winxp home password recovery


TheGeek


Trust me, the program does not copy the file but only copies down several lines of hex from the file. I think these are the files that contain the password. The reason I know is when you upload, the only file uploaded is the upload.txt and this file only has a couple of lines of hexadecimals for each user. The best thing to do is each of you try it out and you'll see how it works.


I did it a while back now, I'm aware, read this post...

 

So now we could recover the password, but now how does loginrecovery do it, which is what we want... so let's look at what loginrecovery are taking (from a .bat file on the floppy we get):

 

:windows
echo. >> log.txt
echo %1: (Windows) >> log.txt
get %1:\windows\system32\config\sam %1:\windows\system32\config\system >> upload.txt
goto end

 

They are taking c:\windows\system32\config\sam AND c:\windows\system32\config\system

 

This is everything Proactive Password Auditor requires to quickly bruteforce and get the password and is how I have got my own password, those files work.

 

So what we have is my method gets 2 files, loginrecovery gets the same 2 files.

 

However we store it differently... I upload the files directly to a floppy disk as a sam file and a folder, whereas loginrecovery stores all required data in a single .txt file, this is where the difference is, if we can understand HOW the data we want is stored in that .txt file we're sorted (until the 30 day trial runs out!).

 

Oh yeah, one other problem: I can't stick the .txt file into Proactive Password Auditor, which is a problem, so we need a different program to brute force the password.

 

=====

 

Even when I get the source code for the loginrecovery program, we might be able to learn exactly where the data in the upload.txt file comes from but we still cannot load a .txt into the brute force program I have, so we need one which will allow us to upload a .txt.... if we can't find that then we need to go back to my method in the edited part of post #26 which isn't even fully tested but should work.

 

=====

 

I'm away for the next few days, when I get back we should have the source code which will allow us to get on with stuff, somehow, maybe, hopefully!


err, *frantic googling*

 

Download Proactive Password Auditor demo:

http://www.elcomsoft.com/ppa.html

 

Read this:

http://www.pcstats.com/articleview.cfm?articleid=1501&page=1

 

Access NTFS drives through DOS, see here:

http://www.ntfs.com/products.htm

Download it,

Run it... it writes to a floppy

Boot off the floppy

It's like DOS and it has NTFS access

 

http://www.rarlab.com/download.htm

offers command line compression (winRAR) facilities

 

http://loginrecovery.com/

well we all know that one!

 

Most of the stuff online allows you to remove or reset the password, this is not our aim. What we want to do is get the SYSTEM and SAM files and then using brute force... try googling around, there's a lot of stuff about it.

 

Tip about searching: A lot of this stuff falls under "password recovery" because they can't really call it "hack windows passwords" or something, to search 'xp password recovery' is just as likely to give a result as a search for something to do with sam file and passwords or whatever.


  • 2 weeks later...

Right, latest info:

 

By booting into safe mode, accessing admin account & running a prog like pwdump2 you can get a pwdump file output in the format:

 

user_name:user_id:LM_hash:ntlm_hash:comment:user_home_directory

 

Then using SAMInside or Proactive Password Auditor you can brute force the password out of the pwdump file... there we go, prob solved.

 

=====

 

But like we know one prob leads to another. The prob with this method is that it involves accessing the admin account on the computer for less than 1 minute. The only problem being (well, we always needed physical access) so it'd be the "accessing admin" account side of things. What if admin is pwd protected???

 

btw, pwdump2 cannot be run in DOS mode, I thought that was a brain wave, till I found out I was wrong... the hard way!

 

=====

 

We always have the option to use NTFSDOS alongside the command line RAR tools to retrieve the SAM and System files, which you then plug into SAMInside or Proactive Password Auditor and that gets the answer.

 

=====

 

So we have a few methods of doing this... The problem with loginrecovery.com's method of retrieval is that we still can't "read it" at all... and they still haven't sent me the source code.

 

The most we can say for loginrecovery's is that this:

 

0,51,9D,BE,6E,5F,34,05,0B,38,D1,1C,5F,BF,BD,F3,BD

 

is the same as this:

 

519dbe6e5f34050b38d11c5fbfbdf3bd

 

and they are both the same LM hash. So we need to convert the top line, which I think is hex into the second line, which is the LM hash, in plain-text? if that's the right terminology... Is there such thing as a de-hex-er (ie. converts hex into plain-text) if that is what we need

 

[Edit] Well, either the top ain't hex or the bottom ain't ASCII, because something like this http://centricle.com/tools/ascii-hex/ which is an ASCII to hex converter doesn't work at all for this.


There are different methods of getting the password... and each different method results in a different end format.

 

Like, remember your very first post in this thread, and what you had in the quote box: that is different to what you'd get if you used a different program to get the password, even though the passwords are the same.

 

We have different programs all doing the same job, throwing out the password encoded in different ways. And obviously each program has its own advantages and disadvantages.

 

=====

 

Coming back to your original... what is the pattern? Well I don't know. The floppy disk has written that coding itself and I don't know how to decode it. When loginrecovery send me the source code for the program (which I requested 2 weeks ago now) I might be able to answer your question. Until then I can't.

 

So rather than stopping there I said, how else can you get the password?

 

=====

 

One way to get the password is to use a program called pwdump2 (do a google search and download it).

 

All you have to do is walk up to the computer, run pwdump2 and it'll give you the password, but it will be encoded.

 

However luckily we can decode this using a program like SAMInside or Proactive Password Auditor (you can download a demo for both of those).

 

So that is answer number 1.

 

Now the problem with this method is that you need to be logged onto Windows to run pwdump2 (it will not run from DOS), so what if you don't have access to an account on that computer?

 

=====

 

The answer is that you boot the computer up using a program called NTFSDOS.

 

What you do with that program is that you put it on a floppy disk, boot the computer off the floppy & then you copy/paste a few needed files (which include the password) onto that floppy.

 

You then take the floppy with new files back to your computer and use a program like SAMInside or Proactive Password Auditor to retrieve the password from the files you just took.

 

=====

 

Now if you have NO physical access to the computer, well, you'd need admin rights to it via a LAN and if you do then from within Proactive Password Auditor you can retrieve the file & get the password from it.

 

=====

 

That should make it quite clear!


Zanthra knows what he's talking about. Trust me, nobody in security would do something as silly as a simple mapping from letters to hex symbols. A good hash has the property that a tiny change in the cleartext produces a large, and unpredictable change in the hash. There are at least 4 different protocols windows uses for login that involve hashes.

 

LAN Manager (LM) is an old authentication protocol that uses a shitty, weak hash that can be brute forced almost instantly. NTLM is the updated version used since NT, but can still be brute forced pretty quickly. NTLM 2 is an update that I don't know much about, but I'd hope that by this time they'd learned their lesson and done some decent hashing. Kerberos is what's used to log into a Windows Server 2k or 2k3 domain, which finally does respectable crypto.

 

Your Windows computer never wants to store or pass the password in clear, so it stores and passes a hash of it instead. That's what you see as a hex string. Unfortunately, with the crappy Windows LM hashing, you can brute force the hell out of it and crack it pretty quickly. For the updated authentication protocols that take a bit longer, you can always send them off to someone with cycles to spare (like, well, loginrecovery.com) and let them brute force it for you.

 

Also, keep in mind that hashing is not encryption. If you use a weak password, it can be cracked using dictionary attacks and intelligent brute force schemes (likes ones that use common letter->number swaps and append a few numbers to the end of the dictionary words). Just use a long, complex password... or use a mac like I do. It's hard to work in security and feel good using a Windows box :P


There's a mod you can do to ensure that LM hashing is not used on your computer and only the stronger NT hashing is used, see here:

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;299656

 

DoorNumber1: Do you know if there would be a way to convert that hex string (like you see in the 1st post) into the plain hash, ie.

convert this hex:

0,51,9D,BE,6E,5F,34,05,0B,38,D1,1C,5F,BF,BD,F3,BD

into this hash:

519dbe6e5f34050b38d11c5fbfbdf3bd

(they are the same thing in a different format.)


Look into a tiny program called rainbowcrack. It technically is a brute force cracker, but it uses algorithms to break down and decode the hashes in seconds; it is what the website uses... in the earlier versions of this website, that information was just given out freely.... however, the hash databases are roughly 30 gigs and would take years of computing time for a single machine... however there are some sites that offer these so called tables... this program... rainbow crack.... can also hack MySQL passwords and possibly *nix passwords....

 

happy googling ;):D


Alright, I have thought long and hard on this one... I did the program myself so I could have a copy of the upload.txt. This is basically a pwdump hash. If you delete the first 0 and all the commas, as well as deleting the underscore and the space for that line (so that it is all on one line) and then the last five characters (in the case of the password set as Ab, that would be 0911B), you get a usable pwdump hash. Now if you put your modified hash into a password cracking device (IM me for a good one), you will receive your password in return. As for how it works, the "stuff" after the 1003: is your LAN Manager hash and the stuff after that colon is your NT hash. These use different algorithms to crack or decrypt, which is why there were such differences for capitals and lowercase.

 

-EDIT-

Didn't realize there was a second page to this one.... some info on here may still be useful.
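The format question that runs through this thread (DoorNumber1's comma-separated "0,51,9D,BE,..." line versus the plain 32-digit hash that pwdump-style tools use) and the KB299656 post about turning off LM hashing both come down to reading the same two formats. The following is an added example, not code from the thread or from any of the tools it names. The functions hexdump_to_hash, parse_pwdump_line and audit_lm_hashes are mine; the comma-separated line is the one quoted in the thread; the pwdump sample lines, and the NT hashes in them, are constructed for the example; EMPTY_LM and EMPTY_NT are the well-known hashes of the empty password, which pwdump-style output uses in the LM field when an account has no LM hash stored. The audit side is what an administrator would run after applying the KB299656 setting, to confirm no account is still stored in the weak LM form:

```python
"""Added example: normalise the comma-separated hex that the thread's
upload.txt contains into the plain 32-digit form used by pwdump-style
output, and audit pwdump-format lines for accounts that still store an LM
hash.  Sample data is constructed for this example."""

import re

# Well-known hashes of the empty password.  pwdump-style output writes
# EMPTY_LM in the LM field when no LM hash is stored for the account (the
# KB299656 NoLMHash setting in effect, or a password over 14 characters), so
# it is the "no LM hash" marker the audit below keys on.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
HEX_HASH = re.compile(r"[0-9a-f]{32}")


def hexdump_to_hash(dump: str) -> str:
    """Convert '0,51,9D,BE,...' to '519dbe6e...'.

    Follows tal8's recipe from the thread: drop the leading '0' token and
    the commas, then lower-case the result.  Every remaining token must be
    exactly one byte and there must be 16 of them (LM and NT hashes are
    16 bytes), otherwise the input is not a hash dump and we refuse it.
    """
    tokens = [t.strip() for t in dump.strip().split(",") if t.strip()]
    if tokens and tokens[0] == "0":
        tokens = tokens[1:]
    if len(tokens) != 16 or not all(HEX_BYTE.fullmatch(t) for t in tokens):
        raise ValueError("expected 16 comma-separated hex bytes, got %r" % dump)
    return "".join(tokens).lower()


def parse_pwdump_line(line: str) -> dict:
    """Parse one user_name:user_id:LM_hash:ntlm_hash:comment:home line."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    user, rid = fields[0], fields[1]
    lm, nt = fields[2].lower(), fields[3].lower()
    if not rid.isdigit() or not HEX_HASH.fullmatch(lm) or not HEX_HASH.fullmatch(nt):
        raise ValueError("malformed pwdump line: %r" % line)
    comment = fields[4] if len(fields) > 4 else ""
    home = fields[5] if len(fields) > 5 else ""
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "comment": comment, "home": home,
            "has_lm": lm != EMPTY_LM,          # weak LM form still stored
            "empty_password": nt == EMPTY_NT}  # account has a blank password


def audit_lm_hashes(lines):
    """Return the names of accounts whose LM field holds a real LM hash.

    Every name returned is an account still stored in the LM form the thread
    describes as almost instantly brute-forceable; an empty list means the
    NoLMHash mitigation covers every listed account.
    """
    records = (parse_pwdump_line(ln) for ln in lines if ln.strip())
    return [rec["user"] for rec in records if rec["has_lm"]]


# The comma-separated line quoted in the thread.
UPLOAD_TXT_LINE = "0,51,9D,BE,6E,5F,34,05,0B,38,D1,1C,5F,BF,BD,F3,BD"

# Constructed sample pwdump output: Administrator keeps the thread's LM hash
# beside a made-up NT hash, Guest has a blank password, alice has no LM hash.
SAMPLE_PWDUMP = """\
Administrator:500:519dbe6e5f34050b38d11c5fbfbdf3bd:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""


if __name__ == "__main__":
    print("normalised:", hexdump_to_hash(UPLOAD_TXT_LINE))
    print("accounts still storing an LM hash:",
          audit_lm_hashes(SAMPLE_PWDUMP.splitlines()))
```

Run as a script it prints the normalised hash from the thread and, for the constructed sample, reports only Administrator as still carrying an LM hash. The parser is deliberately strict about field count and hash length so a stray comment line or a partially copied row raises rather than being silently treated as a hash.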


tal8, wow, all I can say is thanks so much... I suppose the pwdump hash is just kinda looking at you with all those stupid commas etc. but you saw it first, so all I can say is thanks so much, I'm really grateful :)

 

btw, I think all of the info in your post was useful, even if you didn't see the 2nd page.

 

kaz_64: you seemed to post a while back and I seem to have missed your post. I just got a trojan whilst trying to download rainbowcrack from here: http://www.antsight.com/zsl/rainbowcrack, so I wouldn't advise people to try that. It didn't seem to be one of those malware warnings you get when you download something like sub7 where the error is because sub7 is a known malicious software so it doesn't like it at all, I was just downloading the file and Avast starts popping up saying the download was a trojan.

 

Anyway, SAMInside seems sufficient for me for now, even if it does take 30mins... and thanks again to tal8 :)


Quote:

tal8, wow, all I can say is thanks so much... I suppose the pwdump hash is just kinda looking at you with all those stupid commas etc. but you saw it first, so all I can say is thanks so much, I'm really grateful :)

btw, I think all of the info in your post was useful, even if you didn't see the 2nd page.

kaz_64: you seemed to post a while back and I seem to have missed your post. I just got a trojan whilst trying to download rainbowcrack from here: http://www.antsight.com/zsl/rainbowcrack, so I wouldn't advise people to try that. It didn't seem to be one of those malware warnings you get when you download something like sub7 where the error is because sub7 is a known malicious software so it doesn't like it at all, I was just downloading the file and Avast starts popping up saying the download was a trojan.

Anyway, SAMInside seems sufficient for me for now, even if it does take 30mins... and thanks again to tal8 :)

 

 

Avast is wrong then; that is the rainbow crack homepage and it is not a trojan. I have run it many times and read/modified the source code, it contains no malicious code. I'm happy to hear you found another solution though, happy cracking.
