How To: Crack Windows Passwords From SAM and SYSTEM Files, With Backtrack Installed

21 09 2006

This is the first complex tutorial I have written, so if there are any mistakes, please let me know.

– Here goes nothin.

To start you are going to need a few things:

  • Backtrack installed on your system. So you will have already downloaded the LIVE CD booted it and installed it to your hard drive in a small partition. If you are having troubles with the installation and dual boot go HERE for a tutorial on that.
  • – The rainbow table from shmoogroup. Download here: LanMan – Alpha, Numeric, Symbol14 Character Set 10Gb (They take forever to download and then decompress, but its worth it.) You can DL the file to your windows partition and decompress it there. Use 7zip to decompress the files. In fact that is how I use them in this tutorial, also it just keeps you linux partition smaller. NOTE: these tables are already sorted so you do not need to use rsort.
  • – At least a gig of RAM.
  • – The SAM and SYSTEM files from … someone’s computer (Note it is illegal to crack the passwords in files you don’t own). I reccomend putting them on a thumb drive.
  • – Pateience and Time.

Once you have done/got all of the above you are ready to start cracking:

Boot your backtrack partition. Login as root.
Insert the thumb drive (or cd if you used a cd) with the SAM and SYSTEM files that you legally aquired.
You will need to mount the thumb drive. So go into the KDE version of the “start” button. You will find it all the way in the lower left hand corner or the taskbar…its blue. Click it.
In the muen that pops up, select “System” then “info center”.
You will get a window that shows you all of the components on your machine. Select “storage devices icon. Your thumb drive will appear as an unmounted “SDB” “removable storage” drive. The path will look something like this “/mnt/sdb1”.
Select that drive and right click, in the context menu select “Mount Drive”.
Now you can access the files on the thumb drive. Close the window you just opened.
Its time to copy the “sam” and the “system” files to the temp directory:
Click the little screen icon, in the lower left hand corner of the desktop’s taskbar, to open up a BASH command shell (its a window that looks somewhat similar to the Windows “Command Prompt” window).
Type in this command:

cd /mnt/sdb_removable

The shell should now show this as the directory “slax sdb1_removable #”
Now type these commands:

cp SAM /tmp
cp system /tmp

Keep this BASH shell open.
Note: You have just copied the “sam” and the “system” files to your tmp directory.
Now you need to get the BASH shell back into the root partition (or, more technically, running from/in the root partition).
Use/type this command:

cd root

Now you are running your BASH commands from the root directory.

The Windows hashes are in the SAM file, and they are encrypted. You need a bootkey to decrypt the SAM hashes. You can get the bootkey from the “system” file you harvested. Here’s how:
In the same BASH shell, run this command:

bkhive system key

The boot key will now appear in the BASH shell.
Now you can dump the password hashes out of the SAM file with samdump2:
Still in the same BASH shell, type this command:

samdump2 SAM key > /tmp/hashes.txt

This command just created a file called “hashes.txt” in your “tmp” directory.
Now its time to use those rainbowtables that you downloaded and decompressed.

Note: You need to know where you have them on your machine (ie you need to know the file path in linux).

To do this go back to the “info center” and right click on one of the devices that is NOT your linux partition (it will be an NTFS formated drive with alot of disc space used).
After the “right-click”, select “open in file browser” from the context menu.
If you are in the wrong device close the window that pops up and select a different device. Keep doing this until you find the device that has all the rainbowtables that you have in your Windows “C:\” directory, or wherever you have them stored.
Now find where you kept the rainbow tables. Note that in the search bar there will be a file path (much like in windows file explorer … only different).
Keep this window open.
Now, go back to (select) the BASH shell that you already have open and run this command.

rcrack mnt/sda5/rainbowtables/*.rt -f /tmp/hashes.txt

NOTE: Replace the “mnt/sda6/file/rainbowtables/” part, with the file path in the window that you have kept open with all you rainbowtables in it. Also Note: the asterisk in the command is a “wild card” that will allow rainbowcrack to use ALL of the rainbow tables in that directory.
If you have questions about the “rcrack” command, just type “rcrack” into the BASH shell, and it will show you all the ways to use the command.
The shell will start to run rcrack. Because the tables are so HUGE and numerous it takes a little bit, like 10-20 minutes (remember these tables cover several symbols as well as all the alpha numeric characters)
When it finishes, the bash command will display which paswords were found.Best of luck.

Credits go to Rcrack Tutorial by Zhu Shuanglei Tutorial for backtrack + John The Ripper



12 responses

10 10 2008
Cracking WindowsXP local user password with Backtrack 3 « IT DIY

[…] How To: Crack Windows Passwords From SAM and SYSTEM Files, With Backtrack¬†Installed […]

19 10 2008
john smith

yah… pretty boring…

15 02 2010

i wana make an iso from sam file

25 01 2013
parth mistry

can u give me ur iso??

15 02 2010

i wana make iso image from sam file

regards Salim

16 03 2010

Some days ago, i just got a windows password recovery tool which can bypass windows password easily,and it can be burnt onto a cd as recovery disk.If you need,then get it.

11 02 2011

SMARTKEY Password Recovery Bundle is a must-have toolkit to recover/remove/reset passwords for Windows, Excel, Word, Access, PowerPoint, Outlook, Outlook Express, PDF, RAR/WinRAR, ZIP/WinZIP, MSN, AOL, Google Talk, Paltalk, Trillian, Miranda, Opera, Firefox and IE Browser, etc. Over 21 types of passwords can be Recovered instantly. Until now, these password recovery tools are the fastest on the market, the easiest to use and the least expensive.

8 05 2011

You can simply use a <a href=""GPU for password cracking. As most of the people still use simple passwords, you can crack it within a few minutes.

8 05 2011

You can simply use a GPU for password cracking. As most of the people still use simple passwords, you can crack it within a few minutes.

28 10 2011

How I Crack windows Password.

My email-id=

20 06 2012

Last month , I lost my windows vista administrator password. I solved my problem with the help of Reset Windows Password utility – It not only supports Windows Vista , I have personally tested it with Windows 7 . It worked perfectly to reset any local user account to a blank password. Just an easy to use bootable CD/DVD . It can also be used on a USB Flash Drive.

16 09 2014

First, Pinterest users should have more creative options to customize the home page.
This tool (once called Pin – Clout) is very similar to Facebook Insights.
With Pinterest, you can pin a picture of your customers and include a blurb of the case study or testimonial.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: