge.net/ if you want a free tool for SAM cracking. Also, check out my newer video: Cracking Windows Vista Passwords With Ophcrack And Cain
One of the common things folks stumble across my site in search of is information on cracking local Windows 2000/XP passwords. I’ve created quite a bit of content on the subject over the years, and if you want a broader understanding of the topic please visit these resources:
Text:
http://www.irongeek.com/i.php?page=security/localsamcrack
http://www.irongeek.com/i.php?page=security/localsamcrack2
Video:
http://www.irongeek.com/i.php?page=videos/samdump2auditor
http://www.irongeek.com/i.php?page=videos/LocalPasswordCracking
While I was playing around with Windows Vista Beta 2 I decided to see if some of the old tools for cracking local account passwords still worked. It would seem that Microsoft has changed how the SAM file and SYSKEY work in Vista, so none of my old tricks that used to work with NT 4/2000/XP function anymore. I quickly found that most of the current tools as of this writing (Ophcrack 2.3, Cain 2.9, SAMInside 2.5.7.0, Pwdump3) no longer work, which I have mixed feelings about. It’s nice to see the extra level of security, but cracking local passwords was always sort of fun as well as useful from time to time. When I tried to crack local passwords extracted from copied SAM and SYSTEM hive files I would get the following errors:
Ophcrack:
“Error: no valid hash was found in this file”
Cain:
“Couldn’t find lsa subkey in the hive file.”
While tools like Sala’s Password Renew could still be used from a Bart’s PE boot CD to change any Vista password you wanted, or to create new admin accounts entirely, sometimes you need to know the current administrator password. Three reasons to want to know a current Windows password without changing it are:
1. An attacker doesn’t want to tip off the system administrators. If they notice that the old admin password no longer works they will get a bit suspicious don’t you think?
2. The same account passwords may be used on other systems on the network. If the attacker can crack one machine’s admin password that same password may allow the attacker to gain access to other boxes on that LAN that they don’t have direct physical access to.
3. To gain access to data that has been encrypted using Windows EFS (Encrypting File System). Changing an account’s password from outside Windows may cause this data to be lost, though I think Sala’s tool may be able to do this without losing the encryption key since it uses a Windows service to change the local password.
Also of note for those interested in cracking Windows Vista passwords: Vista Beta 2 disables LM hash storage by default, so all you can get is the NT (NTLM) hash, which can be much harder to crack for reasons stated in my other articles. Another thing to be aware of is that the new BitLocker feature of Windows Vista can make pretty much everything in this article useless if it’s enabled, but that’s a topic for another time.
I thought all was lost on the Vista password cracking front, but after doing some web searching I found that you can still crack the local passwords if you have the right tools. It would seem that the folks at ElcomSoft have added support for Vista SAM and SYSTEM hives to their “Proactive Password Auditor 1.61” tool. Unfortunately PPA is a commercial application, but they do offer a sixty-day evaluation version that does not seem to be overly crippled. Since ElcomSoft figured out how to do it I’m sure that soon the free tools like Cain and Ophcrack will also. What follows are the basic steps to crack/audit local Windows Vista Beta 2 passwords with Proactive Password Auditor.
You need to be able to read the drive Windows Vista is installed on. For NTFS drives I’ve used the Knoppix ( http://www.knoppix.org/ ) and PE Builder ( http://www.nu2.nu/pebuilder/ ) boot CDs with good success. The first step is to boot from a CD-ROM and copy off the SAM and SYSTEM files in C:\WINDOWS\system32\config (you may have to get a slightly older version of them from C:\WINDOWS\system32\config\RegBack instead; also keep in mind that C: may not be your system drive, in which case substitute the appropriate drive letter). The SAM and SYSTEM files are likely to be too large to fit on a 1.44MB floppy unless you compress them using Gzip in Linux or some Windows compression tool in Bart’s PE. You could also copy them to some other form of removable media (thumb drive anyone?) or upload them across the network to an FTP or file server that you have access to. For the Gzip/floppy instructions read my first tutorial linked at the top of this article. In modern times it’s usually easiest to just drag and drop the SAM and SYSTEM files to a file server using the GUI that comes with your boot CD.
Now that you have a copy of the SAM and SYSTEM hive files start up Proactive Password Auditor and follow these steps:
1. Choose the radio button labeled “Registry files (SAM, SYSTEM)” under the hashes tab, then click dump.
2. Choose the SYSTEM and SAM files you want to use, then click the “Dump” button.
3. During the Dump phase Proactive Password Auditor automatically tries a simple brute-force attack, so your passwords may already be cracked. If not, choose the attack type and set the hash type to “NTLM attack” since there are no LM hashes. I’ll choose the Dictionary attack, click the “Dictionary list…” button under the “Dictionary” tab and point it at the word list that comes with Cain (C:\Program Files\Cain\Wordlists\Wordlist.txt).
4. Make sure the check box(es) next to the account(s) you want to try to crack are selected.
5. Now it’s just a matter of clicking the menu item “Recovery->Start recovery”, waiting, and hoping for the best.
Assuming the password is simple enough you should now have a cracked password to work with. Keep in mind that there’s no guarantee that you will be able to crack any passwords at all. If the password is not in your dictionary you will have to resort to a Brute-force attack which could take forever if the password was chosen well, but this should get you going in the right direction. Also, if you have large Rainbow tables on your system give them a shot as Proactive Password Auditor supports this cracking method. I plan to update this page once Cain or Ophcrack support Vista. Please send me an email if you notice before I do that any of the free tools have implemented Vista SAM/SYSTEM file support. If this tutorial was of any help to you, please visit some of the sponsor links and help support the site. Thanks.
Useful links:
Sala’s Password Renew
http://www.sala.pri.ee/
Bart’s Pe Builder:
http://www.nu2.nu/pebuilder/
Oxid.it’s Cain Web Page:
http://www.oxid.it/cain.html
Ophcrack
http://ophcrack.sourceforge.net/
Proactive Password Auditor 1.61
http://www.elcomsoft.com/ppa.html
Cracking Windows 2000 And XP Passwords With Only Physical Access
Update: 03/05/2007: I’ve made a single page with links to all of my tutorials on SAM/SYSKEY Cracking, visit it if you want more information on this topic.
Update 03/21/2005: See newer tutorial here.
This article will cover how to crack Windows 2000/XP passwords with only physical access to the target box. I won’t be covering the internal structure of LM and NTLM hashes or what makes them so insecure; there are many other articles on the Internet that cover the basics of NT security, so I would recommend that you Google for them. I will assume that the reader already knows the basics. There are a lot of articles floating around that tell interested parties how to use programs like PWDump to get NT password hashes. Using PWDump is what most folks recommend when Syskey is enabled on a system, since the hashes in the SAM file are encrypted. The problem is PWDump only works if you can run it from an administrator level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator account then PWDump is of little use.
Another question I get is why crack the password at all, since one can get access to the machine by just deleting the SAM file and using a blank password (Windows 2000 only) or by using a Linux password reset boot disk (get one from http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html that works on both 2k and XP) and resetting it to whatever we like. The reason an attacker may want to crack the local password instead of changing it is twofold:
1. An attacker doesn’t want to tip off the system administrators. If they notice that the old admin password no longer works they will get a bit suspicious don’t you think?
2. The same account passwords may be used on other systems on the network. If the attacker can crack one machine’s admin password that same password may allow the attacker to gain access to other boxes on that LAN that they only have remote access to.
This article assumes that the attacker has only physical access to the machine whose SAM they want to crack and that they also have access to a bootable disk that can read the file system on the target machine. An attacker may have to get into the BIOS to set it to boot from the floppy or CD-ROM, so setting a BIOS password will help, but if they can get into the case it’s easy to reset. Any old Windows 9x boot disk should work for FAT32 drives; on NTFS drives I’ve used the Knoppix ( http://www.knoppix.org/ ) and PE Builder ( http://www.nu2.nu/pebuilder/ ) boot CDs with good success.
The first step is to boot from a CD-ROM or floppy and copy off the SAM and SYSTEM files in C:\WINDOWS\system32\config (you may have to get them from c:\WINDOWS\repair instead, and on some systems the Windows directory is WINNT instead). The SAM and SYSTEM files are likely to be too large to fit on a 1.44MB floppy unless you compress them using Gzip, you could also copy them to some other form of removable media or upload them across the network to an FTP or file server that you have access to.
In my example I will use Knoppix, Gzip and a floppy to copy the files. Issue these commands from a terminal in Knoppix:
mount /mnt/hda1/
This mounts what would most likely be the C: drive on the target machine, it’s possible that it could be different. Then we Gzip the SAM file to a floppy:
gzip -c /mnt/hda1/WINDOWS/system32/config/sam > /mnt/floppy/sam.gz
Then we get the System file:
gzip -c /mnt/hda1/WINDOWS/system32/config/system > /mnt/floppy/system.gz
My modest SAM file has five accounts, it and the System file only take up 751KB after they are compressed with Gzip.
Once you have the files, copy them (and uncompress them if you used Gzip) to your own machine (preferably the fastest you have) and crack Syskey using a program called SAMInside ( http://www.insidepro.com ). Run SAMInside and choose the “Import SAM” option. A dialog box will ask you to point it to the SAM file you wish to crack. If Syskey is enabled (most likely it will be) it will then ask you for the SYSTEM file. You can use SAMInside to try and crack the passwords, but if you only have the demo version you are limited in the Brute-force and Dictionary options you can choose. Once you have cracked Syskey and have the hashes, export them to a PWDump file using the file menu in SAMInside and then use L0phtcrack ( http://www.atstake.com/products/lc/ ) or Cain ( http://www.oxid.it/cain.html ) to crack the passwords.
I’ll continue this tutorial using Cain since it’s free. Run Cain and go to the “Cracker” tab. From here choose “LM & NTLM Hashes” in the left pane and then right click on the grid in the right pane and choose “Add to list.” Now choose “Import Hashes from text file or SAM” and click next. Don’t try to import the SAM you copied because if the target system was using Syskey Cain will not be able to crack it. Find the PWdump file you created with SAMInside and open it. From here it’s as easy as holding down control, left clicking on the accounts you want to crack and then right clicking and choosing either “Start Dictionary Attack” or “Start Brute-Force Attack.” A Dictionary attack uses the text file in “c:\Program Files\Cain\Wordlists\Wordlist.txt” to tell it what passwords to try, open that file in notepad and edit it if you want to add more words. The Brute-force method runs through all possible combinations of characters that you configure under the “Brute-Force Options” tab of the “Configure” menu. The Brute-force method can take days depending on the options you choose. Now all the attacker has to do is wait. Hope this short article helps.
Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools
Update: 03/05/2007: I’ve made a single page with links to all of my tutorials on SAM/SYSKEY Cracking, visit it if you want more information on this topic.
Update 03/22/2005: See Shockwave Flash Video Version.
A little over a year ago I wrote a little tutorial called “Cracking Windows 2000 And XP Passwords With Only Physical Access” [0]. It was pretty popular and the data is still useful but in the last year I’ve found far better ways to crack a SAM file with SysKey enabled. One reason I’m writing this new tutorial is because sometime after SAMInside v.2.1.3 exporting to a PWDump file was disabled in the demo version. There are still ways SAMInside could be used, but there are better Open Source tools now that can do the same tasks. This tutorial will recap parts of the original, but also give a far simpler, faster and more concise way to crack hashes in the SAM file that are protected by SysKey.
SysKey is an extra level of encryption put on the hashes in the SAM file [1]. SysKey was introduced in Service Pack 3 (SP3) for NT 4 but every version of Windows since has had SysKey enabled by default. The way most folks crack a SAM file on a system that uses SysKey is by running a utility called PWDump as an admin to get the LM (LAN Manager) and NT hashes. The problem is PWdump only works if you can run it from an administrator level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator level account then PWdump is of little use.
Some folks will ask why you would want to crack the passwords in the SAM at all, since it’s far easier to just change the Administrator password using a Linux boot disk or Sala’s Password Renew for PE Builder. The reason an attacker may want to crack the local passwords instead of changing them is twofold:
1. An attacker doesn’t want to tip off the system administrators. If they notice that the old local admin password no longer works they will get a little bit suspicious don’t you think? This is somewhat solved by Sala’s Password Renew since it lets you add new admin level accounts as well as change existing account’s passwords.
2. The same local account passwords may be used on other systems on the network (and most likely are if they use imaging software like Ghost). If the attacker can crack one machine’s admin password that same password may allow the attacker to gain access to other boxes on that LAN that they only have remote access (across the network) to.
This article assumes that the attacker has only physical access to the machine whose SAM they want to crack and that they also have access to the Knoppix variant known as the Auditor security collection boot CD [5] (I’m using version 120305-01 in this tutorial). Here are the steps you will need to take in order to audit local passwords using the Auditor CD:
Step 1. Download the Auditor Boot CD ISO and burn it to a CD-R. All of the tools we will be using in this tutorial come on the Auditor Boot CD.
Step 2. Insert the Auditor Boot CD into the target system, reboot and set the CD-ROM as the first boot device in the BIOS. Some systems let you hold down a certain function key at startup to choose what media to boot from (on recent Dell’s it’s F12).
Step 3. Auditor will begin to boot and ask you what screen resolution you want to use. Choose a resolution that your monitor and video card will support (I use 2 for 1024×768) then hit enter.
Step 4. When Auditor finishes booting click on the icon on the KDE bar for a new terminal window (it looks like a little monitor). Below you will see the commands you will have to use to get past SysKey, extract the hashes and attempt to crack the password hashes.
Step 5. Mount the local hard disk, most likely hda1:
Linux Command:
mount /dev/hda1
Step 6. Change the present working directory to the ramdisk so we have space to work with the files we will be creating:
Linux Command:
cd /ramdisk/
Step 7. Auditor comes with Ncuomo’s Samdump2 and Bkhive [6]. We will use these tools to extract the system key (the SysKey “bootkey”) from the SYSTEM hive and the password hashes from the SAM file. To get the system key we run Bkhive on the SYSTEM file (most likely C:\WINDOWS\system32\config\SYSTEM, which is where it is on my XP Pro test box; on some systems it will be C:\WINNT\system32\config\SYSTEM, or perhaps on some other drive entirely). By the way, if for some reason you are running NT4 SP3 you will need to use Bkreg instead; all later systems (NT4 SP4, 2000 and XP) use Bkhive. To grab the system key and put it into a file we use the following command:
Linux Command:
bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt
Step 8. Now that we have the system key we can use it to undo SysKey on the SAM, extract the hashes and place them into a PWDump format file:
Linux Command:
samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt > password-hashes.txt
Step 9. At this point we have a PWDump format file called password-hashes.txt that we could copy off of the system and import into L0phtcrack [7] or Cain [8] (see the old tutorial for details). Since I said we were going to do it all with the Auditor CD and Open Source tools we will use John the Ripper to crack the hashes, but before we can use John we have to extract one of the many wordlists that comes with Auditor. Take a look on the CD in /opt/auditor/full/share/wordlists/ for all of the different wordlists you can use, I’ll use english.txt for this tutorial. To extract english.txt to the ramdisk use the following command:
Linux Command:
gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz > /ramdisk/eng.txt
Step 10. Now that everything is in place we can run John with a simple dictionary attack to see if we can crack any of the hashes:
Linux Command:
john password-hashes.txt -w:eng.txt
John detects that the dump file has LM (LAN Manager) hashes in it and chooses the format “NT LM DES [32/32 BS]” automatically. If I had disabled the storing of LM hashes in the SAM I would want to use the -f option to specify the NT hash format and try to crack the NT hashes instead. To do that I would use the following command:
Linux Command:
john password-hashes.txt -f:NT -w:eng.txt
If dictionary attacks aren’t working and you have a lot of time (as well as a fast computer) you can try John’s incremental (brute force) mode and see if it gives you better results:
Linux Command:
john password-hashes.txt -i:all
Incremental mode is limited to eight characters unless you change the source before you compile it, but at more than eight characters you will likely be waiting a very long time for John to finish. Going past eight characters is pointless anyway if you have the LM hashes, since an LM hash is built from two seven-character halves of the (upper-cased) password and each half is cracked independently (NT hashes are a different story and can be harder to crack).
In case you were wondering what all of these commands would look like along with their output here is a copy of my session log that may help you understand how they all work together (notice that the password for the Administrator account is “monkey”):
Session Log saved from Auditor CD:
root@1[~]# mount /dev/hda1
root@1[~]# cd /ramdisk/
root@1[ramdisk]# bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt
Bkhive ncuomo@studenti.unina.it
Bootkey: 407af4376e55f1fd6d58cc47a4fa4c01
No password for user Guest(501)
Mitigating SAM and SysKey Cracking
There are a few things you can do to make it harder for an attacker to crack your local passwords. An attacker will most likely have to get into the BIOS to set it to boot from the CD-ROM. Setting a BIOS password will help keep crackers from using the Auditor CD (or any boot CD), but if they can get into the computer’s case it’s easy to reset a BIOS password, so some sort of physical case lock should be used as well. Strong passwords (non-dictionary words with more than just alphanumeric characters) will also make it harder for attackers to crack passwords, since they will have to resort to potentially slow brute-force methods, and disabling LM hash storage (the NoLMHash policy setting) takes the weak two-half LM hash out of the SAM entirely, leaving only the NT hash to attack.
I hope this short tutorial helps, feel free to write me if you have any questions. Some other techniques you may want to look into for faster cracking are cracking clusters [9] and Rainbow tables [10]. Enjoy your hash.
References and further research:
[0] Old Tutorial:
http://www.irongeek.com/i.php?page=security/localsamcrack
or
http://www.antionline.com/showthread.php?s=&threadid=260337
[1] Information on SysKey from Microsoft:
http://support.microsoft.com/kb/310105
[2] Linux boot diskette that can reset local NT/2000/XP passwords:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
[3] Sala’s Password Renew
http://www.sala.pri.ee/
[4] Bart’s Pe Builder:
http://www.nu2.nu/pebuilder/
[5] Auditor security collection boot CD:
http://www.remote-exploit.org/index.php/Auditor_main
[6] Ncuomo’s Samdump2, Bkhive and Bkreg:
http://studenti.unina.it/~ncuomo/syskey/
[7] L0phtcrack Web Page:
http://www.atstake.com/products/lc/
[8] Oxid.it’s Cain Web Page:
http://www.oxid.it/cain.html
[9] NeuTron’s tutorial on making a password cracking cluster:
http://www.antionline.com/showthread.php?s=&threadid=262750
[10] Rainbow Crack:
http://www.antsight.com/zsl/rainbowcrack/
Way more details about SAM cracking then you may ever want to know:
http://www.beginningtoseethelight.org/ntsecurity/index.php#0FEB224E21024B8C
Auditing Syskey and the SAM on Windows Using Samdump2 and John