Crack Windows Passwords

I've been researching the extraction of passwords from Windows SAM files lately, and I thought I would report some of my findings.

First off, let me say that I'm not trying to crack passwords for illegitimate reasons. I do freelance computer repair from time to time, and the situation comes up sometimes when I can't get into accounts to fix problems. Not that I feel I have to justify myself, but I do want to make it clear that I'm not promoting the illegal cracking of passwords for malicious use.

Now, there are a couple of issues we have to look at before we get started. First, the SAM is a registry hive that Windows holds open with an exclusive lock for as long as it is running, so a plain file copy fails, even as Administrator. (An administrator can still dump the hive through the registry API, for example with reg save, but this article takes the offline route.) So we have to figure out how to get the file from outside the OS. Second, even once we have the SAM, it doesn't hold passwords at all, only LM and NT hashes of them, and those hashes are themselves encrypted inside the hive, so we'll have to decrypt the hashes and then crack them.

Ok, so getting the SAM file is the easy part. It's common knowledge that you can't read an NTFS volume from DOS. That is a problem if we want to boot up using a DOS boot disk and copy the SAM to the floppy. Here is the solution to that problem: http://www.sysinternals.com/Utilities/NtfsDos.html. This handy little program lets you mount an NTFS volume from DOS, which is exactly what we want. There's just one catch: the free version mounts read-only. We can read from the drive, but we can't write to it. I'll explain why that can be a problem in a moment.

So, we create a bootable floppy (http://bootdisk.com) and copy the NTFSDOS executable to it. Now restart the computer; if the BIOS boot order is set correctly, the computer will boot from the floppy. If it isn't, you'll need to get into the BIOS setup and change the boot order. This is a very simple task as long as the BIOS setup isn't password protected. I plan on doing a whole other article on BIOS password cracking too. :)

For now, we'll assume you were able to boot from the floppy and the computer is waiting patiently at an A: prompt. Type ntfsdos and press Enter. NTFSDOS will search the available drives, mount any NTFS volumes it finds, and display the drive letters it assigned. Next, change to the drive the SAM is on, d: for example, and then to the folder where the SAM lives: cd d:\windows\system32\config. That is the default location in Windows XP; on a Windows 2000/NT box the path should be d:\winnt\system32\config. Now copy the SAM to the floppy with copy SAM a:\. The SAM is a small file (usually a few hundred kilobytes), so it fits on the floppy just fine. Now pop out the floppy and reboot the computer.

That was really easy, wasn't it? It was, but the SAM alone is not enough. The hashes inside it are encrypted with a key derived from the system key, better known as SYSKEY. SYSKEY was introduced as an option in Windows NT 4.0 Service Pack 3 and has been switched on by default since Windows 2000, so every Windows 2000, XP and 2003 box has it, not just XP SP2. (The LM hashing it was meant to protect had been cracked long ago, and it was really time for a change!) SYSKEY hasn't really been "cracked" either: in its default mode the key is simply stored in the SYSTEM hive, spread across the class names of four subkeys (JD, Skew1, GBG and Data) under CurrentControlSet\Control\Lsa, so anyone who can read that hive can rebuild it. One caveat: if the administrator chose the SYSKEY mode that asks for a password at boot, or the mode that keeps the key on a floppy, the SYSTEM hive alone won't do and you'll need that password or floppy as well. So you need one more file from the same directory you got the SAM from. The file is named SYSTEM. We'll just reboot and copy it to the floppy like we did the SAM, right? Wrong. The SYSTEM hive is several megabytes, far too big for a floppy disk. We could just copy the SAM and SYSTEM files to another location on the drive that we do have access to from inside the OS, right? Wrong. Remember earlier when I told you that NTFSDOS won't mount in write mode? So I guess we're screwed now, huh? Nope, there's more than one way to skin a cat!

If the BIOS supports it, you can boot from a USB thumb drive. Most modern BIOSes do, because they support booting from USB floppies or USB hard drives. You can satisfy the BIOS by formatting the thumb drive so it looks like a hard drive. Here's a whole pile of info on booting from a thumb drive: http://www.weethet.nl/english/hardware_bootfromusbstick.php. Once you can boot from the thumb drive, you can read the SAM and SYSTEM files with NTFSDOS and copy them straight onto it. It works great! ;)

Another way to get the SYSTEM file is to boot from a floppy that contains the Professional version of NTFSDOS, which mounts read/write; the Pro version is not free, though. You can also boot a live Linux distro with NTFS support; read-only support is all you need if you are copying the hives to a USB stick or a network share rather than back onto the NTFS volume. I haven't actually tried this, but Knoppix would be a great place to start, http://www.knoppix.org/.

Remember, the SYSTEM file is needed on any Windows 2000, XP or 2003 box (and on an NT 4.0 box where SYSKEY was enabled), so just grab it along with the SAM while you're there. Better safe than sorry!

Now that you have the files you need, it's time to get cracking! There are a couple of essential tools for this. First download a copy of SAMInside, http://www.insidepro.com/eng/saminside.shtml. You'll use it to import the SAM and SYSTEM files: it pulls the boot key out of SYSTEM, decrypts the hashes in the SAM, and exports them in pwdump format (one user:RID:LMhash:NThash::: line per account) that a cracking program can read. SAMInside also has a cracking engine built in, but I haven't used it. Once you've exported the hashes in pwdump format, use John the Ripper to crack them, http://www.openwall.com/john/. John is a command-line tool, so make sure you read the included documentation; the basics are john hashes.txt to run its default modes, john --wordlist=words.txt --rules hashes.txt for a dictionary attack with word-mangling rules, and john --show hashes.txt to list what has been cracked so far. Most cracking software works from dictionary lists or custom lists you provide. Weak passwords are especially vulnerable to this, and so are LM hashes in general: LM uppercases the password and hashes it in two independent 7-character halves, so even a 14-character LM password falls quickly. The NT hash is an unsalted MD4 of the password, so one candidate can be tested against every account's hash at once.

I hope this information helps you out next time you need access to a system and no one knows the password! Just remember, password strength determines how easily the hashes can be cracked. If strong passwords were used (and LM hashes were disabled), it's going to be very hard, if not impossible, to crack them. Feel free to adapt and republish this information however you like. If you do use this article, though, please link back to me. :)