Cracking Windows 7, Vista, XP passwords

Cracking passwords Using Backtrack
A bit of theory:
Windows stores its local user accounts in the C:\windows\system32\config\SAM file. Anything related to the local user accounts is changed through this file, but of course the passwords in it are not stored in the clear: the SAM is a registry hive that holds password hashes, and those hashes are further obfuscated with the SYSKEY boot key (chntpw reports on this in its "SYSKEY CHECK" section). Not a problem! While we can’t read the file and see what password is currently assigned to a user, we can sure as hell overwrite it. The whole trick depends on booting another operating system and reading the Windows volume from it, which is exactly what full-disk encryption (BitLocker) and a firmware password that locks the boot order are there to stop.
Next you need a Linux that has chntpw, for example BackTrack (you can also install chntpw on any other distro). In my opinion, stick with BackTrack.
You really don't need to install BackTrack; you can boot it from a CD or USB device. I will write a tutorial for that later.

Procedure:
We are going to reset the Windows password (clear it or overwrite it) with a small tool called chntpw.
Step 1: Boot BackTrack from a CD or USB.
 
Step 2: Once BackTrack is booted, go to Start (lower-left corner) >> Backtrack >> Privilege Escalation >> PasswordAttacks >> Chntpw, which opens a terminal for chntpw.
OPTIONAL STEP:
Some Linux distros (like BackTrack 5) don't have chntpw on the PATH or set up as an alias, so I had to define the alias below to get it to work properly; other Linux versions may not need this.
Most of the time we don't need it.

alias chntpw='/pentest/passwords/chntpw/./chntpw'
Step 3: Use the terminal to change directory to the config folder of the mounted Windows disk, where the SAM hive lives.


cd /media/path/to/disk/WINDOWS/system32/config/
NOTE: The actual path can be found by opening the config folder in the file manager and then opening its properties. Linux paths are case sensitive, and the folder is spelled WINDOWS on XP but Windows on Vista and 7, so if cd reports "No such file or directory", run ls on the mount point and copy the exact spelling. The path has the form given below; the long hex string is the volume's serial number and is different on every machine.

/media/B830C9BC30C981BC/WINDOWS/system32/config

Step 4: Then run the chntpw utility on the SAM hive in interactive mode:

  chntpw -i SAM
 
That starts an interactive session. Follow the simple prompts to clear the password, or set a new one. The rest of the process is very simple and self-explanatory, but be sure to answer yes when it asks whether to write the changes to disk, otherwise nothing is saved.

Output
ubuntu@ubuntu:/media/B830C9BC30C981BC/WINDOWS/system32/config$ chntpw SAM 
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive  name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
Page at 0x7000 is not 'hbin', assuming file contains garbage end
File size 262144 [40000] bytes, containing 6 pages 
Used for data: 255/20736 blocks/bytes, unused: 9/3648 blocks/bytes.

Hive  name (from header): 
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
Page at 0xe000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 13 pages (+ 1 headerpage)
Used for data: 1074/49024 blocks/bytes, unused: 9/3808 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ec | ASPNET                         |        | dis/lock |
| 03ed | CSC603                         | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |

---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : -1 -> Not Set 
SAM      Account\F             : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: 1 -> key-in-registry

***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = -1, Unknown-mode
SYSKEY is on! However, DO NOT DISABLE IT UNLESS YOU HAVE TO!
This program can change passwords even if syskey is on, however
if you have lost the key-floppy or passphrase you can turn it off,
but please read the docs first!!!

*IF YOU DON'T KNOW WHAT SYSKEY IS YOU DO NOT NEED TO SWITCH IT OFF!
NOTE: On WINDOWS 2000 it will not be possible
to turn it on again! (and other problems may also show..)

NOTE: Disabling syskey will invalidate ALL
passwords, requiring them to be reset. You should at least
 reset the administrator password using this program,
 then the rest ought to be
done from NT.

Do you really wish to disable SYSKEY? (y/n) [n]
RID     : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir : 

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 1, while max tries is: 0
Total  login count: 1

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this  Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] >
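The listing above is also what a responder sees when examining a SAM hive pulled from a disk image, so it is worth being able to read it mechanically. The following Python script is an added example for this post, not code from chntpw or from the original author: it parses the policy limits, the user table, the SYSKEY check and the "Account bits" value out of chntpw's text output (the regular expressions assume the exact column layout shown above, and the embedded sample is constructed from that listing), decodes the account-control bits with the standard SAM ACB_* values, and turns the result into findings a defender would act on, such as a lockout threshold of 0 or an enabled administrator whose password never expires. The function names parse_listing, decode_account_bits and triage are mine.

```python
"""Inventory a SAM hive from chntpw's console output.

Added example for this post (not chntpw's own code): parses the user
table, policy limits, SYSKEY check and "Account bits" line that chntpw
prints, and turns them into findings a responder can act on.
"""
import re

# Standard SAM account-control (ACB_*) bits, in the order chntpw's
# checkbox grid displays them.
ACCOUNT_BITS = {
    0x0001: "Disabled",
    0x0002: "Homedir required",
    0x0004: "Password not required",
    0x0008: "Temp duplicate",
    0x0010: "Normal account",
    0x0020: "MNS account",
    0x0040: "Domain trust account",
    0x0080: "Workstation trust account",
    0x0100: "Server trust account",
    0x0200: "Password doesn't expire",
    0x0400: "Auto lockout",
}

# One row of the "| RID | Username | Admin? | Lock? |" table (layout assumed
# from the listing in the post). The header row has no hex RID, so it is skipped.
USER_ROW = re.compile(
    r"^\|\s*([0-9a-fA-F]{4})\s*\|\s*(.+?)\s*\|\s*(ADMIN)?\s*\|\s*([^|]*?)\s*\|\s*$"
)
POLICY = {
    "lockout_threshold": re.compile(r"^Failed logins before lockout is:\s*(\d+)"),
    "min_password_length": re.compile(r"^Minimum password length\s*:\s*(\d+)"),
    "password_history": re.compile(r"^Password history count\s*:\s*(\d+)"),
}
SYSKEY_MODE = re.compile(r"currently in mode = (-?\d+), (\S+)")
ACCOUNT_BITS_LINE = re.compile(r"^Account bits: 0x([0-9a-fA-F]+)")

# Constructed sample, trimmed from the listing shown in the post.
SAMPLE_OUTPUT = """\
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ec | ASPNET                         |        | dis/lock |
| 03ed | CSC603                         | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
***************** SYSKEY IS ENABLED! **************
It's currently in mode = -1, Unknown-mode
Account bits: 0x0210 =
"""


def decode_account_bits(value):
    """Return the names of the ACB_* flags set in an 'Account bits' value."""
    return [name for bit, name in ACCOUNT_BITS.items() if value & bit]


def parse_listing(text):
    """Parse chntpw's output into policy, users, SYSKEY state and account bits."""
    report = {"policy": {}, "users": [], "syskey_enabled": False,
              "syskey_mode": None, "account_bits": None}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = USER_ROW.match(line)
        if m:
            rid_hex, name, admin, lock = m.groups()
            report["users"].append({
                "rid": int(rid_hex, 16),   # chntpw prints the RID in hex
                "username": name,
                "is_admin": admin == "ADMIN",
                "lock_flag": lock,         # "Lock?" column copied verbatim
            })
            continue
        for key, rx in POLICY.items():
            m = rx.match(line)
            if m:
                report["policy"][key] = int(m.group(1))
        if "SYSKEY IS ENABLED" in line:
            report["syskey_enabled"] = True
        m = SYSKEY_MODE.search(line)
        if m:
            report["syskey_mode"] = (int(m.group(1)), m.group(2))
        m = ACCOUNT_BITS_LINE.match(line)
        if m:
            report["account_bits"] = int(m.group(1), 16)
    return report


def triage(report):
    """Flag the conditions in a parsed listing that weaken the local accounts."""
    findings = []
    pol = report["policy"]
    if pol.get("lockout_threshold") == 0:
        findings.append("no lockout threshold: online guessing is unthrottled")
    if pol.get("min_password_length") == 0:
        findings.append("no minimum password length")
    admins = [u["username"] for u in report["users"] if u["is_admin"]]
    if len(admins) > 1:
        findings.append("multiple local administrators: " + ", ".join(admins))
    if report["account_bits"] is not None:
        flags = decode_account_bits(report["account_bits"])
        if "Password doesn't expire" in flags and "Disabled" not in flags:
            findings.append("enabled account with a non-expiring password")
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Read a saved chntpw transcript from stdin, or fall back to the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_listing(text)
    print(json.dumps({"report": parsed, "findings": triage(parsed)}, indent=2))
```

Save a chntpw session with script(1) or a redirect and pipe it in; the "Account bits" line only appears after a user has been selected in the menu, so the parser leaves that field as None when it is absent rather than guessing.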

2 Comments

  1. I cannot get into the Windows folder!! It shows me there is no such file or directory!! Can you help me out?
