Cracking Windows 2000 Passwords

The SAM file in Windows contains the usernames and hashed passwords. It's located in the Windows\system32\config directory. The file is locked when the operating system is running so that a hacker can't attempt to copy the file while the machine is booted to Windows.

One option for copying the SAM file is to boot to an alternate operating system such as DOS or Linux with a boot CD. Alternately, the file can be copied from the repairdirectory. If a system administrator uses the RDISK feature of Windows to back up the system, then a compressed copy of the SAM file called SAM._ is created inC:\windows\repair. To expand this file, use the following command at the command prompt:

  C:\>expand sam._ sam

After the file is uncompressed, a dictionary, hybrid, or brute-force attack can be run against the SAM file using a tool like L0phtCrack. A similar tool to L0phtcrack is Ophcrack. Exercise 1 illustrates how to use Ophcrack to crack passwords.

Exercise 1: Use Ophcrack to Crack Passwords

---

1. Download and install ophcrack from http://ophcrack.sourceforge.net/.
2. Run the ophcrack program and set the number of threads under the Preferences tab to the number of cores of the computer running ophcrack plus one. If you change this value, you have to exit ophcrack and restart it in order to save the change.

   Note

   This step is optional but will speed up the cracking process.

3. Click the Load button to add hashes. There are numerous ways to add the hashes:
   • Enter the hash manually (Single Hash option)
   • Import a text file containing hashes you created with pwdump, fgdump, or similar third-party tools (PWDUMP File option)
   • Extract the hashes from the SYSTEM and SAM files (Encrypted SAM option)
   • Dump the SAM from the computer ophcrack is running on (Local SAM option)
   • Dump the SAM from a remote computer (Remote SAM option)

   Note

   For the Encrypted SAM option, the SAM is located under the Windows system32/config directory and can only be accessed for a Windows partition that is not running. For the Local SAM and Remote SAM options, you must be logged in with the administrator rights on the computer you want to dump the SAM.

4. Click the Tables button.
5. Click the enable (green and yellow) buttons.
6. Using the up and down arrows, sort the rainbow tables you are going to use. Keep in mind that storing the rainbow tables on a fast medium like a hard disk will significantly speed up the cracking process.
7. Click the Crack button to start the cracking process. You'll see the progress of the cracking process in the bottom boxes of the ophcrack window. When a password is found, it will be displayed in the NT Pwd field. You can save the results of a cracking session at any time by clicking the Save button.

---

Hacking Tools

Win32CreateLocalAdminUser is a program that creates a new user with the username and password X and adds the user to the local administrator's group. This action is part of the Metasploit Project and can be launched with the Metasploit framework on Windows.

Offline NT Password Resetter is a method of resetting the password to the administrator's account when the system isn't booted to Windows. The most common method is to boot to a Linux boot CD and then access the NTFS partition, which is no longer protected, and change the password.