Windows XP, 2003 password crack

The situation is the following:

  • I have an XP SP3 machine with two users (admin and simple user)
  • I forgot both passwords
  • I can boot from a boot CD (Backtrack4)

The mission: To find out the passwords.



Windows 2000, 2003 and XP stores the password hashes in the SAM file. Security Accounts Manager is a registry file and holds the one-way hash of every accounts password in NT or NTLM format.

LM hash consists of 14 characters all converted to uppercase. If the password is less than it is paded with "0"s. Than it is split to 7 byte chunks and DES (ECB mode) encrypted with the magic value ("KGS!@#$%" or in HEX: "0x4b47532140232425").

NTLM hash is more complex, it is MD4 encoded little endian UTF-16 Unicode password.

Since Windows NT4 Microsoft introduced the SYSKEY function to make it harder to crack passwords offline. This function does the partial encryption of the SAM file and the key is the SYSKEY. While windows is running, the SAM file cannot be copied or moved because the kernel keeps an exclusive lock on it. However the copy of the SAM file contents can be found in the memory. Only the System account can read the SAM file while the windows is running.


The SAM file can be found in the following locations:

  • %systemroot%\system32\config
  • %systemroot%\repair
  • memory


Obtaining SAM file and extracting hashes

So the four obvious way to catch the hash are the followings:

  1. boot from a boot CD and copy from the system32\config directory
  2. copy from the repair directory but this hash may be outdated (need to be admin)
  3. use pwdump2 or pwdump to do a .DLL injection and get the hash in the name of System from the registry on a running Windows (need to be admin)
  4. sniff the network traffic if it is in a domain (to be done later)

1. Using Backtrack4 boot CD:


A.) Using SAMDUMP2

Boot the CD and set your preferred keyboard layout if you do not like the english version. I use Hungarian:

loadkeys hu

Check the harddisks:

fdisk -l

Mount the partition with the Windows system folder. In my case it is "/dev/hda1" and I want to mount it under "mnt":

mount /dev/hda1 /mnt

Change directory to the location of "SAM" and "system" files.

cd /mnt/WINDOWS/system32/config/

Get the bootkey to decrypt the SAM file and put it into "/root/hashes.txt":

samdump2 system SAM > ~/hashes.txt

Umount the Windows partition:

umount /dev/mnt

Or put in your USB stick and copy the SAM file to it.

You can determine the USB device location with "dmesg". In my case it is "/dev/sda1":


mount it and copy stuff on it

mount /dev/sda1 /mnt

cp ~/hashes.txt /mnt

umount /mnt


B.) Using Ophrcack GUI

Boot the Backtrack4 CD and start a terminal.

Check the harddisks:

fdisk -l

Mount the partition with the Windows system folder. In my case it is "/dev/hda1" and I want to mount it under "mnt":

mount /dev/hda1 /mnt

Start "Backtrack/Privilege Escalation/Password Attacks/Offline Attack/Ophcrack GUI".

Click on "Load", select "Encrypted SAM" and browse the "/mnt/WINDOWS/system32/config/" directory.

You can crack it now, or save it to a file, than save it to your USB stick (see it in point "A").


C.) Change the passwords

Boot the Backtrack4 CD and start a terminal.

Check the harddisks:

fdisk -l

Mount the partition with the Windows system folder. In my case it is "/dev/hda1" and I want to mount it under "mnt":

mount /dev/hda1 /mnt

Use "chntpw" to do the thing. You can get the help by typing simply the program name:


You can list the users:

chntpw -l /mnt/WINDOWS/system32/config/SAM

You can use it in interactive mode, and it is pretty self explanatory. I suggest you to "empty" the password and not too change it, because it usually won't work. The empty password always works:).


2. Copy SAM file from repair directory.


2/A.) Using BT4

You could do the same thing with the Backtrack4 cd as in the previous solution method.

You could simply browse the SAM file from the running windows instance, copy it and crack it like in the previous method.

Get the bootkey to decrypt the SAM file and put it into "/root/hashes.txt":

samdump2 system SAM > ~/hashes.txt


2/B.) Using the booted Windows and SamDump

You can also use "SAMDUMP" from the Backtrack4 or from the web. It will extract the hashes from the C:\windows\repair\SAM file.

C:\Documents and Settings\Admin\Desktop\passwd-attack\SAMDUMP.EXE c:\WINDOWS\repair\SAM


3. Read SAM from registry using .DLL injection


You have to copy somehow the "PWDUMP" to your computer. Be prepared that the antivirus will automatically recognise and delete it! You can find "pwdump6" on the Backtrak4 but the latest version is pwdump7. So you had better download it from somewhere (links below).

Simply start a command line and run the PwDump7.exe, or whatever version you use.

The pwdump6 requires a hostname, like "localhost" as an argument.

pwdump6 localhost


Hash cracking

You can use various tools to crack the hashes. I will not go into detail now, you can check each of them on the net, I just suggest some:

  • John the ripper (Linux based: brute, dictionary, wordlist, hybrid)

#/pentest/password/jtr/john hashes.txt

  • Cain (Windows based: brute, dictionary, wordlist, hybrid, rainbow)


  • Ophcrack (Linux&Windows LM, NTLM: brute, rainbow)


  • rcrack (rainbow)

#rcrack /rainbowtables/*.rt -f /tmp/hashes.txt

  • rcracki_mt

#rcracki_mt -h 0b3a0bf752587b05269a4e85c1391e5d -t 4 /rainbow_tables/NTLM/



You can protect yourself by using strict password complexity policy.

You should turn off LM hashes in the registry or via GPO.

Mode 1: NoLMHashPolicy by using Group Policy

  1. In "Group Policy", expand "Computer Configuration", expand "Windows Settings", expand "Security Settings", expand "Local Policies", and then click "Security Options".
  2. In the list of available policies, double-click "Network security: Do not store LAN Manager hash value on next password change".
  3. Click Enabled, and then click OK.
  4. Restart the computer, and then change your password to make the setting active.

Mode 2: NoLMHashPolicy by editing Registry

  1. Click Start, click "Run", type "regedit", and then click OK.
  2. Locate and then click the following key in the registry: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
  3. On the "Edit menu", point to "New", and then click "DWORD Value".
  4. Type "NoLMHash", and then press ENTER.
  5. On the Edit menu, click "Modify".
  6. Type "1", and then click OK.
  7. Restart your computer, and then change your password.
  • This must be made on all Windows Server 2003 domain controllers in 2003 Active Directory environment. If you are a domain administrators should use the GPO version from the previous solution.

Mode 3: Use passwords that is at least 15 characters long


You should not use the same administrator password for the workplace and on a public or home computer.


Getting and cracking cached domain passwords

The SAM file of the member computer can be gathered the very same way as described above. However the domain password is cached on the member computer making it possible to logon with the "domain" user without the domain controller.

You need to have admin privileges to get the hash!

The information is stored at "HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1" through "HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$10" and you need System level privileges to get them. Each password hash has its own salt, so it is more secure than the standard SAM and takes longer to crack them.

It does not use .DLL injection. It creates a NT service on the fly in order to read the static LSA key from LSASS.EXE's process memory, and deciphers the cache entries to expose the MSCASH values.

So the cache contains the password hashes, and they can be retrieved with the "cachedump" program what was developed for this reason. You can find it on the BT4 or at Download it and simply run it on the member computer as the followings:

cachedump.exe > hashes.txt


Cracking cached domain passwords

The hashes can be cracked with john the ripper. In John 1.7.2 there is no mscache format, but if you install the jumbo patch, it will be able to use it the same way as usual. You can get some hints from my other howto:

/pentest/password/jtr/john --format=mscache hashes.txt



You can turn off caching in windows by setting cachedlogoncount to "0" (this determines the number of logon attempts the windows will cache):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount