Recovering a Windows 7 password by cracking the SYSKEY and the SAM hive using Linux Ubuntu 11.10

UPDATE: Also works with Ubuntu 12.04
     
Recently, while working on a case, I came across the need to look at a computer in a live manner.  I wanted to see the computer boot up to get a better idea of how the computer was set up by the user.  I sometimes do this so that I can either validate or disprove whether the user has a password protected account.  Also, when you look at a computer live, there are many other discoveries that can be made as opposed to looking at an image of a dead box.

     To avoid working on the original, I cloned the drive and placed the cloned drive into the computer (we may discuss cloning a drive in another post).  After the computer boots up, more often than not you will be greeted by the always annoying password-protected log-in screen.  Document that the account is password protected and power off the computer.  Since you don't know the password yet, that is all you can do for now.

     By now you are probably asking yourself: why go through the trouble of recovering the password when I can just reset it or delete it using a boot CD like Hiren's BootCD?  In the past, I have used password-resetting software to get past the log-in screen, but there are reasons why recovering the password might be worth it.  One example is a computer where the user has used Windows to encrypt files: without the correct password you will remain locked out of those files.

     In this article we are going to use two tools to recover the password of a password-protected account on Windows 7.  The tools are bkhive and samdump2, and we will run them on Linux Ubuntu 11.10.  You are going to need the SYSTEM and SAM hives from the computer and an examination computer with Ubuntu 11.10 installed on it.  Let's get started!

Our setup:

     For the purposes of this article I used a computer that already had both of the operating systems we will be using (Windows 7 and Ubuntu 11.10) installed on two different partitions of the hard drive.  I logged into the Windows 7 partition and created a new account named “Test”, which I password-protected with the password “Forensics1”.  I chose a 10-character password with an upper-case letter, lower-case letters and a number.  A normal user would believe this to be a strong password.  I logged off the “Test” account and turned off the computer.  We will not be needing Windows anymore.

Installing the tools: 

     All of the tools that we are going to use are in the Ubuntu Software Center.  Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.

     After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen.  Type in “bkhive” and click on the install button.  You will be prompted for your root password.  Enter your root password and wait for the program to install.  Bkhive comes pre-bundled with samdump2.  When you install one, the other is installed by default. 

     The next step is to prepare the folder where we will be dumping the files that we create.  Go to your desktop, right-click on it, select “create new folder” and name it “Test”.

     Now open a Terminal Window.  In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.

     Once the terminal window is open, we need to navigate to the previously created Test folder on the desktop.  We will use the cd command to change directory into that folder.  Type the following into the terminal.

cd /home/carlos/Desktop/Test/ 

     Replace “carlos” with the name of the user account you are currently logged on as.  After doing so, press enter.  You should receive these results. 

carlos@XPS-M1330:~$ cd /home/carlos/Desktop/Test/
carlos@XPS-M1330:~/Desktop/Test$    

     The prompt now shows ~/Desktop/Test before the dollar sign, which means “Test” is your current directory, exactly what we wanted.  Now we need to extract the syskey out of the SYSTEM hive.  The syskey (also called the boot key) is the key Windows uses to encrypt the hashed password information stored in the SAM hive, so without it the hashes cannot be read.  We are going to point the program bkhive at the SYSTEM hive so that it can extract that key.  The SYSTEM hive is located in “Windows/System32/config/”.  In our setup, I have to navigate to my Windows partition, which Ubuntu has mounted under /media/.  I will use the following command to tell bkhive to read the SYSTEM hive and write the syskey into a file appropriately named syskey.txt in our current directory (which, if you remember, is the Test folder on the Desktop).

bkhive /media/8ADCBB5EDCBB42ED/Windows/System32/config/SYSTEM syskey.txt 

     After pressing enter, if everything worked, you should have received the following: 

carlos@XPS-M1330:~/Desktop/Test$ bkhive /media/8ADCBB5EDCBB42ED/Windows/System32/config/SYSTEM syskey.txt
bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo at studenti.unina.it
Root Key : CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}
Default ControlSet: 001
Bootkey: 90bb26a726a7bf1150f2edf4acb8382b
carlos@XPS-M1330:~/Desktop/Test$ 

     Let's see if we have a file named syskey.txt in our current directory.  For that we will use the ls command, which lists the files in a directory.  Type “ls” and press enter.

carlos@XPS-M1330:~/Desktop/Test$ ls
syskey.txt
carlos@XPS-M1330:~/Desktop/Test$ 

     Notice that we are still in the Test directory and, yes, we do have a file in our directory named syskey.txt.  You can open the file with a text editor, but you will only see unreadable characters: the file holds the raw binary key, not text.

     Now we are going to point samdump2 at both the SAM hive and the syskey.txt file so that it can use the syskey to extract the hashed passwords out of the SAM hive into a file in our current directory, appropriately named hashes.txt.  We will accomplish this with the following command.

samdump2 /media/8ADCBB5EDCBB42ED/Windows/System32/config/SAM syskey.txt > hashes.txt

     After pressing enter, if everything worked, you should have received the following:

carlos@XPS-M1330:~/Desktop/Test$ samdump2 /media/8ADCBB5EDCBB42ED/Windows/System32/config/SAM syskey.txt > hashes.txt
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo at studenti.unina.it
Root Key : CMI-CreateHive{C4E7BA2B-68E8-499C-B1A1-371AC8D717C7}
carlos@XPS-M1330:~/Desktop/Test$

     Let's see if we have a file named hashes.txt in our current directory.  For that we will again use the ls command.  Type ls and press enter.

carlos@XPS-M1330:~/Desktop/Test$ ls
hashes.txt  syskey.txt
carlos@XPS-M1330:~/Desktop/Test$

     Notice that we are still in the Test directory and, yes, we do have a file in our directory named hashes.txt along with syskey.txt.  You can now open the hashes.txt file with a text editor.  Once opened, you will see a password hash dump for all of the users stored inside the SAM hive.  We are only interested in the previously created user profile that we called Test.  Below is Test's line from the dump.

Test:1003:aad3b435b51404eeaad3b435b51404ee:9b600b4e30254213f574bc7449524c12:::

     The 32-character hexadecimal string after the third colon is the NT hash of the Test user's password (9b600b4e30254213f574bc7449524c12).  To crack the hash, find one of the many websites that offer free hash lookups (usually advertised as hash “decrypting”).  For the purposes of this article, I used www.xdecrypt dot com.  Go to www.xdecrypt dot com and paste the hash into the top box.  Click on the “decrypter” button, and wait for the results.  Xdecrypt had this hash in its database and returned its plain-text translation.

9b600b4e30254213f574bc7449524c12(ntlm)=Forensics1

     If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you.  Please post your comments or email the author of this article at carlos@epyxforensics.com.

Comments

Good work.

Nice article. Good solution to a problem I have run into before.

Awesome write up. Very clear instructions and excellent screen shots. Keep up the good work!

Great article with nice step by step instruction. Very nice site, keep up the good work

Great job on the walkthrough. Very comprehensive!

Another well written and useful technical work.
Thanks Carlos !

Hey Carlos,

Good article - very well laid out and comprehensive.

Another option worth mentioning is that you could achieve similar results by booting a live CD (or flash drive which would be faster) on the cloned system to extract the syskey and hashes. Of course, if doing this using this setup, you'd need to write the extracted information to another flash drive before shutting down or rebooting to save it once done.

Thanks!

Very good suggestion!  Thanks. 

Nice work Carlos. Good Step-by-Step articles like this one can certainly help save time. I'm definitely going to add EPYX Blog to my Resource list for future reference. Thanks again.

You can also use chntpw to clear the password, which takes only two minutes.
Try it. It is the best solution.

Valid point, thanks.  Yes, deleting it is easier, but as mentioned in P3, this procedure is used when you wish to recover the PW.

The dollar sign after the current directory actually indicates that you are operating as a non-root user. If you happen to log in as root, you will notice that the dollar sign is instead a '#' pound sign. Otherwise, great article!
