A quick and dirty Windows password recovery
Boot the Backtrack CD.
Change dir to your Windows mount point:
# cd /mnt/hda2/WINDOWS/system32/config
Copy the SAM and the system Registry hive to the temp dir:
# cp SAM /tmp
# cp system /tmp
Prepare our wordlist:
# cd /pentest/password/dictionaries/
# gunzip -c wordlist.txt.Z > /tmp/words.txt
# cd /tmp
As the Windows hashes (in the SAM file) are encrypted, we need this key (called bootkey) to decrypt the SAM hashes:
# bkhive system key
Now we can dump the password hashes out of the SAM file:
# samdump2 SAM key > /tmp/hashes.txt
Lets crack those hashes… the easiest way would be, if the password is in the wordlist, we use john for this case:
# john -w=words.txt -f=NT hashes.txt
No luck? Lets use the brute force method:
# john –incremental:all -f=NT hashes.txt
If this takes too long you could use ophcrack. This tool uses rainbow tables and should crack your hashes in a few seconds, but you need to download those rainbow tables (350mb or 700mb or you can generate them yourself) which are not included on the Backtrack cd (for a obvious reason…). Or you can use the oph online cracker, which should be quite fast.
