Cracking the local password of Windows Vista Beta 2


People often run into the problem of cracking local Windows 2000/XP passwords, but there is very little information available on it. Over the years I have done some work in this area; to get the most out of this article, refer to the text and video material at these links.

Text:

http://www.irongeek.com/i.php?page=security/localsamcrack

http://www.irongeek.com/I.php?page=security/localsamcrack2

Video:

http://www.irongeek.com/i.php?page=videos/samdump2auditor

http://www.irongeek.com/i.php?page=videos/LocalPasswordCracking

When Windows Vista Beta 2 came out, I wanted to see whether the old tools for cracking local account passwords still worked. Microsoft appears to have changed the SAM hive format and the SYSKEY handling in Vista, so the methods used on NT 4/2000/XP no longer apply. I soon found that most existing tools fail, for example Ophcrack 2.3, Cain 2.9, SAMInside 2.5.7.0 and Pwdump3. A higher security bar is certainly welcome, but cracking local passwords is always fun and sometimes useful. When I tried to crack the local password from copies of the SAM and SYSTEM hives (the SYSTEM hive is where the SYSKEY boot key lives), I got the following error messages:

Ophcrack:

"Error: no valid hash was found in this file"

Cain:

"Couldn't find lsa subkey in the hive file."

Tools such as Sala's Password Renew can change a Vista password or create a new administrator account from a Bart's PE boot CD, but sometimes you need to know the current administrator password. There are three reasons to recover the current password rather than reset it to a new one:

1. The attacker does not want to be noticed by the system administrator. If the administrator finds that the original password no longer works, they will become suspicious.

2. The same password may be in use on other systems on the network. An attacker who cracks one machine's administrator password can try it against other machines on the LAN.

3. To access data encrypted with Windows EFS (Encrypting File System). Resetting an account's password can leave that data unrecoverable, because the user's EFS key is protected with the old password, although I suspect Sala's tool avoids this because it changes the local password through a Windows service.

Another thing to note is that Vista Beta 2 does not store LM hashes by default, so all you can get is the NT (NTLM) hash, which is much harder to crack than the LM hash: it is case-sensitive and is not split into two independent 7-character halves. There is also Vista's new BitLocker feature. If BitLocker is enabled, none of the methods described in this article will help; we will come back to that later.

At first I thought I would have to work out how to crack Vista passwords myself, and I hoped it would not be too hard. After some searching, though, I found that with the right tool the local password can still be cracked. ElcomSoft has added support for Vista's SAM and SYSTEM hives to its "Proactive Password Auditor 1.61" (PPA). Unfortunately PPA is a commercial application, but a 60-day trial is offered. Now that ElcomSoft has worked out how to do it, I expect free tools like Cain and Ophcrack will follow in the near future. Below are the specific steps for cracking a local Windows Vista Beta 2 password with PPA.

You need a boot CD with an NTFS driver that can read the drive Vista is installed on; I have done this successfully with Knoppix (http://www.knoppix.org/) and PE Builder (http://www.nu2.nu/pebuilder/). The first step is to boot from the CD-ROM drive and copy the SAM and SYSTEM files out of the C:\WINDOWS\system32\config directory (depending on the build, backup copies of the hives may also be under C:\WINDOWS\system32\config\RegBack; also note that Windows may not be installed on the C drive, in which case replace C with the correct drive letter).

This article comes from the computer software and hardware application network www.45it.com
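Before handing the copied files to a cracker it is worth confirming that what you copied are complete registry hives and not, say, a truncated file or the wrong path. The following is an added example, not part of the original article or of any of the tools it mentions: a small Python checker that looks at the hive base block (the 4-byte "regf" signature and the primary/secondary sequence numbers at offsets 4 and 8, which match when the hive was cleanly flushed). The demo writes two constructed fake hive headers into a temporary directory so it runs offline; in practice you would point check_hives() at the directory holding your copied SAM and SYSTEM.

```python
"""Sanity-check SAM/SYSTEM hive copies before cracking (added example)."""
import os
import struct
import tempfile

HIVE_NAMES = ("SAM", "SYSTEM")
BASE_BLOCK_SIZE = 4096  # a hive file starts with a 4 KiB base block


def check_hive(path):
    """Return a list of problems with one hive file (empty list means it looks usable)."""
    problems = []
    if not os.path.isfile(path):
        return [f"{path}: missing"]
    size = os.path.getsize(path)
    if size < BASE_BLOCK_SIZE:
        # anything shorter than the base block cannot be a hive at all
        return [f"{path}: only {size} bytes, copy is truncated"]
    with open(path, "rb") as fh:
        header = fh.read(12)
    # base block layout: "regf" signature, then primary and secondary sequence numbers
    signature, primary_seq, secondary_seq = struct.unpack("<4sII", header)
    if signature != b"regf":
        problems.append(f"{path}: bad signature {signature!r}, not a registry hive")
    elif primary_seq != secondary_seq:
        problems.append(f"{path}: sequence numbers differ, hive was not cleanly flushed")
    return problems


def check_hives(config_dir):
    """Check every hive we need, keyed by hive name."""
    return {name: check_hive(os.path.join(config_dir, name)) for name in HIVE_NAMES}


def demo():
    """Constructed data: one well-formed base block and one file that is not a hive."""
    tmp = tempfile.mkdtemp()
    good = b"regf" + struct.pack("<II", 7, 7) + b"\x00" * (BASE_BLOCK_SIZE - 12)
    bad = b"MZ\x90\x00" + b"\x00" * (BASE_BLOCK_SIZE - 4)  # looks like an EXE, not a hive
    with open(os.path.join(tmp, "SAM"), "wb") as fh:
        fh.write(good)
    with open(os.path.join(tmp, "SYSTEM"), "wb") as fh:
        fh.write(bad)
    return check_hives(tmp)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A hive whose sequence numbers differ was copied from a system that was hibernated or not shut down cleanly; the cracker may still parse it, but the account data can be stale, so boot Windows once and shut it down properly before copying again.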


Next, open PPA and follow these steps:

1. In the hashes section, mark the radio button labeled "Registry files (SAM, SYSTEM)" and click "Dump".

2. In the dialog that opens, select the SYSTEM and SAM files you copied and click the "Dump" button.

3. During the dump, PPA automatically runs a quick brute-force attack, so your password may already be cracked at this step. If not, choose an attack type and set the hash type to NTLM, since there are no LM hashes to work with. I chose a dictionary attack and clicked the "Dictionary list..." button to load a wordlist.

4. Make sure the account you want to crack is selected.

5. Now choose "Recovery -> Start recovery" from the menu and wait for the results.

If the password is simple enough, you should now have the cracked password for whatever you need it for. Bear in mind, though, that there is no guarantee every password will be cracked. If the password is not in your dictionary, you will have to fall back to a brute-force attack.
