How to get a Windows password with DOS

Huge area to cover, we have assembled and written tutorials that have proven helpful over time.

How to get a Windows password with DOS

Postby B-Con » Wed Jul 14, 2004 4:01 pm

OK, I've finally figured out how to boot to DOS and strip the SAM and SYSTEM files for Window's NT-based OS's.....

I'd write a tutorial about it, but I'm not sure if anyone's interested in posting it. If I did write it (and it were good), would you post it, or would it be a total yawn?

If you would post it then I'd gladly write it.....
Last edited by B-Con on Wed Jul 21, 2004 7:26 pm, edited 1 time in total.
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?
User avatar
B-Con
Challenge Winner [1x]
 
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Website: http://bradconte.com
Location: UC Davis

Postby Prism » Wed Jul 14, 2004 4:26 pm

how did you manage to put the system file on a disk, did you get the dos usb support working?
User avatar
Prism
Owns you
 
Posts: 1618
Joined: Thu May 06, 2004 9:18 am

Postby B-Con » Wed Jul 14, 2004 4:47 pm

Actually, I used RAMdisk to create a ramdrive, and copied the files to there, then zipped them (since I got himem.sys to work).....
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?
User avatar
B-Con
Challenge Winner [1x]
 
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Website: http://bradconte.com
Location: UC Davis

Getting the password for Windows-NT based machine thru DOS

Postby B-Con » Thu Jul 15, 2004 2:09 pm

OK, so there's a Windows NT-based machine that you (for some reason) want to get on but it's password protected, or you only have a limited account on the machine and want the administrative password? This here is what you need.... (NOTE: If the computer is on Windows NT or 2000, use the “WINNT/system32” directory instead of “Windows/system32” directory I refer to here, as that is only for applicable for XP.)

What we're going to do is quite simple (in concept at least): Boot to DOS (instead of Windows), steal the necessary registery files, and crack them on another computer. Actually doing it is more complex, yet easily doable.

All you need to start are the following:
- A computer other than the one you're trying to get into (or at least an account on that one)
- Internet access (to download some files)
- Two floppy disks
- The ability to follow instructions

You'll also need to know a couple basic DOS commands:
dir "__" --- This will list all the files in the specified directory
copy "file" "location" --- This will copy the file to the specified location
del "file" --- This will delete the specified file
ctl+alt+del --- This instantly reboots the computer


*** LET'S DO IT ***

1)
Download >DOS 6.22<. This specific file is a self-extracting boot-disk creator. Just stick your floppy in the drive, double-click it, and it will create the DOS 6.22 boot disk. Once it's done, delete the file "edit.hlp" on the disk to make room for future files we'll be putting on there.

2)
Download >himem.sys< and copy it do your disk. Open your "config.sys" file (you may have to enable the viewing of Operating System protected files to find it) and add the following two lines, preferably at the top:
Code: Select all
DEVICE=himem.sys dos = high, umb
Having completed this, you have now enabled DOS to view more RAM than it originally could -- by nature DOS can only see 640K worth of RAM. Doing this tho won't necessarily let DOS see everything the machine has to offer, but it should get up to about an extra 32MB (called extended memory), more than enough for what we're going to do. For future reference, in DOS you can type "mem" and get a synopsis of your RAM supply.

3)
Now you need to get yourself a shiny little compression program for DOS so you can compress and swipe the registry files you're after. I highly recommend >PKZip 2.50< because it's small and works very nicely, and is also Windows compatible, altho you don't need that feature. I'll assume that's what you're using from here on, as it's what you should be. After you download it, unzip it and copy all the extracted files to your SECOND floppy disk. Now take the disk out, as you won't need it for a few more steps.

---> At this point, you will need to know if the operating system containing the files you want is on a FAT32 or NTFS formatted partition. It is most likely that it be NTFS, which will make our life harder, but not impossible. To determine which, simply boot to the DOS disk and see if you can find the drive it's one (use "dir C:", "dir D:", etc to find a drive with the "Windows" directory on it). If don't see it, it's on NTFS. If you can, it's FAT32 and you can skip down to the "FAT32" section.


*** NTFS ***

4)
Now, since we know that DOS cannot read from NTFS formatted drives, we will need to find a way to make it. Download >NTFSDOS< and copy it to your DOS disk. Open your "autoexec.bat" file and add the simple following line, preferably at the end of the file:
Code: Select all
NTFSDOS.EXE
Now when you boot to DOS, it will run the NTFSDOS program, which allows DOS to read NTFS partitions. It will come up and inform you which drives it is mounting and what drive letter it is assigning to each. For some reason, it usually mounts the first one as 'D', so I'll assume it does the same for you in the following steps. Unfortuanly, NTFSDOS only allows us to read NTFS partitions, we still can't write to them.

5)
Later on when we try to zip the registry files we'll find that, altho the resulting zip file would be small enough to fit onto the disk, it won't ever appear. This is because PKZip will try to create temporary files for the zipping process, and because you're zipping to the floppy you'll run out of space to work with. And we can't zip the files to the hard drive because, as I already said, we can't write to an NTFS part ion using NTFSDOS, we can only read from it. The solution is to create another drive, one that is big enough to house both the temp files and the final zip file that will contain the compressed registry files. Creating this drive is not as hard as it sounds. Once again, you'll have to download a file for DOS, this time it's >RAMDRIVE.SYS<. Copy this to your DOS floppy, and once again open config.sys, this time add the following line (preferably above the bottom one that contains "lastdrive"):
Code: Select all
devicehigh = ramdrive.sys /E 5120
The number "5120" is the size of the drive that it will create, in KB. You can set it at anything you want so long as you have the RAM to do it, but don't underestimate what you'll need and fall short. 5120KB equals 5MB, and that will be ample for our needs here. If you're worrying that a RAMdrive will be harder to use than a normal drive, don't worry at all. Once it's been created you can write to and from it as easily as anything else -- as far as you are concerned, it IS a normal drive, only the computer knows better.

CHECKPOINT:
Now, to summarize: You should have one DOS boot disk that has the extra files himem.sys, NTFSDOS.EXE, and RAMDRIVE.SYS, and should have added their respective lines of code to the appropriate files. Your second disk should strictly contain the PKZip program files.

6)
"Buckle your seatbelt Dorathy, 'cause Kansas is going bye-bye" -- we are now about to *gasp* actually use DOS. Place your boot disk in the computer you wish to gain access to boot it up. After the preliminary BIOS checking and stuff by the computer, DOS will load. Watch what's going on and you will see, for just a second, a block of text that reflects the RAMdrive being created. If you see "RAMdrive mounted as X" then it's been successfully created! Remember the letter used, I'll assume from here on that it's drive C because that's what mine always does. (If the RAMdrive does not work, you probably either inserted the line of code in config.sys wrong, or have a bad copy of RAMDRIVE.SYS (doubtful).) The screen will continue scrolling down as more stuff is loaded. When NTFSDOS is loaded, you will see a list of the drives it's mounting and corresponding letters that they have been mounted as. These are NTFS partitions that NTFSDOS has found. The first one listed should be the one with Windows, it's usually 'D' unless you specify otherwise (which we didn’t).

7)
Now we're done with all the foreplay and can get down to the real business. When you boot to DOS, it's actually loaded into memory, so you can issue most commands without even needing the disk in there. This will work to our advantage in a moment. Right now, take the DOS disk out and replace it with the disk containing PKZip. Then enter the following line of code:
Code: Select all
pkzip c:\tocrack.zip d:\windows\system32\config\SAM d:\windows\system32\config\system
The first word, "pkzip", simply addressed the PKZip program, the next one "c:\tocrack.zip" tells PKZip where to place the ZIP file and what to name it, the next two are the locations of the registry files you want to take. In all, this will take the SAM and SYSTEM registry files that you need and zip them to your RAMdrive. This should take about a minute, so be patient, DOS isn't quite as fast as Windows. When it's done, it'll ask you to insert the disk with "/command.com", this is your DOS disk, so re-insert it and "press any key", then remove the DOS disk again and put the PKZip disk back in. Next copy the tocrack.zip file to your PKZip disk with the following command:
Code: Select all
copy c:\tocrack.zip a:\

*** FAT32 ***

4,5,6,7) FAT32 is much easier to work with than NTFS. Simply insert your DOS disk and boot the computer. Once it's loaded, find the drive with Windows on it (should be 'C'). Then take the DOS disk out and replace it with the disk containing PKZip. Then enter the following line of code:
Code: Select all
pkzip c:\tocrack.zip c:\windows\system32\config\SAM c:\windows\system32\config\system
The first word, "pkzip", simply addressed the PKZip program, the next one "c:\tocrack.zip" tells PKZip where to place the ZIP file and what to name it, the next two are the locations of the registry files you want to take. In all, this will take the SAM and SYSTEM registery files that you need and zip them to your RAMdrive. This should take about a minute, so be patient, DOS isn't quite as fast as Windows. When it's done, it'll ask you to insert the disk with "/command.com", this is your DOS disk, so re-insert it and "press any key", then remove the DOS disk again and put the PKZip disk back in. Next copy the tocrack.zip file to your PKZip disk with the following command:
Code: Select all
copy c:\tocrack.zip a:\
Then get rid of the file your just created on the hard drive so you can eliminate the "evidence", do this by entering:
Code: Select all
del c:\tocrack.zip

*** NTFS + FAT32 MERGE ***

Congratulations! If you executed that second to last command correctly, you now have swiped the needed files and are close to being done. Just to be sure, tho, that you do have the precious tocrack.zip file on your floppy, type "dir a:\" and look for it in the listing. If it's there, all is well (it will only be missing if you screwed up somewhere along the line).

8 )
Now take the PKZip disk to a machine that you have an account on, and copy the tocrack.zip file off of it to your desktop, then unzip it.

9)
Now you'll need a way to actually crack the files. For this, you will need the program >PWSEX<. Download it and install it, don't worry that it's only the trial version. Once it's installed, open it and don't touch any of the options except the button next to "Registry files (SAM, SYSTEM)", check that one and click the "Dump from memory" button. Place your DOS disk in the computer and find the location of the SYSTEM file for the top input, and the location for the SAM file for the bottom one. Then click the "Dump" button. PWSEX will then crack the username's and corresponding passwords for the machine that the files came from. Simply look at the list it generates and, well, you should be able to figure that part out.... ;)


Enjoy :D

This tutorial was written completely and originally by B-Con, and may be copied and reproduced with credit given to it's creator. Any similarity to another tutorials is entirely coincidental.... An up-to-date version can be found on my site.
Last edited by B-Con on Wed Oct 13, 2004 6:22 pm, edited 7 times in total.
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?
User avatar
B-Con
Challenge Winner [1x]
 
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Website: http://bradconte.com
Location: UC Davis

Postby B-Con » Sun Aug 01, 2004 5:41 pm

Thanx guys
ok when you say boot TO the DOS disk does that mean just turn off the computer and turn it back on with the disk in ther? im having problems with this and also does this work with the windows 2000 pro OS?
When I say boot to DOS, yes, turn off the computer, insert the disk, and boot it back up......

But to my knowledge, this will not work for Win2000, but then I don't use/have access to it so I wouldn't know.... first check your Windows\system32\config directory to see if the SAM and SYSTEM files are there, if they aren't, then it definately won't work, if they are, I can't think of a reason why it wouldn't work.... ;)

BTW: I added a couple quick lines to delete the file you create on the hard drive if you're on a FAT32, that way there's no evidence left behind you ;)
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?
User avatar
B-Con
Challenge Winner [1x]
 
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Website: http://bradconte.com
Location: UC Davis

Postby B-Con » Mon Aug 02, 2004 12:55 am

But to my knowledge, this will not work for Win2000
I think the only difference is that the location is C:\WINNT\system32\config\sam ||system
I Googled it, you're right :D
- "Cryptographically secure linear feedback shift register based stream ciphers" -- a phrase that'll get any party started.

- Why know the ordinary when you can understand the extraordinary?
User avatar
B-Con
Challenge Winner [1x]
 
Posts: 2679
Joined: Thu Apr 22, 2004 4:19 pm
Website: http://bradconte.com
Location: UC Davis


Return to “%s” Windows Tutorials

Who is online

Users browsing this forum: No registered users and 0 guests

cron