The purpose of this post is to show you, step by step, how to break into a Windows XP machine for which you do not have a valid username and password.
There are two intended audiences for this article.
The first are people who, for legitimate reasons, have lost or forgotten their username and password and therefore cannot log into their own machine.
The other audience are those interested in computer security.
For this latter audience this article is intended to demonstrate the vital importance of physical security. That is, to show that with physical access, an intruder can break into a Windows XP machine even if that machine is configured to require a username and password to log on.
There are two basic approaches to gaining access to the target machine. The first is to find and decrypt the existing account names and passwords on the system. The second is to actually overwrite the administrator password (usually with a blank one). The second approach is more useful if you have corrupted your system somehow so that the administrator password doesn't work any more. Utilizing the second method carries with it a chance that you could destroy your password hashes (meaning no account will be able to access the machine). This fact, combined with the fact that changing the administrator password is quickly noticeable, renders this second approach a last-ditch effort for most cases.
Because Windows XP passwords are encrypted in a unique fashion, many password crackers utilize rainbow tables to decrypt them. A rainbow table is a huge list of hashes produced by encrypting passwords. XP passwords are stored encrypted, so your password is actually stored as an encrypted string (a hash). A rainbow table is basically a huge index of encrypted passwords and their unencrypted versions. By taking an encrypted password and comparing it to these tables you can quickly look up what the unencrypted version of the password actually is. This attack method is successful mainly because creating the rainbow tables is time consuming, but looking up an encrypted password is not. Thus, an attacker can create the tables beforehand, taking as much time as they want, and then crack passwords quickly with the lookup. Of course, the larger the range of options (letters, numbers, symbols, etc.) the larger the table.
Ophcrack is a quick and dirty cracking tool for recovering Windows passwords. The program itself uses rainbow tables to recover passwords for accounts on a Windows machine. The easiest way to use Ophcrack is actually to download and burn the bootable ISO image. This is sort of like a Knoppix distribution (a bootable Linux CD) that automatically fires up Ophcrack and begins work on the Windows passwords it finds on the host system. Depending on your system setup Ophcrack can save you a lot of time. I found Ophcrack discovered the administrator password on my XP Pro laptop in less than a minute after the boot process completed. Some accounts may take much more time to crack than others. However, if you need access to a machine and you're willing to wait around while Ophcrack does its work then this might be your best bet. I should also note that Ophcrack is not 100 percent reliable. Although it cracked the administrator account on my machine quite quickly, it didn't successfully crack the password for one of the user accounts that utilizes special characters. This is a weakness in the included tables, however, not in Ophcrack itself. Because the live CD only includes alphanumeric rainbow tables it won't be able to crack accounts that have special characters in their passwords.
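To make concrete why the precompute-once, look-up-many trick described above works, and why the live CD's alphanumeric tables missed the account whose password contained special characters, here is a small Python model of the idea. It is an added example, not code from the original post or from Ophcrack: SHA-256 over a constructed three-character password space stands in for the unsalted LM/NT hashes XP actually stores (real rainbow tables also compress the table with hash/reduce chains, which this plain lookup-table model omits), and it goes one step beyond the post by showing that a per-user salt, which those XP hashes lack, makes the same table useless. The character set, the sample passwords and the salt are all constructed for the demonstration.

```python
"""Toy model of precomputed password-hash lookup tables.

Added example, not code from the original post or from Ophcrack. SHA-256
stands in for XP's unsalted hashes; the charset, passwords and salt below
are constructed for the demonstration.
"""
import hashlib
import itertools
import os
import string
from typing import Dict, Optional

# The "alphanumeric only" character set the post says the live CD's tables cover.
ALPHANUMERIC = string.ascii_lowercase + string.digits


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted one-way password hash (not XP's real LM/NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def table_size(charset_size: int, max_len: int) -> int:
    """Number of entries a full table needs: every length from 1 to max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def build_table(charset: str, max_len: int) -> Dict[str, str]:
    """The slow, one-time step: hash every candidate and index hash -> password.

    Cost is table_size(len(charset), max_len) hash computations, which is why
    widening the charset (symbols, upper case) makes the table balloon.
    """
    table: Dict[str, str] = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            table[unsalted_hash(candidate)] = candidate
    return table


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """The fast step: recovering a password is one dictionary lookup."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """A per-user salt (which XP's hashes lack) makes the precomputed table useless."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def demo() -> Dict[str, Optional[str]]:
    """Reproduce the post's observation with constructed stored hashes."""
    table = build_table(ALPHANUMERIC, 3)  # 47,988 entries, built once
    results: Dict[str, Optional[str]] = {
        # Password within the table's charset: recovered instantly.
        "admin_alnum": lookup(table, unsalted_hash("ab1")),
        # Password with a special character: never hashed into the table, so no hit.
        "user_special": lookup(table, unsalted_hash("a!1")),
    }
    # Same short password, but hashed with a random per-user salt: no hit either.
    results["salted"] = lookup(table, salted_hash("ab1", os.urandom(8)))
    return results


if __name__ == "__main__":
    print(f"alphanumeric table, length <= 3: {table_size(len(ALPHANUMERIC), 3)} entries")
    for account, recovered in demo().items():
        print(f"{account}: {recovered!r}")
```

Running demo() recovers 'ab1' for the alphanumeric account, returns None for the account whose password contains '!' (the table was never built over that character, exactly the limitation the post hit with the live CD's tables), and returns None for the salted hash even though the password is identical. table_size() shows the cost curve the post mentions: 36 alphanumerics up to length 3 is already 47,988 hashes, and every extra symbol in the charset multiplies that.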
Resetting the administrator password is a little more complex, but relies on the same sort of tools. The first thing you'll need is another Linux boot CD, specifically Knoppix-STD. This is a single, security-oriented boot CD packed with useful tools for diagnostics, testing, and security-related purposes. What you'll have to do is boot off the Knoppix CD, mount the Windows drives, then use command line utilities to reset account passwords.
The reason this process isn't so straightforward is that the Windows passwords are encrypted using information stored in the SYSTEM file, and the hashes themselves are stored in a SAM file. The password hashes are created using registry data, which is stored in several 'hives.' Once all these pieces are located you can monkey with the user accounts fairly easily.
The program you need to use in Knoppix-STD is chntpw. This is a command line utility, so you'll have to open a terminal window to begin. Once the terminal is open you're going to want to mount the Windows filesystem.
To figure out which is the Windows filesystem, issue the command:
cat /etc/fstab
Look for the entry that reads ntfs after the drive readings. This is the Windows XP drive. Next you'll want to actually mount the filesystem using:
mount -o rw /dev/hda1 /mnt/windows
This assumes that '/dev/hda1' is the drive on which Windows is installed.
The '/mnt/windows' part is arbitrary: you could use any name you wanted instead of 'windows' (the /mnt part, however, is a specific directory).
Next you'll want to navigate to the directory where the password files are located using:
cd /mnt/windows/WINDOWS/system32/config
This is the directory on Windows where the SAM and system files are located (usually C:\WINDOWS\system32\config).
Now that you're in the proper directory you can change the administrator password using:
chntpw -u administrator SAM system SECURITY
At the prompt that asks whether you wish to disable SYSKEY, select no; at the prompt to enter a new password, simply hit return to set a blank password (this is the safest option). Make sure to confirm the change and write the hive files when prompted.
This will reset the administrator password to a blank password so you can reboot and log in as the administrator.
Another option is to use Offline NT Password and Registry Editor, which is another bootable Linux distribution with all the tools you'll need to reset your passwords. This set of tools actually utilizes the same chntpw program and other utilities as Knoppix-STD, but you may have more success with one tool or the other. For instance, some people report having trouble booting their machine using the Knoppix-STD CD. The nice thing about this utility is that it's pretty straightforward. You simply boot off the CD and answer the questions as they're asked; there aren't any extraneous utilities or options on the disk.
Assuming you actually have access to the machine through another legitimate account, cracking the passwords for other system accounts becomes much easier, with programs like SAMInside, John the Ripper, PWDump and MD5Crack.
Of course, using one of the above methods you could reset or discover the password to a legitimate account, then use that information to log in and utilize these programs.
Using cracking tools from the machine itself presents some advantage, but also some challenge. Anti-virus or other security protections loaded on the machine might thwart attempts to load such software or crack the password, and without access to the administrator account it might be impossible to disable these safeguards.
IF YOU NEED ANY TOOLS/SOFTWARE (THAT ARE NAMED IN THIS POST), THEN MAIL ME or LEAVE A COMMENT & I'LL SEND IT TO YOU...