Cracking a Windows logon password is not so difficult. There are many offline password crackers that can either change/clear the existing password (like Offline NT Password & Registry Editor) or crack the existing password (like Ophcrack). Just download their ISO images, burn them, boot from the CD, and the rest is self-explanatory. I am writing this post to make it clear how these password crackers actually work.
When you set a Windows logon password, it is obviously stored in a file somewhere in Windows. The password is stored in the SAM file located in %systemroot%\system32\config (for example C:\windows\system32\config).

So why don't we just open SAM and read all the stored passwords? Let's try it: go to C:\windows\system32\config and open SAM. You will get an error that "it is in use by another application". We cannot open the SAM file while Windows is running. Even if we somehow manage to read the contents of the SAM file, we won't get the passwords in clear text: they are stored in hashed form.
So, what is the SAM file?

SAM stands for Security Accounts Manager. SAM is a database stored as a registry hive in Windows that holds the users' passwords in hashed form (LM and NTLM). These are usually just called hashes.
What are hashes?

Hashes are often loosely described as a kind of encryption, but a hash function is a one-way function. One-way means that once plain text is converted into a hash, it cannot be converted back into plain text. Remember this, it is the most important point: they are one-way functions.
What is the Windows authentication procedure?

Whenever a user creates a new account in Windows, the password is converted to a hash and stored in the SAM database. When the user logs in, the entered password is converted to a hash and compared with the hash stored in the SAM database; if both hashes match, the user is authenticated.
How to access the SAM file?

The SAM file cannot be moved, copied or opened while Windows is running. It can only be accessed when Windows is offline/not running. Confused about how we can use Windows files when Windows is not running?

Here comes the concept of live operating systems. A live CD contains a bootable OS: just insert it in the CD ROM, boot from it, and you can use it without any installation.
How to crack a Windows password?

Suppose we have got access to the SAM file and have the password hashes. Don't you think that is useless, because hashes cannot be converted back to plain text? Let's see what we can do.

We (I mean the automated tools) can actually do two things.

1. Clear/Change the password: clear the existing hash and put a new hash in its place (we know the algorithm that converts plain text to a hash) in order to change/clear the password. This is how Offline NT Password & Registry Editor works. It does not give you the original password but lets you change/clear it.

2. Crack the password: make a long list of all possible combinations of letters and numbers and convert them to hashes. Compare every hash with the hash obtained from the SAM file, and when one matches, the password is cracked. This is exactly how Ophcrack works. It ships with the hashes of many possible combinations of letters/numbers already computed, stored in tables called rainbow tables.