TOPIC: Decrypt W2K Password Hashes

Hello All,

This is what I've originally set out to achieve when I started. To Decrypt Syskey encrypted password hashes in SAM on a W2K.

The tools I've used so far without success:

LC5 < www.atstake.com/ >. I've downloaded a 15 day trial version of it.

Cain&Abel V2.5 Beta58 For W2K/NT/XP
< www.oxid.it/cain.html >

CopyPwd < www.jsiinc.com/SUBM/tip6000/rh6093.htm >

The issues I've encountered using LC5 were:

1]. I chose the option to Import Password Hashes From Local Machine, LM & NTLM password hashes were shown, but could NOT actually show the Password in plain text.

2].The other option was to use SAM file. I cannot copy the SAM file while the OS is running, because the OS puts a Lock on the SAM file. The only way I can copy the SAM file is by booting another OS such as NTFSDOS or Linux (with NTFS file system support) which I don't have currently on my machine. I did not try this yet, but I will.

With Cain&Abel:

1]. I get nothing. No hashes either.

With CopyPwd, I've the password hashes in a .txt file and I am not able to use it with LC5 to crack it.

Now, I'm going to attempt to create a user with password < 14 characters, get a copy of NTFSDOS to copy the SAM and try LC5 again to see if I can crack it.

My question is, how do you guys recover passwords? What tools do you use? Can you recommend any Freewares? Also, do you know of any tools that would crack the hashes stored in .txt as I got using CopyPwd?

Sorry for being verbose. Any thoughts would be greatly appreciated.

well here's my old notes :

method 1:
- Boot with a bootable OS that can mount the partition
- Copy the sam and sam hive from windows/System32/config
- Extract the syskey bootkey from the system hive using bkhive
- Dump the password md5 hashes with samdump2
- Brute Force them using johny

method 2:
Just use pwdump3 to get the md5 hash (you'll need to run it under the local winblows with admin privileges, one way or another ..) and then skip to 5.

method 3:
You can change but not retrieve the passwords with ntpasswd

I've used LC4 in the pass and it was quite successful in cracking Windows passwords, but then again, they were slightly weak

I really never sat down to write a step-by-step tutorial about this and it would be very interesting. Perhaps someone would like to write such a tutorial if they are keen and have the time - we are always happy to receive our member's work and post them officially on the site!

Cheers

I forgot to ask a fundamental question. If the OS puts a lock on the SAM, then why when I chose the option to Import From The Local Machine, LC5 dumped the hashes? Shouldn't the OS put out an error message?

I took the Print Screen, but was not able to paste it here. I'm not sure why.

Thankyou.

Hello All,

Progress Report:

1]. I've created a user account *TestUser*.
2]. A purely alphabetic password with length = 8 characters.
3]. Ran LC5, trial version. The trial version ONLY supports Dictionary attacks. The PreComputed and the BruteForce were only for registered licenced users.
4]. Chose to Import accounts from Local Machine.
5]. Ran the Audit.
6]. LC5 got the LM Hash and NTLM Hash and cracked the password and displayed it in plain text for *TestUser*.
7]. LC5 also displayed all the LM & NTLM hashes for all the other accounts.
8]. LM Passwords were *empty*, LM Hash does NOT support passwords with 14 or more characters.
9]. I can post the results on here, but the output displays the LM & NTLM hashes for my other accounts which are members of the admin group.

I just wanted to take small steps.
With that said, my next goals are
-to incrementally make strong passwords for *TestUser*.
-Dump the SAM and choose the option of Importing from SAM File. I've downloaded NTFSDOS Pro [read-only] version from
www.sysinternals.com/ntw2k/freeware/ntfsdospro.shtml. But I read somewhere you need NTFSDOS with [read-write] options. The other option is to use Linux [with NTFS File System Support].

I would greatly appreciate thoughts from you guys or constructive criticisms or anything that would help. If anyone of you think I'm doing something wrong, please feel free to let me know.

Thankyou.

LC and pwdump access the registry from the memory instead of the psysical SAM hive

I don't see why you would need write access if you only wished to copy it. Still don't even try to write ntfs through the linux driver, you will corrupt everythin