iEntry 10th Anniversary LinuxHaxor WH MH

Cracking Windows Admin pass with Backtrack2

By Peter on July 5th, 2007

Backtrack2 Homepage: http://www.remote-exploit.org/backtrack.html
Written by : Me (pavs)
Inspired By : http://www.neophob.com/serendipity/index.php?/archives/89-Crack-local-Windows-passwords-with-Backtrack-v1.x.html

One of several ways to gain Admin passwords in a windows system, if you have physical access to the system is by using a boot live linux distro like Backtrack2. Backtrack is a pen-testing distro so obviously it is loaded with all kinds of software to help you do security tests in both local and remote systems.

Assuming that the local allows you to boot from the CD and the bios is not password protected. Which also has ways to go around but I won’t discuss those in this tutorial.

The first thing to do after booting in to BT (Backtrack), is to open a shell window.

Our first job is to mount the disk/partition where the windows installation that we are trying to crack is located. With this command : # cd /mnt/hda2/WINDOWS/system32/config

snapshot2

Next step is to copy the SAM file and the system folder in to a temporary folder so that we can access it later to crack it. With these commands:

# cp SAM /tmp
# cp system /tmp

snapshot4

We will decrypt the SAM file to get the password hashes and route it to the tmp folder with this command: bkhive system key > /tmp/key

snapshot8

Now we extract the password hashes out of the SAM file and dump it in a text file in a “crack-readable” format.

snapshot9

This is how the hashes looks like, obviously some informations are blurred out.

snapshot12

Now we will use John the Ripper password cracker in brute force mode to crack this password. John is not the only program to crack SAM hashes there are other ways and other programs that does the same. The tutorial just demonstrates one of the several ways of doing it.

In Blacktrack2 it’s located here:

snapshot10

Or on the shell you can type this: cd /pentest/password/join-1.7.2/run

This is the process of John cracking the password, with the command:

john –incremental:all -f=NT /tmp/hashes.txt

snapshot13

This process might take very long depending on your processor speed and password complexity and length.

Thats it.

Thats all for now.

pavs


Related Posts

Comments are closed.