(Password Cracking: Lesson 2)

{ Using Kali, bkhive, samdump2, and John to crack the SAM Database  }

1. What is the SAM Database?
   • The SAM database is the Security Accounts Manager database, used by Windows that manages user accounts and other things. It is implemented as a registry file that is locked for exclusive use while the OS is running.
   
   
2. What is Kali?
   • Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.
   • Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards, which contains for the following features:
     • More than 300 penetration testing tools
     • Vast wireless device support
     • Custom kernel patched for injection
     • Secure development environment
     
     
3. What is bkhive?
   • bkhive dumps the syskey bootkey from Windows NT/2K/XP/Vista system hive.
   
   
4. What is samdump2?
   • samdump2 dumps the Windows NT/2K/XP/Vista password hashes.
   
   
5. What is John the Ripper?
   • John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.
   
   
6. Lab Notes
   • In this lab we will do the following:
     1. We will boot Windows into Kali.
     2. We will use Kali to mount the Windows Disk Partition that contains the SAM Database.
     3. We will use bkhive and samdump2 to extract password hashes for each user.
     4. We will use John the Ripper to crack the administrator password.
     
     
7. Legal Disclaimer
   • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
   • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
   • In addition, this is a teaching website that does not condone malicious behavior of any kind.
   • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
   • © 2013 No content replication of any kind is allowed without express written permission.

    

1. Start Up Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Edit virtual machine Settings
   • Note(FYI):
     • For those of you not part of my class, this is a Windows XP machine running SP2.
   • 

    

2. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 

    

3. Play Virtual Machine
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Play virtual machine
   • 

    

4. Logging into Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Username: administrator
     2. Password: Use the Class Password or whatever you set it.
     3. Click the OK Button
   • 

    

1. Open a Command Prompt
   • Instructions:
     1. Start --> All Programs --> Accessories --> Command Prompt
   • 

    

2. Change the Administrator Password
   • Instructions:
     1. net user administrator football
   • Note(FYI):
     1. We are changing the password to something that is in the dictionary to show you how easily it can be cracked.
   • .

    

3. Shutdown Windows Machine
   • Instructions:
     1. shutdown -s -t 0
   • Note(FYI):
     1. shutdown -s, shutdown the machine.
     2. -t 0, give the user a grace period of 0 seconds.  The default is 30 seconds.
   • 

    

1. Start Up Damn Vulnerable WXP-SP2.
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Edit virtual machine Settings
   • Note(FYI):
     • For those of you not part of my class, this is a Windows XP machine running SP2.
   • 
    
2. Edit Virtual Machine Settings
   • Instructions:
     1. Click on CD/DVD(IDE)
     2. Check the Connect at power on checkbox
     3. Click on the Use ISO Image File: radio button
     4. Click the Browse Button and Navigate to Kali.iso location
     5. Select the Kali.iso
     6. Click on the OK Button
   • 

1. Play Virtual Machine
   • Instructions:
     1. Click on Damn Vulnerable WXP-SP2
     2. Click on Play virtual machine
   • 

    

2. Obtain Boot Menu
   • Instructions
     1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the "<Esc>" key
   • Note(FYI):
     1. This might take you a few times so be patient!!!
   • 

    

3. Boot Menu Options
   • Instructions:
     1. Arrow Down to CD-ROM Drive
     2. Press <Enter>
   • 

1. Kali Linux Boot Menu
   • Instructions:
     1. Arrow Down to Live (686-pae)
     2. Press <Enter>
   • Note(FYI):
     1. Note this will usually be the first selection.
   • 

    

2. Open a Terminal Window
   • Instructions:
     1. Click on the Terminal Window Icon
   • 

    

3. View and Mount Windows Disk
   • Instructions:
     1. fdisk -l
        • Where "-l" is the lower case letter L.
     2. mount -t ntfs /dev/sda1 /mnt
   • Note(FYI):
     1. The fdisk command will allow you to see the partition table for one or many disk(s)
     2. The mount command will mount a file system.  Since this is a Windows file system, I am specifying the "-t ntfs" option.
   • 

    

4. View Mount Point
   • Instructions:
     1. df -k
   • Note(FYI):
     1. The df command reports on file system disk space usage.
     2. Arrow #1 is point to the Windows Disk.
     3. Arrow #2 is the /mnt point that the Windows Disk is not mounted on.
   • 

    

5. View Windows Disk Contents
   • Instructions:
     1. cd /mnt
     2. ls
     3. cd WINDOWS/system32/config
   • Note(FYI):
     1. Since we mount the windows disk boot partition (/dev/sda1) on top of the /mnt directory, we have to cd into it to see its' contents.
     2. The ls command will list the directories contents.
     3. This is where the SAM database lives.  The SAM database is where all the Windows passwords live. 
   • 

1. Using bkhive and samdump2
   • Instructions:
     1. ls
     2. bkhive system /root/hive.txt
     3. samdump2 SAM /root/hive.txt > /root/hash.txt
   • Note(FYI):
     1. ls the contents of the /WINDOWS/system32/config directory.
     2. bkhive dumps the syskey bootkey from Windows NT/2k/XP/Vista system hive.
     3. samdump2 dumps the Windows NT/2k/XP/Vista password hashes.
   • 

    

2. View Hash Contents
   • Instructions:
     1. cd /root
     2. ls -l *.txt
     3. file *.txt
     4. cat hash.txt
   • Note(FYI):
     1. Change directory into /root, because that is where we put our hive and hash files.
     2. List out the files using a wildcard (*).
     3. Determine the file type of the hash and hive files, where the hash file is (ASCII) and the hive file is (Compressed Binary).
     4. View the contents of the hash file
   • 

1. Run John the Ripper
   • Instructions:
     1. john /root/hash.txt -format=nt2 -users=Administrator
     2. cd /root/.john
     3. ls -l
     4. cat john.pot
   • Note(FYI):
     1. John is a password cracking tool.
     2. After john is ran, it stores the results in the .john directory under the current user's home directory.  (e.g., /root/.john).
     3. Use "ls -l" to show the detail listing of the files.
     4. View the contents of the john.pot file which contains the cracked passwords.
   •