NegativeSpace (Author), posted December 7, 2011, edited December 7, 2011 by NegativeSpace

Use BackTrack to dump the same hashes, save them to the thumbdrive (if not writable, you need to make a partition on the thumbdrive that is writable, or remount the system as RW and save it) or another location, upload to another PC on the network, etc. (you should be able to copy and paste the hash into a browser, might already be found via Google (hint)). Once you have the dump of the SAM file, then you can boot into ophcrack (full version, not from BackTrack) from another machine and read the SAM file for cracking. If then it doesn't work, you need to go to the ophcrack page and find the links for the other tables to download and crack against. XP uses different tables than Vista/7, so make sure you don't waste time downloading the wrong ones. http://ophcrack.sourceforge.net/tables.php

I never figured out how to dump the hashes and apply them to ophcrack in BT through the command line. I know now that it wouldn't have worked because ophcrack (within BackTrack Live) doesn't include any tables, but I still want to learn how to do it anyway. If BT is installed on a local drive, how would a person download all of the tables for ophcrack so that it could be used to crack hashes taken from other machines?
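Added example, not part of any post in this thread: the "XP uses different tables than Vista/7" point comes down to which hash types are stored, since XP keeps LM hashes by default and Vista/7 keep only NT hashes by default. The sketch below audits an existing dump for accounts that still carry an LM hash; it assumes pwdump-style `user:rid:lm:nt:::` lines, and the sample data is constructed.

```python
# Audit pwdump-style lines for accounts that still carry an LM hash.
# Assumption: input uses the user:rid:lmhash:nthash::: layout.

# Well-known hashes of the empty string: they mean "nothing stored" or "blank".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample; the non-empty hash values are made up.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1002:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
broken line without enough fields
"""


def _is_hex32(value):
    """True when the field looks like a 16-byte hash in hex."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def classify(line):
    """Return a dict describing one account, or None for an unparsable line."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    user, rid = parts[0], int(parts[1])
    lm, nt = parts[2].lower(), parts[3].lower()
    # Placeholder text or the empty-string hash both count as "no hash".
    has_lm = _is_hex32(lm) and lm != EMPTY_LM
    has_nt = _is_hex32(nt) and nt != EMPTY_NT
    if has_lm:
        status = "lm-stored"        # weakest case: LM hash is present
    elif has_nt:
        status = "nt-only"          # Vista/7 default behaviour
    else:
        status = "blank-or-empty"   # no usable hash in either field
    return {"user": user, "rid": rid, "status": status}


def audit(text):
    """Classify every parsable line and drop the rest."""
    results = (classify(line) for line in text.splitlines() if line.strip())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(f"{row['user']:<15} rid={row['rid']:<5} {row['status']}")
```

Any account reported as `lm-stored` is one where LM hash storage is still in effect, which is the case worth fixing first with a password change after disabling LM storage.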

digip, posted December 7, 2011, edited December 7, 2011 by digip

samdump2 or bkhive, if iirc, should show you the hashes, then you copy them, in text, or whatever, to where you need them, such as another computer, or a Google search. I thought samdump2 dumped them, but maybe that was the wrong tool. Try bkhive. You have to mount the Windows HDD, change directory to the location of the SAM file and run bkhive (check its man pages for syntax) or samdump2 to grab the hashes. I think samdump2 does both grab the hashes and crack them, but I could be wrong. I think you can also copy the physical SAM file or ntuser.dat file to be pulled from there as well.

Haven't done this in so long, I never really had a need, always just booted ophcrack, or used pwdump in Windows against the lsass files in XP back in the day. Windows Vista and 7 I don't think work with pwdump, but there are ways to dump them in PowerShell if you have physical access to the machine and are logged in, which in your case, doesn't help.

Infiltrator, posted December 9, 2011

Watch this video.

NegativeSpace (Author), posted December 9, 2011

I have to say, the thing that I ended up doing, mostly, was suggested to me by digip. I simply downloaded BT5 ISO and Unetbootin, figured out how to find the hash, wrote it down on a piece of paper, and used an online cracker. I guess I used the advice from several people to eventually get there, so I'm not sure. Anyone want to comment? I said I would give ten dollars to whoever gave me the instructions, so now I want to do that, but I'm not sure who! If you think it was you, say it was you. If you think it was someone else, say it was them. Thanks for the help again. Great learning experience.

NegativeSpace (Author), posted December 13, 2011

If no one else has any opinions on the matter, I am hereby declaring that it was digip who suggested the best course of action. Any objections?