How To: Crack Windows Passwords From SAM and SYSTEM Files, With Backtrack Installed

21 09 2006

This is the first complex tutorial I have written, so if there are any mistakes, please let me know.

– Here goes nothin.

To start you are going to need a few things:

  • Backtrack installed on your system. So you will have already downloaded the LIVE CD, booted it, and installed it to your hard drive in a small partition. If you are having trouble with the installation and dual boot, go HERE for a tutorial on that.
  • The rainbow table from shmoogroup. Download here: LanMan – Alpha, Numeric, Symbol14 Character Set 10Gb (They take forever to download and then decompress, but it’s worth it.) You can DL the file to your Windows partition and decompress it there. Use 7zip to decompress the files. In fact that is how I use them in this tutorial; it also keeps your Linux partition smaller. NOTE: these tables are already sorted so you do not need to use rsort.
  • At least a gig of RAM.
  • The SAM and SYSTEM files from … someone’s computer (Note: it is illegal to crack the passwords in files you don’t own). I recommend putting them on a thumb drive.
  • Patience and time.

Once you have done/got all of the above you are ready to start cracking:

Boot your backtrack partition. Login as root.
Insert the thumb drive (or CD if you used a CD) with the SAM and SYSTEM files that you legally acquired.
You will need to mount the thumb drive. So go into the KDE version of the “start” button. You will find it all the way in the lower left hand corner of the taskbar … it’s blue. Click it.
In the menu that pops up, select “System” then “info center”.
You will get a window that shows you all of the components on your machine. Select the “storage devices” icon. Your thumb drive will appear as an unmounted “SDB” “removable storage” drive. The path will look something like this “/mnt/sdb1”.
Select that drive and right click; in the context menu select “Mount Drive”.
Now you can access the files on the thumb drive. Close the window you just opened.
It’s time to copy the “sam” and the “system” files to the temp directory:
Click the little screen icon, in the lower left hand corner of the desktop’s taskbar, to open up a BASH command shell (it’s a window that looks somewhat similar to the Windows “Command Prompt” window).
Type in this command:

cd /mnt/sdb1_removable

The shell should now show this as the directory “slax sdb1_removable #”
Now type these commands:

cp SAM /tmp
cp system /tmp

Keep this BASH shell open.
Note: You have just copied the “sam” and the “system” files to your tmp directory.
Now you need to get the BASH shell back into the root partition (or, more technically, running from/in the root partition).
Use/type this command:

cd /root

Now you are running your BASH commands from the root directory.

The Windows hashes are in the SAM file, and they are encrypted. You need a bootkey to decrypt the SAM hashes. You can get the bootkey from the “system” file you harvested. Here’s how:
In the same BASH shell, run this command:

bkhive /tmp/system key

The boot key will now appear in the BASH shell.
Now you can dump the password hashes out of the SAM file with samdump2:
Still in the same BASH shell, type this command:

samdump2 /tmp/SAM key > /tmp/hashes.txt

This command just created a file called “hashes.txt” in your “tmp” directory.
Now it’s time to use those rainbow tables that you downloaded and decompressed.

Note: You need to know where you have them on your machine (i.e. you need to know the file path in Linux).

To do this go back to the “info center” and right click on one of the devices that is NOT your Linux partition (it will be an NTFS formatted drive with a lot of disc space used).
After the “right-click”, select “open in file browser” from the context menu.
If you are in the wrong device close the window that pops up and select a different device. Keep doing this until you find the device that has all the rainbowtables that you have in your Windows “C:\” directory, or wherever you have them stored.
Now find where you kept the rainbow tables. Note that in the search bar there will be a file path (much like in windows file explorer … only different).
Keep this window open.
Now, go back to (select) the BASH shell that you already have open and run this command.

rcrack /mnt/sda5/rainbowtables/*.rt -f /tmp/hashes.txt

NOTE: Replace the “/mnt/sda5/rainbowtables/” part with the file path in the window that you have kept open with all your rainbow tables in it. Also note: the asterisk in the command is a “wild card” that will allow rainbowcrack to use ALL of the rainbow tables in that directory.
If you have questions about the “rcrack” command, just type “rcrack” into the BASH shell, and it will show you all the ways to use the command.
The shell will start to run rcrack. Because the tables are so HUGE and numerous it takes a little bit, like 10-20 minutes (remember these tables cover several symbols as well as all the alphanumeric characters).
When it finishes, the BASH shell will display which passwords were found. Best of luck.
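
For the defensive side of the samdump2 step above, this added example (not part of the original tutorial) audits a dump in the `user:rid:lmhash:nthash:::` format, such as /tmp/hashes.txt, and reports which accounts still have an LM hash stored, since that is what the LanMan rainbow tables work against. The function names, status labels and sample records are constructed for illustration; the two constants are the well-known LM and NT hashes of an empty password.

```shell
#!/bin/sh
# Added example: audit a pwdump-format dump for accounts exposed to LM rainbow tables.
# It prints "user STATUS" per account and never echoes the hashes themselves.

EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string (no LM hash stored)
EMPTY_NT="31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# audit_hashes FILE   (FILE may be "-" to read standard input)
audit_hashes() {
    awk -F: -v empty_lm="$EMPTY_LM" -v empty_nt="$EMPTY_NT" '
        NF < 4 { next }                       # not a user:rid:lm:nt record
        {
            user = $1; lm = tolower($3); nt = tolower($4)
            if (nt == empty_nt || nt ~ /^no password/)
                status = "BLANK_PASSWORD"     # account has no password at all
            else if (lm == empty_lm || lm ~ /^no password/)
                status = "NO_LM"              # only the NT hash is stored
            else if (substr(lm, 17) == substr(empty_lm, 1, 16))
                status = "LM_STORED_SHORT"    # empty second LM half: 7 characters or fewer
            else
                status = "LM_STORED"          # full LM hash present
            printf "%s %s\n", user, status
        }
    ' "$1"
}

# Constructed sample records (hash values are made up, not from a real system).
sample_dump() {
    cat <<'EOF'
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:89abcdef01234567aad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
EOF
}

# With no argument, run on the sample; otherwise audit the given file.
if [ $# -eq 0 ]; then
    sample_dump | audit_hashes -
else
    audit_hashes "$1"
fi
```

Accounts reported as LM_STORED or LM_STORED_SHORT are the ones to remediate: enable the NoLMHash policy so Windows stops storing LM hashes, then change those passwords so the existing LM hash is replaced.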

Credits go to
http://www.antsight.com Rcrack Tutorial by Zhu Shuanglei
http://www.neophob.com Tutorial for backtrack + John The Ripper


12 responses

19 10 2008
john smith

yah… pretty boring…

15 02 2010
salim

i wana make an iso from sam file

25 01 2013
parth mistry

can u give me ur iso??

15 02 2010
salim

i wana make iso image from sam file

regards Salim

16 03 2010
killytu

Some days ago, I just got a windows password recovery tool http://www.anypasswordrecovery.com/ which can bypass windows password easily, and it can be burnt onto a cd as recovery disk. If you need, then get it.

11 02 2011
tokiloyojoi

SMARTKEY Password Recovery Bundle is a must-have toolkit to recover/remove/reset passwords for Windows, Excel, Word, Access, PowerPoint, Outlook, Outlook Express, PDF, RAR/WinRAR, ZIP/WinZIP, MSN, AOL, Google Talk, Paltalk, Trillian, Miranda, Opera, Firefox and IE Browser, etc. Over 21 types of passwords can be Recovered instantly. Until now, these password recovery tools are the fastest on the market, the easiest to use and the least expensive.
http://www.google.com/search?q=SMARTKEY+Password+Recovery+Bundle&btnG=Search&hl=en&source=hp&gs_rfai=&cad=&cad=&aq=f&aqi=&aql=&oq=

8 05 2011
Vijay

You can simply use a GPU for password cracking (http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/). As most of the people still use simple passwords, you can crack it within a few minutes.

28 10 2011
Amar

How I Crack windows Password.

My email-id= amar.sodhi143@gmail.com

20 06 2012
Dave

Last month, I lost my windows vista administrator password. I solved my problem with the help of Reset Windows Password utility – http://www.top-password.com/reset-windows-password.html. It not only supports Windows Vista, I have personally tested it with Windows 7. It worked perfectly to reset any local user account to a blank password. Just an easy to use bootable CD/DVD. It can also be used on a USB Flash Drive.
