Thursday, September 09, 2004

Recover SAM file for XP password success

After much toying with various flavors of Linux I have finally done what I set out to do. This was not as easy as I was told it was going to be and really, no one seems interested in helping you recover and crack XP/NT passwords. All but two of the tools I'm using are freely available, but I'm told it can be done with free tools only.

Tools required for my efforts:
  1. A target machine. This computer is running an NT based OS like Windows NT, XP, 2000, Server 2003 and I don't know if Windows ME works this way but... if it has Windows ME on it, chances are the user is too stupid to use a password. The local machine passwords are encrypted into hashes stored in a file called SAM (System Access Manager or some such bullshit... who cares?). The SAM file is protected by Windows and you will not be able to access or copy the file while windows is running. So we need to find a way to access the files of a windows system without running windows, so the SAM file is not protected, and we can see the hash values stored in it.
  2. Knoppix Live Linux (info in English), a "live distro" of the Linux operating system. Live means that it has been designed to boot from a CD, no installing or configuring, and that is what I wanted. I used version 3.6 (8-16-2004). I don't know anything but the absolute basic functions of Linux and despite a lot of reading I don't hold much hope of ever figuring this shit out. Knoppix auto-detects hardware, and does it very well. Good enough that you should be able to get it to see the hardware on the target.
  3. USB thumb drive. In this case I am using a 512MB SanDisk Cruzer Mini. Major overkill in capacity, but I didn't buy the thing for this task; it's quite useful for doing other things too. I suppose you could use a floppy but I haven't tried, and I further suppose that you could have a server out on the net to upload things to, but that assumes you have a network connection or are able to establish one from Linux on the target machine. I'd rather not attempt it. I will however say that my target had a cable connection and Knoppix saw it and let me get on the net, no problem. As you know, USB drives aren't free and so that is the first of the not-free items.
  4. LC5 (L0pht Crack) is the tool I am using to crack the passwords from the recovered SAM file. This program is not free but does have a free trial which is crippled and time limited.
  5. Although not required, it is desirable to have a separate Windows machine to run LC5 on. You can, provided you have an accessible account, install LC5 on the target machine and crack the recovered SAM file. Please note however that not even the venerable L0pht Crack will be able to access the SAM while Windows is running, so you will still have to recover it with Linux.

The most challenging part of this project was getting a copy of the SAM file. I know the Linux nerds are all busting a gut over this one. It was not easy. I wasn't able to find a single website that had instructions on how to do this. Well, I take that back... a great many websites have information on this subject. None of those websites tell you much beyond the theory; at best they explain the arguments for some of the commands and, where possible, the caveats you might encounter.

Guess what? That shit doesn't help anyone but fucking Linux nerds. I don't know what Grub is and I don't give a shit. I don't know why linux doesn't access NTFS volumes without some modification and really, I could give a shit HOW you change that... I just want it changed. So here comes Knoppix. Support for NTFS, and that's not even the best part. It mounts the volumes for you, and puts up a nice little desktop icon for all the drives. That's right... DESKTOP! Knoppix comes with KDE, which is a GUI like windows. So with KDE you get "windows" style navigation and the familiar look/feel of a GUI is pulled off very well. It also has USB support and mounts the USB drive for you, with desktop icon.

Here's what to do to recover the SAM:
  • Burn Knoppix onto a CD from the ISO you downloaded, pack it up along with your thumb drive and gain physical access to the target system.
  • Plug the USB thumb drive into the target system.
  • Start the target system and get into the BIOS setup utility to make sure the system will boot from the CD-ROM drive first.
  • Boot the system with the Knoppix CD in the drive and it should boot into the Knoppix bootloader; just type knoppix at the boot: prompt.
  • Be patient, this may take some time, produce screen flickers and pops and such from the speakers. Hardware detection, ya know?
  • Once you get to the KDE desktop you need to open up the hard disk that's labeled hda1 and navigate to windows/System32/Config/ where you will find a file named SAM, with no extension. This is the one we want. Right click on it and choose copy.
  • Close the window for hda1 and right click on the icon for sda1, the thumb drive. Choose toggle read/writable. KDE will ask if you're sure you want to do this, you do want to make the drive writable.
  • Open the drive labeled sda1, right click and choose paste.
  • Click that K icon where the start menu should be and choose log out, then choose end session.
  • Knoppix does its thing, ejects the CD, you take it and close the drive, hit enter... go home.

You now have the SAM file from the target machine on your thumb drive and using LC5 you can crack the passwords of the accounts on that system. Cool, huh?