The situation is the following:
The mission: To find out the passwords.
Background
Windows 2000, 2003 and XP store the password hashes in the SAM file. The Security Accounts Manager (SAM) is a registry hive that holds a one-way hash of every account's password in LM or NTLM format.
The LM hash is computed from the password truncated to 14 characters and converted to uppercase. If the password is shorter than 14 characters it is padded with null ("0") bytes. It is then split into two 7-byte chunks, and each chunk is used as a DES key (ECB mode) to encrypt the magic value "KGS!@#$%" (in hex: 0x4b47532140232425).
The NTLM hash is more complex: it is the MD4 digest of the password encoded as little-endian UTF-16 Unicode.
Starting with Windows NT 4, Microsoft introduced the SYSKEY function to make it harder to crack passwords offline. This function partially encrypts the SAM file, and the key is the SYSKEY (boot key), which is why the "system" hive is needed alongside the SAM to extract hashes. While Windows is running, the SAM file cannot be copied or moved because the kernel keeps an exclusive lock on it. However, a copy of the SAM file contents can be found in memory. Only the System account can read the SAM file while Windows is running.
The SAM file can be found in the following locations (the live hive and the backup copy in the repair directory):
C:\WINDOWS\system32\config\SAM
C:\WINDOWS\repair\SAM
Obtaining the SAM file and extracting hashes
So the four obvious ways to get at the hashes are the following:
1. Using Backtrack4 boot CD:
A.) Using SAMDUMP2
Boot the CD and set your preferred keyboard layout if you do not like the English one. I use Hungarian:
loadkeys hu
Check the harddisks:
fdisk -l
Mount the partition with the Windows system folder. In my case it is "/dev/hda1" and I want to mount it under "/mnt":
mount /dev/hda1 /mnt
Change directory to the location of "SAM" and "system" files.
cd /mnt/WINDOWS/system32/config/
Use the bootkey from the "system" hive to decrypt the SAM file and write the hashes to "/root/hashes.txt":
samdump2 system SAM > ~/hashes.txt
Unmount the Windows partition:
umount /mnt
Or plug in your USB stick and copy the hashes file to it.
You can determine the USB device name with "dmesg". In my case it is "/dev/sda1":
dmesg
Mount it and copy the file onto it:
mount /dev/sda1 /mnt
cp ~/hashes.txt /mnt
umount /mnt
B.) Using the Ophcrack GUI
Boot the Backtrack4 CD and start a terminal.
Check the harddisks:
fdisk -l
Mount the partition with the Windows system folder. In my case it is "/dev/hda1" and I want to mount it under "/mnt":
mount /dev/hda1 /mnt
Start "Backtrack/Privilege Escalation/Password Attacks/Offline Attack/Ophcrack GUI".
Click on "Load", select "Encrypted SAM" and browse the "/mnt/WINDOWS/system32/config/" directory.
You can crack it now, or save it to a file and then copy it to your USB stick (see point "A").
C.) Change the passwords
Boot the Backtrack4 CD and start a terminal.
Check the harddisks:
fdisk -l
Mount the partition with the Windows system folder. In my case it is "/dev/hda1" and I want to mount it under "/mnt":
mount /dev/hda1 /mnt
Use "chntpw" to change or blank the password. You get the help text by simply typing the program name:
chntpw
You can list the users:
chntpw -l /mnt/WINDOWS/system32/config/SAM
You can use it in interactive mode; it is pretty self-explanatory. I suggest blanking the password rather than changing it, because setting a new one usually does not work. The blank password always works :).
2. Copy the SAM file from the repair directory.
2/A.) Using BT4
You can do the same thing with the Backtrack4 CD as in the previous method.
Or you can simply browse to the SAM file in the repair directory from the running Windows instance, copy it and crack it as in the previous method.
Use the bootkey from the "system" hive to decrypt the SAM file and write the hashes to "/root/hashes.txt":
samdump2 system SAM > ~/hashes.txt
2/B.) Using the booted Windows and SamDump
You can also use "SAMDUMP" from Backtrack4 or from the web. It extracts the hashes from the C:\windows\repair\SAM file:
C:\Documents and Settings\Admin\Desktop\passwd-attack\SAMDUMP.EXE c:\WINDOWS\repair\SAM
3. Read the SAM from the registry using DLL injection
You have to somehow copy "PWDUMP" to the computer. Be prepared for the antivirus to recognise and delete it automatically! You can find "pwdump6" on Backtrack4, but the latest version is pwdump7, so you had better download it from somewhere (links below).
Simply start a command line and run PwDump7.exe, or whichever version you use.
pwdump6 requires a hostname such as "localhost" as an argument:
pwdump6 localhost
Hash cracking
You can use various tools to crack the hashes. I will not go into detail now; you can look each of them up on the net. I just suggest a few:
John the Ripper:
#/pentest/password/jtr/john hashes.txt
Ophcrack GUI (see point 1/B above)
Cain & Abel GUI (see links below)
RainbowCrack:
#rcrack /rainbowtables/*.rt -f /tmp/hashes.txt
rcracki_mt:
#rcracki_mt -h 0b3a0bf752587b05269a4e85c1391e5d -t 4 /rainbow_tables/NTLM/
Protection
You can protect yourself by using a strict password complexity policy.
You should turn off LM hashes in the registry or via GPO.
Mode 1: NoLMHashPolicy by using Group Policy
Mode 2: NoLMHashPolicy by editing the Registry
Mode 3: Use passwords that are at least 15 characters long (Windows never stores an LM hash for a password longer than 14 characters)
You should not use the same administrator password at the workplace and on a public or home computer.
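As an added example (not part of the original page), a check a defender can run over samdump2/pwdump-style output after applying the NoLMHash policy: it flags accounts whose LM hash is still stored, accounts whose password is at most 7 characters (the second LM half equals the null half), and accounts with a blank password. The sample dump is constructed; apart from the well-known values for the empty password and for "password", the hash values are placeholders.

```python
# The two "nothing to crack" values a dump can show.
NULL_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in pwdump/samdump2 format (user:rid:LM:NT:::). svc_backup carries
# the real LM/NT hashes of "password"; shortpw's and jdoe's hashes are made-up placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
shortpw:1002:0123456789abcdefaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
jdoe:1003:NO PASSWORD*********************:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump_line(line):
    """Split one user:rid:lmhash:nthash::: record; hashes are normalised to lowercase."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump record: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    # pwdump7-style tools print a "NO PASSWORD***" marker instead of the null hash.
    if lm.startswith("no password"):
        lm = NULL_LM
    if nt.startswith("no password"):
        nt = BLANK_NT
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"unexpected hash length for account {user!r}")
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}


def audit_dump(lines):
    """Return (account, finding) pairs for accounts that undermine the protections above."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_pwdump_line(line)
        if rec["lm"] != NULL_LM:
            # The second DES block covers characters 8-14; if it equals the null half,
            # the password is at most 7 characters and the LM hash is at its weakest.
            if rec["lm"][16:] == NULL_LM[16:]:
                findings.append((rec["user"], "LM hash stored, password is 7 characters or fewer"))
            else:
                findings.append((rec["user"], "LM hash stored"))
        if rec["nt"] == BLANK_NT:
            findings.append((rec["user"], "blank password"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_dump(SAMPLE_DUMP.splitlines()):
        print(f"{user}: {finding}")
```

An LM hash that is still stored after NoLMHash is enabled usually means the password was last changed before the policy took effect; forcing a password change clears it.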
Getting and cracking cached domain passwords
The SAM file of a domain member computer can be obtained in the very same way as described above. In addition, domain passwords are cached on the member computer, making it possible to log on as a "domain" user without reaching the domain controller.
You need to have admin privileges to get the hashes!
The information is stored at "HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1" through "HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$10", and you need System-level privileges to read it. Each cached password hash has its own salt (the user name), so it is more secure than the standard SAM hashes and takes longer to crack.
The cachedump tool described below does not use DLL injection. It creates an NT service on the fly in order to read the static LSA key from the process memory of LSASS.EXE, and deciphers the cache entries to expose the MSCASH values.
So the cache contains the password hashes, and they can be retrieved with the "cachedump" program, which was developed for this purpose. You can find it on BT4 or at http://www.hacktoolrepository.com/files/Passwords/CacheDump/cachedump-1.2.zip. Download it and simply run it on the member computer as follows:
cachedump.exe > hashes.txt
Cracking cached domain passwords
The hashes can be cracked with John the Ripper. John 1.7.2 has no mscache format, but if you install the jumbo patch it can handle it the same way as usual. You can get some hints from my other howto: http://itfanatic.com/?q=node/42
/pentest/password/jtr/john --format=mscache hashes.txt
Prevention
You can turn off caching in Windows by setting CachedLogonsCount to "0" (this value determines how many previous logons Windows caches):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Links:
http://en.wikipedia.org/wiki/Security_Accounts_Manager
http://en.wikipedia.org/wiki/LM_hash
http://en.wikipedia.org/wiki/NTLM
http://en.wikipedia.org/wiki/Pwdump
http://www.freerainbowtables.com/
http://ophcrack.sourceforge.net/
http://www.oxid.it/cain.html
http://project-rainbowcrack.com/
http://www.irongeek.com/i.php?page=videos/LocalPasswordCracking
http://www.irongeek.com/i.php?page=security/cachecrack
http://www.securiteam.com/tools/5JP0I2KFPA.html