
Offline Password Attacks

An offline password attack means obtaining a password hash and then trying to recover the plaintext password from it. In Windows the Security Account Manager (SAM) is a protected subsystem that manages the accounts database; its data is kept in the SAM file. Passwords are stored as LM or NTLM hashes. The SAM exists either locally or on the domain. The Local Security Authority (LSA) is responsible for validating credentials in Windows.


The SAM file is located in the ‘C:\Windows\System32\config’ folder, and a copy of it is kept in the ‘C:\Windows\repair’ folder. The SAM file cannot be read directly: we need a key called the ‘boot key’, which is stored in a file named ‘system’. This ‘system’ file is located in the same folder as the SAM file.


Windows does not allow any operation on the SAM and system files, so we have to use their copies from the ‘repair’ folder. Once we have these files we can extract the password hashes and then try to recover the plaintext from them.



Deliverable:



Lab Set up

  • Virtualization using Oracle VirtualBox

  • Attacker’s System: Kali Linux

  • Target System: Windows XP


In Kali Linux --> Terminal



1. Get the boot key from the system file using the tool bkhive.

~# bkhive system [bootkeyfile.txt]


Here, bkhive --> tool that extracts the boot key from the system file

system --> system file

[bootkeyfile.txt] --> new file in which the boot key will be stored



2. Now use samdump2 to dump the password hashes from the SAM file.

~# samdump2 sam [bootkeyfile.txt]


Here, samdump2 --> tool that dumps the hashes from the SAM file

sam --> SAM file

[bootkeyfile.txt] --> file created in the previous step, where the boot key was stored


The output consists of fields separated by colons (‘:’), as follows:


username : user id : password hash in LM format : password hash in NTLM format



3. Save the output into a text file; this is the hash dump of the SAM file. Name the file hashdumpfile.txt or anything you want.



4. Now use John the Ripper to recover the plaintext password from it.

~# john [hashdumpfile.txt]


Here, john --> tool John the Ripper

[hashdumpfile.txt] --> hash dump file created in the previous step





Note 1:

We can get the hash dump directly from Windows XP if we exploit it with Metasploit’s Meterpreter shell and simply run the command ‘hashdump’. After that we can go directly to steps 3 and 4.




Note 2:


LM v/s NTLM


LM --> LAN Manager

NTLM --> New Technology LAN Manager


Windows XP stores passwords in both LM and NTLM format, as follows:


username : user id : password hash in LM format : password hash in NTLM format


Windows 7, however, stores passwords in NTLM format only. The LM field (the 3rd field) is the same for every user: it is the LM hash of ‘nothing’, i.e. of an empty string. Thus Windows 7 does not store a real LM hash.


For Windows 7:


username : user id : LM-format hash of the empty string (i.e. nothing) : password hash in NTLM format
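As an added example (not code from the original page), the following Python parses lines in the colon-separated shape described above and applies the point of Note 2 from an auditing standpoint: it reports which accounts still carry a stored LM hash (the weak, XP-style case) and which accounts have the NTLM hash of an empty password. The sample dump is constructed; only the two empty-string hash constants are real values.

```python
# Added example, not from the original page: audit a samdump2/pwdump-style
# dump of the form  username:user id:LM hash:NTLM hash:::
# Two things a defender wants to see at a glance:
#   - accounts for which a real LM hash is stored (crackable, as on XP)
#   - accounts whose NTLM hash is the hash of an empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"     # LM hash of ""
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NTLM hash of ""
HEX = set("0123456789abcdef")


def parse_hashdump(text):
    """Return a list of (username, user id, lm_hash, nt_hash) tuples."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed line: %r" % line)
        user, rid = fields[0], int(fields[1])
        lm, nt = fields[2].lower(), fields[3].lower()
        for h in (lm, nt):
            if len(h) != 32 or not set(h) <= HEX:
                raise ValueError("bad hash %r for user %r" % (h, user))
        accounts.append((user, rid, lm, nt))
    return accounts


def audit(text):
    """Usernames with a real LM hash stored, and with an empty NTLM password."""
    accounts = parse_hashdump(text)
    return {
        # On Windows 7 every account shows EMPTY_LM here (Note 2), so any
        # other value means an LM hash really was stored for that user.
        "lm_stored": [u for u, _, lm, _ in accounts if lm != EMPTY_LM],
        "empty_password": [u for u, _, _, nt in accounts if nt == EMPTY_NTLM],
    }


# Constructed sample in the step 2 output shape; the non-empty hash values
# are made up, only the two empty-string hashes above are real.
SAMPLE = """\
Administrator:500:89abcdef0123456789abcdef01234567:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```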




