ArchAngel
I don't know the rules about this... so if any mods think this should be removed, feel free...

Anyway, let's start off by explaining what exactly this is...

This will allow you to obtain a local password on the box you are trying to "recover". There are other ways of doing this remotely... still trying to get that perfected though... but as soon as I do I will post how to do it on here.

There are two methods of doing this. It all just depends on how much time you have.

Yes, I know this can also be done in Windows if you have administrator access... this is for the times that you don't.

Method 1:

This requires a couple things:

1. Knoppix (or any other bootable linux cd)(Knoppix: http://www.knoppix.com)
2. SAMInside ( http://www.insidepro.com/eng/saminside.shtml )
3. Cable/DSL internet access (only needed if you want to do it on the spot)
4. Local access to the computer. (can be guest privs)
5. A little time.

Let's start from the beginning, assuming you have everything already.

1. Put in the Knoppix CD and boot from it... hit enter to enter graphical mode.
2. On the desktop it should have mounted the NTFS/FAT partition and allow you to access it.
3. Open up the drive and navigate to windows or winnt, then system32, then config.
4. Copy SAM and SYSTEM.
5. Open up an internet browser... I believe Knoppix has Konqueror.
6. E-mail yourself those two files (if you don't have a web e-mail account... you can use Hotmail).
7. Remove the Knoppix CD.
8. Restart and load into Windows.
9. Log in with whatever access you have.
10. Download those two files from your e-mail account.
11. Open them up with SAMInside.
12. Find the user you want the password for.
13. Copy the LM hash down (either copy it or write it down).
14. Go to http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
15. Scroll down to the demo and put in the hash you have gotten.
16. You're done... the password should show up with the results.

Method 2:

This one is a little bit shorter but still requires you to have access to the internet... should take less time.

Tools needed:
1. internet access (can be at home or whatever.)
2. CHNTPW (can be found in the File Downloads Section)
3. pen and paper

1. Boot CHNTPW.
2. Get to where you select the user (you would select the user you want the password for).
3. Write down the LM hash for the user.
4. Reboot without the CD/floppy in the drive.
5. Go to http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/ and put in the hash you received.
6. The password should print out below the text box.
7. You're done, enjoy.

If the system has SYSKEY activated you must turn it off... or you will receive a phony hash.
The CHNTPW disk should have the option to turn it off... I don't remember off the top of my head where it is... but it is on the disk.



I know this is a bit sloppy and for all you pros out there most likely a waste of time. But for anyone coming into the field this is a good place to start. I hope this helps someone.

The way of fixing method 2... preventing it from showing the hash... turn off NTLM/LM hashing in local policies. (I don't know the exact path by heart so... look it up. google.com is your friend, don't be afraid to use it.) YOU STILL CAN CHANGE THE PASSWORD but you will NOT be allowed to see the hash.

Enjoy guys.

-AA

EDIT: Added SAMInside link.
EDIT2: Added Note for Method2.
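A defender-side check for the local-policy fix mentioned in the note on method 2, added here as an example; it is not code from the thread or from any tool named in it. It assumes Windows PowerShell on the machine being audited. The registry value NoLMHash under the Lsa key is what the Group Policy item "Network security: Do not store LAN Manager hash value on next password change" sets, and the SecureBoot value under the same key records the SYSKEY mode the thread discusses. As the policy name says, it only stops the LM hash from being stored from each account's next password change onward, so any LM hashes already on disk stay there until the users change their passwords.

```powershell
# Added example: audit whether LM hash storage is disabled and report the
# SYSKEY mode. Reading the values needs no elevation; setting them does.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of the SecureBoot value (SYSKEY mode) under the Lsa key.
$SyskeyModeNames = @{
    1 = 'key stored in registry (default)'
    2 = 'startup password required'
    3 = 'key stored on floppy'
}

function Get-LmHashStorageStatus {
    $props = Get-ItemProperty -Path $LsaKey

    # NoLMHash = 1 means "do not store LAN Manager hash value on next password change".
    $noLmHash = 0
    if ($null -ne $props.NoLMHash) { $noLmHash = [int]$props.NoLMHash }

    $modeText = 'not set'
    if ($null -ne $props.SecureBoot) {
        $mode = [int]$props.SecureBoot
        if ($SyskeyModeNames.ContainsKey($mode)) { $modeText = $SyskeyModeNames[$mode] }
        else { $modeText = "unknown value $mode" }
    }

    [pscustomobject]@{
        LmHashStorageDisabled = ($noLmHash -eq 1)
        SyskeyMode            = $modeText
    }
}

function Disable-LmHashStorage {
    # Run from an elevated prompt. Existing LM hashes remain until the next
    # password change of each account; this only prevents new ones being stored.
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    Get-LmHashStorageStatus
}

$status = Get-LmHashStorageStatus
$status | Format-List
if (-not $status.LmHashStorageDisabled) {
    Write-Warning 'LM hashes are still being stored; run Disable-LmHashStorage from an elevated prompt.'
}
```

Run the script as-is to audit; call Disable-LmHashStorage only from an elevated session, and follow it with a password change for the accounts whose LM hashes you want gone.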
G777
Thanks for the hash cracker link, very useful.
pwdump2.exe works well for remote dumping of hashes.
myth
Yeah, nice little tutorial, not bad at all.

Soooooo, /me waits for the remote method... still haven't got pwdump to do it properly...
speshalyst
Hi,

I've seen pwdump3 work well in retrieving remote hashes, provided you have administrative access on the remote box...

Is there a way to get these LM hashes without having admin privileges, in a LAN?

Pro21
lol, and when you're on a machine with restricted accounts?
Like impossible to use pwdump, impossible to inject a process, regedit disabled?
And impossible to boot Knoppix.

Do you have a solution?
saetji
You should still be able to boot using Knoppix.
ArchAngel
QUOTE(Pro21 @ Feb 23 2005, 09:38 PM)
lol, and when you're on a machine with restricted accounts?
Like impossible to use pwdump, impossible to inject a process, regedit disabled?
And impossible to boot Knoppix.

Do you have a solution?

Yeah... with regedit disabled that does nothing... with pwdump off... that affects nothing... no need to inject a process...

And if Knoppix won't boot... get off your lazy arse and go into BIOS and turn on boot from CD.
ArchAngel
QUOTE(speshalyst @ Feb 23 2005, 09:03 PM)
Hi,

I've seen pwdump3 work well in retrieving remote hashes, provided you have administrative access on the remote box...

Is there a way to get these LM hashes without having admin privileges, in a LAN?

Remotely... still working on a foolproof solution... almost have it down... but finding out some machines are coughing up nothing. (Have been testing it on LANs, not WANs.)
IcedOut3E
QUOTE(Myth1368 @ Feb 23 2005, 04:17 AM)
Yeah, nice little tutorial, not bad at all.

Soooooo, /me waits for the remote method... still haven't got pwdump to do it properly...

Make sure you're using pwdump2.exe, Myth. I've never had success with just pwdump.exe.
mekros
If you don't have admin rights, then use a privilege escalation... pipeupadmin comes to mind but I don't know if it still works though... it's been a long time since I last used it...
Zonko
The problem is if the BIOS is password protected, though, then you can't boot from a CD unless you are going to reset the BIOS password. And in an office or school environment, for example, this can be very difficult.
There are still ways to do it though.
This is quite a useful wee write-up: http://labmice.techtarget.com/articles/BIOS_hack.htm
ArchAngel
QUOTE(mekros @ Feb 24 2005, 09:15 AM)
If you don't have admin rights, then use a privilege escalation... pipeupadmin comes to mind but I don't know if it still works though... it's been a long time since I last used it...

I used this before and was unable to get it to successfully bump up my privs. (A couple of months ago.)
nuorder
Pipeupadmin made use of a vulnerability in windows. It is now patched.
mekros
Yeah, the last time I used it was a year ago... anyway, just look for other privilege escalation exploits then.
Flyer
A few comments, guys.
First, it is not only for NT computers; it also covers later M$ editions (like XP).
Second, with access to the computer there is a much simpler method:
just boot to any system (with a floppy, CD, USB, LAN, whatever) and copy (to another storage device) two files:
-SAM
-SYSTEM

As the SYSTEM file includes all hashes (for all users incl. admin), you don't need to do anything then; just run SAMInside
and that is it.

No dumps, no tricks etc.

Of course, how SAMInside can be used depends on the user's experience.
I always recommend using a dictionary method first,
then bruteforcing, but with small letters only.
It is based on statistics.

ArchAngel
QUOTE(Flyer @ Feb 26 2005, 12:51 AM)
A few comments, guys.
First, it is not only for NT computers; it also covers later M$ editions (like XP).
Second, with access to the computer there is a much simpler method:
just boot to any system (with a floppy, CD, USB, LAN, whatever) and copy (to another storage device) two files:
-SAM
-SYSTEM

As the SYSTEM file includes all hashes (for all users incl. admin), you don't need to do anything then; just run SAMInside
and that is it.

No dumps, no tricks etc.

Of course, how SAMInside can be used depends on the user's experience.
I always recommend using a dictionary method first,
then bruteforcing, but with small letters only.
It is based on statistics.

1. XP is built on NT.

2. During a live boot SAM and SYSTEM cannot be copied/read/accessed in any way while in Windows.

3. SAMInside is to remove SYSKEY, nothing else.

4. NT is mainly partitioned with NTFS... NTFS you CANNOT access through DOS unless you've got something along the lines of NTFSDOS... and in any case you can only copy SAM and no other file. SYSTEM is required to be copied over also because of SYSKEY, which we all know encrypts the password hashes again. And SYSTEM is too big to fit on a floppy. We have tried many different techniques to access the system hashes without needing to boot into a live Linux boot. (All failed.)

5. If you read the tutorial to the bottom... you do not need to brute force the hashes. As I have said before, SAMInside is to remove SYSKEY.

EDIT:

Just read your post again to make sure I covered everything...
so...
6. SAM is what holds passwords, not SYSTEM. SYSTEM = SYSKEY.
hercules
You can use the LC5 program to assess, recover, and remediate Windows and Unix account passwords from multiple domains and systems.


@Stake L0pht Crack
rageinc
- I have been using:
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/

since I saw your post. The website is down now. What is the best online cracker that works similar to this with immediate results? Is there any? Any help would be greatly appreciated. Peace.
CrAcKeDBoY
Do you know this tool?

This changes the pass of the local user.

You must boot from a floppy disk and select the config folder of your system.
Then load the "sam" file and select the user password that you want to change.

This tool changes the passwords but doesn't recover them.

bye

PS: excuse me, I know my English is bad.
ArchAngel
QUOTE(CrAcKeDBoY @ Mar 12 2005, 10:38 AM)
Do you know this tool?

This changes the pass of the local user.

You must boot from a floppy disk and select the config folder of your system.
Then load the "sam" file and select the user password that you want to change.

This tool changes the passwords but doesn't recover them.

bye

PS: excuse me, I know my English is bad.

The idea is to "recover" the password... not to overwrite it.

There are a bunch of sites listed for LM hash cracking on one of the other threads below or above this one... very close.

(About the LC5 post)

The problem with LC5 is the fact that you NEED administrator to obtain the hashes to crack them. And as far as cracking them... why brute force them if you can have them cracked in 8 seconds?