Skip to main content

Decrypt W2K Password Hashes

More
20 years 2 months ago #5151 by FallenZer0

I don't see why you would need write access if you only wished to copy it. Still don't even try to write ntfs through the linux driver, you will corrupt everythin ;)


--I'm not sure either why? Thankyou so much nske for your input.

-There Is A Foolish Corner In The Brain Of The Wisest Man- Aristotle
More
19 years 10 months ago #6760 by uscfan
Replied by uscfan on topic My Technique
Essentially I "steal" SAM files from my school all the time. It is a science and technology high school with roughly 200 windows 2k / xp computers and some older 98 machines. The IT department known as ETIS is really crappy, they are all noobies. The whole system uses novell, which sadly still uses SAM files and stores all passwords locally.

1) Enter BIOS, I found the BIOS password by booting Knoppix-STD sucesfully on one computer. Some computers you dont need to enter BIOS, but on others you need to reset settings so you can boot from CD.

2) Using Knoppix-STD or Slax, the bootable Slackware distro, I extract the SAM files and SYSTEM files from the C:\Windows\System32\Config directory, and place them on a USB thumbstick.

3) I go home and using SAMInside I crack the syskey and export to PWD file.

4) Using the PWD I enter LC5 and crack away.

You cannot access the SAM on a computer with LC5 or SAMInside directly unless you have administrator priviliges, which is why I crack the SAM's in the first place. Overall my technique is extremely fast, and once booted it only takes a few seconds to extract the SAM. I would highly reccomend Slax, which can be found at slax.linux-live.org .
More
19 years 10 months ago #6784 by sahirh

1) Enter BIOS, I found the BIOS password by booting Knoppix-STD sucesfully on one computer. Some computers you dont need to enter BIOS, but on others you need to reset settings so you can boot from CD.


Could you explain that for me ?

For those who are interested, pwdump and l0pht's import function use dll injection on lsass.exe in order to get you the passwords, this implies you already have administrative access to the system and logically, you are looking for horizontal privilege escalation..

If you guys wanna see an interesting way of cracking windows passwords, look at the OpenMosix article that just went up in the Linux section, at the end there is a recipe for building a distributed password cracking cluster... I use this behemoth to crack clients passwords during pen-tests (when time is of the essence).

A couple more tips, if you get LM hashes, chances are you'll crack 'em all in a matter of a few hours, this is because LM splits the password into two 7 character hashes, furthermore, everything is converted to uppercase which greatly reduces the password entropy and gives you a much smaller keyspace to crack.

Since we're on the topic, how about we have a little quiz challenge.... Winner gets to choose the next security article we write:

1. We've been talking about cracking *local* passwords.. who can tell me the best way to crack passwords in an active directory environment. Without using pwdump :) ?

2. What is the key length of the syskey encryption ?

3. Is life different if the syskey is stored on a syskey floppy disk ?

4. What happens if you lose the syskey floppy ?

5. What is the most important hardware requirement for password cracking ?

6. What are precomputed hash-tables, how do they help, and how much ?

7. What are rainbow cracking tables, how do they help ?

8. If you generated enough hash tables, wouldn't you be able to essentially 'look-up' any password ? ;)

Now for those of you who are the really tough boys:

9. What, in your opinion, is the best example of 3 factor authentication (justify) ?

10. What is the protection system used on Aladdin HASP hardware dongles, how does one go about breaking it ?


Don't cheat with google *too* much :)

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
More
19 years 9 months ago #6876 by uscfan
Replied by uscfan on topic Bios
Basically, most of our computers are set so the HD boots first, eliminating the possibility for a CD boot. Some though are not. I, on accident, booted into Knoppix STD because ETIS forgot to change boot order. I used a script included in Knoppix STD called cmospass i believe, which lists all posibilities. For instance it will say:

Compaq: 123123
HP: AABAAB
eMachines: 990099

This much more detailed, it shows around 30 different models including some brand specific. You then choose the closest match and give it a whorl. In this case it was etis6262, hehe, if you ever visit our school have fun.

Now my friends and I can gain access to the BIOS on any computer in the whole school.

===============================================

NEW QUESTION!!!

A friend of mine is quite wealthy and he started cracking the ETIS password, which is Administrator. All the computers have ETIS instead of Administrator. So I do regular crack, no result. I then run brute force for four hours, cracked my principles, but no Admin pass. Then he runs 25 hours, which is numbers, letters, and common symbols, no result. I really don't know what to do!!! I have syskey and all so its not a problem with that, its either a really complicated password or something is wrong!

I know its not very long because I have seen ETIS technicians login on computers and the ***'s are only about 6 characters long.

Does anyone know what the deal is, and would anyone like to give cracking this password a try? I will post on my server in a rar or zip if anyone desires. PLEASE HELP!!! We want to use admin to open IE properties so we can find out how the proxy is set up so I can use my laptop on the internet at school. I have no malicious intent!

Oh yeah, your questions:

1) Honestly what is the best way to do that? I would really like to know more because my dad challenged my to crack his password and there is nothing in his SAM. I concluded the passwords are stored remotely or somewhere else? What is Active Directory? All i know is its like a access-controlled network storage system?

2) No clue

3) No clue

4) If syskey is gone life sucks. I ruined a computer by disabling syskey at school. :( oopsie.

5) CPU, cracking requires 100% CPU. A P4 with HT might perform better than an A64?

6) Precompued hash tables are words and sentences, phrases, etc.. which are already computed into Lanman or NTLM hashes to speed up cracking. I really want some WHERE CAN I FIND EM?!!!

7) No clue

8) No clue

9) Three factor? I would assume that is like the grade login for my school. icue.gusd.net . You need a district number, teacher ID, and a password which is randomly generated every week or something.

10) From the demo I saw, its hardcore lame. I hate crap like that.
More
19 years 9 months ago #6885 by MezzUp
I don't know the answears to sahirh's questions, but I sure am looking forward to reading them :)
More
19 years 9 months ago #6910 by gl0bal
Ummm I'm not gonna be a lot of help but I'll try the 3 questions that I have a vague idea about. To be honest this is info gained fro some recent reading of HackingEXposed Windows Server 2003 so I can't claim to be any kind of a knowledgable practioner... more like a willing apprentice!

1) I'm thinking you might do kerberos sniffing and thn run a crack against the sniffed authentication packets with KerbSniff/KerbCrack.

Or are you talking about John the Ripper (for Unix and Windows), MDcrack (for Windows) or Lophtcrack?

5) I'd probably agree that CPU is the most important hardware component.

9) I'm guessing you mean - something you know, something you have and something you are. So in that case I'd say perhaps a password with a secureID token or access card and biometric authentication (fingerprint scan). From what I undersatnd in teh Windows world it might use EAP-TLS?
Time to create page: 0.144 seconds