
Cracking Windows Admin pass with Backtrack2


Backtrack2 Homepage: http://www.remote-exploit.org/backtrack.html
Written by : Me (pavs)
Inspired By : http://www.neophob.com/serendipity/index.php?/archives/89-Crack-local-Windows-passwords-with-Backtrack-v1.x.html

One of several ways to obtain Admin passwords on a Windows system, if you have physical access to it, is to use a bootable live Linux distro such as Backtrack2. Backtrack is a pen-testing distro, so it is loaded with all kinds of software to help you do security tests on both local and remote systems.

This assumes that the machine allows you to boot from the CD and that the BIOS is not password protected. There are ways around that too, but I won't discuss those in this tutorial.

The first thing to do after booting into BT (Backtrack) is to open a shell window.

Our first job is to go to the disk/partition where the Windows installation we are trying to crack is located, and into its registry config directory, with this command:

# cd /mnt/hda2/WINDOWS/system32/config

snapshot2

The next step is to copy the SAM and system hive files into a temporary folder so that we can get at them later to crack them. Use these commands:

# cp SAM /tmp
# cp system /tmp

snapshot4

We decrypt the SAM file to get at the password hashes and write the result to the tmp folder with this command:

bkhive system key > /tmp/key

snapshot8

Now we extract the password hashes from the SAM file and dump them into a text file in a "crack-readable" format.

snapshot9

This is what the hashes look like; obviously some of the information is blurred out.

snapshot12
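As an added example (not from this tutorial or from pavs), here is a Python audit of hash lines in the pwdump-style format shown above. It flags accounts that still store a legacy LM hash, accounts with a blank password, and the built-in Administrator account; the sample dump is constructed, and only the two empty-hash constants are real values.

```python
import re
from dataclasses import dataclass, field

# Well-known constants (real values): the LM field holds this when no LM hash is
# stored, and the NT field holds this when the password is blank.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: user:rid:lm_hash:nt_hash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)

@dataclass
class SamEntry:
    user: str
    rid: int
    lm_present: bool          # legacy LM hash stored alongside the NT hash
    nt_empty: bool            # account has a blank password
    findings: list = field(default_factory=list)

def parse_line(line: str):
    """Parse one dump line; return a SamEntry, or None if it is not pwdump format."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    lm, nt = m["lm"].lower(), m["nt"].lower()
    entry = SamEntry(m["user"], int(m["rid"]), lm != LM_EMPTY, nt == NT_EMPTY)
    if entry.lm_present:
        entry.findings.append("LM hash stored: enable the NoLMHash policy and change the password")
    if entry.nt_empty:
        entry.findings.append("blank password: set one or disable the account")
    if entry.rid == 500:
        entry.findings.append("built-in Administrator (RID 500): keep it disabled or renamed")
    return entry

def audit(dump_text: str):
    # Parse a whole dump, skipping any line that does not match the format.
    entries = (parse_line(line) for line in dump_text.splitlines())
    return [e for e in entries if e is not None]

# Constructed sample dump: user names and RIDs are made up, and the two
# non-special hashes are dummy hex, not hashes of any real password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
modern:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
not a hash line
"""
```

Running `audit(SAMPLE_DUMP)` reports two findings for Administrator, one for legacy, and none for modern, which only has an NT hash of a non-blank password.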

Now we will use the John the Ripper password cracker in brute-force mode to crack this password. John is not the only program that cracks SAM hashes; there are other ways and other programs that do the same. This tutorial just demonstrates one of several ways of doing it.

In Backtrack2 it's located here:

snapshot10

Or in the shell you can type this: cd /pentest/password/john-1.7.2/run

This is the process of John cracking the password, with the command:

john --incremental:all -f=NT /tmp/hashes.txt

snapshot13

This process might take a very long time, depending on your processor speed and on the password's complexity and length.

That's it.

That's all for now.

pavs


  • rak

    February 14th, 2008 08:51

    It was informative and good. I have used it, still need to get the result though, it's under process. Anyways, good work man, keep it up.

  • Chessboxing

    February 21st, 2008 12:32

    OK,
    how to do this on the network?

  • Pvt.Feuer

    March 24th, 2008 03:31

    How do I modify the first step if it won't let me partition?

  • C

    March 30th, 2008 12:14

    Why not use ophcrack? It's _WAY_ less complicated than this crap.

  • Zer0

    April 10th, 2008 04:41

    So, when it's in John, do you have to hold down space or enter to keep it going, or is it working in the background?

  • m nawar

    May 14th, 2008 03:08

    Thanks.

  • forgewire

    November 21st, 2008 15:01

    I went through this tutorial but in the end couldn't extract any password using
    John the Ripper, which is sad because ophcrack cracked it straight away.
    The password was very easy: 'a'.
    I even created a simple wordlist (with 3 words in it, including a) and ran a dictionary attack:
    john -w:wordlist.txt hashes.txt

    The hashes.txt file was:
    easy:1012:5e5cc1be27b67ef3e48322be05c61f6a:0ff16fe459689d4e39c7b9d00a030aba:::

    (user: easy, password: a)
    I noticed that this entry looks different in ophcrack.

    Any suggestions?

  • Josh

    December 30th, 2008 22:05

    I couldn't fire up an old Windows XP Professional PC because I don't remember the users or passwords. With a bootable disk or external hard drive, will I be able to boot up and install Backtrack on the system to access the Admin? I'd appreciate any help. Thanks.

  • vikas

    May 19th, 2009 03:19

    How to use chntpw2?
