Ever had trouble logging into a computer with an unknown password? Or do you just want full access to that public PC in your library? If so, then this is the stuff you are looking for. I have been asked this question many times: “UzEE, how on earth did you get admin rights to the systems in the labs?” My answer has always been: “I just found them logged in.”
Well, today I share a technique I have used for a couple of years now. The basic idea is to gain admin access to a restricted system to which you only have physical access (you can’t install programs, run scripts, etc.). This will be a long (but interesting) article and may contain information that doesn’t apply to every case. It is also highly recommended that you have some knowledge of computers (more than just surfing the web, writing documents or playing games) and lots of patience.
Disclaimer: If your purpose is just to install malicious, non-productive software or retrieve personal/illegal information, then please do not read this. Neither I nor anyone else from Sizlopedia will be responsible for any harm (intellectual or otherwise) caused by this information.
I will start the article with a little background on why I (or anyone else) would want full access to a system. I’m a student of computer engineering at Bahria University, Islamabad. We are subjected to torture worse than Guantanamo Bay, as the systems in the computer labs have no such things as Firefox, Flash Player, Windows Media Player, Photoshop/Fireworks, Messenger, or any other useful software for that matter. We only get 100 MB on a shared network drive for storing personal files (assignments, notes etc.), which also gets wiped every couple of months. We are subjected to limited Internet: no social networking, video streaming or downloads (even though we have 4 and 8 Mbps servers).
The above reasons are enough for any technology lover to revolt and find means to get full (sometimes unauthorized) access to the systems. I just want to surf the web more securely, while streaming some tunes and interacting with my friends on Facebook. So after some time (actually my 3rd day in the university) I started looking for ways to gain access to a secured system. I met with random success and new challenges, and I share my discoveries with you here.
If you search online, there is little chance that you will find a technique that is almost 100% effective in all situations. Beyond a certain point, even Microsoft suggests that you reformat your drive and reinstall Windows if you can’t remember your credentials.
The tools we use here are available on the Internet. Actually, it’s a combination of various techniques from various sources: some from Microsoft, some from the hacker and open source community, and some I engineered myself. This will probably be one of the most complete guides to recovering your passwords.
Alternatives to this technique do exist, but they have their limitations. Here is a quick list of some of the best tools I have used successfully to achieve a similar result:
- Emergency Recovery Disk: If you are the legitimate owner of the system then you must have an emergency recovery disk. It’s intended for system failures but will work in this case too. Just boot from that disk and restore your system.
- Windows Password Recovery: This is the fastest recovery method I have seen to date. Provided everything goes right, you can recover your password within 10 minutes. The limitation is that their priority service is not free and they don’t always work on all types of passwords.
- Offline NT Password & Registry Editor: Though this doesn’t recover the password, it’s a fast and dirty way to access a restricted system. Just download the bootable Linux image, burn it onto a disc or write it to a flash drive, and boot from it. You can do hordes of other stuff besides resetting the password. I use this one the most.
While these alternatives do work, they are usually not applicable to the core scenario this article focuses on. At some other time, I will discuss how to use them cleanly.
What you will need
OK, now getting to the main topic. You will need to put together a few things before you can recover the passwords. Here they are:
- Full access to a good PC – at least a Pentium 4 equivalent processor, but a Core 2 is recommended. If you plan on using a Celeron or Atom series processor, don’t. Ideally, you should have something as powerful as a Core i7. If you have full access to more than one PC connected over a network, then use them all (more on this below).
- A CD-R/CD-RW if your board can’t boot from USB flash drives.
- A USB 2.0 flash drive (at least 512 MB) if your board supports booting from it, so you can boot directly from the drive.
That’s all for the hardware you need. On the software side, you have many options, some shareware and some free. Continuing the tradition of Sizlopedia, we will be using free software only, though I will mention all the names.
- A preinstallation environment (PE): either Microsoft Windows PE (very rare) or BartPE; both work. Although it is recommended, you won’t need this if you can access the registry files some other way (e.g. from another operating system).
- A hash decryptor. One powerful tool is SAMInside, but it isn’t free. The best alternative is LCP, a free NT and LM hash decryptor with many similarities to SAMInside.
- A Windows XP installation disc to build the pre environment.
It is worth noting here that SAMInside can ease a lot of pain in some situations thanks to its superior features over LCP, but they aren’t always required. Both tools can bypass SYSKEY protection as well as pause and resume attacks. SAMInside only speeds up tasks thanks to its little extras (a bonus attack, dictionary tables, and the option to select which passwords to recover), but that’s nothing LCP can’t handle given a little more time.
Step 1: Building the Pre Environment
I am assuming that you have downloaded BartPE Builder, and that you have a system with full admin rights and a Windows XP installation disc to work on. Make sure that your Windows XP installation files are already on your hard drive (the i386 folder) or that the CD is in the CD-ROM drive. Start pebuilder.exe; it will ask whether to search for installation files. That’s a waste of time, so just choose No, and then click the button next to the Source textbox. Browse to your i386 folder (L:\i386 in my case, on the CD) and select it.
In the Media output group box, select Burn to CD/DVD and choose StartBurn from the drop-down list. It will automatically select your burner. Click Build to start building the PE image, which is then burned to the disc. This will take some time, and if everything goes well, you will get a success message.
You could also make a USB boot drive if you like (and are willing to risk it). It’s not 100% guaranteed, but it has worked for me. You would need at least a 512 MB flash drive and a couple of files from Windows Server 2003 SP1. This USB Pre Environment builder gives more details on this.
Step 2: Getting the Registry Files
This is the hardest part of the process, partly because you would now be stealing user information and partly because the registry hives are not easy to locate and access. Depending on your operating system and settings, the registry information may be stored in a number of places. What you are looking for are three files: SAM (Security Accounts Manager), SYSTEM (local system hive) and SECURITY (SYSKEY encryption information).
By default, in most versions of Windows, they are located in Windows\System32\Config. They are locked by the NT Session Manager and WinLogon, so you can’t access them from within Windows. If you have System Restore active, then copies would also be located in System Volume Information\(restore point image)\(restore folder), but that copy is not always up to date.
The safest way is to boot an operating system other than the installed Windows (one that supports NTFS) and get the files from there. This is where BartPE comes into play.
- Boot from BartPE by inserting the CD or the USB drive into the target system.
- When Bart finishes loading, click on the Go button and look for the A43 File Manager. Its location changes with different versions, but it’s easy to find (usually under Accessories; the menu is small).
- This is like Windows Explorer. Navigate to Windows\System32\Config and copy the files SAM, SYSTEM and SECURITY to any other folder you can access from within Windows. If Bart detected your USB flash drive, then you can paste them there.
- You are done with Bart. Quickly remove the boot medium and reboot the PC.
- If you haven’t already, retrieve the files you copied from within Windows and leave the system.
Remember, if you are doing this on a public PC, then be extremely careful not to get caught. This whole process may take about 10 minutes depending on the system speed.
Step 3: Hash Decryption
This is the final and longest step in our process. It can take anywhere from 30 minutes to thousands of days depending on the complexity of the password. You should continue this on the most powerful computer you have access to. By that I mean a system which you can use (you don’t need full privileges to run the software). I’d advise you to use at least an Intel Pentium 4/AMD Athlon 64 processor. Anything below that would be a waste of time. You can also double your performance if you use a multi-core system like the Intel Core 2 or the Intel Core i7.
I’ll assume that you want to continue with the free LCP software, and not SAMInside. They are mostly similar in functionality and provide all the basic tools you may need. SAMInside has the added advantage of an extra attack and some better options for decryption and password prediction. It can reduce the total time you need to crack a password, but anything you can do with SAMInside, you can do with LCP (it will just take a little longer in some cases).
Start LCP by extracting/installing the files you downloaded (note: you don’t have to install LCP in order to run it). LCP comes with excellent documentation, and a little help material is also available on its website. While I will guide you through the most straightforward attack, it often helps to know what else you can do with the configuration, as this may dramatically reduce the time you need to crack a password.
There are a lot of ways to import the hashes into LCP, but we will use the Import from SAM file option. Click Import > Import from SAM file… in the main menu bar. You will be presented with the dialog depicted in the screenshot. There are a few things you should be careful about, like selecting the right files. This is the part where people most often screw up.
For the first textbox, click the Browse button and navigate to the SAM file you retrieved earlier. Next, if SYSKEY was enabled, then you need to tick the Additional encryption is used checkbox. If you are unsure whether SYSKEY was enabled or not, then a rule of thumb is that on anything after Windows XP Service Pack 2, SYSKEY is enabled by default.
Even if you don’t know for sure, you can still provide a SYSKEY source, and the program will alert you if it couldn’t detect a SYSKEY. There are three ways you can provide the SYSKEY:
- From a SYSTEM hive of the target system.
- From a known password of the target system.
- From a recovery disk (virtually obsolete).
We will use the SYSTEM registry hive we retrieved earlier, because it’s our best bet to uncover the SYSKEY. So click the Browse button and choose the SYSTEM registry hive. Click OK, and if everything went fine, you should now see the following screen.
This is basically the list of all the user accounts extracted from the files, along with some account information. The most important columns here are the NT and LM (LAN Manager) hashes. The passwords will appear here once they are decoded. Another interesting piece of information here is the length of the password.
If the password you want is shown as being less than 8 characters long, then you are (usually) in luck. It would take between 30 minutes and about 2 hours to decode on a decent system. If it is between 8 and 14 characters, it could take up to 2 days. If it’s anything above 14 characters, then you should stop right here and go for the distributed attack approach. Otherwise you could be waiting a thousand years for the password to decrypt successfully.
If you know any details about the password, then this is the best time to let LCP in on them. By this I mean, if you know something about the length of the password or its complexity, or even if you know a part of it (some characters), then you should configure LCP to take full advantage of that knowledge. This can dramatically reduce the time required to decrypt. I’ll show this with an example:
Suppose that you want to decrypt a hash which would result in “ilovepizza”. The password has 10 UTF-8 characters, and there are a possible 1.54814008760175e+16 combinations of the UTF-8 character set. If each combination takes 1 microsecond to process, then you would need 1.54814008760175e+13 seconds (that’s millions of millions of years) to get that password. Now if you know that you’re not going to need all the UTF-8 characters, and use just the lowercase English alphabet, then the total number of possibilities is reduced to 70607460 combinations and the time required to 70607.460 seconds (under 24 hours).
Of course the above figures are just an assumption and don’t reflect the actual time required. It was just to give you an idea of the importance of making the right settings. A much more evolved race of humans would eventually see the password come out in a galaxy far, far away, but sadly, they won’t know whether pizza was a religious food item or a homosexual homicidal lunatic.
Back to the topic: we are now all set to start the attack. Make sure that Hybrid attack is selected in the main toolbar, and click the blue Play button to start. Your password is now being cracked, and LCP will show you how much time (just an estimate) is left until the full password is unveiled. This is pretty much all you can do with the simple attack. All you have to do now is be patient.
You can pause/resume your progress anytime on any computer. This is probably the best feature in this kind of software, and it forms the basis for the Distributed Attack technique (below).
What if you have 10 computers with similar specs at your disposal? If you took the above password example and split the work evenly across 10 computers, it would be completed in 7060.746 seconds, a little under 2 hours. This sure beats waiting an entire day for a simple (but long) password like that.
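The search-space arithmetic behind the single-machine figures in the “ilovepizza” example and the ten-machine split above, written out as an added example (not code from the original article): it takes an alphabet size, a password length and an assumed guess rate, and reports worst-case exhaustive-search time for one machine and for the keyspace divided evenly across several. The alphabet sizes (26 lowercase letters, 36, 62, and 95 printable ASCII) and the rate of one guess per microsecond are constructed assumptions, so the figures come out differently from the article’s rough ones.

```python
# Added example (not from the original article): brute-force search-space
# arithmetic for the scenario above. Alphabet sizes and the guess rate of
# 1 per microsecond are constructed assumptions for illustration.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabets; 95 printable ASCII stands in for "every character".
CHARSETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ascii": 95,
}


def keyspace(charset_size: int, length: int, up_to: bool = False) -> int:
    """Candidates of exactly `length` characters, or of every length
    1..length when up_to=True (what an attack with unknown length tries)."""
    if up_to:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length


def worst_case_seconds(space: int, guesses_per_sec: float,
                       workers: int = 1) -> float:
    """Wall-clock time to try every candidate when the space is split
    evenly across `workers` equally fast machines (the distributed setup)."""
    return space / guesses_per_sec / workers


def humanize(seconds: float) -> str:
    """Express a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def estimate_table(length: int = 10, guesses_per_sec: float = 1e6,
                   workers: int = 10) -> dict:
    """Per alphabet: (keyspace, seconds on 1 machine, seconds on `workers`)."""
    table = {}
    for name, size in CHARSETS.items():
        space = keyspace(size, length)
        table[name] = (space,
                       worst_case_seconds(space, guesses_per_sec),
                       worst_case_seconds(space, guesses_per_sec, workers))
    return table


if __name__ == "__main__":
    for name, (space, single, spread) in estimate_table().items():
        print(f"{name:18s} {space:>22,d}  1 PC: {humanize(single):>14s}"
              f"  10 PCs: {humanize(spread)}")
```

Under these assumptions the 10-character lowercase case is 26^10 candidates, about 4.5 years on one machine or about 163 days on ten; the split only ever divides the time by the number of machines, while each extra character multiplies it by the alphabet size.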
LCP makes it very easy to distribute your attack load over multiple computers, and you don’t have to connect them physically. They are not required to be on a network. I basically always use the distributed attack to uncover my passwords, and last time 7 computers got the work done in three days (which would have taken up to weeks if I had used just one PC).
To start a distributed attack, follow the steps up to the point where you loaded the registry hives into LCP. From there you just have to configure LCP as you normally would, and then do one extra step to set up the distributed attack. Click File > Distribute Sessions and the distributed attack manager will open.
It will automatically load the basic configuration you set up. Select a naming prefix for your files and the number of distributions you want to create (the number of PCs you are going to use). Click the Distribute button and the distribution files will be generated. Click Save to Folder to save them in a specific folder.
Now run an instance of LCP on each computer, load one of the distribution files there, and simply start the process. Once the attack on each machine finishes, you will see the respective results on each system (one of them will have the password).
This technique can also be used on a single processor if you have a multi-core architecture (best with a Core 2 Quad or Core i7). Simply create as many distributions as you have cores (double that for a Core i7) and run that many instances of LCP on the same computer. Then start your process manager (Task Manager or Process Explorer) and right-click on each instance of LCP. What you want to do here is set the processor affinity of each process to a different core. Each will then work as a separate process on the same system.
No matter which path you take, you will get your password after some time. The process may take long, but it is worth the wait. You can always use the faster (less subtle) alternatives I listed above. If you have any further questions or comments, then you can ask them below (via comments). As stated above, neither I nor anyone else from Sizlopedia, for that matter, will be responsible for any harm/damage this may bring. So use at your own risk.