Cracking Windows Vista Beta 2 Local Passwords (SAM and SYSKEY)

Update: 03/05/2007: I've made a single page with links to all of my tutorials on SAM/SYSKEY Cracking, visit it if you want more information on this topic.
Update 02/25/2007: It seems that Mao has followed suit, as of Cain & Abel v4.5 he has added Windows Vista compatibility in NTLM Hashes Dumper, LSA Hashes Dumper and Syskey Dumper for hive files. The direction below should still work, but now you can use Cain instead of Proactive Password Auditor for importing your SAM and SYSTEM.
Update 02/19/2007: Cedric from the Ophcrack project emailed me to let me know that starting with version 2.3.4, Ophcrack now supports Windows Vista. Download Ophcrack from http://ophcrack.sourceforge.net/ if you want a free tool for SAM cracking. Also, check out my newer video:Cracking Windows Vista Passwords With Ophcrack And Cain

        One of the common things folks stumble across my site in search of is information on cracking local Windows 2000/XP passwords. I've created quite a bit of content on the subject over the years, and if you want a broader understanding of the topic please visit these resources:

Text:
http://www.irongeek.com/i.php?page=security/localsamcrack
http://www.irongeek.com/i.php?page=security/localsamcrack2

Video:
http://www.irongeek.com/i.php?page=videos/samdump2auditor
http://www.irongeek.com/i.php?page=videos/LocalPasswordCracking

        While I was playing around with Windows Vista Beta 2 I decided to see if some of the old tools for cracking local account password still worked. It would seem that Microsoft has changed how the SAM file and SYSKEY work in Vista so none of my old tricks that use to work with NT 4/2000/XP functioned anymore. I quickly found that most of the current tools as of this writing(Ophcrack 2.3, Cain 2.9, SAMInside 2.5.7.0, Pwdump3) no longer work, which I have mixed feelings about. It's nice to see the extra level of security, but cracking local passwords was always sort of fun as well as useful from time to time. When I tried to crack local passwords extracted from copied SAM and  SYSTEM hive files I would get the following errors:

Ophcrack:
"Error: no valid hash was found in this file"

Cain:
"Couldn't find lsa subkey in the hive file."

        While tools like Sala's Password Renew could still be use from a Bart's PE boot CD to change any Vista password you wanted, or to create new admin accounts entirely, sometime you need to know the current administrator password. Three reasons to want to know a current Windows password without changing it are:

1. An attacker doesn't want to tip off the system administrators. If they notice that the old admin password no longer works they will get a bit suspicious don't you think?

2. The same account passwords may be used on other systems on the network. If the attacker can crack one machine's admin password that same password may allow the attacker to gain access to other boxes on that LAN that they don't have direct physical access to.

3. To gain access to data that has been encrypted using Windows EFS (Encrypted File System). Changing an accounts password may cause this data to be lost, though I think Sala's tool may be able to do this without losing the encryption key since it uses a Windows service to change the local password.

        Also of note for those interested in cracking Windows Vista passwords, it seems that Vista Beta 2 disables LM hash storage by default, so all you can get is the NTLM hash which can be much harder to crack for reasons stated in my other articles. Another thing I want to make you aware of is the new BitLocker feature of Windows Vista can make pretty much everything in this article useless if it's enabled, but that's a topic for another time.

        I thought all was lost on the Vista password cracking front, but after doing some web searching I found that you can still crack the local passwords if you have the right tools.  It would seem that the folks from Elcom Soft have added support for Vista SAM and SYSTEM hives into their "Proactive Password Auditor 1.61" tool. Unfortunately PPA is a commercial application, but they do offer a sixty day evaluation version that does not seem to be overly crippled. Since Elcom figured out how to do it I'm sure that soon the free tools like Cain and Ophcrack will also. What follows are the basic steps to crack/audit local Windows Vista Beta 2 passwords with Proactive Password Auditor.

        You need to be able to read the drive Windows Vista is installed on. For NTFS drives I've used the Knoppix ( http://www.knoppix.org/ ) and PE Builder ( http://www.nu2.nu/pebuilder/ ) boot CDs with good success. The first step is to boot from a CD-ROM and copy off the SAM and SYSTEM files in C:\WINDOWS\system32\config (you may have to get a slightly older version of them from C:\WINDOWS\config\RegBack instead, also keep in mind that C: may not be your system drive in which case substitute the appropriate drive letter ). The SAM and SYSTEM files are likely to be too large to fit on a 1.44MB floppy unless you compress them using Gzip in Linux or some Windows compression tool in Bart's PE. You could also copy them to some other form of removable media (Thumb drive anyone?) or upload them across the network to an FTP or file server that you have access to. For the Gzip/Floppy instructions read my first tutorial linked at the top of this article. It modern times it's usually easiest to just drag and drop the SAM and SYSTEM to a file server using the GUI that comes with your Boot CD.

        Now that you have a copy of the SAM and SYSTEM hive files start up Proactive Password Auditor and follow these steps:

1. Choose the  radio button labeled "Registry files (SAM, SYSTEM)" under the hashes tab, then click dump.

2. Choose the SYSTEM and SAM files you want to use, then click the "Dump" button.

3. During the Dump phase Proactive Password Auditor automatically tries a simple brute-force attack so your passwords may already be cracked. If not, choose the attack type, and set the hash type to "NTLM attack" since there are no LM hashes. I'll choose the Dictionary attack, click the the "Dictionary list..." button under the "Dictionary" tab and point it at the word list that comes with Cain (C:\Program Files\Cain\Wordlists\Wordlist.txt).

4. Make sure the check boxe(s) next to the account(s) you want to try to crack are selected.

5. Now it's just a matter of clicking the menu item "Recovery->Start recovery", waiting, and hoping for the best.

        Assuming the password is simple enough you should now have a cracked password to work with. Keep in mind that there's no guarantee that you will be able to crack any passwords at all. If the password is not in your dictionary you will have to resort to a Brute-force attack which could take forever if the password was chosen well, but this should get you going in the right direction. Also, if you have large Rainbow tables on your system give them a shot as Proactive Password Auditor supports this cracking method. I plan to update this page once Cain or Ophcrack support Vista. Please send me an email if you notice before I do that any of the free tools have implemented Vista SAM/SYSTEM file support. If this tutorial was of any help to you, please visit some of the sponsor links and help support the site. Thanks.

Useful links:

Sala's Password Renew
 http://www.sala.pri.ee/

Bart's Pe Builder:
 http://www.nu2.nu/pebuilder/
 
Oxid.it's Cain Web Page:
 http://www.oxid.it/cain.html

Ophcrack
 http://ophcrack.sourceforge.net/

Proactive Password Auditor 1.61
http://www.elcomsoft.com/ppa.html

 

Printable version of this article