Cracking Passwords Version 1 - ZenK-Security

Transcription

Cracking Passwords Version 1.1
by: J. Dravet
February 15, 2010

Abstract

This document is for people who want to learn the how and why of password cracking. There is a lot of information being presented and you should READ IT ALL BEFORE you attempt doing anything documented here. I do my best to provide step by step instructions along with the reasons for doing it this way. Other times I will point to a particular website where you can find the information. In those cases someone else has done what I am attempting and did a good or great job and I did not want to steal their hard work. These instructions have several excerpts from a combination of posts from pureh@te, granger53, irongeek, PrairieFire, RaginRob, stasik, and Solar Designer. I would also like to thank each of them and others for the help they have provided me on the BackTrack forum.

I will cover both getting the SAM from inside Windows and from the BackTrack CD, DVD, or USB flash drive. The SAM is the Security Accounts Manager database where local usernames and passwords are stored. For legal purposes I am using my own system for this article. The first step is to get a copy of pwdump. You can choose one from http://en.wikipedia.org/wiki/Pwdump.

Update: I used to use pwdump7 to dump my passwords, however I have come across a new utility called fgdump from http://www.foofus.net/fizzgig/fgdump/ This new utility will dump passwords from clients and Active Directory (Windows 2000 and 2003 for sure, not sure about Windows 2008) where pwdump7 only dumps client passwords. I have included a sample hash.txt that has simple passwords and should be cracked very easily.

NOTE: Some anti-virus software packages flag pwdump* and fgdump as trojan horse programs or some other unwanted program. If necessary, you can add an exclusion for fgdump and/or pwdump to your anti-virus package so it won't flag them.
However it is better for the community if you contact your anti-virus vendor and ask them to not flag the tool as a virus/malware/trojan horse.

You can find the latest version of this document at http://www.backtrack-linux.org/

Contents

1 LM vs. NTLM
2 Syskey
3 Cracking Windows Passwords
3.1 Extracting the hashes from the Windows SAM
3.1.1 Using BackTrack Tools
3.1.1.1 Using bkhive and samdump v1.1.1 (BT2 and BT3)
3.1.1.2 Using samdump2 v2.0.1 (BT4)
3.1.1.3 Cached Credentials
3.1.2 Using Windows Tools
3.1.2.1 Using fgdump
3.1.2.2 Using gsecdump

3.1.2.3 Using pwdump7
3.1.2.4 Cached Credentials
3.2 Extracting the hashes from the Windows SAM remotely
3.2.1 Using BackTrack Tools
3.2.1.1 ettercap
3.2.2 Using Windows Tools
3.2.2.1 Using fgdump
3.3 Cracking Windows Passwords
3.3.1 Using BackTrack Tools
3.3.1.1 John the Ripper BT3 and BT4
3.3.1.1.1 Cracking the LM hash
3.3.1.1.2 Cracking the NTLM hash
3.3.1.1.3 Cracking the NTLM using the cracked LM hash
3.3.1.1.4 Cracking cached credentials
3.3.1.2 John the Ripper - current
3.3.1.2.1 Get and Compile
3.3.1.2.2 Cracking the LM hash
3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
3.3.1.2.4 Cracking the NTLM hash
3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
3.3.1.2.6 Cracking cached credentials
3.3.1.3 Using MDCrack
3.3.1.3.1 Cracking the LM hash
3.3.1.3.2 Cracking the NTLM hash
3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
3.3.1.4 Using Ophcrack
3.3.1.4.1 Cracking the LM hash
3.3.1.4.2 Cracking the NTLM hash
3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
3.3.2 Using Windows Tools
3.3.2.1 John the Ripper
3.3.2.1.1 Cracking the LM hash
3.3.2.1.2 Cracking the NTLM hash
3.3.2.1.3 Cracking the NTLM hash using the cracked LM hash
3.3.2.1.4 Cracking cached credentials
3.3.2.2 Using MDCrack
3.3.2.2.1 Cracking the LM hash
3.3.2.2.2 Cracking the NTLM hash
3.3.2.2.3 Cracking the NTLM hash using the cracked LM hash
3.3.2.3 Using Ophcrack
3.3.2.3.1 Cracking the LM hash
3.3.2.3.2 Cracking the NTLM hash
3.3.2.3.3 Cracking the NTLM hash using the cracked LM hash
3.3.2.4 Using Cain and Abel
3.3.3 Using a Live CD
3.3.3.1 Ophcrack
4. Changing Windows Passwords
4.1 Changing Local User Passwords
4.1.1 Using BackTrack Tools
4.1.1.1 chntpw
4.1.2 Using a Live CD

4.1.2.1 chntpw
4.1.2.2 System Rescue CD
4.2 Changing Active Directory Passwords
5 plain-text.info
6 Cracking Novell NetWare Passwords
7 Cracking Linux/Unix Passwords
8 Cracking networking equipment passwords
8.1 Using BackTrack tools
8.1.1 Using Hydra
8.1.2 Using Xhydra
8.1.3 Using Medusa
8.1.4 Using John the Ripper to crack a Cisco hash
8.2 Using Windows tools
8.2.1 Using Brutus
9 Cracking Applications
9.1 Cracking Oracle 11g (sha1)
9.2 Cracking Oracle passwords over the wire
9.3 Cracking Office passwords
9.4 Cracking tar passwords
9.5 Cracking zip passwords
9.6 Cracking pdf passwords
10 Wordlists aka Dictionary attack
10.1 Using John the Ripper to generate a wordlist
10.2 Configuring John the Ripper to use a wordlist
10.3 Using crunch to generate a wordlist
10.4 Generate a wordlist from a textfile or website
10.5 Using premade wordlists
10.6 Other wordlist generators
10.7 Manipulating your wordlist
11 Rainbow Tables
11.1 What are they?
11.2 Generating your own
11.2.1 rcrack - obsolete but works
11.2.2 rcracki
11.2.3 rcracki - boinc client
11.2.4 Generating a rainbow table
11.3 WEP cracking
11.4 WPA-PSK
11.4.1 airolib
11.4.2 pyrit
12 Distributed Password cracking
12.1 john
12.2 medussa (not a typo this is not medusa)
13 using a GPU
13.1 cuda - nvidia
13.2 stream - ati
14 example hash.txt

1 LM vs. NTLM

The LM hash is the old style hash used in MS operating systems before NT 3.1. It converts the password to

uppercase, then null-pads or truncates the password to 14 characters. The password is split into two 7 character halves, each of which is hashed separately with the DES algorithm. NT 3.1 through XP SP2 support LM hashes for backward compatibility, and LM hash storage is enabled by default. Vista supports LM hashes but they are disabled by default. Given the weaknesses in the LM hash it is recommended to disable LM hashes on all MS operating systems using the steps in http://support.microsoft.com/kb/299656

NTLM was introduced in NT 3.1 and does not convert the password to uppercase, does not break the password apart, and supports password lengths greater than 14. There are two versions of NTLM: v1 and v2. Due to a weakness in NTLM v1 it should not be used. Microsoft has included support for NTLM v2 for all of its operating systems either via service pack or the Directory Services client (for Windows 9X). You enable NTLM v2 by following the instructions at http://support.microsoft.com/kb/239869. For maximum security you should set LMCompatibility to 3 for Windows 9X and LMCompatibilityLevel to 5 for NT, 2000, XP, and 2003. Of course you should test these changes BEFORE you put them into a production environment.

If LM hashes are disabled on your system the output of pwdump and/or the 127.0.0.1.pwdump text file will look like:

Administrator:500:NO B435F2CA798D:::
Guest:501:NO 59D7E1C039C0:::
HelpAssistant:1000:NO B53EF76E601F:::
SUPPORT 79AF96:::

The first field is the username. The second field is the last four numbers of the SID for that username. The SID is a security identifier that is unique to each username. The third field is the LM hash. The fourth field is the NTLM hash.

If you do not have an ASPNET user account do not worry about it. If you do have an ASPNET user account do NOT change the password as I am told that will break something.
What I did was delete the account and then recreate it using:

aspnet_regiis.exe /i

2 Syskey

To make it more difficult to crack your passwords, use syskey. For more information on syskey see http://support.microsoft.com/kb/310105. The short version is syskey encrypts the SAM. The weakest option but most convenient is to store a system generated password locally; locally means the registry. The up side is the SAM gets encrypted and you can reboot the server remotely without extra equipment. The next option is password startup. This is slightly more difficult to get around, but if you remotely reboot the server, it will stop and wait for someone to enter the password. You will need a KVM over IP or a serial port concentrator so you can enter the password remotely. The most secure option is the system generated password stored on a floppy disk. The downside to this option is floppy disks fail, you misplace the floppy disk, newer equipment does not have a floppy disk drive, no remote reboots, and you will probably leave the floppy in the drive so you can remote reboot and that defeats security. I use a system generated password stored locally, weak but better than not doing it. To disable syskey use chntpw and follow its instructions.

3 Cracking Windows Passwords

3.1 Extracting the hashes from the Windows SAM

3.1.1 Using BackTrack Tools

3.1.1.1 Using bkhive and samdump2 v1.1.1 (BT2 and BT3)

1. # mount /dev/hda1 /mnt/XXX
   mount your windows partition substituting hda1 for whatever your windows partition is
2. if the syskey password is stored locally you need to extract it from the registry so you can decrypt the SAM. If syskey is setup to prompt for a password or the password is on a floppy, stop now and read the syskey documentation in this document for more information about syskey. If you installed windows to something other than C:\WINDOWS please substitute the correct path. WARNING the path is case sensitive. The filenames of sam, security, and system are case sensitive. On my system these files are lowercase. I have come across other XP systems where they are uppercase. On the Vista system I have used the filenames are uppercase.
   BackTrack 2 users use the following:
   # bkhive-linux /mnt/XXX/WINDOWS/system32/config/system syskey.txt
   BackTrack 3 users use the following:
   # bkhive /mnt/XXX/WINDOWS/system32/config/system syskey.txt
3. # samdump2 /mnt/XXX/WINDOWS/system32/config/sam syskey.txt > hash.txt
   samdump2 will dump the SAM to the screen and the > character redirects the output to a file called hash.txt
   you can also run samdump2 with the -o parameter to write the output to a file
   # samdump2 -o hash.txt /mnt/XXX/WINDOWS/system32/config/sam syskey.txt

3.1.1.2 Using new samdump2 v2.0 (BT4)

The current version is 2.0.1 and has the benefit of being able to extract the syskey on its own. This means dumping the hashes is now a 1 step process instead of two. To upgrade and run samdump2 v2.0.1:

1. download the current samdump2 from http://sourceforge.net/project/showfiles.php?group_id=133599
2. # tar -xjvf samdump2-2.0.1.tar.bz2
3. # cd samdump2-2.0.1
4. # make
5. # cp samdump2 /usr/local/bin/samdump20
   this will keep the existing version. If you want to overwrite the existing version do:
   # cp samdump2 /usr/local/bin/
6. mount your windows partition substituting hda1 for whatever your windows partition is
   # mount /dev/hda1 /mnt/XXX
7. if the syskey password is stored locally samdump2 v2.0 will extract it from the registry so it can decrypt the SAM. If syskey is setup to prompt for a password or the password is on a floppy, stop now and read the syskey documentation in this document for more information about syskey. If you installed windows to something other than C:\WINDOWS please substitute the correct path. WARNING the path is case sensitive. The filenames of sam, security, and system are case sensitive. On my system these files are lowercase. I have come across other XP systems where they are uppercase. On the Vista system I have used the filenames are uppercase.
8. # samdump2 /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam > hash.txt
   samdump2 will dump the SAM to the screen and the > character redirects the output to a file called hash.txt
   you can also run samdump2 with the -o parameter to write the output to a file; v2.0 takes the system hive and the sam hive, not a syskey.txt file:
   # samdump2 -o hash.txt /mnt/XXX/WINDOWS/system32/config/system /mnt/XXX/WINDOWS/system32/config/sam
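As an added example that is not part of the original document and not code from pwdump, fgdump or samdump2, the following Python script reads a hash.txt in the user:rid:lm:nt::: layout explained in section 1 (the layout the samdump2 steps above, and pwdump/fgdump, produce) and reports what an administrator auditing their own dump would want to know: accounts that still have an LM hash stored (LM storage not yet disabled per kb/299656), blank passwords, and one NT hash shared by several accounts. It also carries out the LM preprocessing from section 1 (uppercase, pad or truncate to 14, split into two 7-character halves) to show why two quite different passwords yield identical LM input. The sample dump lines are constructed for this example; the two empty-password hash constants are the well-known values; the cp437 OEM code page is an assumption.

```python
"""Audit a hash.txt dump for weak password storage (added example).

Not code from the original document or from pwdump/fgdump/samdump2. It assumes
the record layout the document explains in section 1:
    username:rid:lm_hash:nt_hash:::
"""
from collections import defaultdict

# LM hash of the empty (or absent) password. Each 7-byte half of an empty
# password is all NUL bytes, so both halves hash to the same 16 hex digits.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
# NT hash of the empty password (MD4 over the empty UTF-16LE string).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e1c039c0"

# Constructed sample dump. RIDs 500 and 501 are the built-in Administrator
# and Guest; the non-empty hashes are placeholder hex, not real password hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e1c039c0:::
legacyuser:1001:1111111111111111aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def lm_halves(password, codepage="cp437"):
    """LM preprocessing from section 1, before the DES step: upper-case,
    truncate or NUL-pad to 14 bytes, split into two independent 7-byte halves.
    Assumption: the OEM code page is cp437. DES itself is omitted."""
    raw = password.upper().encode(codepage, "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def is_hex32(field):
    """A stored hash is exactly 32 hex digits; dumpers print a text marker
    such as NO PASSWORD when nothing is stored, which this rejects."""
    return len(field) == 32 and all(c in "0123456789abcdef" for c in field)


def parse_record(line):
    """Return (user, rid, lm, nt) for one dump line, or None if not a record."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit(lines):
    """Return a list of (account, finding) pairs for the dump lines given."""
    findings = []
    nt_owners = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        user, _rid, lm, nt = rec
        if is_hex32(lm) and lm != EMPTY_LM:
            # A real LM hash means LM storage is still enabled for this
            # account. A password longer than 14 characters also yields
            # EMPTY_LM, so that case cannot be told apart from "disabled".
            msg = "LM hash stored: case-insensitive, cracked as two 7-char halves"
            if lm.endswith(EMPTY_LM_HALF):
                msg += "; second half empty, so the password is at most 7 chars"
            findings.append((user, msg))
        if not is_hex32(nt) or nt == EMPTY_NT:
            findings.append((user, "blank password"))
        else:
            nt_owners[nt].append(user)
    for users in nt_owners.values():
        if len(users) > 1:
            findings.append((", ".join(users), "same NT hash: password shared between accounts"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_DUMP.splitlines()):
        print(f"{account}: {finding}")
    print(lm_halves("Password1234567890"), lm_halves("PASSWORD123456"))
```

Run it against your own hash.txt with `audit(open("hash.txt").readlines())`; every account listed with an LM finding is one where the kb/299656 change has not taken effect, and the two-halves output of lm_halves makes the reason concrete: anything past the 14th character and any lowercase letter never reaches the hash.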

3.1.1.3 Cached Credentials

The only Linux based application to dump cached credentials I found is creddump which can be found at http://code.google.com/p/creddump/. samdump2 v2.0.1 couldn't do this so I wrote the code to dump cached credentials. I have submitted it upstream so I hope to see this feature in the next version.

3.1.2 Using Windows Tools

3.1.2.1 Using fgdump

To dump local passwords:

1. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my system I know the administrator password. You could also try to use metasploit to attack your system to get to a command prompt.
2. Download one of the fgdump files from tm and unzip it.
3. run the fgdump utility you downloaded
   C:\> fgdump -v
4. copy the 127.0.0.1.pwdump file to a floppy or USB thumb drive if you are going to use BackTrack to crack the hashes

You can dump passwords from remote systems but only if you know the remote local administrator password or have domain administrator privileges.

1. Login to the system as an administrator and get to a command prompt (Start, Run, cmd). Since this is my system I know the administrator password. You could also try to use metasploit to attack your system to get to a command prompt.
2. Download one of the fgdump files from tm and unzip it.
3. run the fgdump utility you downloaded
   C:\> fgdump -v -h hostname -u Username -p Password
   where hostname is the name or ip of the remote system you want to retrieve the passwords from
   Username is the use
