Cracking a Windows 10 password with ophcrack

SAM Files and NT Password Hashes

What Is Sam File?

The Security Account Manager (SAM) is a database file[1] in Windows XP, Windows Vista and Windows 7 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory is used to authenticate remote users. SAM uses cryptographic measures to prevent unauthorized users from gaining access to the system.

The user passwords are stored in a hashed format in a registry hive, either as an LM hash or as an NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY"). It can be enabled by running the syskey program.


Where do I find the SAM/Hashes?

Location of SAM/Hashes: You can find what you're looking for in several locations on a given machine. On the hard drive it is in the folder %systemroot%\system32\config (i.e. C:\Windows\system32\config). However, this folder is locked to all accounts, including Administrator, while the machine is running. The only account that can access the SAM file during operation is the "System" account.

The second location of the SAM, or the corresponding hashes, is the registry, under HKEY_LOCAL_MACHINE\SAM. This is also locked to all users, including Administrator, while the machine is in use. (Go to Run, type Regedit and hit Enter, then scroll to HKEY_LOCAL_MACHINE\SAM; you will find that you cannot open it.)

So the two locations (there are some others) of the SAM hashes are:
- %systemroot%\system32\config
- in the registry under HKEY_LOCAL_MACHINE\SAM


How to Copy Sam file?

There are two ways:
1) When the OS (operating system) is running.
2) When the OS is not running.

When the OS is running

1. Press Windows+R.

2. Type regedit.

3. Then click on HKEY_LOCAL_MACHINE.

4. Then click on SAM.

5. Try to export it by right-clicking.

    But you can't, so follow these steps:

6. Right-click on the SAM key.

7. Click on Permissions.

8. Then click on Administrators and remove it.

9. Click on the Add button, type "Administrators" and then click OK.

10. Then tick Full Control and Read under Allow.

11. Then click Apply, right-click on SAM and click Export.

12. Export it with "Save as type" set to registry hive files.

And you are done.

You have copied the SAM file.
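From the defender's side, the sequence above leaves a trace: Windows Security events 4670 (permissions on an object were changed) and 4663 (an attempt was made to access an object) are logged for registry keys once "Audit Registry" object-access auditing is enabled and HKLM\SAM carries a SACL. The detection below is an added example, not code from the original post; the event records and the allow-list of processes expected to read the hive are constructed assumptions.

```python
# Added example (not from the original post): flag the SAM re-ACL/export sequence above in
# Windows Security-log events 4670 (permissions on an object were changed) and 4663 (an
# attempt was made to access an object). Windows emits these for registry keys only when
# "Audit Registry" is enabled and HKLM\SAM carries a SACL. Records here are constructed samples.
from typing import Dict, List, Optional, Tuple

SAM_KEY = r"\REGISTRY\MACHINE\SAM"  # how Windows names HKLM\SAM in object-access events
# Assumed allow-list of processes expected to read the SAM hive on a live host; tune per estate.
EXPECTED_SAM_READERS = {r"c:\windows\system32\lsass.exe"}

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed, not captured logs
    {"EventID": "4670", "SubjectUserName": "alice", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM", "ProcessName": r"C:\Windows\regedit.exe"},
    {"EventID": "4663", "SubjectUserName": "alice", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users",
     "ProcessName": r"C:\Windows\regedit.exe"},
    {"EventID": "4663", "SubjectUserName": "SYSTEM", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": "4670", "SubjectUserName": "bob", "ObjectType": "Key",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example", "ProcessName": r"C:\Windows\regedit.exe"},
]


def touches_sam(event: Dict[str, str]) -> bool:
    """True if the event's object is HKLM\\SAM itself or any key beneath it."""
    name = event.get("ObjectName", "").upper()
    return event.get("ObjectType") == "Key" and (name == SAM_KEY or name.startswith(SAM_KEY + "\\"))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Label one event, or return None if it is not interesting."""
    if not touches_sam(event):
        return None
    if event.get("EventID") == "4670":
        # Nothing legitimate rewrites the ACL of HKLM\SAM on a running host; steps 6-11
        # above do exactly that, so one 4670 here is worth an alert on its own.
        return "SAM_ACL_CHANGED"
    if event.get("EventID") == "4663" and event.get("ProcessName", "").lower() not in EXPECTED_SAM_READERS:
        return "SAM_READ_BY_UNEXPECTED_PROCESS"
    return None


def find_sam_tampering(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, process, label) for every event that warrants attention."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((event.get("SubjectUserName", "?"), event.get("ProcessName", "?"), label))
    return hits
```

Run over real exported events the same way; the two alice records above are what steps 6 to 12 look like in the log.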

If you want to understand this more clearly, you can watch the video tutorial.

The YouTube link of this video is

https://www.youtube.com/channel/UCIYIZ8KulE0bXtRLnNdIRww

This is my YouTube channel; you can view the tutorial there.

When the OS is not running

Probably the easiest way to do this is to boot your target machine to an alternate OS like NTFSDOS or Linux and just copy the SAM from the %systemroot%\system32\config folder. It's quick, it's easy, and it's effective. You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com). The regular version of NTFSDOS is freeware, which is always nice, but only allows read-only access. This should be fine for what you want to do; however, if you're the kind of person that just has to have total control and has some money to burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access (it'll cost you $299).

Step by step:

1) Well, the easiest way to do this is to boot your target machine to an alternate OS like NTFSDOS or Linux and just copy the SAM from the %systemroot%\system32\config folder.
2) You can also get password hashes by using pwdump2 (Google it to get the software, or search at openwall.com). pwdump uses DLL injection in order to use the System account to view and get the password hashes stored in the registry. It then obtains the hashes from the registry and stores them in a handy little text file that you can then paste into a password cracking utility like L0phtCrack or John the Ripper (the Linux-based version works well); Cain & Abel can also be used.

3) Import the hashes directly into L0phtCrack and let it crack them open for you.


Cracking or Breaking Into the Admin Account:
How to get hashes from the SAM file?

Obtained Hashes? Now crack them:

With the hashes in hand and an eagerness to find out what passwords lie waiting, let's get cracking. While there are numerous programs available for password cracking, I will quickly cover two of the most popular ones.

John the Ripper -

John the Ripper is, to many, the old standby password cracker. It is command line, which makes it nice if you're doing some scripting, and best of all it's free. The only real thing that JtR is lacking is the ability to launch brute force attacks against your password file. But look at it this way: even though it is only a dictionary cracker, that will probably be all you need. I would say that in my experience I can find about 85-90% of the passwords in a given file by using just a dictionary attack. Not bad, not bad at all.

L0phtCrack -

Probably the most wildly popular password cracker out there. L0phtCrack is sold by the folks at @Stake, and with a price tag of $249 for a single-user license it sure seems like everyone owns it. Boy, @Stake must be making a killing. :) This is probably the nicest password cracker you will ever see, with the ability to import hashes directly from the registry à la pwdump, and dictionary, hybrid, and brute-force capabilities. No password should last long. Well, I shouldn't say "no password", but almost all will fall to L0phtCrack given enough time.


Another Easy Method, Using ophcrack to Hack into the Admin Account:

Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.
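The trade-off that paragraph names, worked through here as an added note rather than text from the original post. The symbols are mine: $N$ is the number of candidate passwords, each Hellman table holds $m$ chains of length $t$, and $t$ such tables are used.

Each chain starts from a random password, alternates hash and reduction steps $t$ times, and stores only its start and end point, so

$$M \approx m\,t \quad\text{(stored endpoints)},\qquad T \approx t^{2} \quad\text{(hash evaluations per lookup)},\qquad m\,t^{2} \approx N .$$

Eliminating $m$ and $t$ gives Hellman's curve

$$T\,M^{2} = t^{2}\,(m\,t)^{2} = (m\,t^{2})^{2} = N^{2}.$$

A rainbow table replaces the $t$ separate tables by one table that uses a different reduction function in each column, which avoids chain merges and cuts a lookup to about $t(t-1)/2$ hash operations, but the dependence on $N$ is unchanged. That is the defender's lever: the precomputation is paid once over $N$ and reused against every unsalted NT hash, whereas an $s$-bit salt multiplies $N$ by $2^{s}$ and forces the work to be redone per account. Widening the alphabet works the same way; going from 62 to 95 characters at 14 positions multiplies $N$ by $(95/62)^{14} \approx 390$.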

This is a type of offline cracking. Just grab the .iso of ophcrack from here, burn it and enjoy using it.
1. Ophcrack can crack passwords for Windows 7, Windows Vista, and Windows XP.
2. Ophcrack can recover 99.9% of passwords from Windows XP, usually in a matter of seconds. Any 14-character or smaller password that uses any combination of numbers, small letters, and capital letters should be crackable.
3. Ophcrack can recover 99% of passwords from Windows 7 or Windows Vista. A dictionary attack is used for Windows 7 and Vista.
4. The Ophcrack LiveCD option allows for completely automatic password recovery.
5. The LiveCD method requires no installation in Windows, making it a safe alternative to many other password recovery tools.
6. No Windows passwords need to be known to use the Ophcrack LiveCD to crack your Windows passwords.

Making Your Own Password in Windows: 

Injecting Password Hashes into the SAM: One of the easiest ways to gain Administrator privileges on a machine is by injecting your own password hashes into the SAM file. In order to do this you will need physical access to the machine and a brain larger than a peanut. Using a utility called "chntpw" by Petter Nordahl-Hagen you can inject whatever password you wish into the SAM file of any NT, 2000, or XP machine, thereby giving you total control; just burn the .iso to a disk and use it. I would give a tip like backing up the SAM file first by using an alternate OS. Making a USB disk of Linux or a Windows live disk can also work. Go in, inject the password of your choosing. Log in using your new password. Do what you need to do. Then restore the original SAM so that no one will know that it was hacked.


Some security Tips ~ Making strong passwords:

Now you might have come to know how passwords can be cracked, so here are some tips for you.
1) Do not make common passwords like 123456 or your own name.
2) Use @, *, # or other symbols in your passwords to ensure maximum security; in this case John the Ripper, Ophcrack and other cracking tools may take a long time, which will be frustrating for the hacker.
3) Keep changing your password, so that if one hash takes a long time to decode, by the time it is decoded you have already generated another hash.
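A policy check built from the three tips above and from what this page says about the crackers (ophcrack's tables cover alphanumeric passwords of 14 characters or fewer, and an LM hash exists only for passwords of at most 14 characters), written as an added example rather than code from the original post. The common-password list and the 33-symbol count are my assumptions.

```python
# Added example (not from the original post): a policy check built from the three tips above
# and from what this page says about the crackers: ophcrack's tables cover alphanumeric
# passwords of 14 characters or fewer, so length and symbols both push a password outside them.
# The common-password list is a constructed stub; use a breach-derived list in practice.
import math
from typing import Dict, List

COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}  # constructed stub
SYMBOL_COUNT = 33  # printable ASCII characters that are neither letters nor digits


def charset_size(pw: str) -> int:
    """Size of the smallest ASCII alphabet that could have produced pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SYMBOL_COUNT
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force work in bits, assuming each position is uniform over charset_size(pw)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def inside_rainbow_coverage(pw: str) -> bool:
    """The page's stated ophcrack coverage: up to 14 characters of letters and digits only."""
    return 0 < len(pw) <= 14 and pw.isascii() and pw.isalnum()


def assess(pw: str, account_name: str) -> Dict[str, object]:
    """Apply the page's tips; any reason at all makes the verdict 'weak'."""
    reasons: List[str] = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password (tip 1)")
    if account_name and account_name.lower() in pw.lower():
        reasons.append("contains the account name (tip 1)")
    if pw.isalnum():
        reasons.append("no symbols, so cheap for rainbow tables (tip 2)")
    if inside_rainbow_coverage(pw):
        reasons.append("<= 14 alphanumeric chars: inside ophcrack's table coverage")
    if len(pw) <= 14:
        reasons.append("<= 14 chars: an LM hash can be stored for it where LM storage is enabled")
    return {"bits": round(entropy_bits(pw), 1), "verdict": "weak" if reasons else "ok", "reasons": reasons}
```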

Thank You 

Source URL: http://smartechverse.blogspot.com/2015/06/crack-windows-admin-password-and-sam.html

Thanks to the original author.


Reposted from blog.csdn.net/qq_22073239/article/details/81112414