http://www.antionline.com/showthread.php?threadid=276048
thread-ből egy jó összefoglaló.
Cracking Windows Vista Beta 2 Local Passwords (SAM and SYSKEY)
One of the common things folks stumble across my site in search
of is information on cracking local Windows 2000/XP passwords. I’ve created
quite a bit of content on the subject over the years, and if you want a broader
understanding of the topic please visit these resources:
Text:
http://www.irongeek.com/i.php?page=…y/localsamcrack
http://www.irongeek.com/i.php?page=…/localsamcrack2
Video:
http://www.irongeek.com/i.php?page=…samdump2auditor
http://www.irongeek.com/i.php?page=…asswordCracking
While I was playing around with Windows Vista Beta 2 I decided to see if
some of the old tools for cracking local account password still worked. It would
seem that Microsoft has changed how the SAM file and SYSKEY work in Vista so
none of my old tricks that use to work with NT 4/2000/XP functioned anymore. I
quickly found that most of the current tools as of this writing(Ophcrack 2.3,
Cain 2.9, SAMInside 2.5.7.0, Pwdump3) no longer work, which I have mixed
feelings about. It’s nice to see the extra level of security, but cracking local
passwords was always sort of fun as well as useful from time to time. When I
tried to crack local passwords extracted from copied SAM and SYSTEM hive files I
would get the following errors:
Ophcrack:
"Error: no valid hash was
found in this file"
Cain:
"Couldn’t find lsa subkey in the hive
file."
While tools like Sala’s Password Renew could still be use from a
Bart’s PE boot CD to change any Vista password you wanted, or to create new
admin accounts entirely, sometime you need to know the current administrator
password. Three reasons to want to know a current Windows password without
changing it are:
1. An attacker doesn’t want to tip off the system
administrators. If they notice that the old admin password no longer works they
will get a bit suspicious don’t you think?
2. The same account passwords may
be used on other systems on the network. If the attacker can crack one machine’s
admin password that same password may allow the attacker to gain access to other
boxes on that LAN that they don’t have direct physical access to.
3. To gain
access to data that has been encrypted using Windows EFS (Encrypted File
System). Changing an accounts password may cause this data to be lost, though I
think Sala’s tool may be able to do this without losing the encryption key since
it uses a Windows service to change the local password.
Also of note for
those interested in cracking Windows Vista passwords, it seems that Vista Beta 2
disables LM hash storage by default, so all you can get is the NTLM hash which
can be much harder to crack for reasons stated in my other articles. Another
thing I want to make you aware of is the new BitLocker feature of Windows Vista
can make pretty much everything in this article useless if it’s enabled, but
that’s a topic for another time.
I thought all was lost on the Vista
password cracking front, but after doing some web searching I found that you can
still crack the local passwords if you have the right tools. It would seem that
the folks from Elcom Soft have added support for Vista SAM and SYSTEM hives into
their "Proactive Password Auditor 1.61" tool. Unfortunately PPA is a commercial
application, but they do offer a sixty day evaluation version that does not seem
to be overly crippled. Since Elcom figured out how to do it I’m sure that soon
the free tools like Cain and Ophcrack will also. What follows are the basic
steps to crack/audit local Windows Vista Beta 2 passwords with Proactive
Password Auditor.
You need to be able to read the drive Windows Vista is
installed on. For NTFS drives I’ve used the Knoppix ( http://www.knoppix.org/ ) and
PE Builder ( http://www.nu2.nu/pebuilder/ ) boot CDs with good success. The
first step is to boot from a CD-ROM and copy off the SAM and SYSTEM files in
C:\WINDOWS\system32\config (you may have to get a slightly older version of them
from C:\WINDOWS\config\RegBack instead, also keep in mind that C: may not be
your system drive in which case substitute the appropriate drive letter ). The
SAM and SYSTEM files are likely to be too large to fit on a 1.44MB floppy unless
you compress them using Gzip in Linux or some Windows compression tool in Bart’s
PE. You could also copy them to some other form of removable media (Thumb drive
anyone?) or upload them across the network to an FTP or file server that you
have access to. For the Gzip/Floppy instructions read my first tutorial linked
at the top of this article. It modern times it’s usually easiest to just drag
and drop the SAM and SYSTEM to a file server using the GUI that comes with your
Boot CD.
Now that you have a copy of the SAM and SYSTEM hive files start
up Proactive Password Auditor and follow these steps:
1. Choose the radio
button labeled "Registry files (SAM, SYSTEM)" under the hashes tab, then click
dump.
2. Choose the SYSTEM and SAM files you want to use, then click the
"Dump" button.
3. During the Dump phase Proactive Password Auditor
automatically tries a simple brute-force attack so your passwords may already be
cracked. If not, choose the attack type, and set the hash type to "NTLM attack"
since there are no LM hashes. I’ll choose the Dictionary attack, click the the
"Dictionary list…" button under the "Dictionary" tab and point it at the word
list that comes with Cain (C:\Program Files\Cain\Wordlists\Wordlist.txt).
4.
Make sure the check boxe(s) next to the account(s) you want to try to crack are
selected.
5. Now it’s just a matter of clicking the menu item
"Recovery->Start recovery", waiting, and hoping for the best.
Assuming
the password is simple enough you should now have a cracked password to work
with. Keep in mind that there’s no guarantee that you will be able to crack any
passwords at all. If the password is not in your dictionary you will have to
resort to a Brute-force attack which could take forever if the password was
chosen well, but this should get you going in the right direction. Also, if you
have large Rainbow tables on your system give them a shot as Proactive Password
Auditor supports this cracking method. I plan to update this page once Cain or
Ophcrack support Vista. Please send me an email if you notice before I do that
any of the free tools have implemented Vista SAM/SYSTEM file support.
Thanks.
Useful links:
Sala’s Password Renew
http://www.sala.pri.ee/
Bart’s Pe Builder:
http://www.nu2.nu/pebuilder/
Oxid.it’s Cain Web Page:
Ophcrack
http://ophcrack.sourceforge.net/
Proactive Password
Auditor 1.61
http://www.elcomsoft.com/ppa.html
__________________
http://www.irongeek.com
http://www.antionline.com/showthread.php?threadid=276048
Kurbli 