Cracking Passwords Guide

Cracking Passwords Version 1.1

by: J. Dravet

February 15, 2010Abstract

This document is for people who want to learn to the how and why of password cracking. There isa lot of information being presented and you should READ IT ALL BEFORE you attempteddoing anything documented here. I do my best to provide step by step instructions along with thereasons for doing it this way. Other times I will point to a particular website where you find theinformation. In those cases someone else has done what I attempting and did a good or great joband I did not want to steal their hard work. These instructions have several excerpts from acombination of posts from pureh@te, granger53, irongeek, PrairieFire, RaginRob, stasik, andSolar Designer. I would also like to thank each of them and others for the help they have providedme on the BackTrack forum.I will cover both getting the SAM from inside windows and from the BackTrack CD, DVD, or USB flash drive. The SAM is the Security Accounts Manager database where local usernames and passwords are stored. For legal purposes I am using my own system for this article. The first stepis to get a copy of pwdump. You can choose one fromhttp://en.wikipedia.org/wiki/Pwdump.Update: I used to use pwdump7 to dump my passwords, however I have come across a new utilitycalled fgdump fromhttp://www.foofus.net/fizzgig/fgdump/This new utility will dump passwordsfrom clients and Active Directory (Windows 2000 and 2003 for sure, not sure about Windows2008) where pwdump7 only dumps client passwords. I have included a sample hash.txt that hassimple passwords and should be cracked very easily. NOTE: Some anti-virus software packagesflag pwdump* and fgdump as trojan horse programs or some other unwanted program. If necessary, you can add an exclusion for fgdump and/or pwdump to your anti-virus package so itwon't flag them. However it is better for the community if you contact your anti-virus vendor andask them to not flag the tool as a virus/malware/trojan horse.You can find the latest version of this document athttp://www.backtrack-linux.org/

Contents

1LM vs. NTLM2Syskey3Cracking Windows Passwords3.1Extracting the hashes from the Windows SAM3.1.1Using BackTrack Tools3.1.1.1Using bkhive and samdump v1.1.1 (BT2 and BT3)3.1.1.2Using samdump2 v2.0.1 (BT4)3.1.1.3Cached Credentials3.1.2Using Windows Tools3.1.2.1Using fgdump3.1.2.2Using gsecdump

Cracking Passwords Version 1.1file:///D:/password10.html1 of 452/15/2010 3:48 PM

3.1.2.3Using pwdump73.1.2.4Cached Credentials3.2Extracting the hashes from the Windows SAM remotely3.2.1Using BackTrack Tools3.2.1.1ettercap3.2.2Using Windows Tools3.2.2.1Using fgdump3.3Cracking Windows Passwords3.3.1Using BackTrack Tools3.3.1.1John the Ripper BT3 and BT43.3.1.1.1Cracking the LM hash3.3.1.1.2Cracking the NTLM hash3.3.1.1.3Cracking the NTLM using the cracked LM hash3.3.1.1.4Cracking cached credentials3.3.1.2John the Ripper - current3.3.1.2.1Get and Compile3.3.1.2.2Cracking the LM hash3.3.1.2.3Cracking the LM hash using known letter(s) in known location(s) (knownforce)3.3.1.2.4Cracking the NTLM hash3.3.1.2.5Cracking the NTLM hash using the cracked LM hash (dumbforce)3.3.1.2.6Cracking cached credentials3.3.1.3Using MDCrack 3.3.1.3.1Cracking the LM hash3.3.1.3.2Cracking the NTLM hash3.3.1.3.3Cracking the NTLM hash using the cracked LM hash3.3.1.4Using Ophcrack 3.3.1.4.1Cracking the LM hash3.3.1.4.2Cracking the NTLM hash3.3.1.4.3Cracking the NTLM hash using the cracked LM hash3.3.2Using Windows Tools3.3.2.1John the Ripper 3.3.2.1.1Cracking the LM hash3.3.2.1.2Cracking the NTLM hash3.3.2.1.3Cracking the NTLM hash using the cracked LM hash3.3.2.1.4Cracking cached credentials3.3.2.2Using MDCrack 3.3.2.2.1Cracking the LM hash3.3.2.2.2Cracking the NTLM hash3.3.2.2.3Cracking the NTLM hash using the cracked LM hash3.3.2.3Using Ophcrack 3.3.2.3.1Cracking the LM hash3.3.2.3.2Cracking the NTLM hash3.3.2.3.3Cracking the NTLM hash using the cracked LM hash3.3.2.4Using Cain and Abel3.3.3Using a Live CD3.3.3.1Ophcrack 4.Changing Windows Passwords4.1Changing Local User Passwords4.1.1Using BackTrack Tools4.1.1.1chntpw4.1.2Using a Live CD

Cracking Passwords Version 1.1file:///D:/password10.html2 of 452/15/2010 3:48 PM

4.1.2.1chntpw4.1.2.2System Rescue CD4.2Changing Active Directory Passwords5 plain-text.info6Cracking Novell NetWare Passwords7Cracking Linux/Unix Passwords8Cracking networking equipment passwords8.1Using BackTrack tools8.1.1Using Hydra8.1.2Using Xhydra8.1.3Using Medusa8.1.4Using John the Ripper to crack a Cisco hash8.2Using Windows tools8.2.1Using Brutus9Cracking Applications9.1Cracking Oracle 11g (sha1)9.2Cracking Oracle passwords over the wire9.3Cracking Office passwords9.4Cracking tar passwords9.5Cracking zip passwords9.6Cracking pdf passwords10Wordlists aka Dictionary attack 10.1Using John the Ripper to generate a wordlist10.2Configuring John the Ripper to use a wordlist10.3Using crunch to generate a wordlist10.4Generate a wordlist from a textfile or website10.5Using premade wordlists10.6Other wordlist generators10.7Manipulating your wordlist11Rainbow Tables11.1What are they?11.2Generating your own11.2.1rcrack - obsolete but works11.2.2rcracki11.2.3rcracki - boinc client11.2.4Generating a rainbow table11.3WEP cracking11.4WPA-PSK 11.4.1airolib11.4.2 pyrit12Distributed Password cracking12.1 john12.2medussa (not a typo this is not medusa)13using a GPU13.1cuda - nvidia13.2stream - ati14example hash.txt

1 LM vs. NTLM

The LM hash is the old style hash used in MS operating systems before NT 3.1. It converts the password to