Windows Logon Password - How crackers work?

Cracking a Windows logon password is not so difficult. There are many offline password crackers which can either change/clear the existing password (like Offline NT Password & Registry Editor) or crack the existing password (like Ophcrack). Just download their ISO images, burn them, boot the machine from the CD, and the rest is self-explanatory. I am writing this post to make clear how these password crackers actually work.


Okay, when you set a Windows logon password, it is obviously stored in a file somewhere in Windows.
The password is stored in the SAM file placed in %systemroot%\system32\config (like C:\Windows\System32\config\SAM).
Now why don't we just try to open SAM and see all the stored passwords? Okay, let's do it: go to C:\Windows\System32\config and open SAM. You will get an error saying that the file is in use by another process. The SAM hive is locked by the kernel for as long as Windows is running, so we can't open it from inside the running system. Even if we somehow managed to read the contents of the SAM file, we would not find the passwords in clear text; only hashes of the passwords are stored there (and, on top of that, the hashes are encrypted with a key kept in the SYSTEM hive in the same directory, which is why a tool that dumps the hashes needs both the SAM and the SYSTEM file).

So, what is the SAM file?

SAM stands for Security Accounts Manager. SAM is a database, stored as a registry hive, that holds Windows users' passwords in hashed form. Two formats exist: the old LM hash and the NT hash (often called the NTLM hash). These are usually just called "hashes".


What are hashes?

Hashes are not a kind of encryption: there is no key, and nothing to decrypt. A hash function is a one-way function. One way means that if plain text is converted into a hash, the hash can not be converted back into the plain text. Remember this, it is the most important point: hash functions are one way. The only way "back" is to guess candidate passwords, hash each one, and see whether the result matches, which is exactly what cracking means.

What is the Windows authentication procedure?

Whenever a user creates a new account in Windows, its password is converted to a hash and stored in the SAM database. When the user logs in, the typed password is converted to a hash and compared with the hash stored in the SAM database; if both hashes match, the user is authenticated. Note that no salt is mixed in, so the same password always produces the same hash on every Windows machine.

How to access the SAM file?

The SAM file can not be moved, copied or opened while Windows is running. It can be accessed only when Windows is offline/not running. Confused about how we can use Windows files when Windows is not running?
Here comes the concept of live operating systems. A live CD contains a bootable OS. Just boot the machine from it and you can use that OS without any installation; from there the Windows partition is just a disk with files on it, including SAM and SYSTEM.

How to crack a Windows password?

Okay, suppose we have got access to the SAM file and have the password hashes. Don't you think it's useless, because hashes can't be converted back to plain text? Let's see what we can do.

We (I mean the automated tools) can actually do two things.

1. Clear/change the password: remove the existing hash, or write a new hash in its place (we know the algorithm that converts plain text to a hash), in order to clear or change the password. This is how Offline NT Password & Registry Editor works. It doesn't give you the original password, but it lets you change or clear it.
2. Crack the password: make a long list of possible combinations of letters and numbers, convert each one to a hash, and compare every hash with the hash we obtained from the SAM file; whenever one matches, that password is cracked. This is exactly how Ophcrack works. It ships with hashes of a huge number of letter/number combinations already computed and stored in tables called rainbow tables, so the guessing work is done once and reused. This works especially well against LM hashes, which are case-insensitive and split the password into two 7-character halves, and because NT hashes are unsalted a single table works against every machine.


I hope things are clear to you :).

18 comments:

  1. Wow, nice post. Everything is clear.

    Is this the same in Linux operating systems?

  2. Thanks. Though there are some variations, Linux also stores the hashed passwords in the 'shadow' file in the 'etc' directory.

  3. Thanks yaar,
    fantastic, very clear info.

  4. Wow, nice post. I like it, please keep posting.

  5. You said the password is converted into hashes, so can I use Brutus or Lcrack to crack it?
    Lcrack can crack MD4 and MD5 hashes. Please reply.

  6. Yeah sure, you can use them. I use 'John the Ripper'.

  7. Great work, seems impressive and useful.

  8. Superb. Works amazingly.

  9. Your posts are the best ones I have ever read.
    Very simple but yet very educated!!
    Keep it coming!!

  10. But Windows stores the password in LM hashes, not in MD4 or MD5 hashes, so that you can crack it; however, LM hashes may be cracked.

  11. I have a question:
    Our password is saved on the server in the form of hashes. When we log in, our entered value goes into the one-way function and is compared to the stored value. This means the server does not physically store our password. So when we click on "forgot password" on FB or another site, how does the server send us our username and password to our email, even though it does not have our password?

  12. They never send the password. They send a link to change your password. You can't see your old password, you can just change it.

  13. Nice Stuff! I really liked it…

  14. It's really a very interesting post, full of valuable information and very well written by you. The key part of this post is its descriptive way of defining everything. I liked it with all my heart. This post is an excellent example of this kind of thread.
    Escorts in Delhi

  15. Nowadays people have got into the habit of making posts, but the most important thing is to make an interesting and informative post.
    Mumbai Escorts Service
    Escorts in Mumbai

  16. This page gives great information.
    How can I get the live OS CD?

  17. Please try any Linux flavour; they all come with live environments.
    I prefer Linux Mint 10+ or Ubuntu 8+ as they support Windows NTFS (file system).

  18. Nice post, thanks :)
