Retrieving lost Windows NT passwords from a GNU/Linux environment.


Not too long ago, I had to assist my father in getting access to an abandonded laptop running Windows 2000. I soon guided him in navigating in the system by a Slackware rescue CD. At this point, one could just have retrieved all necessary data through old-fashioned copying, but just for the heck of it, I decided to crack the system's passwords.

Soon, I found that there were very little documentation on how to do this from an existing GNU/Linux system, with all guides approaching the problem through a distro specialized on doing such tasks. Eventually, I found the utilities needed and managed to get a few passwords restored. Afterwards, I decided to write this guide.

Tools needed

bkhive (bkhive-0.1.tar.gz)
samdump2 (samdump_2-1.tar.gz)
John the Ripper ( version 1.7 was/is used in this guide

Files needed

Be warned: This guide does in no way attempt to break into a system from the outside, but entering it by having physical access to it. In some way, you have to get the following files from the target system:


Both of these usually (always?) reside in %SystemRoot%\system32\config

Step 1: Extraction, part 1

First, the system keys must be extracted from the system file using bkhive:

bkhive /path/to/system /where/to/save.syskeys

Step 2: Extraction, part 2

Using the extracted syskeys, you kan now produce a file readable by John:

samdump2 /path/to/sam /path/to/syskeys

This will produce its results to standard output, so piping it somewhere would be good:

samdump2 /path/to/sam /path/to/syskeys > file.with.hashes

Step 3: The guessing game

Now, we let John the Ripper get to work on said hashes:

/path/to/john /path/to/file.with.hashes

And you're done! John will (hopefully) present some possible passwords with their associated usernames shortly, but from here on, I refer to the manual of John.

This guide was written by Lars Zetterlund out of boredom. Direct flames/comments to my email address.