Retrieving lost Windows NT passwords from a GNU/Linux environment.
Introduction
Not too long ago, I had to assist my father in getting access to an
abandoned laptop running Windows 2000. I soon guided him through navigating
the system with a Slackware rescue CD. At this point, one could just
have retrieved all necessary data through old-fashioned copying, but
just for the heck of it, I decided to crack the system's passwords.
Soon, I found that there was very little documentation on how to do
this from an existing GNU/Linux system, with all guides approaching the
problem through a distro specialized in doing such tasks. Eventually, I
found the utilities needed and managed to get a few passwords restored.
Afterwards, I decided to write this guide.
Tools needed
bkhive (bkhive-0.1.tar.gz)
samdump2 (samdump_2-1.tar.gz)
John the Ripper (http://www.openwall.com/john/) version 1.7 was/is used in this guide
Files needed
Be warned: This guide does not in any way attempt to break into a system
from the outside; it assumes you already have physical access to it. One
way or another, you have to get the following files from the target system:
sam
system
Both of these usually (always?) reside in %SystemRoot%\system32\config
Step 1: Extraction, part 1
First, the system keys must be extracted from the system file using bkhive:
bkhive /path/to/system /where/to/save.syskeys
Step 2: Extraction, part 2
Using the extracted syskeys, you can now produce a file readable by John:
samdump2 /path/to/sam /path/to/syskeys
This writes its results to standard output, so redirecting it to a file would be good:
samdump2 /path/to/sam /path/to/syskeys > file.with.hashes
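Before handing the file to John, it is worth looking at what samdump2 actually wrote. It produces pwdump-style lines (user:RID:LM hash:NT hash:::), and two things in that output are interesting from an auditing point of view on their own: an NT hash of the empty string means the account has a blank password, and a stored LM hash (anything other than the well-known empty-LM value) means the system was still keeping the weak LM representation, which is the part John gets through fastest. The script below is an added example of mine, not part of the original guide or of samdump2 or John; it assumes the pwdump line layout described above, and the sample dump it parses is constructed with made-up hex values, not real hashes.

```python
import re

# Hashes of the empty password. These are public constants, not secrets:
# the LM field holds EMPTY_LM when no LM hash is stored, and the NT field
# holds EMPTY_NT when the account's password is blank.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LM:NT:...  (assumed pwdump layout; anything after the NT hash is ignored)
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

# Constructed sample in the format samdump2 emits; the non-empty hashes are
# arbitrary hex filler, not hashes of any real password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1000:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::

this line is not a hash entry and is skipped
"""


def parse_pwdump(text):
    """Return one dict per well-formed pwdump line; blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Flag accounts with a blank password or with an LM hash still stored."""
    findings = []
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank password"))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a dump and audit it in one call."""
    return audit(parse_pwdump(text))


if __name__ == "__main__":
    for user, problem in audit_text(SAMPLE_DUMP):
        print(f"{user}: {problem}")
```

Run it on a real dump with audit_text(open("file.with.hashes").read()); an account listed with "LM hash stored" is the one to fix on the Windows side (disable LM hash storage and change the password), whatever John eventually reports.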
Step 3: The guessing game
Now, we let John the Ripper get to work on said hashes:
/path/to/john /path/to/file.with.hashes
And you're done! John will (hopefully) present some possible passwords
with their associated usernames shortly; from here on, I refer you to John's manual.
This guide was written by Lars Zetterlund out of boredom. Direct flames/comments to my email address.