First, you need a floppy disk. . .. .

Now, I know what your thinking. You've seen at least 20 different tutorials, and they all didn't work. This one works.

Format the floppy disk, then run the attached program. It will install NTFS dos on the floppy disk. Go to your school (because chances are, this is what most people are using this for) and put the floppy in the drive. Restart the computer. NTFS DoS will come up all by itself, you may have to hit enter once. When it comes up, go to the Logical C: drive, then %systemroot% (which will be either /windows or /winnt) then go to system32, then config. Highlight the sam file, and then hit the copy key (it will be presented to you on the screen). Copy the sam file onto your floppy disk. If it is too big, take out the current floppy disk and put in a new one.

Ok, now you have the sam file. Using samdump (included below) dump the md5 hash out of the sam file. To do it, just open up the command prompt, and run the command:
samdump C:\sam >> sammd5.txt

or where ever the sam file is. Now, there is a more sophisticated program you can use (samdump2) but it requires the use of bkhive for those of us that don't have admin priveleges. I'll talk about that later. Right now, we will work with this. So, now you need to decrypt the md5 passwords. Probably the best, easiest thing to use is Rainbow crack. What it does is actually compiles every password combination possible, and then cracks the md5 password in seconds. This has disadvantages. It can easily consume about 3 gigs and 26 days if you have a slower computer. I recommend you go to illmob.org and buy the tables off of illwill for 10 bucks. It's money well spent. Using his tables, you can crack the password in seconds. I'll include Rainbow Crack in the download also. Currently, www.secureit.co.il has a table that will crack any md5 password, and can be accessed via the web. This may be something else to look into. Anyways, try createing the tables on you computer, if you really feel like saving 10 bucks.

An alternate way to get the password is to get the system hive, and take out the md5 key. Normally, you are not allowed to do this with windows running, but NTFS dos does not count. Unfortunately, I haven't been able to copy it because it is so big. It is more or less your entire registy in a hive. You cannot copy something to the same drive with this program, but in a different place. If you can figure that one out, then help yourself. Then you would use bkhive to crack the system hive, then samdump2 to crack the sam hive passwords.

Well, I hope this was informational. For more NTFS dos programs, go to www.ntfs.com. They have advanced data recovery software (what the government uses to get deleted stuff off of your computer when you've gotten caught hacking).

Another way to get the password is to use LC4 (l0pht crack 4) and bruteforce it. But LC4 costs some money, but thier are cracks for it on the internet. Have fun.

Cool.. Thanks for the file and the tutorial.. I'll try it tomorrow:) thanks a lot

good tutorial nice one!

the SAM doesnt have md5 encryption silly, im in the middle of writing how to do all this i just havent had the time to complete it but the basics are to boot with a floppy disk then copy the SAM file from the c:\windows\system32\config directory (exchange windows for winnt if on win2k) also you should grab the SYSTEM file too because if the person encrypted the SAM with syskey you wont be able to crack it without the key used...ill upload a tutorial later on how to get the key used with syskey along with some good SAM cracking programs (some i cant upload due to them being commericial and board doesnt allow warez)

bbl

A classic tut but instead of ntfs dos I usually break out a copy of my favority linux cd based distro. You can find many of them on this board. As far as breaking syskey I use SAMinside, if anyone knows of any noncommercial tools I would be interested in hearing them.

if i knew more shit about linux i could prolly custimize a boot disk to compress the sytem file and sam that way theyll fit on the floppy im sure someone has done this along the way... but as far as getting the syskey key you would use the atttached tools from a dos prompt

i will see that prog illwill thnx anyway ..

I found a free Linux alternative :

http://home.eunet.no/~pnordahl/ntpasswd/

thank you guys, i had a problem to access one of my pcs', but now i was able
to reset the password using the linux floppy mentioned earlier...thanx

Nice work boys.

What if we get SAM through remote shell from /repair/ dir... Is there any interesting stuff in there?

BTW. I think Rainbowcrack doesn't need syskey or hash, nor anything to crack the SAM... But it is hard to make tables for it... So it would be nice if someone could post RCrack tables making tutorial...

Thanks very helpful

Those 3 files, bkreg, bkhive, and samdump2.. won't work from dos, they use RegQuery/RegGet* (windows functions)... to get the stuff they need from the windows registry.. Although, one idea that may work is to change bkreg a bit, since it is only one cpp file, and make it use regedit from dos... to get the registry info it needs... anyone think that might work?

It would really be nice to be able to make a single boot disk to grab unencrypted hashes, or at least the SAM and the syskey key, instead of the SAM and the whole syskey file, which takes way too much space. (right now my method is to load usb drivers as well as ntfsdos stuff and copy em both onto a usb disk)

its not working for me..
it spits some error with numbers when booting .

noob question; why would i want to get the SAM file and crack the hash? what is stored in it? SAM = security accounts manager right?

thebroken.org has a scene about this on their new video if some of you are still confused...

thanks, ill try it.

Thx for the file and the tutorial.. I'll try it tomorrow:) thanks a lot

I can boot and copy files freely but when i try to access the SYSTEM or SAM file it gives me an "Access is denied." message and then 0 file copied. umm..

I'm using ntfsdos with an XP created bootdisk..

Trying to access a win 2k pro machine....

Any suggestions? would booting in linux allow me to access them? (haven't tried that route yet, but will)

Or maybe is there another way to to get the lm hashes, I tried pwdump but it gives me an error message about not being able to access LSASS, it seems like the machine doesn't let me access lsass (obviously, i don't have administrator rights)

I don't really want to reset the password, and I probably couldn't if i wanted... The SAM file and SYSTEM don't allow renaming or ANYTHING even with ntfsdos,,, There has to be a way to read those off of there!

I am n00b writing simple script. SYSTEM FILE = system.drv ? SAM = SAMSRV.DLL and LSASS.EXE is good to right?

Rich

getting lsass.exe isn't going to help yah at all...

the SYSTEM file is "SYSTEM"
the SAM file is "SAM"

check the windows\system32\config\ directory...

I must have missed the config dir. sorry for the noob question.

I think I have found something. And someone here will have to test it out to make sure I am not tripping.

1. Cannot get SAM without booting to DOS.

I think I achieved getting the same file INSIDE windows while Windows is running.

Here is how I did it. ( if I am not tripping )

1. Loaded up Winiso 5.3
2. Started a new ISO images and chose to ADD file manually.
3. Browsed to the C:\winnt\system32\config folder and clicked on the SAM file.
4. Click Add.
5. Added it to the ISO directory. What caught my attetion was inside windows it does not show a share "hand" But inside Winiso it does. ( it just struke me as odd)
6. In Winiso goto File\Save As. I chose the Desktop so if it worked I could find it.
7. Named it SAM ( just becuase I felt liek typing a short name and SAM is short)
8. It starts to create the image and gets to 68% and fails with this error:
"Assertion fialed:m_dst->write.m_dwMaxSector == m_dst
>write.m_dwcurrentSector, File D:\Company\1«ËÚǼ·\winiso\CWriteISO.cpp, Line 49. Then it says " Abnormal Program Termination"
9. Goto the desktop and look for the ISO image called SAM.(or whatever you called yours )
10. Open it with WinISO and drag and drop the SAM file from Winiso window to the desktop.
11. It says " Could not read from the source Image file" Abort, Retry, Ignore?
12. Say Abort.
13 Now look on the desktop and the file SAM is there. And it is the correct size. I chekced it against the one in the config file.

Now here is where you guys come in. Can you crack it? If you can then we now have a way to copy the file from inside windows while it is running.

Rich



::::::UPDATE:::::::
I copyed the whole Config DIR. to test it and it work crc's are all the same. And once they are copied you can copy them to any dir without problems.

did you not read the post I just did? I told how to do it without even having to boot to dos.. sigh. oh well. No one listens to me @ work either..lol

Rich

Hello. I got LC4, and im testing it on my own computer. In the right side of the program-window, it displays how much time has elapsed, time left, % done, and so on. The one thing that stroke me was the amount of passwords it tries per second. It says 1.565.346 which is over 1,5 million, PER SECOND. Can that really be true? It uses 97% CPU power also... but still...

Hmm. I now tryed to copy the SAM file. Of course its not possible to just open the directory, while XP is running, and then copy it. So i used my bootdisks (there are 6 of them cause its XP) and through DOS, i tryed to copy it, but i got access denied

I've been trying a lot of stuff out about this subject, and I come to following conclusions

pwdump4 > still a bit buggy, can't seem to get hashes with it
pwdump3v2 > this one works like a charm! tested on 2ksp4 and xpsp1
pwdump3e > same as v2, works great
pwdump2 > if it works, I didn't wait to see (or I did something wrong.., I know I had the right pid..???)
pwdump, samdump > didn't test it
saminside does a good job too but it's not free
didn't have time to look at bkreg or bkhive.. if someone had some tries with it I would like to know..

do it the boot way if you want or don't have the priveleges, with any linux live distro or a dos+ntfs disk
or sniff it with dsniff or cain...

when you go about cracking it rainbow is the one to use! since you only want to compute once to get really fast crackin results (tested a 5 digit pw on a 1-5 digit, 69chars, 99.99%probability rainbow table, cracked in less then 1 minute) I'm working on a table set containing 95% of all 6-8 digit pw's alpha (26 chars), whitch is good enough for me. the total table set would fit on one cd!!
If it's not found with this you could still do a dictionary attack, bruteforcing is nice.... if you live forever

I hope this gets some problems out of the way for some of you, since I've seen people who still use pwdump2..

Bonarez

Only error I got when I tried to open was that I could not open the file because it was the same one in the system. Probally a fluke error on that system. But anyhow I have not given up yet. I love a challange!today I am going to try to use some remote software to do it. will post results.

Rich

I use my "own" version of WinPE (Bart's PE modified) with SAMinside and I can get the username/pass everytime... NTFS DOS Pro is also included...

I've tested both LC4 and SAMinside now, and although LC4 looks so much more fancy and better, SAMinside is much faster, and it fits on a floppy

I use BartPE as well, I've tried to include cain onto the build but without much success, saminside works fine with BartPE. I think I'm going to make a BartPE build with the rainbowtables but without cain, I'll run it commandline or write some small vb gui to use it..

cool thanx that really help me

Lot's of good info, thanks everyone for their input..

Thanks for the link caleb. Lots of good information there..

Very nice guys.
Quick and Easy....
123 hackz

Thanks for your hard work

Regards,

t0ky

You can't just use linux bootdisks to copy the sam file anymore. You can't copy the sam file... at all.
If the computer has all service packs installed then you have to find a secondary admin account, blank its password and login as admin then use the LSASS method to retrieve the rest of it. You're only out that one login and if the login you blank out isnt admin or administrator your in business.

I also havent had a problem using linux to copy a sam file from a win2k w/sp4 machine. All i did was

mount /dev/hda1 /mnt/die
cp /mnt/die/winnt/repair/SAM /home/root/SAM
mount /dev/fd0 /mnt/floppy
cp /home/root/SAM /mnt/floppy


I've never tried the bootdisk method, or using rainbow crack, but i definetely have to try it. I'll try using pwdump 3v2 since i do have secondary admin privileges to one of the boxes.

using passwords that are a-z 0-9 rainbow crack and pwdump3v2 works great but if the passwords has special charcters the best i have found is windows password explorer