Crack local Windows passwords with Backtrack v1.x

Crack local Windows passwords with Backtrack v1.x

Crack local Windows passwords with Backtrack v1.x 150 150 Roderick Derks

A quick and dirty Windows password recovery:

Boot the Backtrack CD .

Change dir to your Windows mount point:
# cd /mnt/hda2/WINDOWS/system32/config
Copy the SAM and the system Registry hive to the temp dir:
# cp SAM /tmp
# cp system /tmp
Prepare our wordlist:
# cd /pentest/password/dictionaries/
# gunzip -c wordlist.txt.Z > /tmp/words.txt
# cd /tmp

As the Windows hashes (in the SAM file) are encrypted, we need this key (called bootkey) to decrypt the SAM hashes:
# bkhive system key
Now we can dump the password hashes out of the SAM file:
# samdump2 SAM key > /tmp/hashes.txt

Lets crack those hashes… the easiest way would be, if the password is in the wordlist, we use john for this case:
# john -w=words.txt -f=NT hashes.txt
No luck? Lets use the brute force method:
# john –incremental:all -f=NT hashes.txt

If this takes too long you could use ophcrack. This tool uses rainbow tables and should crack your hashes in a few seconds, but you need to download those rainbow tables (350mb or 700mb or you can generate them yourself) which are not included on the Backtrack cd (for a obvious reason…). Or you can use the oph online cracker, which should be quite fast.

Credits goes to http://www.hardware-place.com!

Roderick Derks

Liefhebber van fietsen, van het oplossen van IT puzzels, en van het delen van informatie om anderen te helpen.

All stories by:Roderick Derks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Your Name (required)

    Your Email (required)

    Subject

    Your Message

      Your Name (required)

      Your Email (required)

      Subject

      Your Message