Cracking Windows 2000 And XP Passwords With Only Physical Access
Update 03/05/2007: I've made a single page with links to all of my tutorials on SAM/SYSKEY cracking; visit it if you want more information on this topic.
Update 03/21/2005: See newer tutorial here.
This article will cover how to crack Windows 2000/XP passwords with only physical access to the target box. I won't be covering the internal structure of LM and NTLM hashes or what makes them so insecure; there are many other articles on the Internet that cover the basics of NT security, so I would recommend that you Google for them. I will assume that the reader already knows the basics. There are a lot of articles floating around that tell interested parties how to use programs like PWDump to get NT password hashes. Using PWDump is what most folks recommend when Syskey is enabled on a system, since the hashes in the SAM file are encrypted. The problem is that PWDump only works if you can run it from an administrator-level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator account, then PWDump is of little use.
Another question I get is why crack the password at all, since one can get access to the machine by just deleting the SAM file and using a blank password (Windows 2000 only) or by using a Linux password reset boot disk (get one from http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html; it works on both 2k and XP) and resetting it to whatever we like. The reason an attacker may want to crack the local password instead of changing it is twofold:
1. An attacker doesn't want to tip off the system administrators. If they notice that the old admin password no longer works they will get a bit suspicious, don't you think?
2. The same account passwords may be used on other systems on the network. If the attacker can crack one machine's admin password, that same password may allow the attacker to gain access to other boxes on that LAN to which they only have remote access.
This article assumes that the attacker has only physical access to the machine whose SAM they want to crack and that they also have access to a bootable disk that can read the file system on the target machine. An attacker may have to get into the BIOS to set it to boot from the floppy or CD-ROM, so setting a BIOS password will help, but if they can get into the case it's easy to reset. Any old Windows 9x boot disk should work for FAT32 drives; on NTFS drives I've used the Knoppix ( http://www.knoppix.org/ ) and PE Builder ( http://www.nu2.nu/pebuilder/ ) boot CDs with good success.
The first step is to boot from a CD-ROM or floppy and copy off the SAM and SYSTEM files in C:\WINDOWS\system32\config (you may have to get them from C:\WINDOWS\repair instead, and on some systems the Windows directory is WINNT instead). The SAM and SYSTEM files are likely to be too large to fit on a 1.44 MB floppy unless you compress them using Gzip; you could also copy them to some other form of removable media or upload them across the network to an FTP or file server that you have access to.
In my example I will use Knoppix, Gzip and a floppy to copy the files. Issue these commands from a terminal in Knoppix:
mount /mnt/hda1/
This mounts what would most likely be the C: drive on the target machine; it's possible that it could be different. Then we Gzip the SAM file to a floppy:
gzip -c /mnt/hda1/WINDOWS/system32/config/sam > /mnt/floppy/sam.gz
Then we get the SYSTEM file:
gzip -c /mnt/hda1/WINDOWS/system32/config/system > /mnt/floppy/system.gz
My modest SAM file has five accounts; it and the SYSTEM file only take up 751 KB after they are compressed with Gzip.
Once you have the files, copy them (and uncompress them if you used Gzip) to your own machine (preferably the fastest you have) and crack Syskey using a program called SAMInside ( http://www.insidepro.com ). Run SAMInside and choose the "Import SAM" option. A dialog box will ask you to point it to the SAM file you wish to crack. If Syskey is enabled (most likely it will be) it will then ask you for the SYSTEM file. You can use SAMInside to try and crack the passwords, but if you only have the demo version you are limited in the brute-force and dictionary options you can choose. Once you have cracked Syskey and have the hashes, export them to a PWDump file using the File menu in SAMInside and then use L0phtcrack ( http://www.atstake.com/products/lc/ ) or Cain ( http://www.oxid.it/cain.html ) to crack the passwords.
I'll continue this tutorial using Cain since it's free. Run Cain and go to the "Cracker" tab. From here choose "LM & NTLM Hashes" in the left pane, then right click on the grid in the right pane and choose "Add to list." Now choose "Import Hashes from text file or SAM" and click Next. Don't try to import the SAM you copied, because if the target system was using Syskey Cain will not be able to crack it. Find the PWDump file you created with SAMInside and open it. From here it's as easy as holding down Control, left clicking on the accounts you want to crack, then right clicking and choosing either "Start Dictionary Attack" or "Start Brute-Force Attack." A dictionary attack uses the text file in "C:\Program Files\Cain\Wordlists\Wordlist.txt" to tell it what passwords to try; open that file in Notepad and edit it if you want to add more words. The brute-force method runs through all possible combinations of the characters that you configure under the "Brute-Force Options" tab of the "Configure" menu. The brute-force method can take days depending on the options you choose. Now all the attacker has to do is wait. Hope this short article helps.
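The PWDump-format file that SAMInside exports and Cain imports is just as useful to the administrator auditing their own machine. The Python script below is an added example, not code from the article or from either tool: it parses the standard user:rid:lmhash:nthash::: records, flags accounts that still store an LM hash (the hash type the LM attacks above crack) and accounts whose password is blank, and skips malformed lines; the sample records and their hash values are constructed placeholders.

```python
"""Defender-side triage of a PWDump-format export (user:rid:lmhash:nthash:::):
flag accounts that still store an LM hash and accounts with a blank password."""
from collections import namedtuple

# Well-known hash values of an empty LM field and an empty NT password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# lm_stored: an LM hash is present, so the account is reachable by LM cracking.
# blank_password: the NT hash is the empty-password value.
Finding = namedtuple("Finding", "user rid lm_stored blank_password")

def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) for a well-formed record, else None."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    lm, nt = parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        return None
    return parts[0], int(parts[1]), lm, nt

def triage(lines):
    """Classify every parseable record; blank, comment and malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_pwdump_line(line)
        if rec:
            user, rid, lm, nt = rec
            findings.append(Finding(user, rid, lm != EMPTY_LM, nt == EMPTY_NT))
    return findings

def report(findings):
    """One line per account that needs attention, in export order."""
    out = []
    for f in findings:
        if f.blank_password:
            out.append(f"{f.user} (RID {f.rid}): blank password")
        elif f.lm_stored:
            out.append(f"{f.user} (RID {f.rid}): LM hash stored")
    return out

# Constructed sample export; the hashes are placeholders, not real credentials.
SAMPLE = """\
Administrator:500:a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
longpass:1001:aad3b435b51404eeaad3b435b51404ee:11112222333344445555666677778888:::
this line is not a pwdump record
"""
if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE.splitlines()))))
```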