AverageSecurityGuy

Security, Programming, Pentesting

Cracking Windows Passwords

Understanding Windows passwords is complex; fortunately, cracking them isn’t.

Many people have done an excellent job of researching and writing about cracking Windows passwords, and I am not one of them. Instead of trying to explain their work I will link you to it in the reference section below. The purpose of this document is to show you step-by-step how to obtain and crack local Windows passwords by exploiting physical access to the machine. In most places it is illegal to obtain another person’s password without their permission; don’t do anything illegal.

Items Needed:

Procedure

First, we use the Live CD to boot the Windows workstation. After we boot we need to mount the Windows partition, which will usually be /dev/sda1. If it is not /dev/sda1 you can use dmesg to find the Windows hard drive. The command below should help you find the partition.

# dmesg | grep 'sd[a-z]'

Some computers boot to the hard drive by default so you need to access the BIOS boot menu to boot from the CD. On Lenovo computers you hit the blue ThinkVantage button at the BIOS splash screen and then hit F12 when the menu is displayed. On Dell computers you hit F12 at the BIOS splash screen.

Once the Live CD is booted you can mount the Windows partition.

# mkdir /mnt/windows
# mount /dev/sda1 /mnt/windows

After the Windows partition is mounted we need to copy the SAM, SECURITY, and system files onto a USB drive. These files are located in the WINDOWS\system32\config folder. Your USB drive will be considered a second hard drive and will typically be located at /dev/sdb. If it is not, you can use dmesg again to find the USB drive.

# mkdir /mnt/usb
# mount /dev/sdb /mnt/usb
# cd /mnt/windows/WINDOWS/system32/config
# cp SAM SECURITY system /mnt/usb/

At this point, we no longer need the Windows workstation, so you can shut it down or restart it. The shutdown command will restart the computer if you use the -r option and halt the computer if you use the -h option.

Next, we load the SAM, SECURITY, and system files onto our machine where creddump is installed. Creddump includes three Python scripts: pwdump.py, cachedump.py and lsadump.py. We will use the pwdump.py script to create a file with our Windows hashes in pwdump format. The file will include the username, id, LM hash (if available), and NTLM hash. We can then feed the resulting file into a number of password cracking utilities, including rcracki, hashcat, and John the Ripper.

# ./pwdump.py system SAM > hashfile

Finally, we feed our hashfile into our favorite password cracking software. I use rcracki_mt provided by freerainbowtables.com. Rcracki_mt uses indexed rainbow tables, also provided by freerainbowtables.com, to crack passwords. The rainbow tables for LM hashes are excellent and should crack 99% of all LM hashes. When running rcracki_mt you will need to specify the hash file, the number of threads you want to run, and where the rainbow tables are stored. You can also specify an output file for the cracked passwords.

# rcracki_mt -f hashfile -t 4 -o results.txt *.rti
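As an added defensive check that is not part of the original post, the script below parses a pwdump-format file like the one pwdump.py writes and reports which accounts still have an LM hash stored (the condition the 99% rainbow-table success rate depends on), which of those have passwords of 7 characters or fewer, and which have blank passwords; the remedy is the "Do not store LAN Manager hash value" (NoLMHash) policy followed by a password change. The sample export is constructed; apart from the two empty-string sentinel hashes, its hex values are made up.

```python
import re
from typing import Dict, List

# Two well-known sentinel values in pwdump output:
# LM hash of the empty string, emitted when no LM hash is stored for the account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# LM hashes are two independent 8-byte halves; the second half equals the
# empty-string half whenever the password is 7 characters or shorter.
EMPTY_LM_HALF = EMPTY_LM[16:]
# NT hash of the empty string, emitted for accounts with a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line layout: username:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(text: str) -> List[Dict[str, str]]:
    """Parse pwdump-format lines; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            rows.append({"user": m.group(1), "rid": m.group(2),
                         "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return rows


def audit(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Flag accounts that LM rainbow tables would crack, plus blank passwords."""
    lm_stored = [r["user"] for r in rows if r["lm"] != EMPTY_LM]
    short = [r["user"] for r in rows
             if r["lm"] != EMPTY_LM and r["lm"][16:] == EMPTY_LM_HALF]
    blank = [r["user"] for r in rows if r["nt"] == EMPTY_NT]
    return {"lm_stored": lm_stored, "short_password": short, "blank_password": blank}


# Constructed sample export: apart from the two empty-string sentinels above,
# every hex value here is made up and corresponds to no real password.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc_backup:1002:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1001:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
this line is not in pwdump format and is ignored
"""

if __name__ == "__main__":
    for category, users in audit(parse_pwdump(SAMPLE)).items():
        print(f"{category}: {', '.join(users) or '-'}")
```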

I hope you found this tutorial helpful. Please feel free to leave comments and suggestions below.

References

Build a Username List

I was recently in a situation where I needed to determine possible usernames through brute force but could not find a good list to use. The lists I found were related to typical Linux or Windows usernames used by the OS or one of its services. These lists did not contain the type of usernames you would normally see at a company, like first initial and last name (jsmith) or last name and first initial (smithj). Since I couldn't find a list like this, I built one.

First, I downloaded the top 1000 last names from the 2000 US census. Then, I downloaded the most popular male and female first names from the 1990 US census. I could not find first name information for the 2000 census. Another source of popular first names is the Social Security office where you can search for the most popular baby names for a particular year.

Next, I truncated the female list to the top 1000 names. I did not truncate the male list because it had about 1200 names. I then wrote a script to find the frequency of the first letter of each first name. I used Excel to combine the male and female frequencies and determine the most frequent first letter for both sets of names.

First Letter Frequency Analysis

First Initial   Female Frequency   Male Frequency   Combined Frequency
M               105                88               193
J               80                 100              180
C               84                 87               171
A               82                 87               169
L               96                 71               167
D               48                 97               145
R               49                 94               143
E               59                 74               133
S               66                 64               130
B               47                 71               118
T               44                 53               97
K               52                 36               88
G               30                 50               80
H               22                 46               68
F               22                 36               58
N               26                 29               55
W               10                 44               54
P               24                 22               46
V               19                 17               36
I               17                 18               35
O               10                 20               30
Y               5                  2                7
Z               1                  6                7
Q               1                  5                6
U               1                  1                2
X               0                  1                1
Total           1000               1219             2219
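The first-letter frequency step, as an added example that is not the author's script: it builds the Female / Male / Combined columns of the table above from two lists of first names and picks the most frequent initials, which is the part the post did in Excel. The name lists here are a constructed handful, not the census files.

```python
from collections import Counter
from typing import Iterable, List, Tuple

Row = Tuple[str, int, int, int]  # (initial, female, male, combined)


def first_letter_counts(names: Iterable[str]) -> Counter:
    """Count the first letter of each name, ignoring case and blank entries."""
    counts: Counter = Counter()
    for name in names:
        name = name.strip()
        if name:
            counts[name[0].upper()] += 1
    return counts


def combined_table(female: Iterable[str], male: Iterable[str]) -> List[Row]:
    """Rows of (initial, female, male, combined), most frequent first, ties by letter."""
    f, m = first_letter_counts(female), first_letter_counts(male)
    rows = [(ltr, f[ltr], m[ltr], f[ltr] + m[ltr]) for ltr in set(f) | set(m)]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def top_initials(female: Iterable[str], male: Iterable[str], n: int = 10) -> List[str]:
    """The n initials with the highest combined frequency."""
    return [row[0] for row in combined_table(female, male)[:n]]


# Constructed sample lists (a few names each, standing in for the census files).
FEMALE = ["Mary", "Patricia", "Linda", "Barbara", "Elizabeth", "Jennifer",
          "Maria", "Susan", "Margaret", "Dorothy", "Lisa", "Nancy"]
MALE = ["James", "John", "Robert", "Michael", "William", "David",
        "Richard", "Charles", "Joseph", "Thomas"]

if __name__ == "__main__":
    print(f"{'Initial':8}{'Female':>8}{'Male':>8}{'Combined':>10}")
    for ltr, fc, mc, total in combined_table(FEMALE, MALE):
        print(f"{ltr:8}{fc:8}{mc:8}{total:10}")
    print("Top 3 initials:", top_initials(FEMALE, MALE, 3))
```

Point the two lists at the full census files and raise n to 10 to reproduce the post's selection.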

Finally, I wrote a script to combine each of the top 1000 surnames with each of the top 10 first initials in both last name + first initial and first initial + last name format. I also created lists with the surname truncated at 6, 7 and 8 characters, and lists in the format first_name.last_name and last_name.first_name.

The list of surnames, lists of first names, and the script to build the username files can be downloaded here. Let me know if you have any questions or need help with the scripts.