Saturday, 19 August 2017

Dumping and Cracking SAM Hashes to Extract Plaintext Passwords


Pwdump7 can be used to dump protected files. You can always copy a file that is in use by executing pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat. Ophcrack is a free, open-source (GPL license) program that cracks Windows passwords from LM hashes using rainbow tables.

Lab Scenario

The Security Account Manager (SAM) is a database file present on Windows machines that stores user accounts and security descriptors for users on the local computer. It stores users' passwords in a hashed format (as LM and NTLM hashes). Because a hash function is one-way, this provides some measure of security for the storage of the passwords.

In a system hacking life cycle, attackers generally dump operating system password hashes immediately after compromising a target machine. The password hashes enable attackers to launch a variety of attacks on the system, including password cracking, pass the hash, unauthorized access to other systems using the same password, password analysis, and pattern recognition, in order to crack other passwords in the target environment.

You need administrator access to dump the contents of the SAM file. Assessing password strength is a critical milestone during a security assessment engagement. You will start your password assessment with a simple SAM hash dump and then run it through a hash-cracking tool to uncover the plaintext passwords.

Lab Objective

The objective of this lab is to help people learn how to:

  1. Use the pwdump7 tool to extract password hashes.
  2. Use the Ophcrack tool to crack the hashes and obtain the plaintext passwords.

Overview of the Lab


Pwdump7 can be used to dump protected files. You can always copy a file that is in use by executing the command pwdump7.exe -d c:\lockedfile.dat backup-lockedfile.dat. Rainbow tables for LM hashes of alphanumeric passwords are provided free by the developers. By default, Ophcrack is bundled with tables that allow it to crack passwords no longer than 14 characters using only alphanumeric characters.

Lab Task 01:- Generate Hashes


  • Open the command prompt and navigate to the pwdump7 folder. Alternatively, browse to the pwdump7 folder in Windows Explorer, right-click, and select Open Cmd Here.
  • Now run the command pwdump7.exe and press Enter. This displays all the password hashes, as shown in the screenshot.
  • Now save the hashes to a text file by issuing the command pwdump7.exe > d:\hashes.txt and pressing Enter. This command saves the hashes in the file hashes.txt on the D:\ drive.
  • Now, open the D:\ drive and locate the hashes.txt and double-click to open the 

Lab Task 02:- Install Ophcrack


  • Navigate to the directory where you saved the Ophcrack setup file and double-click ophcrack-win32-installer-3.6.0.exe to install Ophcrack. You can also download Ophcrack from www.Ophcrack.sourceforge.net.
  • The Ophcrack installation window opens. Click Next to install the application.
  • In the Choose Components section, uncheck all the options and click Next.


Lab Task 03:- Crack the Password


  • When the installation completes, open the application from the Apps screen. The Ophcrack main window appears, as shown in the screenshot.



  • Click the Load menu and select PWDUMP file. The Open PWDUMP file window appears. Browse to D:\, select the hashes.txt file that was created with Pwdump7, and click Open.


  • The hashes are loaded into Ophcrack under the NT Hash column. Now click the Table menu. The Table Selection window appears; select Vista free and click Install.

Note:- To install the tables you first need to download them from the internet. You can download the tables from http://Ophcrack.sourceforge.net/tables.php.

  • The "Select the directory which contains the tables" window appears. Browse to the location where the tables have been downloaded or stored, select the folder that contains them, and click Select Folder.
  • tables_vista_free is a set of pre-computed tables for reversing cryptographic hash functions and recovering a plaintext password up to a certain length.
  • The selected tables_vista_free is installed under the name Vista free, which is marked with a green bullet. Select the table and click OK.



  • Click Crack on the menu bar. Ophcrack begins to crack the passwords.
  • The cracked passwords are displayed in plaintext, as in the screenshot below.

Lab Analysis


We analyzed the password hashes gathered during this lab and figured out what the password was.

