Cracking the SAM.

Discussion in 'Ethical hacking Tips' started by vishal sharma, May 23, 2006.

  1. vishal sharma

    Warning and disclaimer:
    ***********************
    This article is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this article or the information presented within it.

    After researching for the last article I decided to try cracking a SAM file myself. JTR got the password I had created quite quickly (just 4 chars long) but I know longer passwords could take a lot more time. After thinking and looking at a number of sites on the internet I have found two other ways to speed this process up: 1) using a reconstructed list of possible cracked passwords with software like RainbowCrack, and 2) changing the SAM file. I am going to be discussing the second of these in this article, but of course it is easy for you to look up the first if need be. The only problem with modifying the SAM file is that it won't break encrypted documents.

    ------------------------------

    What we are going to do:

    Windows XP is not like some other more insecure OSes such as Windows 98, because it doesn't store user passwords and information in separate files. Instead it stores them in what is called the SAM file. Because all the information is put together and some of it is encrypted, it is a lot harder to get out.

    Instead of cracking a password, we are going to modify the password manually. To do this we will need software in the form of a boot disk to extract the SAM file, modify it, and write it back. We need special software to write to the disk as Windows XP and NT use a filesystem called NTFS, which isn't normally supported in DOS.

    Step 1 – Getting the software:

    NTFS4DOS – This is the boot disk software we will use. It is quite similar to a standard MS-DOS boot disk, except it can read/write to NTFS partitions (this is the hard disk format that Windows XP uses). It can be obtained free of charge from http://www.datapol.de/dpe/freeware/index.html *

    Chntpw - This is what we will actually use to change the password inside the SAM file. I could not get the other NTFS driver things on the site to work with my setup, which is why we are using NTFS4DOS. It can be found on the site http://www.cgsecurity.org/ on the NTFS driver page.

    Step 2 – Preparing the boot disk:

    After you have run the NTFS4DOS installer, run the floppy creation wizard. It's pretty simple – format the floppy disk, selecting the option to create an MS-DOS boot disk, and then follow the wizard through, disabling anything you don't need so as to save space. After you have done this, download the NTFS drivers and tools from the cgsecurity website and copy the cwsdpmi.exe and chntpw.exe files to your boot floppy. They can be found in the 'bin' directory.

    Step 3 – Booting up:

    So, we have everything ready! Just put the disk in your computer's drive, and start it up. It may take a few seconds to load. (In some computers booting from a floppy disk may be disabled, but it is beyond the scope of this article to discuss bypassing that here; there are some links at the end that may help.) You should get a screen telling you of the NTFS partitions on your hard disk (if it skips them, it means they aren't NTFS and you only need normal DOS), and a notice asking if you are using this software for private purposes. If you are, you must type 'y', not 'yes', for it to let you use the software.

    If we were just cracking the password, this is where we would extract the SAM file and finish, taking it away for cracking later. If this is what you want then there are other tutorials on this. For those who want to risk screwing up their computer (you shouldn't be using this on someone else's without their permission), carry on!

    Step 4 – Changing the SAM file:

    This is actually a lot simpler than it may sound. You need to know where the SAM file is, of course. On Windows XP Home it is in the path 'c:\windows\system32\config'.

    First, back up the current SAM file. YOU MUST DO THIS as the chntpw utility is known to screw up a lot:
    A:\>copy c:\windows\system32\config\SAM c:\SAM.old
    Then just run chntpw in interactive mode:
    A:\>chntpw -i c:\windows\system32\config\sam
    Just go through the options; it's pretty simple really. Chntpw lists all the user names, then you select one and enter a new password. You may like to check it has worked using a tool like John the Ripper.

    Step 5 – Getting the old SAM back:

    It is pretty likely that chntpw may screw up once or twice, in which case your only option is to try again. Of course, sometimes you might want to restore the old password file; you can do this by simply booting up with the disk and (considering you followed the above exactly) typing:
    A:\>copy c:\SAM.old c:\windows\system32\config\SAM
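The SAM file that Steps 4 and 5 back up, edit and restore is an ordinary registry hive: a 4 KiB 'regf' base block followed by the hive bins. The base block carries an XOR-32 checksum over its first 508 bytes and two sequence numbers that only agree when the last write to the hive was completed, which is the state an administrator wants to confirm for a backup copy such as C:\SAM.old before restoring it over a live system's hive. The Python below is an added example, not code from the original post or from chntpw or NTFS4DOS; the sample header it parses is constructed inline, and the file-name string in it is an assumed value.

```python
import struct

REGF_BASE_BLOCK = 0x1000   # the base block (header) is one 4 KiB page
CHECKSUM_OFFSET = 0x1FC    # XOR-32 checksum of everything before it

def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian dwords that precede the checksum field,
    with the two reserved results remapped the way the registry code does."""
    cksum = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        cksum ^= dword
    if cksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return cksum or 1

def parse_regf_header(data: bytes) -> dict:
    """Parse a hive base block (SAM, SYSTEM, ...) and report whether it is
    intact (checksum matches) and clean (both sequence numbers agree)."""
    if len(data) < REGF_BASE_BLOCK or data[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    (seq1, seq2, timestamp, major, minor, ftype, fformat,
     root_cell, hbins_size, cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "sequence": (seq1, seq2),
        "version": (major, minor),
        "file_name": name,
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(data[:REGF_BASE_BLOCK]),
        "dirty": seq1 != seq2,   # a write was started but never committed
    }

def build_sample_header(seq1=1, seq2=1,
                        name="\\SystemRoot\\System32\\Config\\SAM") -> bytes:
    """Constructed base block for a tiny v1.3 hive; not a real SAM dump."""
    hdr = bytearray(REGF_BASE_BLOCK)
    hdr[:4] = b"regf"
    # seq1, seq2, timestamp, major, minor, type=primary, format=direct,
    # root cell offset, hbins size, clustering factor (assumed sample values)
    struct.pack_into("<IIQIIIIIII", hdr, 4, seq1, seq2, 0, 1, 3, 0, 1, 0x20, 0x1000, 1)
    hdr[0x30:0x70] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    for label, hive in (("clean", build_sample_header()),
                        ("dirty", build_sample_header(seq1=5, seq2=4))):
        print(label, parse_regf_header(hive))
```

Run against a real backup with `parse_regf_header(open("SAM.old", "rb").read())`; a checksum mismatch means the copy is corrupt, and a dirty flag means the hive was copied mid-write and Windows will replay its .LOG on the next boot.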
     
  2. Bhullarz

    Step 4 is not working. Not able to copy the SAM file, as the msg shown is that it is being used by another process - cannot access the file. Now how to do it?
     
  3. haider_abbas_simple

    You must first reboot the computer and boot it with the help of some boot disk. Don't let XP boot, because it just reserves this file to be used by it.
     
  4. munkyeetr

    Do I want to "write hive files?"

    The default is no, but I would like to be sure.
     
  5. munkyeetr

    Never mind.
     
  6. munkyeetr

    Has anyone had luck with this? I tried about 6 times and it failed to log in with the new passwords.
     
  7. Bhullarz

    Even after rebooting, the file cannot be copied as the msg is that the file is still in use. Give some good trick/idea which is working.
     
  8. shabbir

    It seems to be working for me at least. I have tried on the test PC.
     
  9. munkyeetr

    I had no problem copying the backup SAM file, running chntpw.exe, and saving the changes, but when I rebooted, I couldn't log in using the new password.

    I tried a half dozen times.
     
  10. shabbir

    I did not try logging in but let me check if it works.
     
  11. shabbir

    It seems to be working.

    Have you tried John the Ripper? Try it as well.
     
  12. imp0steur

    It's lots easier with Offline NT Password & Registry Editor: burn the image to CD, boot up and keep following the options, that's it.
    h**p://home.eunet.no/pnordahl/ntpasswd/
     
  13. hanleyhansen

    Good article!!
     
