Saturday, June 1, 2013

Crack Admin Passes via John the Ripper! 

There's a lot of tutorials on how to gain remote access to a system, but what if you get a guest account or a regular user account? nothing can really be done then until you gain the administrator password. This tutorial is going to teach you how to take guest access (remote or physical) and use it to crack the administrator password for the machine.

I. Cracking Windows passwords with physical access:

So if you're taking the physical approach (sitting at the target machine using a live boot backtrack distribution) the first thing you need to do after booting up into the gui is to mount the target windows partition. To list the partitions available do this:

Code:
fdisk -l

Now that you have a list you need to figure out which one is the windows partition, for most users this is going to be "/dev/sda1" so to mount that do this:

Code:
mount /dev/sda1/ /root/

The next thing is to find the SAM (security account manager) file. This is located in the WINDOWS/system32/config folder for windows 2000 and later. The SAM file is actually locked while the OS is running, with the physical approach we will be bypassing this by using live bootable backtrack, the OS never starts, therefore the SAM doesn't lock. You can try to check the file but the whole thing is encrypted. first we'll navigate to the correct folder, then we'll use bkhive to load the bootkey to a text file, then we'll use that file to dump the SAM file into a text file of just user names and password hashes

Code:
cd /WINDOWS/system32/config/
bkhive system bootkey.txt
samdump2 SAM bootkey.txt > samdump.txt

Now we have our samdump.txt file that has all of the targets password hashes and usernames, so we need to crack them. For the purpose of this tutorial we'll be using John the Ripper but there are many other password cracking tools out there.

Code:
cd /pentest/passwords/john/
./john /root/WINDOWS/system32/config/samdump.txt

Now john the ripper will crack the hashes and give them to you in plain text! Now all that's left is to shutdown the computer, start back up in windows, and try your newly found passwords!

II. Cracking Windows Passwords With Remote Access:

We'll pick up here from getting a meterpreter session on a windows machine. This is a lot easier than the physical process. First we need to load Sam Juicer, then we'll just pull the hashed passwords, then we'll save them to a text file and import the file into john the ripper.

Code:
meterpreter > use -m Sam
meterpreter > hashdump
[after this command you'll get a dump of all of the hashes, copy and paste them into a text file, mine will be hash.txt]
cd /pentest/passwords/john
./john /root/hash.txt

That's it, all there is to it.

III. Cracking Linux Passwords With Physical Access:

Instead of the "SAM" file linux uses the "Shadow" file which is at /etc/shadow. Before you can crack /etc/shadow with john the ripper, it has to be used with etc/passwd, like how we had to use the bootkey to export the hashes from windows. In order to do this we have to unshadow. After we unshadow we will have a file of unencrypted yet still hashed passwords, then we'll take that in to john the ripper and crack. To do this:
Code:
./unshadow /etc/passwd /etc/shadow > /tmp/linux_hashes.txt
./john /tmp/linux_hashes.txt

Once this is done, all of the linux accounts will be cracked!

Enjoy! :)

No comments:

Post a Comment