BR said:
Hi Chris,
Kindly explain the route of getting the LM hash from the SAM
and having your password, as I have not had luck any other
way.
Thanks
OK.
Windows stores your password in a file called the SAM, which is stored in
the WINNT\System32\Config\ directory. You cannot directly access this
file in Windows without the help of a utility like PWDUMP2.
Log onto the account that you have access to and go here to get a copy
of PWDUMP2:
http://www.bindview.com/Support/RAZOR/Utilities/Windows/pwdump2_readme.cfm
You will just need to extract the files to a directory and run them from
the command line. When you are at the command line inside the PWDUMP
directory type "pwdump2 > passwd.txt" (without quotes). This will save a
dump of your SAM file into a plain text file called "passwd.txt" in the
same directory you are in. If you open up the text file, you will see
several rows of "hashes" leading with user names. The line you are
concerned with is labeled administrator at the beginning. It will look
like this:
Administrator:1001:F6D60BAC31C7C9643E3EEDB1A2279F74:C2C2278535D91764984B42D187820C50:::
Now that you have your hash, you need to do something with it. There are
several utilities out there to crack NT hashes. The easiest to use (I
think) is available here (30 day demo):
http://www.elcomsoft.com/pwsex.html
Go there and click on "Download free trial version of PWSEX 1.10".
Install it (I haven't done it in a while, but I am fairly certain you can
install this one without administrator rights). If you can't, you will
need to use someone else's computer to do the cracking. Just save the
password dump txt file to a floppy and transfer it to the machine
running PWSEX.
OK. So now you have PWSEX 30 day trial installed and a dump of your SAM.
Time to get crackin'. Fire up PWSEX. You will see a normal windows
interface with a row of icons, another row that says "attack type" and
then a third row that has two tabs: "Hashes" and "Whatever attack type
you have selected". On the hashes tab, select "DUMP FILE", and then
click the "OPEN DUMP FILE" button. Browse to your text file. Open it.
PWSEX will run a quick brute force attack. Unless your password is WAY
weak, it will not get it right away (if it did, you can stop here, your
password will appear in the interface grid). Most likely, it DID NOT get
the password on the quick brute force, so now you need to tick the USERS
in the USER NAME column that you want to try to crack. In the attack
type row select "DICTIONARY ATTACK". Click "DICTIONARY LIST". In the
dictionary list dialog click "ADD". Use "english.dic" that comes with
the program. Make sure you have a user ticked in the Dump list, and then
select (from the menu at the top) Recovery>Start Recovery. You can
choose both LM and NTLM dictionary attacks from the ATTACK TYPE row. If
your password is not found in the dictionary, then you will need to run
a brute force crack. You will need to set parameters like password
length and such (here's a hint: if <empty> is shown in the "Password
[8..14]" column of the user's row, then their password is less than 8
characters long). You should be able to figure out where to go from
here. I'm not going to give a whole lesson in Windows cracking here, and
I have given you enough information to retrieve your password, so have
at it.
If you are having problems, feel free to email me (remove "REMOVECAPS"
from my email address) and I will try to help. Have a good day and good
luck.
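As an added audit example (not part of the thread above or of PWDUMP2/PWSEX), the Python below parses pwdump2-format lines and reports, per account, whether an LM hash is stored at all and whether its second half is the empty-half constant, which is the "<empty>" signal the post mentions for passwords shorter than 8 characters. Only the Administrator line comes from the post; the other two sample lines are constructed.

```python
import re

# LM hash of an empty password: each 8-byte half is DES("KGS!@#$%") under an
# all-zero key. A stored LM hash equal to this means either no LM hash is kept
# (NoLMHash policy) or the password is empty; a second half equal to it means
# the password has at most 7 characters (the second DES block had no input).
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2

# pwdump2 line layout: user:RID:LMhash:NThash:::
PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32}):"
)


def audit_pwdump_line(line):
    """Return {'user', 'rid', 'findings'} for one pwdump2 line, or None if the
    line is not in user:RID:LM:NT::: format. Finding tags:
    no_lm_hash, lm_stored, short_password."""
    m = PWDUMP_LINE.match(line.strip())
    if not m:
        return None
    lm = m.group("lm").upper()
    findings = []
    if lm == EMPTY_LM_HASH:
        findings.append("no_lm_hash")          # nothing for LM cracking to work on
    else:
        findings.append("lm_stored")           # case-insensitive, two 7-char halves
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("short_password")  # 7 characters or fewer
    return {"user": m.group("user"), "rid": int(m.group("rid")), "findings": findings}


def audit_pwdump(text):
    """Audit every well-formed line of a pwdump2 dump; skip anything else."""
    return [r for r in (audit_pwdump_line(ln) for ln in text.splitlines()) if r]


# Constructed sample dump: first line is the post's example, the rest are made up.
SAMPLE_DUMP = """\
Administrator:1001:F6D60BAC31C7C9643E3EEDB1A2279F74:C2C2278535D91764984B42D187820C50:::
guest:501:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
svc_backup:1002:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
not a dump line
"""

if __name__ == "__main__":
    for r in audit_pwdump(SAMPLE_DUMP):
        print(f"{r['user']} (RID {r['rid']}): {', '.join(r['findings'])}")
```

Accounts tagged `lm_stored` are the ones where enabling NoLMHash (and a password change so the old LM hash is dropped) removes the weak hash; `short_password` flags the ones worth rotating first.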