axora
Hi there,

Is there any app to brute-force the pass of a given NT user account?

Would be nice if you could help me!
Thx!
dissolutions
Currently creating a paper on this topic; it will be done in a day or so...
axora
Oh, that's great.
I'm really looking forward to it.
Thx!
linuxwolf
This may not really help (well, XP is NT-based...) but on XP you can create an admin account *IF*, I repeat *IF*, you can run commands...

If you do, simply type "control userpasswords2" without quotes and a new pop-up window will open and you will reach the user account properties.

Here you can reset the Administrator and any user's password, so any time you want to use the computer, start it in safe mode by pressing F8 at boot, get into XP as you have the Administrator password, go to Control Panel > User Accounts and create a new account. Restart normally, get into WinXP with your newly made account and do your job.

And WHAM.
You have admin!
dissolutions
Bruteforcing Win2k/XP password protection


Grabbing the SAM:
On non-domain controllers or computers the Security Accounts Manager (SAM) file is stored in %systemroot%\system32\config and is locked by Windows and NTFS. NTFSDosPro can be used to grab the SAM file. We, however, will not be using NTFSDosPro; we'll be using another method which will utilize PWDump3.

PWDump3

Download PWdump3 Which can be found here: http://forums.governmentsecurity.org/index...pe=post&id=3313
or in the downloads section of http://www.governmentscurity.org

Usage: PWDUMP3 machineName [outputFile] [userName]

The machine name can be either a machine name or an IP address, with or without the \\

For example: pwdump3 \\127.0.0.1 passwords.txt saves the usernames and hashes to a file called passwords.txt in the local directory of pwdump3.

An edited example would be:
c:\pwdump3v2>type passwords.txt
hehehe:1002:NO PASSWORD*********************:8D8602394CF766E73E84E2EC9FF66BEB:::
junkie:1003:NO PASSWORD*********************:37DC783DEE63C5C6C5BF673D98512374:::

Now that we have the password hashes.... we can move on to brute-forcing them...


John The Ripper
You can download John the Ripper (JTR) at: http://forums.governmentsecurity.org/index...pe=post&id=3316

You may also want to download a dictionary file depending on the area of location etc. There is an assortment of dictionary files; we'll use English.txt as our example...

For 50 MB of dictionary files click this link: http://forums.governmentsecurity.org/index...hp?showtopic=81

After you've downloaded JTR and have extracted it... go into the directory "Run" and find and open the file John.ini...

The top of the file should look like this:
QUOTE

#
# This file is part of John the Ripper password cracker,
# Copyright © 1996-98 by Solar Designer
#

[Options]
# Wordlist file name, to be used in batch mode
Wordfile = ~/password.lst
# Crash recovery file saving delay in seconds
Save = 600
# Beep when a password is found (who needs this anyway?)
Beep = N


Now you have to change a setting in here; it is the wordlist filename... so change Wordfile = ~/password.lst to Wordfile = ~/English.txt (for the example dictionary file).

Now copy the original passwords.txt that you used to grab the SAM file... bring it into the JTR working directory Run, and then type:
john.exe passwords.txt

And that's it. Wait a while (could be up to one to two days) and you'll have a nice little output. I'm sorry I didn't have time to perform all this myself at this moment in time, but give me a few days and I'll have an example of the output.


--dissolutions
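An added audit example, not part of dissolutions' post or of pwdump3/JTR themselves: it parses pwdump-style `user:RID:LM:NT:::` records like the two shown above and reports what a defender checking their own dump cares about, namely accounts that still store an LM hash, accounts whose NT hash is the well-known empty-password value, and accounts sharing one NT hash (password reuse). The sample dump is constructed; the svc_backup record and its LM hash value are made up for illustration.

```python
import re
from collections import defaultdict

# pwdump3 prints "NO PASSWORD***..." in the LM field when no LM hash is stored,
# so only a 32-hex-digit field counts as a real hash.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample: the first two data lines are the page's example records,
# Administrator and svc_backup are made up (svc_backup's LM value is fake hex).
SAMPLE = """\
c:\\pwdump3v2>type passwords.txt
Administrator:500:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
hehehe:1002:NO PASSWORD*********************:8D8602394CF766E73E84E2EC9FF66BEB:::
junkie:1003:NO PASSWORD*********************:37DC783DEE63C5C6C5BF673D98512374:::
svc_backup:1004:0123456789abcdef0123456789abcdef:8d8602394cf766e73e84e2ec9ff66beb:::
"""


def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) for a record line, else None.
    lm / nt are lowercase hex strings, or None when the field is a placeholder."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None  # prompt lines, blank lines, anything that is not a record
    user, rid = parts[0], int(parts[1])
    lm = parts[2].lower() if HEX32.match(parts[2]) else None
    nt = parts[3].lower() if HEX32.match(parts[3]) else None
    return user, rid, lm, nt


def audit(dump_text):
    """Return a list of (account(s), finding) tuples for weak hash storage."""
    findings = []
    users_by_nt = defaultdict(list)
    for line in dump_text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        user, _rid, lm, nt = rec
        if lm is not None:
            findings.append((user, "LM hash stored (NoLMHash not enforced)"))
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
        if nt is not None:
            users_by_nt[nt].append(user)
    for users in users_by_nt.values():
        if len(users) > 1:
            findings.append((",".join(sorted(users)), "same password on multiple accounts"))
    return findings


if __name__ == "__main__":
    for who, what in audit(SAMPLE):
        print(f"{who}: {what}")
```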
poostew
I find Jack the Ripper to be a pain in the @$$ to use and I would recommend Cain and Abel, available at http://www.oxit.it

Runs only on NT-based OSes.

My favorite way to do this, though, is to use a modified Linux boot CD. Search on Google or something; you will find one.



dissolutions
There's an even easier method if you've got the time to do that... just delete the SAM and all the passwords reset to null.
axora
Nice tutorial!

But basically I was looking for a brute-force tool to do a brute-force on a remote machine, without having access to a console to run pwdump or something like that.
Some app that, for example, tries to connect to a given share with a given username while brute-forcing the pass.
OneNight
Sounds like a job for xscan... It will scan any NT machines and try to brute-force the user name and password.

I think you can find the program at www.xfocus.org
Jay
If you have enumerated the users and, say, John Smith is the admin, try various plays on his name, e.g. JohnSmith, SmithJohn, JSmith etc. If the network has a web server it's possible that you will find some good leads on there.
scooby
QUOTE
Grabbing the SAM:

Here's something that will do this for you, but this works offline.
http://home.eunet.no/~pnordahl/ntpasswd/

You can also see this (turn the anti-virus off):
https://sourceforge.net/projects/bo2k
Back Orifice extended for use in NT/Win2000.

Here's another one (don't need to say much about this one):
http://www.atstake.com/research/lc/index.html
axora
Mh, xscan just does a dictionary attack.
That isn't enough.
No tool that brute-forces an NT account with a given username online?
Jay
Get yourself across to SecurityFocus and check out the tools section. This will give you a better idea of what's out there.
Curious why a dictionary attack will not do. If you copy the password text from LC3 or LANguard network scanner you should get a higher hit rate, and check out NAT.exe.
[orion]FTF
[QUOTE] Get yourself across to SecurityFocus and check out the tools section. This will give you a better idea of what's out there.
Curious why a dictionary attack will not do. If you copy the password text from LC3 or LANguard network scanner you should get a higher hit rate, and check out NAT.exe. [/QUOTE]

Or download the dictionary lists available in the download section, then use all the lists. Still no brute-forcing though... so a hit ain't guaranteed...
woutiir
What about that new technique of brute-forcing passwords? It should be really fast, but the demo has been taken offline or something?

Let me know,
woutiir
neurotic
I am seeing a lot of Windows apps. Are there any Linux apps with which I can brute-force or scan for open NT/XP passwords?
I know Xscan did it when I was on Windows.
shaun2k2
axora, a dictionary attack isn't enough? Why? If it's not, you could always try the technique which involves trying EVERY combination of EVERY character, but expect to wait AT LEAST a few hundred years for the session to complete. There are literally millions of combinations, and how long one run would take (obviously, you WOULD get it eventually after a few hundred years) has been worked out theoretically before: one run would take over 1000 years.

A dictionary attack is sufficient for anybody. There's a HUGE dictionary file here, which gives you a pretty good chance of getting the password eventually.


Thank you for your time.
Shaun.
mekros
Brutus-AET, I think, can try every combination of every character... but like what Shaun said, it would take a long time...
hottzo
I've never managed to make Brutus AET work on my PC :/
F34R
Xscan indeed. Simple enough for everyone, yet it gets the job done.
scrollpt
Just Use Cain & Abel

http://www.oxid.it

justabit
Has anyone got secure.bat or something that will stop others getting in afterwards?
Invision Power Board © 2001-2005 Invision Power Services, Inc.