- Get name,sid
- Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
· Creating and Using Rainbow Tables with winrtgen.exe
· Use Rcrack to crack NTLM passwords
· Crack system user accounts using L0phtCrack – (Can take 5 hours)
The Security Account Manager (SAM) is a database file on Windows machines (the SAM hive under %SystemRoot%\System32\config) that stores local user accounts and their security descriptors. Passwords are not stored in clear but as hashes: the LM hash, a weak DES-based construction that Windows Vista and later no longer store by default, and the NT hash, an unsalted MD4 of the UTF-16LE password (commonly called the NTLM hash). Neither hash is salted, which is what makes precomputed attacks such as rainbow tables practical. You need administrator rights to dump the SAM: the hive is locked by the kernel while Windows is running and the hash values in it are encrypted with a key derived from the SYSTEM hive, so a dumper needs privileged access to both.
Pwdump7 can also copy files that are locked because another process has them open, since it reads the volume directly instead of going through the normal Windows file API: pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat writes a copy of the locked file.
The Ophcrack developers provide free rainbow tables. The XP free tables cover LM hashes of alphanumeric passwords of up to 14 characters (the LM maximum); the Vista free table covers NT hashes, but only of passwords drawn from a word list and common variants of those words, not the full alphanumeric keyspace. Because a Windows Vista or later host normally stores no LM hash at all (the LM field then holds the constant aad3b435b51404eeaad3b435b51404ee), the LM tables are useless against such a dump and the NT-hash (Vista) tables are the ones to load, as step H below does.
Procedure on a Windows 10 box to dump hashes with pwdump7 and crack them with Ophcrack
A. Launch an elevated command prompt: click the Search bar in the Taskbar, type cmd, right-click the result and choose Run as administrator. pwdump7 needs the elevated prompt; from a normal prompt the SAM cannot be read.
B. Type wmic useraccount get name,sid and press Enter. The command lists the local account names and their SIDs. The last component of each SID (500 for the built-in Administrator, 501 for Guest, 1000 and up for created accounts) is the RID, which is also the second field of every pwdump7 output line.
C. Make sure the pwdump7 folder is on the desktop before continuing.
D. Type cd C:\Users\Admin\Desktop\pwdump7 and press Enter.
E. Type PwDump7.exe and press Enter. The password hashes are printed one account per line in the format name:RID:LM hash:NT hash:::.
F. To write the hashes to a file, type PwDump7.exe > C:\Users\Admin\Desktop\hashes.txt and press Enter.
G. Open C:\Users\Admin\Desktop\hashes.txt and replace the unreadable box symbols before each RID with the account name that has that RID in the wmic output from step B, so that Ophcrack reports its results under the right names.
H. Open Ophcrack: Load - PWDUMP file (select hashes.txt) - Tables - choose Vista free - in the Select the directory which contains the tables window pick the tables_vista_free folder - OK - Crack. Passwords are displayed as each hash is found; allow roughly 15-30 minutes for the run. A line whose NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0 is a blank password and needs no cracking.
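Steps B and G can be done without hand-editing, because the second field of each pwdump7 line is the account's RID, which is also the last component of the SID that wmic prints; the same pass can flag lines that are not worth cracking. The Python below is an added example, not part of the original lab or of pwdump7 itself. The wmic and pwdump7 outputs are constructed samples, the LM and NT values are the public constants for "no LM hash stored", the empty password and the password "password", and the last line's NT hash is a made-up placeholder for an unknown password.

```python
import re

# Constructed sample of `wmic useraccount get name,sid` output (not from a real host).
WMIC_OUTPUT = """\
Name           SID
Admin          S-1-5-21-1234567890-1234567890-1234567890-1001
Administrator  S-1-5-21-1234567890-1234567890-1234567890-500
Guest          S-1-5-21-1234567890-1234567890-1234567890-501
Alice          S-1-5-21-1234567890-1234567890-1234567890-1002
"""

# Constructed pwdump7 output in its name:RID:LM:NT::: format. On some hosts the name field
# comes out as unreadable bytes (the "box symbols" of step G); '?' stands in for them here.
# The last line's NT hash is a placeholder, not the hash of any particular password.
PWDUMP_OUTPUT = """\
?:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
?:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
?:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
?:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when Windows stores no LM hash
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

_WMIC_LINE = re.compile(r"^(?P<name>.+?)\s+(?P<sid>S-1-5-[\d-]+)\s*$")


def parse_wmic(text):
    """Map RID (last SID component) -> account name; names may contain spaces."""
    rid_to_name = {}
    for line in text.splitlines():
        m = _WMIC_LINE.match(line)
        if m:
            rid_to_name[int(m.group("sid").rsplit("-", 1)[1])] = m.group("name")
    return rid_to_name


def parse_pwdump(text):
    """Split pwdump7 lines into records; ignore anything that is not name:RID:LM:NT."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        records.append({"name": fields[0], "rid": int(fields[1]),
                        "lm": fields[2].lower(), "nt": fields[3].lower()})
    return records


def repair_dump(pwdump_text, wmic_text):
    """Rewrite pwdump7 lines with real names (step G) and note which table type applies."""
    rid_to_name = parse_wmic(wmic_text)
    fixed, notes = [], {}
    for rec in parse_pwdump(pwdump_text):
        name = rid_to_name.get(rec["rid"], rec["name"])  # keep the raw name if RID is unknown
        fixed.append("{}:{}:{}:{}:::".format(name, rec["rid"], rec["lm"], rec["nt"]))
        if rec["nt"] == EMPTY_NT:
            notes[name] = "blank password"
        elif rec["lm"] == EMPTY_LM:
            notes[name] = "no LM hash stored; use NT-hash tables"
        else:
            notes[name] = "LM hash present; LM tables apply"
    return fixed, notes


if __name__ == "__main__":
    lines, verdicts = repair_dump(PWDUMP_OUTPUT, WMIC_OUTPUT)
    for line in lines:
        print(line, "#", verdicts[line.split(":")[0]])
```

Redirect the printed lines into hashes.txt in place of the raw pwdump7 output; Ophcrack and rcrack both accept the repaired pwdump format.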
Once an attacker has a dump of the SAM database, the easiest and fastest route to the plaintext password is a rainbow table: the expensive hash-to-password work is precomputed once (what winrtgen does) and each lookup then costs only a table search plus a short chain walk (what rcrack does). This only works because LM and NT hashes are unsalted, so one table serves every dump.
Procedure on a Windows box to create rainbow tables with winrtgen.exe
A. Open Winrtgen and click Add Table. In the Rainbow Table properties window select ntlm from the Hash drop-down list, set Min Len to 4 and Max Len to 6, set Chain Count to 4000000 and select loweralpha from the Charset drop-down list. Click OK. The charset and length range define what the table can contain: a password with a character outside the charset, or longer than Max Len, can never be recovered from this table, so choose them to match what you expect of the target passwords.
B. The new table's file name appears in the Winrtgen list. Select it, click OK, then Start, and Winrtgen generates the table (allow at least an hour; generation time grows with chain count and chain length).
Procedure on a Windows box to use rcrack
A. Run rcrack_gui.exe to launch the RainbowCrack application.
B. File - Load NTLM Hashes from PWDUMP File - Open - select the file containing the hashes to be cracked. The loaded hashes are listed in the window.
C. Click Rainbow Table in the menu bar and then Search Rainbow Tables...
D. Choose the rainbow table generated above; the search starts automatically. A lookup normally completes in minutes. If it runs much longer or finds nothing, check that the table's hash type (ntlm), charset and length range actually cover the loaded hashes: a password outside the table's keyspace can only come back as not found.
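What winrtgen precomputes and rcrack searches, reduced to a toy that runs in a few seconds: the NT hash is an unsalted MD4 over the UTF-16LE password, a reduction function maps each hash back into the keyspace, and only the start and end of every chain is stored. The Python below is an added example, not code from RainbowCrack or from the lab. The charset (loweralpha, fixed length 3), chain length, number of chains, start-point choice and reduction function are my own assumptions for illustration; real tables use variable lengths, thousands of hashes per chain, millions of chains and a table-file format this code does not implement.

```python
import string
import struct

CHARSET = string.ascii_lowercase  # winrtgen's "loweralpha"
PW_LEN = 3                        # fixed length: 26**3 = 17576 candidates (toy assumption)
CHAIN_LEN = 100                   # hashes per chain; real tables use thousands
KEYSPACE = len(CHARSET) ** PW_LEN


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 needs OpenSSL's legacy provider and is often missing."""
    mask = 0xFFFFFFFF

    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Pad to 56 mod 64, then append the bit length as a little-endian 64-bit integer.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rot((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: [A B C D] -> [D A B C]
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le"))


def index_to_password(n):
    """Enumerate the keyspace: index 0 is 'aaa', index 17575 is 'zzz'."""
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def reduce_fn(h, pos):
    """Reduction R_pos: maps a hash back into the keyspace. It depends on the chain position,
    which is what distinguishes a rainbow table from Hellman's single-function tables."""
    return index_to_password((int.from_bytes(h[:8], "little") + pos) % KEYSPACE)


def build_table(num_chains):
    """Precomputation (winrtgen's job): store only chain endpoints, end -> start."""
    table = {}
    for n in range(num_chains):
        start = index_to_password((n * 7919) % KEYSPACE)  # 7919 is coprime to 17576: distinct starts
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_fn(nt_hash(pw), pos)
        table.setdefault(pw, start)  # merged chains keep the first start; the rest is wasted work
    return table


def lookup(table, target):
    """Online search (rcrack's job): assume the hash sits at position pos, walk to the chain end,
    and if that endpoint is stored, rebuild the chain to confirm the hit (or reject a false alarm)."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, pos)
        for p in range(pos + 1, CHAIN_LEN):
            pw = reduce_fn(nt_hash(pw), p)
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for p in range(pos):
            cand = reduce_fn(nt_hash(cand), p)
        if nt_hash(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    t = build_table(200)
    print("recovered:", lookup(t, nt_hash("aaa")))
    print("outside keyspace:", lookup(t, nt_hash("password")))
```

The last call illustrates the failure mode of step D above: "password" is eight characters, outside the table's charset and length, so no amount of searching can return it and the only possible answer is not found.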
Crack system user accounts using L0phtCrack – (Can take 5 hours)
From Windows box
A. Run L0phtCrack
B. Start the Password Auditing Wizard and click Next. In the Choose Target System Type section select the Windows radio-button (the wizard also offers Unix, but the target here is a Windows SAM) and click Next.
C. In the Windows Import section select the A remote machine radio-button and click Next.
D. In the Windows Import From Remote Machine (SMB) section, type the IP address of the remote host in the Host field, select the Use Specific User Credentials radio-button and enter credentials with administrative rights on that host (the import reads the remote SAM over SMB, which an unprivileged account cannot do). Click Next.
E. In the Choose Audit Type section select the Strong Password Audit radio-button and click Next.
F. In the Reporting Options section make sure Display passwords when audited and Display encrypted password hashes are selected and click Next.
G. In the Job Scheduling section select the Run this job immediately radio-button and click Next.
H. In the Summary section click Finish.