Tuesday 27 December 2011

Using SIFT to Crack a Windows (XP) Password from a Forensic Image

In the previous post, we focused on retrieving Windows login passwords from a memory dump using Volatility.

But what happens if you don't have a memory dump and only have a forensic image of the hard drive?

Well, Rob Lee has kindly provided the tools in the SANS SIFT (V2.12) workstation and Irongeek has previously posted a how-to guide. Additional information is also available in "Windows Registry Forensics" by Harlan Carvey (p 95), which describes other tools that can be used to crack Windows passwords (e.g. pwdump7, Cain, ophcrack).

For this exercise, we will be using the M57 Jean image (mounted as before) and seeing if we can extract any Windows passwords.
Windows (XP) uses a "bootkey" to encrypt the SAM password hashes, so we need to determine this first (using bkhive). We can then retrieve the decrypted password hashes (using samdump2) and crack them using John the Ripper.

Note: With this knowledge comes great responsibility - seriously, please don't abuse it.

At a terminal command prompt:
1. Type "bkhive /mnt/m57jean/WINDOWS/system32/config/system saved-system-key.txt"

which should give the following output:

bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : $$$PROTO.HIV
Default ControlSet: 001
Bootkey: 02d709efb8514a2fc7474b28a30e0180


The "saved-system-key.txt" file now contains the bootkey.

2. Type "samdump2 /mnt/m57jean/WINDOWS/system32/config/SAM saved-system-key.txt > jean-passwords.txt" to extract the hashes and store them in "jean-passwords.txt".

The screen output looks something like:

samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : SAM


And we can view the contents of "jean-passwords.txt" by typing "more jean-passwords.txt":

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:c3bdfc311d5a1fc504f78d8f541b1278:ec90e2f6d084b8da1fd45605f51770a6:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b4bc4c178aa19d6a32960f64e16b6944:::
Kim:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jean:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Addison:1005:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Abijah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Devon:1007:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Sacha:1008:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::


Note: looking at the first hash group ("aad3b435b51404eeaad3b435b51404ee") for each login suggests that they all have the same password except for "HelpAssistant".

3. Type "john jean-passwords.txt" to brute force the password hashes. You might need to copy "john.conf" to the local directory if you haven't already done this (see step 8 of the previous post's exercise).

The output should be something similar to:

Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
guesses: 0  time: 0:00:00:35 (3)  c/s: 9522K  trying: JD43877 - JD43804
guesses: 0  time: 0:00:01:36 (3)  c/s: 12533K  trying: MDLIDL - MDLA39
guesses: 0  time: 0:00:01:48 (3)  c/s: 12610K  trying: H2OUB1$ - H2OUGY!
guesses: 0  time: 0:00:13:20 (3)  c/s: 15198K  trying: EL3CFR9 - EL3CFSU
guesses: 0  time: 0:00:19:48 (3)  c/s: 15325K  trying: VWATIBN - VWATLA.
guesses: 0  time: 0:00:27:03 (3)  c/s: 15364K  trying: 4VA1RWW - 4VA1TA4
guesses: 0  time: 0:00:27:09 (3)  c/s: 15367K  trying: R318IP8 - R318I2T
guesses: 0  time: 0:00:37:19 (3)  c/s: 15617K  trying: 3LP7VNZ - 3LP7V40
2KPLRCM          (HelpAssistant:2)
guesses: 1  time: 0:00:39:55 (3)  c/s: 15300K  trying: KMX1MP1 - KMX1MCS
guesses: 1  time: 0:00:48:17 (3)  c/s: 14007K  trying: GMEL-1D - GMEN315
guesses: 1  time: 0:01:00:39 (3)  c/s: 12784K  trying: IEH;G F - IEHKIQN
guesses: 1  time: 0:01:07:02 (3)  c/s: 12274K  trying: HX0RW8F - HX0RJE0
guesses: 1  time: 0:01:16:48 (3)  c/s: 11733K  trying: J SJF5Y - J SJFP5
guesses: 1  time: 0:01:26:37 (3)  c/s: 11303K  trying: LL*MKH0 - LL*MKT2
guesses: 1  time: 0:01:30:49 (3)  c/s: 11166K  trying: MKGU97X - MKGU90L
guesses: 1  time: 0:02:03:45 (3)  c/s: 10335K  trying: LT8HFGI - LT8HFMG
guesses: 1  time: 0:02:21:02 (3)  c/s: 10011K  trying: K_)LILG - K_)LLS&
guesses: 1  time: 0:02:22:42 (3)  c/s: 9970K  trying: ZW6RCD@ - ZW6RB5Z


and if you keep waiting ... eventually (several hours later on my VM):

LL@1WI8          (HelpAssistant:1)

4. Typing "john -show jean-passwords.txt" will show the results in full:

Administrator::500:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest::501:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:LL@1WI82KPLRCM:1000:ec90e2f6d084b8da1fd45605f51770a6:::
SUPPORT_388945a0::1002:b4bc4c178aa19d6a32960f64e16b6944:::
Kim::1003:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jean::1004:31d6cfe0d16ae931b73c59d7e0c089c0:::
Addison::1005:31d6cfe0d16ae931b73c59d7e0c089c0:::
Abijah::1006:31d6cfe0d16ae931b73c59d7e0c089c0:::
Devon::1007:31d6cfe0d16ae931b73c59d7e0c089c0:::
Sacha::1008:31d6cfe0d16ae931b73c59d7e0c089c0:::

11 password hashes cracked, 0 left


So we can conclude that there was only one set password ("LL@1WI82KPLRCM" for "HelpAssistant"). It appears that all other logins did not use a password - Oh The Horror!
We can then infer that access to the Windows system is/was effectively uncontrolled and anyone could have access, which plants some seeds of doubt when trying to attribute a user's activities.
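
The hash comparison from the note in step 2 can be done for every account at once. The following Python script is an added example, not part of the original post or of the SIFT tools: it parses the samdump2 output format and compares both hash fields against the well-known LM and NT hashes of an empty password. The function names and status labels are assumptions made for illustration; the sample lines are copied from the "jean-passwords.txt" listing above.

```python
import re

# Well-known hashes of an empty password (LM field and NT field respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One samdump2 record: user:rid:lm:nt::: with both hashes as 32 hex digits.
RECORD = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

# Sample input: four lines copied from the jean-passwords.txt listing above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:c3bdfc311d5a1fc504f78d8f541b1278:ec90e2f6d084b8da1fd45605f51770a6:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b4bc4c178aa19d6a32960f64e16b6944:::
Jean:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

def parse_line(line):
    """Return (user, rid, lm, nt) or None if the line is not a valid record."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.lower(), nt.lower()

def classify(lm, nt):
    """Status labels are illustrative names chosen for this example."""
    if nt == EMPTY_NT:
        return "blank"      # NT field is the hash of an empty password
    if lm == EMPTY_LM:
        return "nt-only"    # password set, but no LM hash stored for it
    return "lm+nt"          # password set and an LM hash is stored too

def triage(text):
    """Map each account name in samdump2 output to its status label."""
    report = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            user, _rid, lm, nt = rec
            report[user] = classify(lm, nt)
    return report

if __name__ == "__main__":
    for user, status in triage(SAMPLE).items():
        print(f"{user:<18}{status}")
```

A status of "nt-only" means the NT field holds a non-empty hash while the LM field holds the empty value, so an LM-format cracking run has nothing to work on for that account.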

A quicker password cracking method would be to use ophcrack (also provided on SIFT) and download the XP rainbow table(s). The rainbow table contains pre-calculated results to compare the hashes to so the process should run much quicker.
Looking at the ophcrack tables info page shows that we would need to use the XP Special (7.5 Gb) table to handle the special "@" character in the "HelpAssistant" password.
This table is not free so that's where I'll choose to end this exercise (cheap b@stard!). The smaller free tables only handle upper and lower case letters and numbers - no special characters. Just for completeness, I'll probably do a future post about ophcrack using the hashed SAM passwords from the Volatility post - none of those passwords use special characters.