command and software to crack windows user's password

Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

I suggest using Ophcrack live CD. I have been testing version 1.2.1 the last few days and it has retrieved everything I've thrown at it. It comes with the Rainbow tables already on the CD so just pop it into the machine you want to crack or another machine and point it to the machine on the network that you want to crack.


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

http://ophcrack.sourceforge.net/

That looks brilliant … I'll add it to the arsenal! Thank you :-)


   
chinigami
(@chinigami)
Active Member
Joined: 18 years ago
Posts: 17
Topic starter  

Thanks a lot, all of you.
As I am a newbie, your advice is very important, so thanks again for your help.
I am going to try the Ophcrack live CD.


   
kern
(@kern)
Trusted Member
Joined: 20 years ago
Posts: 67
 

Earn, or anyone:
does the Ophcrack CD work directly, or do you have to use pwdump-type utils too?

I used Ophcrack on the FCCU live CD and IIRC some other util from the CD.
The downside to FCCU was that you have to download and store the tables independently.
Thx,
Kern


   
dcso
(@dcso)
Eminent Member
Joined: 19 years ago
Posts: 31
 

As I understand it, Ophcrack is a Live CD based on Slax. You use it to boot the computer that you're trying to get the password for. Everything is automated - after the CD boots, it grabs what it needs and starts cracking.

In my testing it returned an 8 character, alpha-numeric password in 14 minutes on a mid-range desktop.


   
chinigami
(@chinigami)
Active Member
Joined: 18 years ago
Posts: 17
Topic starter  

The Ophcrack CD worked directly and it cracked the passwords quickly.

But I need to crack the administrator password not using a live CD but using "commands", and it doesn't work. I have tried:

pwdump2: when I tried pwdump2 (on different virtual machines running different OSes: Windows XP, 2000 Pro, 98) I always had the same result:
failed to open lsass. exiting

So I tried another way, bkhive then samdump2,
but also in this case, while using bkhive, I received this error message: error opening hive file (but I have verified that the system file exists in winnt\system32\config, and this is the command I used: bkhive c:\winnt\system32\config\system > key.txt), so I wasn't able to use the samdump command after.

And I also tried to check the repair directory, where I found the "backup" SAM file, lol, and I could open it with Notepad, but it was encrypted (that's why I needed the syskey).

I have tried all these commands to make a hash file for John the Ripper.

Just one thing to explain the situation: I am using a guest account and am trying to crack the administrator password to make an escalation attack.

So what are your comments about the results I had? And thanks for the help.


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

The Ophcrack CD worked directly and it cracked the passwords quickly.

Hey! Well done :-)

pwdump2: when I tried pwdump2 (on different virtual machines running different OSes: Windows XP, 2000 Pro, 98) I always had the same result:
failed to open lsass. exiting

So I tried another way, bkhive then samdump2,
but also in this case, while using bkhive, I received this error message: error opening hive file (but I have verified that the system file exists in winnt\system32\config, and this is the command I used: bkhive c:\winnt\system32\config\system > key.txt), so I wasn't able to use the samdump command after.

And I also tried to check the repair directory, where I found the "backup" SAM file, lol, and I could open it with Notepad, but it was encrypted (that's why I needed the syskey).

Just one thing to explain the situation: I am using a guest account and am trying to crack the administrator password to make an escalation attack.

That's probably why - I guess that if the guest account is relatively well locked down, then these things should be (and are, it seems! A first for Windows … 😉) inaccessible.

So what are your comments about the results I had? And thanks for the help.

Comment 1: From a forensic point of view - you have done your job. With a captured machine/machine image - you have cracked the passwords. Job done.

Comment 2: What you are trying to achieve isn't really forensics, although if you were trying to show what someone else might have done, I guess that this is a reasonable experiment - if this is the case, then is there any evidence of the tools that have been used?

Comment 3: If the aim is purely to break in as an Administrator, I would think that there are better ways to gain Administrative access. If the aim is to gain the Administrative password, then, I would think that there are better ways to gain Administrative access :P … and then I would run the assorted tools to extract the password, then I would crack it on another machine :-) Then come back to the first machine and log in again.

Personally, to do this, I would start with a network attack and see if there are any remote vulnerabilities that might be exploited. If so, job done; if not, then you need to find a privilege escalation exploit that will run on the system. Try Google again for Windows XP "privilege escalation" or similar.

Good luck - let us know how it goes :-)


   
chinigami
(@chinigami)
Active Member
Joined: 18 years ago
Posts: 17
Topic starter  

Hi,
First, I have discovered that pwdump2 doesn't work on all Windows OS versions: I mean that it worked with Windows XP Service Pack 2 but not with Win 2000 Pro or Win 98, but with Win 2000 samdump worked (using the SAM file in the repair directory) and I have got the hashes file too.
I also think, as you said azrael, that the guest account is hard locked, because bkhive doesn't work in Win XP either.
I have noticed that John the Ripper takes a longer time to crack the password than the Ophcrack live CD.
And to clarify something (to azrael): I haven't used an image, I used a virtual machine (done by a software called VMware; I don't know if you consider a virtual machine as a disk image, but it doesn't seem to be like one). So I used a virtual machine to prevent my real machine from "risks of crashing" while using some tools. Next I created the admin and guest accounts. I started as a guest and I tried to crack the admin password (but not using the live CD, only some tools). After cracking the admin password I will try to destroy some documents and use a rootkit.
After finishing that I will start the forensic job using Helix tools, trying to find traces of the previous escalation attack (so I play the attacker and then the investigator).
I hope that you understand now all the situation, and by the way, do you know a "downloadable" rootkit? (I have seen www.rootkit.com, but the existing rootkits aren't detected by RootkitRevealer used in Helix.)
And as usual, thanks azrael for all the help,
and thanks to all of you.


   
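Added example (not code from the thread or from any of the tools it names): the offline route the poster was attempting with bkhive/samdump2, followed by a triage of the resulting pwdump-format lines that explains the Ophcrack-versus-John speed difference observed above. On a running Windows box the SYSTEM and SAM hives are held open by the kernel and ACL'd to SYSTEM/Administrators, so "error opening hive file" from a guest account is the expected result; the hives have to come from an image, a mounted disk, or the repair copy. Assumptions: samdump2 3.x syntax (`samdump2 SYSTEM SAM`, which absorbed the old separate bkhive step); the sample input is constructed for offline runs, with the Administrator line being the well-known LM/NT pair for "password" and the other hash values being placeholders, not real dumps.

```shell
#!/bin/sh
# Added example, not from the thread. Offline SAM hash recovery and triage:
#  1. copy SYSTEM and SAM hives from an image or mounted disk (never the live
#     ones: they are open exclusively and readable only by SYSTEM/Administrators,
#     which is also why pwdump2 cannot open lsass from a guest account);
#  2. samdump2 decrypts the SAM with the boot key read from SYSTEM
#     (assumption: samdump2 3.x takes "SYSTEM SAM" and replaces bkhive);
#  3. triage each pwdump line so the right cracker and mode are used.
#
# LM hashes are why Ophcrack is fast: the password is upper-cased, padded to
# 14 chars and split into two 7-char halves, each DES-encrypted separately, so
# rainbow tables over one half cover the whole keyspace cheaply.

EMPTY_LM_HALF=aad3b435b51404ee                 # DES output for an empty 7-char half
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0      # NT (MD4) hash of the empty password

# dump_hashes SYSTEM SAM OUTFILE: run samdump2 on copied hives, pwdump output to OUTFILE.
dump_hashes() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "hive not readable: $1 / $2" >&2; return 2; }
    command -v samdump2 >/dev/null 2>&1 || { echo "samdump2 not installed" >&2; return 3; }
    samdump2 "$1" "$2" > "$3"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# classify LM NT -> a tag describing what the stored hashes allow
classify() {
    lm=$(lower "$1"); nt=$(lower "$2")
    if [ "$nt" = "$EMPTY_NT" ]; then
        echo blank-password                       # nothing to crack
    elif [ "$lm" = "$EMPTY_LM_HALF$EMPTY_LM_HALF" ]; then
        echo nt-only                              # LM storage off, or password > 14 chars
    elif [ "$(printf '%s' "$lm" | cut -c17-32)" = "$EMPTY_LM_HALF" ]; then
        echo lm-short                             # password <= 7 chars: one DES half to search
    else
        echo lm-full                              # <= 14 chars, both halves present
    fi
}

# triage_line 'user:rid:LM:NT:::' -> "user rid tag"
triage_line() {
    old_ifs=$IFS; IFS=:; set -f; set -- $1; set +f; IFS=$old_ifs
    printf '%s %s %s\n' "$1" "$2" "$(classify "$3" "$4")"
}

# triage_stdin: pwdump lines on stdin -> one triage line each
triage_stdin() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] && triage_line "$line"
    done
}

# cracker_for TAG -> the john invocation to use ("hashes.txt" is a placeholder name)
cracker_for() {
    case $1 in
        lm-short|lm-full) echo 'john --format=LM hashes.txt' ;;   # or Ophcrack LM tables
        nt-only)          echo 'john --format=NT hashes.txt' ;;
        blank-password)   echo 'no cracking needed' ;;
        *)                echo 'unknown tag'; return 1 ;;
    esac
}

# sample_pwdump: constructed input. Administrator carries the well-known
# LM/NT pair for "password"; the alice/bob hash values are placeholders.
sample_pwdump() {
    cat <<'EOF'
Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EOF
}

# Usage on the constructed data:  sample_pwdump | triage_stdin
# Usage on real hives:  dump_hashes SYSTEM SAM hashes.txt && triage_stdin < hashes.txt
```

John the Ripper reads pwdump-format lines directly; `--format=LM` takes the third field and `--format=NT` the fourth, so one hash file serves both runs. The `lm-short` tag is worth watching for: a second LM half equal to `aad3b435b51404ee` means the password is at most seven characters and the first half falls to a table or a short brute force almost immediately.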
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

First, I have discovered that pwdump2 doesn't work on all Windows OS versions: I mean that it worked with Windows XP Service Pack 2 but not with Win 2000 Pro or Win 98, but with Win 2000 samdump worked (using the SAM file in the repair directory) and I have got the hashes file too.
I also think, as you said azrael, that the guest account is hard locked, because bkhive doesn't work in Win XP either.

Thanks - good information to have. There are varying levels of lockdown on the guest account in different versions of Windows - some will let you get away with murder, others won't let you breathe without more specific access granted.

I have noticed that John the Ripper takes a longer time to crack the password than the Ophcrack live CD.
And to clarify something (to azrael): I haven't used an image, I used a virtual machine (done by a software called VMware; I don't know if you consider a virtual machine as a disk image, but it doesn't seem to be like one). So I used a virtual machine to prevent my real machine from "risks of crashing" while using some tools.

Fair enough - I use Parallels myself :-) What I was asking was if this was a captured machine that you are working on, or one that you have created. But you've answered that :P

I convert disk images (dd acquired etc.) into VMs to run tools against, see what network connections they attempt to make, etc. It is a very useful technique.

Next I created the admin and guest accounts. I started as a guest and I tried to crack the admin password (but not using the live CD, only some tools). After cracking the admin password I will try to destroy some documents and use a rootkit.
After finishing that I will start the forensic job using Helix tools, trying to find traces of the previous escalation attack (so I play the attacker and then the investigator).
I hope that you understand now all the situation, and by the way, do you know a "downloadable" rootkit? (I have seen www.rootkit.com, but the existing rootkits aren't detected by RootkitRevealer used in Helix.)

www.rootkit.com is a good site - you should get a good kit from one of the links there. Have you bought the book yet?

I understand what you are trying to achieve … The thing is, I would be surprised if any real attacker bothered with this. The main aim is to get Admin level access; once you have that, knowledge of the Administrator password is irrelevant - you install your rootkit/backdoor, and you need never know, as Administrator access is always available - no one wants to deal with the pain of having to crack again if the password is changed.

I can see a case where, if I wanted to frame an Administrator, then logging in with that password, doing the dirty, and then getting out again might be beneficial. But in that case, I wouldn't be installing rootkits/backdoors, because that would reduce the usefulness of the framing …

Helix only seems to contain rootkit discovery software for UNIX/Linux rootkits. So whatever Windows one you choose, it isn't going to be detected by Helix through these tools.

Seeing as you are in a virtual machine environment, may I suggest that you have a look at InCtrl5 (http://www.pcmag.com/article2/0,4149,9882,00.asp); this will give you a very clear idea of what your rootkit installs, and what you should look for using Helix.

Happy to help by the way :-)


   
chinigami
(@chinigami)
Active Member
Joined: 18 years ago
Posts: 17
Topic starter  

Hi, I am going to correct something that I said earlier.
First, pwdump2 has worked with all Win versions, but only in the case that I am connected as an administrator.
Second, all guest accounts under Win 2000 or XP are blocked, so we can't use commands such as pwdump2 or bkhive.
So now I am going to use a user account and then try to get the admin password.
And azrael, you said:

www.rootkit.com is a good site - you should get a good kit from one of the links there. Have you bought the book yet?

I want to tell you that in Tunisia we can't buy things using the net; only internal football tickets are bought on the net :D. Secure trade via the internet is an under-development project.
So I haven't bought the book.
But I want to ask: how could a person crack an admin password without using a live CD (using only tools)? And why aren't pwdump2, samdump and bkhive working under a guest account?
Thanks


   
Page 2 / 3