Cracking Windows Passwords (Part 2 of 2) - fixedByVonnie

In the previous post I shared the inside scoop on hashes and methods of password extraction.  But there was one thing missing: I didn’t tell you how to get the hash!  Today I’m going to enumerate four common ways to grab the hash.  And then I’ll show you how to use PwDump.exe and Cain to crack the hash in seconds.

Walk with me!

Without the hash we can’t do anything.  So let’s start here.

Appropriating the hash

1. You can get the hash by logging into the server machine and saving the hash to a DVD, CD or USB Drive.  Heck you could even upload it to OneDrive or Google Docs because the file usually isn’t that large.

2. Alternatively, you could boot to the local box using a Live CD such as Kali Linux and then use PwDump, BKHive or SAMDump2 to snag the hashes.

3. You could also execute a remote exploit using Metasploit to copy the PwDump, BKHive or SAMDump tools to the victim’s machine and then get the hash and start cracking offline.

4. Kerbcrack is another tool used to facilitate your cracking quest.  It sniffs the hash off the network and then uses a cracking tool to break the password.  This is how you would compromise Active Directory accounts.

Scary but true.

Let’s take a look at this on a live Windows 2003 Server machine.

Cracking the Windows password

Imagine with me that you are the attacker sitting at an unlocked server box.

So the first way to block this kind of attack is to use physical access controls to ensure people can’t just walk into your server room and log in to your servers.  Secondly, you would implement technical access controls by ensuring the box is never left unlocked and is secured with a strong password.  Finally, an administrative access control in a company handbook could state that unauthorized users would be terminated and punished to the fullest extent of the law.

But hey, let’s say some silly server administrator named Vonnie left the door wide open and the box completely exposed.

You sneak into the server room and are standing before the computer accounts list.

Windows 2003 Server accounts

Next, you insert your USB stick that fortuitously has PwDump sitting on it.  After extracting the file you run:

pwdump localhost > win2k3hashes.log

This dumps the SAM hashes to a file called win2k3hashes.log.

PwDump in Windows Server 2003

Let’s open it up to take a peek.  The first part is the LAN MAN hash (highlighted below) and the second part after the colon is the NTLM hash.

Windows 2003 Hashes

Here’s a quick tip: remember I told you the second half of the LAN MAN hash is AAD3B435B51404EE?  You can see that string in the second part of the highlighted hash.  It’s actually the hash of a blank value, so the account’s password must be seven characters or shorter.
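The dump format described above (one account per line: user, RID, LAN MAN hash, NTLM hash) and the AAD3B435B51404EE tip are easy to turn into an audit an admin can run before an attacker does.  The script below is an added example, not code from this post or from the PwDump or Cain projects.  It assumes the classic pwdump column layout and two well-known constants (the LM hash of an empty 7-character half and the NT hash of an empty password); the sample dump, the account names and the banned-password list are constructed for the demo, and the non-constant LM halves in it are placeholder hex rather than real hashes.  It classifies each account by what its LM hash gives away, flags empty NT passwords, and matches NT hashes against a banned-password list.

```python
"""Audit a pwdump-style dump for weak password storage (added example).

Assumes the classic pwdump line layout  user:RID:LMhash:NThash:::
and two well-known constants:
    aad3b435b51404ee                  LM hash of an empty 7-character half
    31d6cfe0d16ae931b73c59d7e0c089c0  NT hash (MD4 of UTF-16LE) of ""
"""
import struct

LM_EMPTY_HALF = "aad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled by OpenSSL."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            if i < 16:      # round 1: words in order, shifts 3 7 11 19
                fn, k, s, add = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: columns 0 4 8 12, 1 5 9 13, ...
                j = i - 16
                fn, k, s, add = g, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:           # round 3: fixed permutation
                order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
                fn, k, s, add = h, order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a = rotl((a + fn(b, c, d) + x[k] + add) & 0xFFFFFFFF, s)
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF
        c0, d0 = (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, as hex."""
    return md4(password.encode("utf-16-le")).hex()


def lm_status(lm: str) -> str:
    """What the two 8-byte halves of a stored LM hash reveal about the password."""
    first, second = lm[:16].lower(), lm[16:].lower()
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "no LM hash stored (or empty password)"
    if second == LM_EMPTY_HALF:
        return "LM hash stored; password is 7 characters or fewer"
    return "LM hash stored; password is 8 to 14 characters"


def audit(dump: str, banned) -> dict:
    """One finding per account: LM status, empty NT password, banned-list match."""
    banned_nt = {nt_hash(p): p for p in banned}
    findings = {}
    for line in dump.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or line.startswith("#"):
            continue                      # blank, comment or not a pwdump record
        user, _rid, lm, nt = fields[:4]
        nt = nt.lower()
        findings[user] = {
            "lm": lm_status(lm),
            "empty_nt": nt == NT_EMPTY,
            "banned": banned_nt.get(nt),  # matching banned plaintext, or None
        }
    return findings


# Constructed sample dump: LM halves 0123456789abcdef / fedcba9876543210 are
# placeholders, not real LM hashes; NT hashes are computed from stated passwords.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:0123456789abcdef" + LM_EMPTY_HALF + ":" + nt_hash("Summer1") + ":::",
    "Guest:501:" + LM_EMPTY_HALF * 2 + ":" + NT_EMPTY + ":::",
    "vonnie:1000:0123456789abcdeffedcba9876543210:" + nt_hash("WinterIsComing") + ":::",
    "svc_backup:1001:" + LM_EMPTY_HALF * 2 + ":" + nt_hash("long-and-random-phrase-3vX") + ":::",
])
BANNED = {"Summer1", "Password1", "Welcome1"}   # constructed banned-password list

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_DUMP, BANNED).items():
        flags = []
        if finding["empty_nt"]:
            flags.append("EMPTY PASSWORD")
        if finding["banned"]:
            flags.append("banned password '%s'" % finding["banned"])
        print("%-14s %-52s %s" % (user, finding["lm"], " ".join(flags)))
```

Every account whose LM hash is still stored is a finding on its own: Windows Vista / Server 2008 and later stop storing LM hashes by default, which is one concrete reason the advice to retire Server 2003 matters.  The banned-list check works the same way a dictionary attack does, which is exactly why it is worth running against your own dump first.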

Raising Cain with Cain & Abel

Next, you save the dump to your USB drive, pop it in your laptop and import the hash file into the ever popular password cracking application: Cain & Abel.

Press the Insert key to open the Add NT Hashes from dialog and select Import Hashes from a text file.  Then browse to the text file and click Next.


Then it’s just a matter of right-clicking the account you want to crack, mousing over Dictionary Attack and choosing LM Hashes.

Now you can insert your dictionary and start cracking.

Cain cracking 2

In a few seconds, Cain already deduced the first half of my password: it’s “PASSWO”.

For some reason it didn’t grab the whole thing, but the point is that you can use this tool to do some serious damage.

Cain cracking 3

The Bottom Line

Today’s example is an excellent reason why admins shouldn’t run archaic software in production environments.  Windows Server 2003 has been supplanted by Windows Server 2012 R2 which is more secure.  Given how easy it is to extract and crack passwords in Windows Server 2003, no one should ever use it.

The purpose of this series was just to show you how an attacker could pull off this attack.  An admin could forestall the attacker with various administrative, technical and physical controls.  In addition, running the latest version of Windows Server would also stymie the attacker.

Alright, I’ve got to curtail this post here.  My eyes are starting to close and I need a nap haha.

I’m outta here.
