Security, Programming, Pentesting
by {"login"=>"averagesecurityguy", "email"=>"stephen@averagesecurityguy.info", "display_name"=>"averagesecurityguy", "first_name"=>"", "last_name"=>""}
Understanding Windows passwords is complex, fortunately, cracking them isn’t.
Many people have done an excellent job of researching and writing about cracking Windows passwords and I am not one of them. Instead of trying to explain their work I will link you to it in the reference section below. The purpose of this document is to show you step-by-step how to obtain and crack local Windows passwords by exploiting physical access to the machine. In most places it is illegal to obtain another person’s password without their permission, don’t do anything illegal.
First, we use the Live CD to boot the Windows workstation. After we boot we need to mount the Windows partition, which will usually be /dev/sda1. If it is not /dev/sda1 you can use dmesg to find the Windows hard drive. The command below should help you find the partition.
# dmesg | grep /dev/sd*
Some computers boot to the hard drive by default so you need to access the BIOS boot menu to boot from the CD. On Lenovo computers you hit the blue ThinkVantage button at the BIOS splash screen and then hit F12 when the menu is displayed. On Dell computers you hit F12 at the BIOS splash screen.
Once the Live CD is booted you can mount the Windows partition.
# mkdir /mnt/windows # mount /dev/sda1 /mnt/windows
After the Windows partition is mounted we need to copy the SAM, SECURITY, and system files onto a USB drive. These files are located in the WINDOWS\system32\config folder. Your USB drive will be considered a second hard drive and will typically be located at /dev/sdb. If it is not the you can use dmesg again to find the USB drive.
# mkdir /mnt/usb # mount /dev/sdb /mnt/usb # cd /mnt/windows/WINDOWS/system32/config # cp SAM SECURITY system /mnt/usb/
At this point, we no longer need the Windows workstation so you can shut it down or restart it. The shutdown command will restart the computer if you use the -r option and halt the computer if you use the -h command.
Next, we load the SAM, SECURITY, and system files onto our machine where creddump is installed. Creddump includes three python scripts pwdump.py, cachedump.py and lsadump.py. We will use the pwdump.py script to create a file with our Windows hashes in pwdump format. The file will include the username, id, LM Hash (if available), and NTLM hash. We can then feed the pwdump.py file into a number of password cracking utilities including, rcracki, hashcat, and john the ripper.
# ./pwdump.py system SAM > hashfile
Finally, we feed our hashfile into our favorite password cracking software. I use rcracki_mt provided by freerainbowtables.com. Rcracki_mt uses indexed rainbowtables also provided by freerainbowtables.com to crack passwords. The rainbow tables for LM hashes are excellent and should crack 99% of all LM hashes. When running rcracki_mt you will need to specify the hash file, the number of threads you want to run, and where the rainbow tables are stored. You can also specify an output file for the cracked passwords.
# rcracki_mt -f hashfile -t 4 -o results.txt *.rti
I hope you found this tutorial helpful. Please feel free to leave comments and suggestions below.