373. Cracking Windows passwords if you are a Linux user

Cracking windows passwords is no more difficult than any other set of passwords that need to be cracked via brute force/rainbow table lookup -- it's all about getting your hands on the right files to begin with.

Note that Vista and Windows 7 are the same in terms of how the passwords are stored. XP is different. You'll need to appropriate hash tables when cracking using Ophcrack-- you can't use XP hashes to crack Vista/7 and vice versa.

Why?
I actually have a fairly legit reason for this, other than pure curiosity: the professors and lecturers who have Win 7 at this Uni aren't given administrator access, so that they need to make an appointment with IT staff everytime they want to install or upgrade something. In my opinion, that's taking things way, way too far, especially in light of OSX user and Linux users don't face the same restrictions (I requested my computer to be delivered blank, so not even the IT staff can gain access without physically accessing my hdd).

I've also twice been in situations where a lab computer was set up by a PhD student who had since left, but without telling anyone the BIOS password in one case (remove CMOS battery, drain the power by shorting) and NT 4 password in another case (boot using linux, replace the screensaver file with cmd, boot, then wait and you've got admin access). Adding a few more techniques to your arsenal makes you a more well rounded human being. Plus you might gain a bit more respect from the students. Maybe.

---

Windows files that you need

You'll need to copy two files from your Windows harddrive (most likely o C:\). Since you can't access those files from within windows, the easiest way to do that is to make a bootable USB with linux on it, boot, then mount the windows partition and copy the files. It does require that you know how to mount devices from the command line in linux (hint: read up on mount) but it's really quite easy.

See here for how to make a linux usb install:
Arch: http://verahill.blogspot.com.au/2013/02/331-full-linux-install-on-usb-stick.html
Debian: http://verahill.blogspot.com.au/2013/03/361-installing-debian-on-usb-stick-from.html

On Windows Vista and Windows 7 you need to copy
/Windows/System32/config/SAM
/Windows/System32/config/SYSTEM.

On Windows XP you need to copy
/WINDOWS/system32/config/system
/WINDOWS/system32/config/SAM.

---

Generating input
First set up your linux system and install bkhive and samdump2. On Arch you can get these from the AUR (here and here), and on Debian you can install it from the repos by doing
sudo apt-get install bkhive samdump2

Once you have bkhive and samdump, do

bkhive system sys.out
samdump2 SAM sys.out > crack.list

---

Cracking

I prefer John the Ripper, but ophcrack is in the repos.

Ophcrack
Ophcrack is one alternative for which you can download rainbow tables, while John the Ripper can do it via password lists and brute force. You can get Ophcrack from the Debian repos as well as AUR in ARch.

To crack with Ophcrack you'll need tables -- you can get them from here: http://ophcrack.sourceforge.net/tables.php

Start with Xp Free Small or Vista Free, depending on whether you're going after XP or Vista/Windows 7 passwords. If your passwords still won't break, you can always get a bigger table. Put your tables in e.g. /tmp/crack/xp and /tmp/crack/vista

Do (for xp -- point towards /tmp/crack/vista for vista/windows 7)

ophcrack -n 6 -g -t /tmp/crack/xp -f crack.list

where -n 6 means to use 6 threads (use as many as you have cores). You can also launch ophcrack with a graphical user interface by simply typing ophcrack.

John the Ripper
On Arch you can get John the Ripper via the standard repos, and on Debian you can easily compile it.

You should get a good password list to guide your cracking -- rockyou is probably one of the best:

wget http://runamux.net/search/download/file/95wr2RdM/rockyoutxt.bz2
bunzip2 rockyoutxt.bz2

To crack XP passwords, run
john --wordlist=rockyoutxt --format=lm crack.list

To crack Vista or Windows 7 passwords, run
 john --wordlist=rockyoutxt --format=nt crack.list

If you have compiled john the ripper with mpi support, just launch it along the lines of
mpirun -n 6 john --wordlist=rockyoutxt --format=nt crack.list

---

There's no guarantee that you'll successfully crack all passwords -- it simply depends on 1) how common the passwords are or 2) whether they are short enough to brute force. I've used the methods above to crack passwords on a couple of machines (even virtual ones).

If you're really lazy and want a fully automated cracking experience, just use the ophcrack live cd. The downside is that you'll be occupying the machine which holds the windows installation until you're done cracking. With the method here you can crack at your leisure on your own windows machine.

372. Leadtek DTV1000S on Arch linux

While this DVB-T card seems to work fine out of the box on Arch linux (using kaffeine, gnome-dvb-setup, me-tv, w_scan etc.) it is quite unstable --  you often get 'failed to lock channel' errors, and the picture gets corrupted after watching the same channel too long (1 hour). . In contrast, I've been using it for over a year on Debian without issues, so I decided to have a quick look at what I did back in the days to get it working, and realised I'd been a bit lazy setting things up (i.e. I had treated it like PnP).

---

To improve the stabilit of Leadtek DTV 1000S on Arch linux, do the following:

1. Edit /etc/modprobe.d/modprobe.conf

options saa7134 tuner=48 card=175

2. Install the proper firmware driver
If you've noticed errors in dmesg/during boot-up relating to missing tda10048 firmware, install the dvb-fe-tda10048-1.0.fw firmware from AUR

wget https://aur.archlinux.org/packages/dv/dvb-fe-tda10048-1.0.fw/dvb-fe-tda10048-1.0.fw.tar.gz
tar xvf dvb-fe-tda10048-1.0.fw.tar.gz
cd dvb-fe-tda10048-1.0.fw
makepkg -s
sudo pacman -U dvb-fe-tda10048-1.0.fw-1-2-any.pkg.tar.xz

---

371. Hashcat on debian

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/ was just published, which made me want to have a look at hashcat.

Note that Hashcat is closed source. An open source alternative is John the Ripper .

Note also that there's a GPU-enabled version of hashcat, ocl-hashcat.

Why?
Whether you'll ever have a legitimate need for this stuff depends, but apart from the fun of it -- and the feelings of Power that cracking gives you -- being able to crack the odd password does serve as an eye opener to how easy this can be under the right circumstances. And who knows? You might find a justified use for it, especially if you're in academia where old computers and poor discipline abounds, and you are faced with computers that belong to you but were set up without any proper records.

---

Installation

sudo apt-get install p7zip-full
sudo mkdir /opt/hashcat -p
sudo chown $USER /opt/hashcat
cd /opt/hashcat
wget http://hashcat.net/files/hashcat-0.44.7z
wget http://hashcat.net/files/hashcat-gui-0.5.1.7z
wget http://runamux.net/search/download/file/95wr2RdM/rockyoutxt.bz2
7z x hashcat-0.44.7z
7z x hashcat-gui-0.5.1.7z
bunzip2 rockyoutxt.bz2
echo 'export PATH=$PATH:/opt/hashcat/hashcat-0.44:/opt/hashcat/hashcat-gui-0.5.1' >> ~/.bashrc
source ~/.bashrc

---

Test run
Let's generate a file of simple passwords to crack:

echo -n "city" | md5sum > test.list
echo -n "n00b" | md5sum >> test.list
echo -n "123654"| md5sum >> test.list
echo -n "Chicago"| md5sum >> test.list
cat test.list

4ed5d2eaed1a1fadcc41ad1d58ed603e
16e029226d8960b2d7cba16cab5f7044
733d7be2196ff70efaf6913fc8bdcabf
9cfa1e69f507d007a516eb3e9f5074e2

Edit the test.list file to remove all the ' - '. Note that you need to run hashcat-gui in your /opt/hashcat/hashcat-0.44/ folder. Start hashcat-gui:

cd /opt/hashcat/hashcat-0.44/
hashcat-gui64.bin

Once it has finished, you can look at the output

cat test.list.out 

733d7be2196ff70efaf6913fc8bdcabf:123654
9cfa1e69f507d007a516eb3e9f5074e2:Chicago
4ed5d2eaed1a1fadcc41ad1d58ed603e:city

Use the rule set best64 and it cracks all passwords and does it fast:

733d7be2196ff70efaf6913fc8bdcabf:123654
9cfa1e69f507d007a516eb3e9f5074e2:Chicago
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
16e029226d8960b2d7cba16cab5f7044:n00b

My account password wasn't cracked by this though, but all that we can be certain that it means is that it would take someone more than 30 seconds to do so. Maybe 35 seconds, maybe 2 years -- we can't tell.

If you want to compare with John the Ripper you could do e.g.
mpirun -n 6 run/./john test.list --wordlist=rockyoutxt --format=raw-md5

to do list-based cracking and
mpirun -n 6 run/./john test.list--format=raw-md5

for brute-force.

John the Ripper works well for windows passwords as well (might write about that in another post)

---

Linux passwords
To crack actual linux user passwords, you'll need to access /etc/shadow and only root should be able to do that. Looking at /etc/password we have for example

guest:$6$MyySaltt$eZXKl12CRRPZW1O/wKpodIB76f46NNVQ3o2Pyvh3m0QeHaW20WthUCkeLCZSPS6o9lks8g4Ua8v6OqbIXZw4r.:12567:0:88888:3:::

I've made up the string above (using mkpasswd -m sha-512 -S MyySaltt which is salted using MyySaltt. ). Anyway, copy the hash, e.g.

$6$MyySaltt$eZXKl12CRRPZW1O/wKpodIB76f46NNVQ3o2Pyvh3m0QeHaW20WthUCkeLCZSPS6o9lks8g4Ua8v6OqbIXZw4r.

to a file, e.g. nutest.list

Do

man crypt

ID  | Method
              ---------------------------------------------------------
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some

                  | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)

The $6$ means that it's a SHA-512 hashed password.

Now run hashcat:

hashcat-cli64.bin -n 6 -m 1800 nutest.list rockyoutxt -r /opt/hashcat/hashcat-0.44/rules/best64.rule

where 1800 means SHA-512 (do hashcat --help to see what code to use) and 6 is the number of threads (six core CPU). You should be able to easily crack this one...