Darksat IT Security Forums
Cracking Windows Local and Domain Passwords

Defcon 5
« on: July 15, 2008, 01:18:03 pm »


All that is needed is to locate the SAM file. This can be located in two main places: one is in the Windows folder, then system32 and config; in that you will see a file called SAM, and this is where the password hashes are held.

If you are on a domain or any decent place implementing GPO, you will find that you are blocked from accessing it after booting up, for obvious reasons. One way to get around this is by booting up something like Knoppix or Bart PE, copying the SAM file to a USB drive and cracking it elsewhere, which for stealth reasons is the best option.

Another location, for backup reasons, is in windows then repair, and it's just there. It is possible this is not protected with any group policies, but I've only come across 3-4 places disallowing access to this file in the repair folder.


On a lot of domains you will find that user accounts are cached on the computers for simple fault tolerance, allowing them to continue working if the Active Directory domain goes down.
For a paranoid company this is a big no-no, as you are storing passwords locally, a massive security risk, which is why you will find users have to change passwords every month or so.
The cached hashes are held in a simple registry location, at the values HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL$1 through NL$10.
These can be changed for obvious reasons, but a simple program called cachedump will find you the location and allow you to output the hashes into a simple text file, as the program injects itself into LSASS.exe, giving it administrator privileges.

Very brief, but it gives you the idea of how simple it is. There are more ways, especially locally, of gaining hashes, but these are some of the methods I use.
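
A defender-side audit of the two things the post relies on, as an added example that is not part of the original post: it reads the `CachedLogonsCount` Winlogon value (the setting that controls how many `NL$` cache entries a machine keeps, default 10) and lists any identity other than SYSTEM or Administrators that has access to the SAM copies under `System32\config` and `repair`. It assumes an elevated PowerShell session; the variable names are illustrative.

```powershell
# Added audit example, not from the original post. Run elevated.
$findings = @()

# 1. Cached domain logons. CachedLogonsCount is a REG_SZ under Winlogon;
#    when it is absent Windows uses the default of 10 cached logons.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $count) { $count = '10 (default, value not set)' }
$findings += [pscustomobject]@{ Check = 'CachedLogonsCount'; Result = $count }

# 2. The SAM locations named in the post: the live hive and the repair copy.
#    The repair copy only exists on older Windows versions.
$paths = @(
    (Join-Path $env:SystemRoot 'System32\config\SAM'),
    (Join-Path $env:SystemRoot 'repair\SAM')
)
# Well-known SIDs: LocalSystem and BUILTIN\Administrators.
# SIDs are used so the check also works on localized installs.
$expected = 'S-1-5-18', 'S-1-5-32-544'
$sidType  = [System.Security.Principal.SecurityIdentifier]

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        $findings += [pscustomobject]@{ Check = $p; Result = 'not present' }
        continue
    }
    try {
        $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        # Explicit and inherited rules, with identities returned as SIDs.
        $extra = $acl.GetAccessRules($true, $true, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $expected -notcontains $_.IdentityReference.Value } |
            ForEach-Object { '{0} ({1})' -f $_.IdentityReference.Value,
                                            $_.FileSystemRights }
        $result = if ($extra) { 'REVIEW: ' + ($extra -join '; ') }
                  else        { 'only SYSTEM/Administrators' }
    } catch {
        $result = 'could not read ACL: ' + $_.Exception.Message
    }
    $findings += [pscustomobject]@{ Check = $p; Result = $result }
}

$findings | Format-Table -AutoSize -Wrap
```

A `REVIEW` row means some other principal holds an allow entry on that file; lowering `CachedLogonsCount` reduces how many domain credentials are kept on the machine at the cost of offline logon.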