Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing ipublished will tell you how to 0wn someone, these docs will help you understand how you got 0wnd.
Post Reply
The Chineser
Posts: 5
Joined: Tue Jun 13, 2006 8:23 pm


Post by The Chineser » Tue Jun 13, 2006 8:59 pm

Here is the link to my tutorial. Tell me what you think! ... words.html

Cracking Windows User Passwords

Knowledge Required: basic understanding of the Linux terminal is helpful but not required

Difficulty: Medium

Written by: The Chineser

The Security Account Manager (SAM) is a database stored as in a registry file in Windows NT Operating Systems. It stores users' passwords in a hashed format. Along with the SAM file is its companion the System Key (SYSKEY). SYSKEY is a utility that encrypts the hashed Windows passwords information in a SAM file using a 128bit encryption.

It is possible to capture the SAM file containing the password and crack it. The SAM file is located in the following directory: C:\WINDOWS\system32\config or in Windows 2000 C:\WINNT\system32\config.

So how do you get the SAM?

You can’t copy anything in the /config directory using Windows, This makes it deceptively difficult to extract the password. However you can extract the password via another operating system. The tool we will be using is a Linux distribution by the name of Auditor. The Auditor consists of useful utilities like Bkhive and Samdump2 which we will be using to extract the password from the SAM file.

The first step is to get the Auditor Live CD ISO and burn it to a CD. You can find adownload mirror for the Auditor by clicking here.

Now that you have a copy of the Auditor, boot it up on the target machine. (Make sure the CD-ROM is set as the first boot device in the BIOS)

Now when the Auditor is done loading open up a terminal (click on the icon that looks like a little monitor on the bar on the bottom of the screen) and mount the hard drive. The highlighted text is the command you enter in the terminal:

>mount /dev/hda1 (the hard drive is usually hda1)

In order to do what we need to do we have to have some space to work with, so we would want to work in the ramdisk directory.

>cd /ramdisk/

Next we will use Bkhive to extract the system key from the system hive and the password hashes from the SAM file.

For example:

>bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt

or in Windows 2000:

>bkhive-linux /mnt/hda1/WINNT/system32/config/system saved-syskey.txt

You should see something like this:


Bootkey: 407af4376e55f1fd6d58cc47a4fa4c01

Now that we have the system key we can use it to decrypt the SYSKEY of the SAM, and extract the hashes and convert it into a PWDump format file:

>samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt

You should see something like this:

This product includes cryptographic software written
by Eric Young (

No password for user Guest(501)
No V value!

Now that you have the hashes in a text file you can go ahead and save it somewhere. Personally I would save it to a USB flash drive so it can be cracked on a different machine. This way you would have more time to crack it, which may be needed if it’s a particularly strong password. If you choose to save password-hashes.txt on a USB flash drive, you must connect it to the target computer before you boot up the Auditor. To copy the file to your flash drive enter the following command:

> cd /dev/sda

Now, to copy password-hashes.txt

>cp /ramdisk/password-hashes.txt .

(Don’t forget the period at the end)

Now that you have the hashed password in a text file you can crack it. You can crack the password using a program called Cain & Abel.

Once you have Cain & Abel open, select the “Cracker” tab. Next, right-click on the white space in the middle of the program and select “add to list”.

Click on the bullet that says “Import hashes from a text file”. Once you have clicked on it you must specify where the text file containing the hashes is. Once you have selected it, you will see the user names displayed on the screen. Right click on the user name and choose the cracking technique. For whatever you choose, use NTLM hashes.

A brute-force attack guesses all possible combinations of characters within the parameters you have set. If you choose to use this type of attack to crack the passwords I recommend using a password length of 4 to 8 characters using both upper and lower case letters and also numerals. If you are unable to crack the password with a dictionary attack then this technique should be used. First you should always perform a dictionary attack, as it is fast and many weak passwords can be broken with it. This will guess words and phrases in a text-file that is used. It usually contains all the words that would be found in an English-language dictionary and possibly combinations of words and phrases.

This concludes the tutorial. Happy hacking!

The author of this guide has successfully cracked passwords using this method and writes from experience. If you have any questions, or feel that any information in this guide is inaccurate, please contact The Chineser at
Last edited by The Chineser on Thu Jun 15, 2006 6:57 pm, edited 1 time in total.

Posts: 138
Joined: Mon Jun 12, 2006 6:53 am
Location: Ask if it's necessary.

Post by imp0rt » Wed Jun 14, 2006 6:29 am

5th line, phpbb/viewtopic.php?t=6194.

I'm not trying to be a mod here--but all that stuff in the other forum about that site may have to be taken down, because your school might take legal actions, I don't think I want any evidence of visiting there... what if they think I'm one of the contributors they're trying to fish out? I'm probably being paranoid, but could you please post it?

The Chineser
Posts: 5
Joined: Tue Jun 13, 2006 8:23 pm

Post by The Chineser » Thu Jun 15, 2006 6:39 pm

Yikes I will edit that post. Thanks Imp0rt!

Post Reply