ranleyos

Windows XP Admin Account Hack

32 posts in this topic

So, here's the gig...

I have a box on which, for exploratory purposes, I'd like to acquire the admin's password. I have done this several times before using a combination of tools: Knoppix, accessing the SAM, Cain, etc. Anyway, nothing seems to be working. The hash seems to be absolutely uncrackable. I haven't done this in a while, and I don't use Windows all that often, so I'm wondering if there has been some incredible security update that is new to XP? I've even tried rainbow tables on this bad boy. If I import the pwdump file into Cain it indicates that the type is: LM & NTLM. Is this type uncrackable? Should I just throw in the towel?

Can anyone offer any insight on some possible steps to try?

If someone has a crazy notion to give the hash a try, here it is: (as from the sam file)

root:500:30E0C8062F009BAD64434F73F3815A86:039FE7E19C10B4A11D9708422ED74225:Built-in account for administering the computer/domain::

Thanks guys/gals

Edited by ranleyos

When trying to crack the SAM file, did you remember to also grab the SYSTEM file? It is needed to crack the password.

In my experience recovering Windows XP passwords is easy as long as the LM hash is still enabled and the password is shorter than 16 characters. Boot Knoppix and copy c:\windows\system32\config\SYSTEM and c:\windows\system32\config\SAM to a network share or flash drive, then crack with rainbow tables in Cain. I use the 700MB rainbow table that Ophcrack uses and have never had it fail against a password that uses only letters and numbers. Against a more complex password you will need a much bigger table.

Get the 700MB number/upper/lower case table here: http://ophcrack.sourceforge.net/tables.php

Ophcrack live cd is another option.

If the hash is truly an NT-only hash then rainbow tables will probably still be your best option. Generate your own or download them.

Edited by M0ralGray

Thanks nixxt & M0ralGray...

I wasn't very clear in my first post about my approach. What I did was boot to Knoppix, then extract the SAM and SYSTEM files. Then I exported them as a pwdump file. Then I opened it in Ophcrack and tried to crack it. The tables I have installed are the free ones (XP free fast, XP free small, & Vista free). I could not crack it with those tables. I see there are other tables that can be downloaded for $100 a piece, but I'd really rather not shell out that kind of money if it is not a guaranteed thing. I also did try LMCrack without any success.

As far as rainbow tables go... Well, I agree that is my best bet, and I have a utility that will generate rainbow tables. The problem is that while I don't know the password, I do know that it is at least 8 characters and is of the alpha-numeric-symbol type. So, generating the rainbow tables for that type of password is literally going to take me over a month running full time. The rainbow table I need is about 64 GB, I believe. I have tried to find places to share/download rainbow tables, but no luck.

I have also been reading that newer Windows security/passwords incorporate more difficult hashing algorithms that are rainbow-table proof. I guess I'm just stuck. I can always overwrite the admin password, but I'd really rather not (unless it's a last resort).

Anyone have any ideas? I really appreciate any input. I have to admit that I am new to cracking with rainbow tables, so any pointers or links to tables would be extra helpful.

Cheers

-r

I have also been reading that newer Windows security/passwords incorporate more difficult hashing algorithms that are rainbow-table proof. I guess I'm just stuck. I can always overwrite the admin password, but I'd really rather not (unless it's a last resort).

Anyone have any ideas? I really appreciate any input. I have to admit that I am new to cracking with rainbow tables, so any pointers or links to tables would be extra helpful.

There's not quite such a thing as "rainbow-table proof". Such a thing would imply that the one-way hashing algorithm can generate multiple one-way hashes. Rainbow tables work by defining every possible hash according to a set of rules and then looking up the hash in a form of "hash dictionary". If the algorithm being used by Windows has not yet been implemented in a rainbow-table generation program, I suggest either writing it into the generation application yourself OR falling back to brute force, as it will take less time than building the rainbow tables yourself. Alternatively, you could go to the RainbowCrack project (see Google), build one of their requested tables and then submit your hash for cracking -- who knows, they may already have that part of the hash set defined.

Hope this helps.


Well, I know that in the Linux world there is salting. Not sure if newer Windows uses that or not. I'm not really a Windows guy (part of the problem, I guess). I was looking for rainbow tables to download, but they are few and far between. I will continue to try to locate some sharable tables for my particular character set while simultaneously trying brute force.

I just figured brute force would take too long for a character set of alpha-numeric-symbol and at least 8 chars? Maybe I'm wrong. I'm using Cain to do the brute-force attack. Anyone have any pointers to anything better?

-r


No salting in Windows hashes, and I doubt brute forcing it will work. Too time consuming. The only other option I can think of as far as cracking goes is www.freerainbowtables.com

There are other ways to get passwords though. If you can log in through any account, even if it's limited, it may be possible to escalate your privileges. From there it might be possible to dump other passwords that have been used (Internet, wireless, Outlook, etc.). It could be that the same password has been used more than once. Just an idea.


As crazy as it may seem, I hadn't even stumbled upon www.freerainbowtables.com until now. Thanks for the suggestion. The links are ACTUALLY working!!! No, seriously, I have been trying to get legitimate rainbow table downloads for about 6 days now and every torrent file seems to be inactive. I am now downloading the lm-all tables at a whopping 83 KB/sec. Hey, it beats 0 KB/sec. Once downloaded I'll post my results here... If my connection holds at 80 KB/sec, I should have the 33.8GB compressed tables downloaded in about 5 days. Keeping my fingers crossed.

-r


Here you go.

LC4 Win brute-forcer.

link: LINK REMOVED BY MODERATOR

Things you should know:

I tried it on my LM hash and it cracked it.

Though it'll take about 4 hours, it's worth it.


Since I'm still awaiting the download of the rainbow tables, can you provide more information about how you cracked it (if you did)? Or even just send me the results in a message. I've never used L0phtCrack; is there anything else I'd need along with it? What LM hash did you use?

Edited by ranleyos
Since I'm still awaiting the download of the rainbow tables, can you provide more information about how you cracked it (if you did)? Or even just send me the results in a message. I've never used L0phtCrack; is there anything else I'd need along with it? What LM hash did you use?

Just an FYI, if that's really an LM hash (I haven't checked) then only 7 characters of it are encrypted one-way. The rest of them should be easily decipherable. This is why I recommended brute-forcing.

If you've extracted the SAM file, you should be able to have LC load it up, or you should be able to run LC on the machine as SYSTEM by using the

C:\>at [military time one minute from now] /interactive [path to LC]

Bug.

EDIT: One more thing, if you're having difficulties with LC, try reading the helpfile/using the wizards provided by the program. Very informative and effective.

Edited by RETN
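The "only 7 characters" remark above, and the earlier exchange about whether the posted line is an LM hash or an NT-only hash, both come down to how an LM hash is built: the password is uppercased, padded or cut to 14 bytes, split into two 7-byte halves, and each half is used as a DES key to encrypt a fixed string. A half made of all-zero padding therefore always produces the same 8-byte value, so the two 16-hex-digit halves of the LM field leak the password's length class without any cracking. The script below is an added example (not code from the thread or from any of the tools it mentions): it parses the pwdump line posted at the top of the thread, reports what each half of the LM field says, flags the well-known "empty" LM and NT values, and compares the size of one 7-character LM half's search space with that of an 8-character NT password. The charset sizes (uppercase + digits + punctuation for LM, full mixed-case printable ASCII for NT) are assumptions about the attacker's keyspace, not anything the thread states.

```python
"""Structure check for a pwdump-format line (user:RID:LM_hash:NT_hash:...).

Added example. LM hashing uppercases the password, pads it to 14 bytes,
splits it into two 7-byte halves and DES-encrypts the constant "KGS!@#$%"
under each half. A half consisting only of padding always encrypts to
AAD3B435B51404EE, so that value in the second half means the password is
at most 7 characters, and the value in both halves means no LM hash is
stored at all (LM disabled, empty password, or password longer than 14).
The empty NT hash (MD4 of the empty UTF-16LE string) is
31D6CFE0D16AE931B73C59D7E0C089C0.
"""
import string

EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Sample input: the line posted in the thread (built-in Administrator, RID 500).
POSTED_LINE = (
    "root:500:30E0C8062F009BAD64434F73F3815A86:"
    "039FE7E19C10B4A11D9708422ED74225:"
    "Built-in account for administering the computer/domain::"
)

# Assumed attack charsets (not from the thread). LM uppercases input, so a
# mixed-case password collapses to uppercase + digits + punctuation.
LM_CHARSET = string.ascii_uppercase + string.digits + string.punctuation   # 68
NT_CHARSET = string.ascii_letters + string.digits + string.punctuation     # 94


def parse_pwdump(line):
    """Return (user, rid, lm_hex, nt_hex) from one pwdump-format line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    user, rid = fields[0], int(fields[1])
    lm, nt = fields[2].upper(), fields[3].upper()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError("LM and NT fields must each be 32 hex digits")
    return user, rid, lm, nt


def classify_lm(lm_hex):
    """Describe what the two DES halves of an LM hash reveal."""
    second = lm_hex[16:]
    if lm_hex == EMPTY_LM:
        return "no LM hash (LM disabled, empty password, or over 14 chars)"
    if second == EMPTY_LM_HALF:
        return "LM hash present; password is 1-7 chars (second half empty)"
    return "LM hash present; password is 8-14 chars (both halves in use)"


def lm_half_keyspace(charset_size=len(LM_CHARSET)):
    """Candidates needed to exhaust ONE 7-character LM half (lengths 1..7)."""
    return sum(charset_size ** n for n in range(1, 8))


def nt_keyspace(length, charset_size=len(NT_CHARSET)):
    """Candidates for an NT hash of exactly `length` printable characters."""
    return charset_size ** length


def analyze(line):
    """Summarise one pwdump line as a dict of findings."""
    user, rid, lm, nt = parse_pwdump(line)
    return {
        "user": user,
        "rid": rid,
        "builtin_admin": rid == 500,
        "lm": classify_lm(lm),
        "nt_empty": nt == EMPTY_NT,
        "lm_half_keyspace": lm_half_keyspace(),
        "nt_8char_keyspace": nt_keyspace(8),
    }


if __name__ == "__main__":
    for key, value in analyze(POSTED_LINE).items():
        print("%-18s %s" % (key, value))
```

For the posted line both LM halves are non-empty, which agrees with the original poster's statement that the password is at least 8 characters; each half is still an independent 7-character DES problem, which is why a brute-force of the LM field finishes in days while the same search over the NT hash would be roughly three orders of magnitude larger.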

Thanks everyone for the feedback; it has been most helpful. I am downloading LC5 right now to give it a shot.

RETN,

You obviously know more about this than I, so just for my own edification... By looking at my hash, what makes you know that only 7 characters are encrypted one-way?


Hmm... No luck. Still brute forcing with LC5. 1 day into it and 23 hours remaining. Isn't there any faster way to do this? SIGH.....


Absolute craziness... I already contacted Bruce... He was stumped as well.. He suggested to become a member on binrev since it is home to the most intelligent beings on the planet and post my question there.


ranleyos,

Just finished brute forcing the password hash you posted with John the Ripper. I started the process right after I posted my first message in this topic, so it has taken almost 6 days to finish. If you want I can PM the password to you, post it here, or let you have a go at cracking it yourself.

--M0ralGray


Well, I'm glad you were able to get it. I've given up on it. I was just checking to see if it was possible.

Edited by ranleyos

I used rainbow tables and it took about 30 sec.

[EDITED BY MODERATOR]

Edited by stacksmasher
Password removed. He said he wanted it via PM, not in the forum.
Absolute craziness... I already contacted Bruce... He was stumped as well.. He suggested to become a member on binrev since it is home to the most intelligent beings on the planet and post my question there.

[image: SamJackson.gif]

Edited by J.Ripper

Why would you post that? It doesn't make sense...


Omg, you must try OphCrack. If it doesn't work, God bless you. But yes, Rainbow Tables are your best bet!

Omg, you must try OphCrack. If it doesn't work, God bless you.

Certainly a strange way to answer a query. OphCrack is good for rainbow tables, but it should be explained that it will not work for a large percentage of passwords because there are different types of hash tables. Free hash tables for OphCrack are available on the website and will help with your brute-forcing needs. Unfortunately you will have to pay large sums of cash for the most effective NT hash tables. (I'm pretty sure it's the NT hash tables you have to cough up for.) These can cost up to about $500 a dictionary, but it really depends how much you want to break the password.

Hope this is helpful.

$$hBl@ck


This is your Tech at work. I recommend you take a look into Cain using the Ophcrack free rainbow tables, unless you think it contains special characters such as @#$% or so on.

Also, here's a fun fact for people who own a home computer running XP: most people who set up their home computer forget to turn off the spare Administrator account. So if you forget your password, hit Ctrl+Alt+Del three times at the login screen and it will take you to the Username and Password fields. Just type in username: Administrator and leave the password field blank. After that, create a batch file on that computer by opening up Notepad and typing:

net user <Name of the account you lost your password on> *

Then go to Save As and save the document as Change.bat

And save it.

After this, close Notepad and double-click on the program you have just made. A command prompt will appear and ask you "Type a password for the user:". Just put in whatever password you want THAT YOU WILL REMEMBER!!!!!! and hit Enter.

Once that's done, log off the account you're on and log on to the one you lost your password for, using the new password you created just a moment ago.

And that's it.

Edited by Shadow Traveler
So if you forget your password, hit Ctrl+Alt+Del three times at the login screen and it will take you to the Username and Password fields. Just type in username: Administrator and leave the password field blank.

I'm sure most people know, but I just thought I would say that it doesn't work in XP Pro. Just Home and Media edition or whatever it's called.

After that, create a batch file on that computer by opening up Notepad and typing:

net user <Name of the account you lost your password on> *

Then go to Save As and save the document as Change.bat

And save it.

After this, close Notepad and double-click on the program you have just made. A command prompt will appear and ask you "Type a password for the user:". Just put in whatever password you want THAT YOU WILL REMEMBER!!!!!! and hit Enter.

Once that's done, log off the account you're on and log on to the one you lost your password for, using the new password you created just a moment ago.

And that's it.

If you're in as Administrator you can just change the password from Control Panel.

