Windows password recovery
- You have inadvertently forgotten your Windows password and can’t log in to your system. You really need to obtain access to your system. You also need to figure out passwords for others in the system. (The steps below will only work in the lab)
The Windows image is available (only on campus) here.
After you have copied it, extract it, open VirtualBox, and create a new VM; DON'T add any disk to it. Then go to Settings -> Storage and remove the SATA controller. Add an IDE controller, and attach the hard disk you just copied to that IDE controller. Make sure that Windows boots, verify that the user joe is password protected, then shut it down normally.
You could probably guess a few passwords pretty easily, but let's find a tool that will do a few things for us. The first tool we will use is a Hiren's boot CD. Download. You can add this as optical storage in the VirtualBox storage settings. Now boot the VM. (You may have to double check that the boot order finds the optical disk before the hard disk under System Settings within VirtualBox.)
- One easy way to regain access to the system is simply resetting the password or blanking it out.
- Here is a way to do it movie
- Take screenshot(s) showing that you did this and that you can log in as the user
Obviously you could do anything now that you are an administrator, but don’t. Let’s crack a few passwords.
First, login with the vagrant user. If you can’t guess the password, blank it out like you did with the joe user.
Windows password hash crack
It is fairly trivial to reset a user's password as we did above, but what if you want to find out the password itself? Once you are logged in as the vagrant user, you should see ophcrack on the desktop. I have already downloaded a rainbow table into the Downloads directory that you can add. Add the local SAM file and start the crack. See how many passwords you can find.
Take a screenshot.
Linux password recovery
For this assignment, we will make the assumption that you have physical access to a Linux machine, that you have pulled off the /etc/passwd and /etc/shadow files, and that you have put them in the correct format so that your password cracking tool can work. This file is located here (only on-campus).
You are welcome to use any tools you can find. The objective is to retrieve passwords.
- On an Ubuntu system, sudo apt-get install john (john is also installed on oxygen and nitrogen)
- The performance of running john on the virtual machines is poor; if you install john on a real machine, you should get much better performance.
- You should do something like john file.to.crack and then sit back and let john do its stuff.
- I found that it was able to crack 2 of the passwords in less than 5 minutes. You could just leave the process running and come back in a day or so and see if you were able to crack some more. (When I came back the next day it had cracked an additional 2 passwords)
- John didn't alert me when it found a password, so I killed it after a few minutes and did john --show file_to_crack_2015.txt, and it showed me what it had found.
Take a print screen of your cracking abilities. (I expect that you will have at LEAST 1 cracked password on the Linux machine)
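The reason john finds some of these passwords quickly is usually visible in the shadow file itself: an account with no password, a legacy hash scheme (md5crypt or traditional DES crypt) that is cheap to brute-force, or a short guessable password. The first two can be fixed without cracking anything. The following script is an added example, not part of this assignment or of john; it parses shadow-format records (the sample records are constructed) and reports accounts whose password storage needs attention.

```python
"""Audit /etc/shadow-style records for weak password storage.

Added example, not part of the course page. The sample records below are
constructed; the hash strings are placeholders of the right shape, not real
hashes of any password.
"""
import re

# Constructed sample. Field layout: name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFG:18600:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdefghijkl:12000:0:99999:7:::
olddes:AbCdEfGhIjKlM:9000:0:99999:7:::
guest::18600:0:99999:7:::
svc:!:18600:0:99999:7:::
www-data:*:18600:0:99999:7:::
alice:$y$j9T$abcdefghijklmnopqrstuv$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHI:18600:0:99999:7:::
"""

# crypt(3) prefix -> scheme name. Anything outside STRONG is worth a finding.
ALGORITHMS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
STRONG = {"bcrypt", "sha256crypt", "sha512crypt", "scrypt", "yescrypt"}


def classify(hash_field):
    """Return a label for the password field of one shadow record."""
    if hash_field == "":
        return "EMPTY"          # no password required to log in
    if hash_field.startswith(("!", "*")):
        return "LOCKED"         # locked or no-login account; nothing to crack
    for prefix, name in ALGORITHMS.items():
        if hash_field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "descrypt"       # traditional crypt(3): 8-char limit, 12-bit salt
    return "UNKNOWN"


def audit_shadow(text):
    """Parse shadow-format text; return {user: finding} for accounts needing action."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        label = classify(pw)
        if label == "EMPTY":
            findings[user] = "no password set; lock the account or set a strong password"
        elif label == "LOCKED":
            continue
        elif label not in STRONG:
            findings[user] = f"weak hash scheme {label}; force a password change"
    return findings


if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {finding}")
```

Run it against a real shadow file with `audit_shadow(open("/etc/shadow").read())` as root. Forcing a change on the flagged accounts (for example with `passwd -e`) rehashes them under the current default scheme, which is the cheapest way to take the easy wins away from a cracker.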
Online password attack
I have a test machine set up at 126.96.36.199. You should attack the ftp service using hydra to see if you can crack the password for betsy. (The last one is the hardest.) You should use this password file. Please record a print screen of the ultimate password results. Hydra runs something like this:
hydra -l username -P password_list.txt 188.8.131.52 ftp
Your results should look something like this (though you WON’T have xxxx’s for the password):
[ssh] host: 184.108.40.206 login: fred password: xxxxxxxxxxx [STATUS] attack finished for 220.127.116.11 (waiting for children to finish)
Hydra is also installed on oxygen.
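From the server's side, a hydra run like the one above is a burst of failed logins from one client address in a short window, and that is exactly what a detection rule should key on. The script below is an added example (not part of this assignment or of hydra): it parses FTP log lines, constructed here to resemble vsftpd's `FAIL LOGIN` / `OK LOGIN` format, and flags any client that fails a threshold number of times within a time window, escalating if that client then logs in successfully. The threshold and window are assumptions to be tuned per deployment.

```python
"""Detect an online password-guessing burst in FTP server logs.

Added example, not part of the course page. The log lines are constructed to
resemble vsftpd's format; the threshold and window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 hammers betsy and finally gets in; 10.0.0.9 mistypes once.
SAMPLE_LOG = """\
Tue Jan 19 10:00:01 2021 [pid 2] [betsy] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 19 10:00:01 2021 [pid 2] [betsy] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 19 10:00:02 2021 [pid 2] [betsy] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 19 10:00:02 2021 [pid 2] [fred] OK LOGIN: Client "10.0.0.9"
Tue Jan 19 10:00:03 2021 [pid 2] [betsy] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 19 10:00:03 2021 [pid 2] [betsy] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 19 10:00:04 2021 [pid 2] [betsy] FAIL LOGIN: Client "10.0.0.5"
Tue Jan 19 10:00:09 2021 [pid 2] [alice] FAIL LOGIN: Client "10.0.0.9"
Tue Jan 19 10:00:10 2021 [pid 2] [betsy] OK LOGIN: Client "10.0.0.5"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Return (timestamp, user, result, client_ip) or None for non-login lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {client_ip: finding}.

    A client is flagged when it accumulates `threshold` failed logins inside a
    sliding window of `window_seconds`. A later successful login from a flagged
    client is reported as a probable compromise.
    """
    failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    flagged = {}
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        if result == "FAIL":
            times = failures[ip]
            times.append(ts)
            # Slide the window: drop failures older than window_seconds.
            while (ts - times[0]).total_seconds() > window_seconds:
                times.pop(0)
            if len(times) >= threshold and ip not in flagged:
                flagged[ip] = f"{len(times)} failed logins within {window_seconds}s"
        elif ip in flagged and "probable compromise" not in flagged[ip]:
            flagged[ip] = (f"successful login as {user} after "
                           f"{len(failures[ip])} failures: probable compromise")
    return flagged


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {finding}")
```

The same rule is what tools like fail2ban apply to the real log before banning the source address; the mitigation that removes the attack class altogether is a lockout or rate limit on the service itself, so that a wordlist run cannot get through thousands of guesses in the first place.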
- Prove to me that you did all of the above. (Maybe some print screens, or other descriptions)
- List all the users with their passwords (as much as you were able to decipher)
- One document please (preferably PDF). No zip or tar.
Last Updated 01/19/2021