Hacking Windows XP passwords
Hacking Windows XP passwords
ghost | 8140 Reads | What you should know:
Windows XP passwords are stored in a file called the SAM. Inside the SAM are password hashes, these are the encrypted user passwords.This guide will show you how to get access to and crack the SAM file and retrieve the passwords stored in it.
What you need:
Knoppix-STD - Or any other linux distro. Since you can't access the SAM from inside Windows you have to go for an outside assault.
SAMInside - This will extract the password hashes from the SAM file
Cain & Abel - This will crack the password hash.
USB Pen Drive - Just about anyone will do. The files are too big to fit on a floppy so you need a USB drive or something similar. I'm not linking to one because you can go just about anywhere to get one.
Basic Knowledge of Linux - Since you will be navigating around using a Linux distro, you need to have a general idea of what you are doing. The less time you are at the target computer the better. The extent of the Linux knowledge you will need to know will cover booting the distro, mounting hard drives, and "cd"ing into directories.
Target Computer - No kiddin' right? Your target computer can't have a BIOS password enabled. If it does you will not be able to boot your linux distro without either taking the harddrive or resetting the BIOS password.
And onto the show:
1.Plug your USB drive into the target pc.
2.Put your distro in the cd drive and boot it up.
3.Some distro's will auto-mount the Windows partition. If it doesn't you can mount it yourself using the following commands:
mkdir /mnt/target
mount /dev/hda1 /mnt/target
This is assuming a few things. One is that the distro you are using is compatible with those commands, and that your Windows partition is hda1. You do not have to mkdir either, I just made a new folder to keep things neat.
- The SAM files are stored in the windows/system32/config/ directory so:
cd /mnt/target/windows/system32/config
- Now copy the SAM and system files to your USB drive.
cp SAM /mnt/USB
cp system /mnt/USB
Again, this is assuming that your USB drive is mounted to /mnt/USB
-
You are all done on the target computer now, so go ahead and shutdown the PC and get out of there.
-
Now you need to extract the password hash from the SAM file. Load SAMInside.
[img]http://machination.no-ip.info/images/lessons/sam/saminside.bmp[/img]
- Once you've loaded up the SAM and system files, you will be given the encrypted password hash.
[img]http://machination.no-ip.info/images/lessons/sam/saminside2.bmp[/img]
- If the target computer had LM hashes enabled, things should be very easy to crack. SAMInside might be able to brute force the passwords for you. Depending on the complexity of the password, it could take from a few minutes to a serveral days to crack the password. I'm not too sure how well SAMInside is at cracking the passwords since I havn't used it. If it is unable to crack the passwords you will want to open up Cain.
10.The last time I did something like this, I didn't know about Cain, and SAMInside was a version from back in the day. So it looks as if you don't have to use SAMInside to get the password hashes for Cain. For a program like LC4 you will need SAMInside to get the hashes for you. To use Cain, open it and
- Go to Crack
- Go to LM and NT Hashes
- Right Click and selcect Add to List
- Select Import Hashes from SAM database
- Open the SAM on the first box, then in the second open the system file
- Copy the BootKey it gives you into the Bootkey box in the first window
[img]http://machination.no-ip.info/images/lessons/sam/cain.bmp[/img]
11.Click OK then right click on the account you want to crack. Select either a brute force or dictionary attack. I reccommend dictionary attack if you think the person is less likely to use a complex password such as omg1337@lol rather than something simple like football.
12.That is basically it. The time it takes to crack the password all depends on the speed of your computer and the complexity of the password. Things will go much quicker if the LM hash is enabled. The reason is the LM hash encryption is far less detailed. I will explain how to hack into a target computer using password hash insertion and how to disable LM hashes in my next article.
- Thanks and I hope this helps
