I have done this before, but it’s been a while, so I thought I would refresh my memory on password cracking.
My tools (used on Windows XP VM)
- L0phtCrack (15-day trial download, GUI, professional-grade)
- Cain and Abel (freeware, GUI)
- OphCrack (freeware, GUI)
- pwdump (used for grabbing the SAM)
My victim
I have a Windows XP Professional SP3 virtual machine with a SAM that has several accounts with passwords of varying strength.
- user1 / asdfjkl;
- user2 / weak
- user3 / asdfjkl;12345
- user4 / 123ikm852
- user5 / jasonlives
- user6 / jasonalmostlives
- user7 / jason1lives
- user8 / biec?32z
The Process – Part 1
- First, I boot up the VM with my Linux ISO (using the “Try Ubuntu without making changes” option).
- I open the Places -> Computer area and open the 8.6 GB media drive (my local file system). Then I navigate to the SAM stored in c:\windows\system32\config.
- Copy the SAM somewhere…in this case, I put it on my host machine as a temporary storage area. Then I rebooted my victim machine & installed L0phtCrack on it to start a brute force attack on the hashes in the SAM. (I love drag-and-drop features in VMware Workstation!)
- L0phtCrack can import the local machine’s SAM with its wizard interface, but you need admin access to do that. I just skipped the wizard and imported my SAM file.
- I modified the session options like so (to include characters)…you can also see the proc is maxed out (lc.exe)! This translates to 50% utilization on my host machine.
- Now it is time to wait…
- After a long wait, my somewhat under-powered VM came up with the following…
The Process – Part 2
- I decided to try other password tools – like Cain, which is part of the Cain & Abel suite. I also needed to use Ophcrack.
- A word about why Ophcrack is efficient – it uses rainbow tables. A rainbow table is a time/memory trade-off computed ahead of time: the generator starts from a set of candidate passwords, repeatedly hashes each one and “reduces” the hash back into another candidate, and stores only the first and last password of each chain. At crack time the program does not hash every word in a dictionary; it applies the same hash/reduce steps to the target hash until it lands on a stored chain end, then replays that one chain to recover the password. The catch is that a table can only recover passwords built from the character set and lengths it was generated for.
- So if (for example) my password was “mice” and its hash was “x94lfrj94j48dk”, Ophcrack would search its table for a chain that leads to that hash instead of hashing candidate after candidate.
- I also used pwdump7. This dumps the live SAM to a text file that contains the hashes that various tools can import.
- For instance – I ran the following on my XP victim machine.
- c:\pwdump7\pwdump7.exe > c:\samdump.txt
- Here is the sample I got from it -> samdump
- I can then import my dump file to Cain or Ophcrack
- First – Cain.
- Cracker tab -> Right-click to load my samdump.txt file.
- I tried a modified dictionary attack with all possible characters and numbers. I loaded the default word list included with Cain – c:\program files\cain\wordlists\wordlist.txt.
- My results are shown in a screen shot.

- In summary, Cain was not as effective as I would have hoped, as a full dictionary and hybrid attack did not reveal many of the passwords. I also tried a brute force with all possible characters, but that would have taken years to complete (by Cain’s estimate). I still think Cain is an easy-to-use security tool and do not wish to discredit it – there are many other features I have not tested yet. For this exercise, I turned to rainbow tables. Note that the online rainbow crack with Cain is not free.
- Enter Ophcrack – the basic rainbow tables are free (lowercase, uppercase, numbers – about 750 MB). Tables that also cover special characters are quite large (8 GB) and cost a couple hundred bucks.
- I downloaded the fast free XP tables. This was a large download but was no challenge for my Internet pipe!
- I installed the table download in Ophcrack by unzipping it and using Ophcrack to point to its location.
- I loaded my samdump.txt file and began cracking. You can also load a local or remote live SAM.
- It did not take long for the program to compare against the table – only about 5 minutes on my VM.
- Here are the results – ophcrack results
- Note that users 3, 6, and 8 were not cracked – they were either too long for the computed tables or the tables lacked the characters used in the password. Thus, there would be no match in the table. I believe that purchasing a commercial table set would be quite useful in cracking most passwords.
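The rainbow-table mechanics described in Part 2, and the reason users 3, 6 and 8 stayed uncracked, can be seen in a toy table. This is an added illustration and not code from this post or from Ophcrack: it uses 12 hex digits of SHA-1 as a stand-in for the LM/NT hash, a lowercase-only character set, passwords of at most three characters and a deterministic choice of chain start points, all of which are assumptions chosen so it runs in a couple of seconds.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"  # the table only ever "knows" these characters...
MAX_LEN = 3                              # ...and only passwords up to this length
CHAIN_LEN = 40                           # hash/reduce steps per chain
CHAINS = 3000                            # chains stored; the table holds CHAINS entries

_SPACE_BY_LEN = [len(CHARSET) ** l for l in range(1, MAX_LEN + 1)]
SPACE = sum(_SPACE_BY_LEN)               # 18278 candidate passwords in total


def H(password: str) -> str:
    """Stand-in for the LM/NT hash (assumption): the first 12 hex digits of SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()[:12]


def index_to_password(n: int) -> str:
    """Map an integer in [0, SPACE) to one password over CHARSET of length 1..MAX_LEN."""
    n %= SPACE
    for length, size in enumerate(_SPACE_BY_LEN, start=1):
        if n < size:
            break
        n -= size
    chars = []
    for _ in range(length):
        n, digit = divmod(n, len(CHARSET))
        chars.append(CHARSET[digit])
    return "".join(chars)


def reduce_(digest: str, step: int) -> str:
    """Reduction function: turn a hash back into a candidate password.
    Mixing the step number in (a different reduction per column) is what
    distinguishes a rainbow table from a plain hash-chain table."""
    return index_to_password((int(digest, 16) + step * 0x9E3779B1) % SPACE)


def chain_password(start: str, k: int) -> str:
    """The k-th password on the chain beginning at `start` (0 <= k <= CHAIN_LEN)."""
    p = start
    for step in range(k):
        p = reduce_(H(p), step)
    return p


def build_table() -> dict:
    """Precompute chains and keep only end -> start. Everything in between is
    recomputed during lookup, which is the time/memory trade-off."""
    table = {}
    for i in range(CHAINS):
        start = index_to_password(i * 7919)   # deterministic spread of start points (assumption)
        table[chain_password(start, CHAIN_LEN)] = start
    return table


def crack(target: str, table: dict):
    """Return a password hashing to `target`, or None if the table cannot reach it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Suppose `target` is the hash at column i of some chain: finish that chain.
        p = reduce_(target, i)
        for step in range(i + 1, CHAIN_LEN):
            p = reduce_(H(p), step)
        start = table.get(p)
        if start is None:
            continue
        # A stored chain ends here; replay it from its start to find the preimage.
        p = start
        for step in range(CHAIN_LEN):
            if H(p) == target:
                return p
            p = reduce_(H(p), step)
        # Getting here means a false alarm (merged chains); try the other columns.
    return None


def demo() -> dict:
    """Crack three constructed hashes: one the table covers, one with a character
    outside CHARSET, and one longer than MAX_LEN."""
    table = build_table()
    covered = chain_password(next(iter(table.values())), 17)  # lies on a stored chain
    samples = {"covered": covered, "outside charset": "we4k", "too long": "jasonalmostlives"}
    return {label: crack(H(pw), table) for label, pw in samples.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16s} -> {result!r}")
```

The table stores 3000 entries yet can answer for most of the 18278 passwords in its space, which is the whole point; but “we4k” and “jasonalmostlives” come back as None no matter how long you wait, because no chain ever passes through a password containing a digit or longer than three characters. That is exactly the limit the free XP tables hit on users 3, 6 and 8.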
Conclusion
While cracking passwords is easier than it used to be, strong passwords will still keep you pretty safe. I recommend following best practices on this – upper-case and lower-case letters, numbers, and symbols for a password of 8 or more characters. Avoid words in a dictionary – I was able to crack the password “weak” in seconds with all three tools.
Also – if you think “3” for “e” or “@” for “a” is clever – think again. I could search for these variations on dictionary words in Cain by ticking a box. L0phtCrack had a similar option.
I think rainbow tables are the best way to go for general cracking…they are much faster. However, you have to purchase the larger tables that have all possible combinations. Even these giant tables have limits (typically around 16-character passwords). Brute force is the ultimate, but you will be well aged by the time you brute force a password with letters, numbers, and symbols at a length of 8 or 10 characters.
Cain seems similar to L0phtCrack, but it is free. If I had a serious password audit need, I would definitely purchase rainbow table sets and probably L0phtCrack. However, there are plenty of free tools for password cracking – finding a gem among them is the hard part.
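What that “tick a box” option in Cain and L0phtCrack amounts to, and why it makes leet-speak substitutions cheap to attack, can be shown in a few lines. This is an added example, not code from this post or from either tool: the word list, substitution rules, suffixes and target passwords are constructed here, and SHA-1 stands in for the NT hash because MD4 is often absent from modern OpenSSL builds.

```python
import hashlib
import itertools

# Constructed word list standing in for Cain's wordlist.txt (assumption).
WORDLIST = ["jason", "lives", "weak", "password", "mice", "secret"]

# Substitutions a hybrid/"leet" rule set tries; the plain letter is always kept.
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "l": "l1", "t": "t7"}

SUFFIXES = ("", "1", "123", "!")


def H(password: str) -> str:
    """Stand-in for the NT hash (assumption): SHA-1 instead of MD4 over UTF-16LE."""
    return hashlib.sha1(password.encode()).hexdigest()


def leet_variants(word: str):
    """Every combination of the substitutions, e.g. 'lo' -> 'lo', 'l0', '1o', '10'."""
    options = [LEET.get(c, c) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word: str):
    yield word
    yield word.capitalize()
    yield word.upper()


def hybrid_candidates(words):
    """Dictionary words and word pairs, each with leet, case and suffix mangling."""
    bases = list(words) + [a + b for a in words for b in words if a != b]
    seen = set()
    for base in bases:
        for leet in leet_variants(base):
            for cased in case_variants(leet):
                for suffix in SUFFIXES:
                    candidate = cased + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def crack(target_hashes, words=WORDLIST):
    """Run the candidate stream against a set of hashes.
    Returns ({hash: password or None}, number of candidates tried)."""
    found = {h: None for h in target_hashes}
    remaining = set(target_hashes)
    tried = 0
    for candidate in hybrid_candidates(words):
        tried += 1
        h = H(candidate)
        if h in remaining:
            found[h] = candidate
            remaining.remove(h)
            if not remaining:
                break
    return found, tried


def brute_force_space(length: int, charset_size: int = 95) -> int:
    """Candidates a full brute force over printable ASCII of this length must cover."""
    return charset_size ** length


def demo():
    """Constructed targets: three mangled dictionary passwords and one random one."""
    plaintexts = ["jasonlives", "p@ssw0rd", "Secret123", "biec?32z"]
    found, tried = crack([H(p) for p in plaintexts])
    return {p: found[H(p)] for p in plaintexts}, tried


if __name__ == "__main__":
    results, tried = demo()
    for plaintext, recovered in results.items():
        print(f"{plaintext:12s} -> {recovered!r}")
    print(f"{tried} candidates tried vs {brute_force_space(8)} for an 8-char brute force")
```

Every “3 for e” variant of every word is just one more candidate in the stream, so the attacker pays a small multiple of the dictionary size rather than the 95^8 (about 6.6 × 10^15) candidates a brute force of eight printable characters would need. The random-looking “biec?32z” (user8) is not reachable by any mangling rule and is left for that brute force.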
In addition, you can see from above that there are numerous ways to get a password hash dump from a system, whether or not you have admin-level access: pwdump needs admin rights on the running system, while booting a live Linux ISO only needs physical access to the machine and an unencrypted disk.
Note that this article represents an experiment with my own property and systems – I do not condone cracking other people’s systems without their consent. Use this information at your own risk.