Windows password cracking using John The Ripper

Prakhar Prasad

Sat, 1 Oct 2011

In this post I will show you how to crack Windows passwords using John The Ripper.

John the Ripper is a fast password cracker, primarily for cracking Unix (shadow) passwords.Other than Unix-type encrypted passwords it also supports cracking Windows LM hashes and many more with open source contributed patches.

Now lets talk about the password protection method used by Windows. Windows user account passwords are typically stored in SAM hive of the registry (which corresponds to %SystemRoot%\system32\config\SAM file), in the SAM file the password is kept encrypted using the NTLM hash is very well known for its cryptanalysis weaknesses.

The SAM file is further encrypted with the SysKey (Windows 2000 and above) which is stored in %SystemRoot%\system32\config\system file.During the boot-time of Windows the hashes from the SAM file gets decrypted using the SysKey and the hashes are loaded to the registry is then used for authentication purpose. Both system and SAM files are unavailable (i.e, locked by kernel) to standard programs (like regedit) during Windows’ runtime .

As told earlier NTLM hash is very weak for encrypting passwords.The NTLM encryption algorithm is explained below :

Major pitfals of NTLM hash
Cracking Windows Passwords John The Ripper

For the sake of demonstrating this I had already set a dummy account called demo and allotted a password iRock to it, which will be cracked later-on.

User Accounts showing demo user

I booted using the Ubuntu LiveCD and mounted my Windows partition - /dev/sda1

[email protected]:~$ sudo mkdir /mnt/WIN
[email protected]:~$ sudo mount /dev/sda1 /mnt/WIN -r

Then copied SAM and system files to /home/prakhar

[email protected]:~$ cd /mnt/WIN
[email protected]:/mnt/WIN$ cd WINDOWS/system32/config
[email protected]:/mnt/WIN/WINDOWS/system32/config$ cp SAM  /home/prakhar &&  cp system /home/prakhar 

Then installed samdump2 and John The Ripper :

[email protected]:~$ sudo apt-get install samdump2
[email protected]:~$ sudo apt-get install john

Then dumped the syskey and NTLM hashes from system and SAM file, respectively :

[email protected]:~$ bkhive system sys.txt
[email protected]:~$ samdump2 SAM sys.txt

NTLM hashes recovered from SAM file

I then bruteforced the password using John The Ripper :

[email protected]:~$ john -format=LM hashes.txt

Loaded 7 password hashes with no different salts (LM DES [64/64 BS MMX])
guesses: 4  time: 0:00:00:05 (3)  c/s: 4805K  trying:
guesses: 4  time: 0:00:00:06 (3)  c/s: 5902K  trying: HEPIL1 - HEPIMI
IROCK (demo)

You can clearly see above, JTR has cracked the password within matter of seconds, I aborted the session in between since password was already recovered. Mission accomplished !