Step By Step Windows Password Recovery
#1
Posted 14 April 2005 - 04:51 PM
Ok, so you've got a computer in your mitts, and you need to know the Windows logon password. Maybe some virus / sister / other schmo changed your password, maybe someone quit working at your company and left with all the passwords. Either way, there's a simple-to-follow way to get those passwords back. Many of you are familiar with a lot of these fundamentals; my goal is to put them all in one tutorial.
Assumptions:
The target machine is running Windows NT, 2000, XP, or Server 2003
You are looking for local machine passwords, not domain passwords
You have physical access to the machine, including the ability to boot from CD-ROM
The target system is storing passwords using the LM scheme.
The password is 14 or fewer characters, or is a dictionary word or derivative.
Tools Used:
Knoppix 3.7, burned to a CD-R
Cain and Abel
RainbowCrack 1.2a
Rainbowcalc
SamInside 2.3.0.1
All these tools can be found quickly and easily by using a magical device known as "Google".
So here's basically what you'll be doing for this attack:
1) You get the encrypted version of the Windows SAM database and syskey using Knoppix, and copy it to a USB pen drive.
2) You extract the encrypted hashes for each password using SAMInside to process the SAM and syskey files
3) You create a big rainbow table for the LM charset using RainbowCrack
4) You feed this table, along with the hashes, into Cain and Abel, and get the passwords.
Alternatively, to do a dictionary or brute force style attack, you may skip step 3.
Here's how this works in detail:
Windows stores each of its passwords as a hash in a file called the SAM. A hash is like ground meat, in that after you create a hash (ground meat), you can't tell what password (specific animal) it came from. There are many different kinds of hash functions, which you can think of as having many different types of meat grinders. Some are easier to crack than others. The default Windows LM hash is the easiest to crack that is still in major use today.
Now it's true that you can't tell what password a particular hash came from, but there are ways around this. Basically, you see what hash you get when you try every password possible, and whichever password gives you the hash you are looking for is the password for that particular account. This is analogous to grinding every cow in the pasture to see which one gives you the kind of meat you're looking for. Our method is similar, though less gruesome.
This particular type of attack is nothing new in that people have used similar methods along with dictionaries and brute forcing and such for quite some time. The interesting twist here is rainbow tables. Rainbow tables can be thought of as kind of a brute-force-once, crack-many type of attack. It creates an indexed table of all the possible password / hash combinations up front, and then you can just look for your particular hash later to crack it. After using some complicated mathematical techniques to reduce the necessary file size of the hash database to something manageable, voilà, instant cracking. After the initial table generation, password cracking can be done quite rapidly, usually in just a couple of minutes. Also important, this password cracking can be done offline, at your own leisure, without continual access to the machine in question.
The limitations to rainbow tables: You can't use a rainbow style attack against salted hashes or challenge-response password authentications. Think of our meat example. Ok so you have to kill every cow in the pasture and grind it into meat, and then you have to use every possible combination of seasonings and cooking methods to come to a result. Clearly you've just increased your work exponentially, and now rainbow tables are of little use.
Another limitation is that you still have to brute force once in order to crack many times. Anything beyond 9 characters long is too long to make a rainbow table for in practice. And the larger the character set you are trying to crack, the longer it will take to make the rainbow tables. So alphanumeric-symbol32-space is about the best you can do with 7 characters length. To create this kind of table with a 90% chance of getting your password will require using about 20 GHz of processing power for roughly 3 months. After that, you can crack any 7 character Windows password in a matter of minutes. You can create a lowercase-only table on about 5 GHz of CPU power in less than a week with the same success rate and 7 character length. This will get you the majority of passwords with significantly less investment in computing resources.
The nice part about this is the LM hash function's inherent weaknesses, namely that it is lowercase only, and that it breaks passwords longer than 7 characters into two 7-character units. This means that you can crack up to 14 character passwords with no more processing power than needed to crack 7 character passwords, AND you can use the easier-to-create lowercase rainbow tables instead of needing to make a mixed case set. This speeds up cracking immensely. The NTLM hash set is less forgiving, and therefore if you are unlucky enough to be dealing with a system that only stores its passwords as NTLM, you have to create significantly bigger rainbow tables to crack the same passwords.
OK, so enough background. How do you actually pull this off?
First, burn Knoppix to a CD. Then, you can do one of two things.
1) you can boot Knoppix on the target computer
or
2) take the target computer's hard drive out, and boot Knoppix on a different computer with that hard drive attached to it
You would only be using the second option if you couldn't boot Knoppix from the target computer for some reason.
You can burn Knoppix to a CD using a program such as Nero Burning ROM. Just select "burn image" from the recorder drop down menu, and select the ISO of Knoppix you downloaded.
From there, reboot the target computer, and if necessary, go into the BIOS to make sure that boot from CD-ROM has priority over boot from hard drive.
Then put your CD in and boot Knoppix. The plain old version of Knoppix takes care of mounting your drives and such, including your USB pen drive and any applicable SATA drives, and this is why we're using this version in this tutorial.
After Knoppix boots up, you should see some icons on your desktop for HDA, HDB, HDE, or so forth. Your pen drive (if you plugged it in) should be SDA1 or similar. You can plug your pen drive in at any time.
So click on one of the hard drives to open the file browser, and look for the following files:
/drive/windows/system32/config/SAM
and
/drive/windows/system32/config/system
note, Windows may be somewhere else like /drive/winnt/, so keep that in mind
In order to copy these files to your pen drive, first you must mount it as writable. In this distro of Knoppix, this is deceptively simple. Right click your pen drive on the desktop (SDA1, probably), and click mount. Then right click the drive again, go to actions and click change read/write mode to make the drive writable.
After your pen drive is mounted, simply copy the above mentioned files from one of the hard drive partitions onto the pen drive by dragging them from the hard disk window to the pen drive window, and selecting copy. Then shut down Knoppix by clicking the K (start menu), click logoff, then shutdown. This will properly unmount everything. Isn't Linux easy ;)
At this point, remove your pen drive, and connect it to your Windows based computer (or reboot the current computer to Windows)
At this point you will be using SAMInside. Copy the "SAM" and "system" files into the same folder as your SAMInside folder. Then open a command prompt window (start->run->cmd) and switch to your SAMInside folder (example: "cd c:\saminside"). Then run the following commands.
getsyskey system
this extracts the syskey from the system file and by default stores it in the startkey.key file
then use this command
gethashes sam startkey.key >output.txt
this will create a file output.txt with the hashed version of all the passwords on the target system.
now we will enter this hash file into Cain to crack it.
open up Cain and Abel; Windows may complain about a firewall event, you can either leave it blocked or unblock it, it doesn't matter since we aren't using any sniffing this time.
Then click the "cracker" tab, and click on "LM and NTLM hashes". Click the plus sign, then choose "import NT hashes from a SAM or text file". Then choose your "out.txt" or whatever you decided to call it. You might be able to skip the SAMInside step and just open the SAM file with Cain, but I'm not sure if Cain can crack syskey or not, so this way will certainly work.
Now you need to target the user account you're looking for, as there should be a variety of accounts. You can pick more than one account at once if you'd like as well. Right click the account you're looking for and choose "cryptanalysis attack (lm)". Click "add table" and add all the rainbow tables you've made one by one. Cain should save this list for later use so you won't have to do this again. Now click start. It will now read the rainbow tables one by one, check for hashes, and move on. This will take a few minutes.
Now you have your passwords.
One step was missing however, how to create the rainbow tables. This step should actually be performed first.
First take your rainbow calc program, and use it to decide what kind of tables you should make.
For LM tables, here are the settings you should use:
Alphabetic only tables:
rainbow chain length: 2400
rainbow chain count: 40,000,000 (without commas)
number of tables: 2
split table up: 1
under hash type, choose lm
under charset choose loweralpha
then click calculate
it will tell you that these settings will take about 2 days to create the tables, and will give you a 99.95% chance of cracking any alphabetic LM based windows password.
the batch file it creates will look like this:
rtgen lm loweralpha 1 7 0 2400 40000000 all
rtgen lm loweralpha 1 7 1 2400 40000000 all
From the folder where you have your RainbowCrack program, just create a simple text file called rtgen.bat, and put those two lines of text in it, and save it. Then, run that .bat file, and wait a while (a couple of days). It will update you as to its progress as things move along, and will eventually finish.
After everything is finished, you need to sort the rainbow tables. Open up a command window, go to your RainbowCrack directory, and do the following:
rtsort (filename)
where filename is the name of the .rt rainbow table file you created. Do this for all the rainbow tables you made.
Now your rainbow tables are ready!
In rtcalc, you may want to try different chain lengths, different chain counts, more or fewer tables, longer or shorter numbers of characters to crack for (for NTLM, LM should always use 7), or a different character set (such as alphanumeric-symbol 14)
A table to crack the following character set with a 98.8% chance of succeeding uses the following settings:
loweralpha-numeric-symbol14 = [abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=]
rainbow chain length: 5000
rainbow chain count: 80,000,000 (without commas)
number of tables: 10
split table up: 4
under hash type, choose lm
under charset choose loweralpha-numeric-symbol14
each file will be 300 megs in size, with 40 files, for a total file size of 12 gigs. It will take approximately 10 times as long to make these tables as the other tables.
The commands to make these tables are as follows:
rtgen lm loweralpha-numeric-symbol14 1 7 0 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 0 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 0 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 0 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 1 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 1 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 1 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 1 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 2 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 2 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 2 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 2 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 3 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 3 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 3 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 3 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 4 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 4 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 4 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 4 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 5 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 5 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 5 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 5 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 6 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 6 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 6 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 6 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 7 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 7 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 7 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 7 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 8 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 8 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 8 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 8 5000 20000000 #3
rtgen lm loweralpha-numeric-symbol14 1 7 9 5000 20000000 #0
rtgen lm loweralpha-numeric-symbol14 1 7 9 5000 20000000 #1
rtgen lm loweralpha-numeric-symbol14 1 7 9 5000 20000000 #2
rtgen lm loweralpha-numeric-symbol14 1 7 9 5000 20000000 #3
You can split up table generation to take place on a number of systems by executing one or more of these commands on each system, for example executing the first half of the list on one computer and the second half on another computer.
Good luck with your Windows password cracking efforts!
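Added example (not from the original post or any of the tools it names): a toy version of the process described above, to make the "brute-force once, crack many" idea concrete. It shows the LM preprocessing that makes 14-character passwords cost two 7-character attacks (uppercase, NUL-pad to 14 bytes, split into 7-byte halves, expand each half into a DES key), then the rtgen / rtsort / "cryptanalysis attack" mechanics over a deliberately tiny loweralpha keyspace (lengths 1..3 instead of 1..7): chains, a per-column reduction function, endpoint-only storage, and the false alarms that chain merges produce. Assumption to note: real LM hashes each half by DES-encrypting the constant "KGS!@#$%" under that half's key; DES is not in the Python standard library, so `half_hash()` here is a labelled stand-in (truncated MD5 over the same inputs). The stand-in changes the hash values, not the table mechanics. The names `chain_start`, `build_table`, `crack` and the constants 7919 / 104729 are this example's own, not RainbowCrack's.

```python
"""Toy LM-style rainbow table: LM preprocessing, then rtgen/rtsort/rcrack-shaped
chain generation and lookup on a tiny keyspace. Example code, not from the post.

Real LM: hash(half) = DES_ECB(key = expand(half)).encrypt(b"KGS!@#$%").
DES is not in the stdlib, so half_hash() is a STAND-IN (truncated MD5);
everything else keeps the real algorithm's shape.
"""
from __future__ import annotations
import hashlib
import string

CHARSET = string.ascii_lowercase  # rainbowcrack's "loweralpha"
MAX_LEN = 3                        # toy: lengths 1..3 (a real LM table uses 1..7)
KEYSPACE = sum(len(CHARSET) ** n for n in range(1, MAX_LEN + 1))  # 26+676+17576 = 18278
LM_MAGIC = b"KGS!@#$%"             # the constant LM encrypts under each half-key


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """LM preprocessing: uppercase, NUL-pad/truncate to 14 bytes, split into 7-byte halves.
    Halves are hashed independently, so 14 chars cost two 7-char attacks."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_half(half: bytes) -> bytes:
    """Expand 7 bytes into LM's 8-byte DES key: 7 key bits per byte, bit 0 unused."""
    n = int.from_bytes(half, "big")
    return bytes(((n >> (7 * (7 - i))) & 0x7F) << 1 for i in range(8))


def half_hash(half: bytes) -> bytes:
    """STAND-IN for DES(key=des_key_from_half(half)).encrypt(LM_MAGIC); 8 bytes like LM."""
    return hashlib.md5(des_key_from_half(half) + LM_MAGIC).digest()[:8]


def lm_hash(password: str) -> bytes:
    """16-byte LM-style hash = hash(half 1) || hash(half 2); each half is cracked alone."""
    h1, h2 = lm_halves(password)
    return half_hash(h1) + half_hash(h2)


def index_to_plain(i: int) -> str:
    """Bijection from 0..KEYSPACE-1 onto every string over CHARSET of length 1..MAX_LEN."""
    for n in range(1, MAX_LEN + 1):
        block = len(CHARSET) ** n
        if i < block:
            chars = []
            for _ in range(n):
                i, r = divmod(i, len(CHARSET))
                chars.append(CHARSET[r])
            return "".join(chars)
        i -= block
    raise ValueError("index outside keyspace")


def reduce_fn(h: bytes, column: int) -> str:
    """Reduction hash -> plaintext. Mixing in the column is what makes this a *rainbow*
    table: two chains merge only if they collide in the same column."""
    return index_to_plain((int.from_bytes(h, "big") + column) % KEYSPACE)


def chain_step(plain: str, column: int) -> str:
    """One link: p -> H(first 7-byte half of p) -> R_column(...)."""
    return reduce_fn(half_hash(lm_halves(plain)[0]), column)


def chain_start(c: int, table_index: int = 0) -> str:
    """Deterministic start points; table_index plays rtgen's role of a second table."""
    return index_to_plain((c * 7919 + table_index * 104729) % KEYSPACE)


def build_table(chain_len: int, chain_count: int, table_index: int = 0) -> dict[str, list[str]]:
    """rtgen: walk each chain, keep only (endpoint -> start points). A list per endpoint
    is the honest form of the sorted table: merged chains share an endpoint."""
    table: dict[str, list[str]] = {}
    for c in range(chain_count):
        plain = start = chain_start(c, table_index)
        for col in range(chain_len):
            plain = chain_step(plain, col)
        table.setdefault(plain, []).append(start)
    return table


def crack(table: dict[str, list[str]], target: bytes, chain_len: int) -> str | None:
    """rcrack / Cain 'cryptanalysis attack' on one 8-byte half: returns p with H(p)==target."""
    for j in range(chain_len - 1, -1, -1):      # guess: target is the hash at column j
        plain = reduce_fn(target, j)             # so this is the column-(j+1) plaintext
        for col in range(j + 1, chain_len):
            plain = chain_step(plain, col)       # walk to the would-be endpoint
        for start in table.get(plain, ()):       # endpoint known: regenerate from its start
            p = start
            for col in range(j):
                p = chain_step(p, col)
            if half_hash(lm_halves(p)[0]) == target:
                return p
            # otherwise a false alarm: the endpoint matched through a merge, keep going
    return None


if __name__ == "__main__":
    t = build_table(chain_len=16, chain_count=200)
    p = chain_start(7)                           # a plaintext known to sit in a chain
    for col in range(5):
        p = chain_step(p, col)
    print(p, crack(t, half_hash(lm_halves(p)[0]), 16))
```

Two things the toy makes visible that the tutorial only states: `lm_hash("abc")[8:]` equals `lm_hash("xyz")[8:]`, because an empty second half always hashes to the same constant (the real LM equivalent is the well-known `AAD3B435B51404EE` half), which is how Cain knows a password is 7 characters or shorter; and `crack()` must rehash the regenerated chain point before trusting it, because a merged chain can deliver the right endpoint with the wrong plaintext.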
#3
Posted 15 April 2005 - 06:03 AM
Kelso, on Apr 15 2005, 05:25 AM, said:
i think LC is better than Rainbow
What makes you say that LC (whatever version) is more efficient at cracking passwords than rainbow tables of the proper hashing algorithm and keyspace? I happen to disagree with you, but I'd like to understand your reasoning.
#4
Posted 15 April 2005 - 11:21 AM
#5
Posted 15 April 2005 - 02:29 PM
Anyway, LC could be useful too if you want to do a good brute force to be sure you got the right passes!
#6
Posted 16 April 2005 - 12:04 AM
Kelso, on Apr 15 2005, 09:25 AM, said:
i think LC is better than Rainbow
You never tried rainbow tables? :P
#8
Posted 16 June 2005 - 08:32 AM
I was hoping that it would be detailed enough and comprehensive enough to save newbs a lot of time learning how to do this process rather than piecing the bits together from many threads. Did I accomplish this goal?
#9
Posted 16 June 2005 - 09:46 AM
Keep it up.
#11
Posted 16 June 2005 - 09:48 PM
www.antsight.com/zsl/rainbowcrack/
but now there are other ways too:
Oxid.it (the guys from Cain) has a winrtgen, or you could use ophtcrack (note that rainbow tables from ophtcrack are not compatible with winrtgen or RainbowCrack, but I heard they're faster)
edit: made a typo.. sorry... :blush:
ophtcrack should be ophcrack
#12
Posted 20 June 2005 - 11:52 AM
Anyways, nice tut funky, I was about to paste my own but yours was more expanded.
#13
Posted 20 June 2005 - 12:55 PM
http://www.irongeek.com/i.php?page=security/localsamcrack2
http://www.irongeek.com/i.php?page=videos/samdump2auditor
Creating rainbow tables, good ones, takes a lot of time. If you don't have a group or a bunch of computers, you could use the website in my signature.
Anyway, well done funky.
#14
Posted 20 June 2005 - 09:11 PM
http://wired.s6n.com/files/jathias/
I hope that helps, and if you don't want the tables at all and you can get the hash, then you can get it cracked with the online app they have at
http://lasecwww.epfl.ch/%7Eoechslin/projects/ophcrack/
Best Regards,
Insanity
#15
Posted 02 September 2005 - 12:48 PM
enter the hash, get a password from a webserver.
I think there used to be some of those around. Do any still work?
edit: jeez, I should have finished reading the post above. Anyway, the more online crackers, the merrier. If anyone has some easy code I can use, I'll put my massive rainbow tables online. Took 3 months at 20 GHz to finish them. Alphanumeric-symbol-32-space