Reverse Engineering/Cracking Windows XP Passwords
From Wikibooks, the open-content textbooks collection
This page is about cracking (recovering) passwords on Windows XP machines, which is a computationally difficult process. If you just need to set a new password (but without need to recover the old one), then this guide is not for you. For that, you can use, for example, the free-software tool Offline NT Password & Registry Editor or other similar programs.
Background
Windows XP passwords are hashed using the LM hash and/or the NTLM hash. The hashes are stored in c:\windows\system32\config\SAM. The SAM file is encrypted using c:\windows\system32\config\system and is locked while Windows is running. To get the passwords, you need to shut down Windows, decrypt the SAM file, and then crack the hashes. You can also obtain the hashes using other software that does not require you to turn the computer off. If everything goes well, you'll have the passwords in 15 minutes.
The SKCLONE tool allows extracting password hashes in PWDUMP format from the live SAM and importing them into other live systems, including 64-bit systems, making it a useful tool for migrating local user accounts to 64-bit Windows. It does, however, require you to run the software as the SYSTEM account, since it will try to access HKLM\SECURITY\SAM in the registry.
Overview
- Use the Login Recovery floppy/CD to extract the password hashes from SAM files.
- Upload the file to the LoginRecovery.com website.
- Wait for the decryption and pay for the priority service.
Alternatively:
- You can use the pwdump (or copypwd or skclone) tool to extract the password hashes, and then use ophcrack or other rainbow table sites to crack the passwords. If you do not want to use an online service, you can download the ophcrack live CD from http://ophcrack.sourceforge.net/, let the machine boot from the CD, press return, lie back and watch the program crack the hashes.
Detailed Instructions for LoginRecovery.com Service
- Go to http://loginrecovery.com/ and from the home page click the option to download either the floppy disk image or the CD image. If you use the floppy disk image, insert a blank floppy disk into your computer and run the program; a bootable floppy will be created. If you use the CD version, you will need to burn the ISO image to a CD manually, using software that specifically burns ISO images.
- Insert the floppy disk or CD into the target computer from which you wish to extract the passwords, then boot the computer. You may need to alter the BIOS settings to ensure the computer boots from the floppy drive or CD.
- If you used the floppy drive, some messages will briefly appear on the screen and then the computer will shut down. On the floppy disk will be a newly created file called "upload.txt" containing the encrypted passwords. If you used the CD version, the encrypted passwords will be shown on the screen.
- Put the floppy disk back into an internet-enabled computer and upload the file on the upload page of the loginrecovery site. If you are using the CD, manually re-enter the encrypted password hashes from the screen of the other computer.
- Within ten minutes you will be informed whether your passwords can be decrypted or not, and then you have the choice of either waiting up to 48 hours for them to be displayed or paying for the priority service, which will reveal the passwords instantly.
Online sites
The LoginRecovery site supports any password consisting of the characters "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/" up to 14 characters long, and alphanumeric passwords above 14 characters. Powerful servers using 80GB of tables allow a response in under 10 minutes, hence they charge for a priority service to cover costs. If your passwords are not so complicated and you do not wish to pay for the priority service or wait the 48 hours, you may use other online sites to crack them:
Plain-Text.info
- Use PWDump or another password extraction tool to extract the password hashes from the target computer. (Note: in order to work, it must be run under an Administrator account.)
- Edit the password hash into the pwdump format (add the colon-delimited username and ID number fields at the front, and three colons at the end):
Administrator:500:CC5E9ACBAD1B25C9AAD3B435B51404EE:996E6760CDDD8815A2C24A110CF040FB:::
- Go to http://plain-text.info/ and read the FAQ.
Astalavista.net
(no longer exists, to be deleted)
- Use PWDump or another password extraction tool to extract the password hashes from the target computer.
- Go to http://www.astalavista.net/?cmd=rainbowtables and enter the LM hash (part before the colon) into the query field, select "LM" for the algorithm, and click the "Search" button.
- Check the status page occasionally to see if they have been cracked.
- The result is case-insensitive, so you have to try inputting all variations of upper and lower case to the "NT Calculator". The correct password is the one that matches the NTLM hash (part after the colon).
LMcrack.com
- Use PWDump or another password extraction tool to extract the password hashes from the target computer.
- Go to http://www.lmcrack.com and enter the LM hash (part before the colon) into the query field and click the "Search" button.
- Check the status page occasionally to see if they have been cracked.
- If the hash is not in their database, the rainbow tables will be used to find it.
http://www.objectif-securite.ch/en/products.php http://www.irongeek.com/i.php?page=security/localsamcrack2
Notes
- If the information retrieved from pwdump has an empty first part, then the LM hash is not stored. This either means that the password is blank, in which case it would look like this:
Administrator:500:0: _31,D6,CF,E0,D1,6A,E9,31,B7,3C,59,D7,E0,C0,89,C0,xxxxx:::
or, if it says anything different, that better security has been implemented, forcing you to crack the NTLM hash, which is much more difficult and out of the scope of this guide.
- This only works if the password is 14 characters or shorter.
- If the password in Windows 2000/XP/2003 is longer than 14 characters, it will be shortened to two hashes of seven characters each.
- An alternative that uses the same method of comparing known hashes against unknown ones is RainbowCrack, available at http://www.antsight.com/zsl/rainbowcrack/, although this program uses rainbow tables that can be in excess of 64 Gb; these tables can be obtained at http://rainbowtables.shmoo.com/.
- A comprehensive project for comparing known hashes against unknown ones is at http://www.rainbowcrack.com/; however, it requires that you submit a rainbow table before you can gain access to their server.
Defense against attack
- Have a password longer than 14 characters.
- http://support.microsoft.com/kb/299656/ - prevent Windows from storing LM hashes
Mac OS X 10.3
Mac OS X 10.3 (Panther) also stores shadowed LM+NTLM hashes for each user. They can be cracked in the same way as the Windows hashes above.
- First find the "generateduid" of the user you want with the command
$ niutil -readprop . /users/<username> generateduid
70902C33-AC79-11DA-AFDF-000A95CD9AF8
- The hashes are stored in the file /var/db/shadow/hash/<generateduid>. The file is 104 characters long, consisting of the 64-character NTLM+LM hashes followed by the 40-character SHA1 hash. To retrieve the NTLM+LM hashes, run this command as an administrator, for example:
$ sudo cut -c1-64 /var/db/shadow/hash/70902C33-AC79-11DA-AFDF-000A95CD9AF8
996E6760CDDD8815A2C24A110CF040FBCC5E9ACBAD1B25C9AAD3B435B51404EE
- The hashes are stored in the reverse order from the pwdump format (NTLM first instead of LM first), so you need to swap the 32-character halves and insert a colon between them:
CC5E9ACBAD1B25C9AAD3B435B51404EE:996E6760CDDD8815A2C24A110CF040FB
- Then follow the instructions for Windows passwords.
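A defender's audit of pwdump-format lines, covering the LM-hash cases listed in the Notes above (empty field, blank password, LM storage disabled, one or two 7-byte halves in use) together with the Mac OS X shadow-hash reordering from this section. This is an added example, not code from the original page; the constants are the well-known LM and NT hashes of an empty password, and the sample lines are constructed from the hash values quoted on this page.

```python
import re

# Well-known constants: LM hash half of 7 null bytes, and NT hash (MD4) of "".
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
HEX32 = re.compile(r"[0-9A-F]{32}")


def parse_pwdump(line):
    """Return (user, rid, lm, nt) from 'user:rid:lm:nt:::' with hashes upper-cased."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    return fields[0], fields[1], fields[2].upper(), fields[3].upper()


def audit_lm(line):
    """Classify what the LM field of one pwdump line reveals about the account."""
    user, _rid, lm, nt = parse_pwdump(line)
    if not HEX32.fullmatch(lm) or lm == "0" * 32:
        # Empty or non-hex LM field, or all zeros (Mac OS X 10.4 without
        # Windows Sharing): only the NTLM hash is stored.
        return user, "no LM hash stored"
    if lm == EMPTY_LM:
        if nt == EMPTY_NT:
            return user, "blank password"
        # Empty-password LM constant beside a real NT hash: LM storage was
        # disabled (NoLMHash policy) or the password is longer than 14 chars.
        return user, "LM hash not stored"
    if lm[16:] == EMPTY_LM_HALF:
        # Second 7-byte half is null padding, so the password is 1-7 characters.
        return user, "LM hash stored, password is 1-7 characters"
    return user, "LM hash stored, password is 8-14 characters"


def shadow_to_pwdump(user, uid, shadow_hex):
    """Turn the first 64 chars of a Mac OS X shadow hash (NTLM then LM)
    into a pwdump line (LM then NTLM), as the Mac OS X section describes."""
    nt, lm = shadow_hex[:32].upper(), shadow_hex[32:64].upper()
    return "%s:%s:%s:%s:::" % (user, uid, lm, nt)


# Constructed sample lines built from the hash values quoted on this page.
SAMPLE = [
    "Administrator:500:CC5E9ACBAD1B25C9AAD3B435B51404EE:996E6760CDDD8815A2C24A110CF040FB:::",
    "Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
    "alice:1001::996E6760CDDD8815A2C24A110CF040FB:::",
]
```

Running `audit_lm` over every line of a pwdump export lists which local accounts still expose an LM hash, which is the condition the Defense section's NoLMHash setting removes.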
Mac OS X 10.4
Mac OS X 10.4 (Tiger) improves security by only storing LM+NTLM hashes for users who enable Windows Sharing for their account; when they do enable it, it asks them to enter their password, with a warning that the password will be stored in a less secure format. However, for users with Windows Sharing enabled, the above method still works. The shadow file format is a little different, but the LM+NTLM hashes are still the first 64 characters. If the hashes are not stored, you will get all zeros when you try to retrieve them.
Samba passwords
In older versions of Samba, the password hashes for Samba users were stored in the file /etc/smbpasswd (location may vary, only root has access) and are in similar format to Windows password hashes discussed above. In newer versions of Samba, run the following as root to get the same information:
pdbedit -L -w