Recovering a Windows 7 password by cracking theSYSKEY and the SAM hive using Linux Ubuntu 11.10

UPDATE: Also works in Ubuntu 12.04

Carlos Cajigas MSc, EnCE, CFCE

Recently, while working on a case, I came across the need to look at a computer in a live manner. I wanted to see the computer boot up to get a better idea of how the computer was set up by the user. I sometimes do this so that I can either validate or disprove whether the user has a password protected account. Also, when you look at a computer live, there are many other discoveries that can be made as opposed to looking at an image of a dead box.

To avoid working on the original, I cloned the drive and placed a new cloned drive into the computer (We may discuss cloning a drive on another post). After the computer boots up, more often than not you will be greeted by the always annoying password protected screen. Document that the account is password protected and power off the computer. Since you don't know the password yet, that is all you can do for now.

By now you are probably asking yourself: Why go through the trouble of recovering the password, when I can just rename it or delete it using a boot CD like Hirens Boot CD. In the past, I have used password renaming software to get past the password log-in screen, but there are reasons why recovering the password might be worth it. One example is that when logging into a computer where the user has used Windows to encrypt files, not having the correct password will keep you locked out of those files.

In this article we are going to use two tools used to recover the password of a password-protected account on Windows 7. The tools that we will be using are bkhive and samdump2. We will be doing it using Linux Ubuntu 11.10. You are going to need the SYSTEM and SAM hive from the computer and an examination computer with Ubuntu 11.10 installed on it. Lets get started!

Our setup:

For the purposes of this article I used a computer that already had both of the operating systems that we will be using (Windows 7 and Ubuntu 11.10) installed on two different partitions of the hard drive. I logged into the Windows 7 partition and created a new account named “Test”, I password-protected that account with the password “Forensics1”. I chose a 10 digit password with an upper case letter, lower case letters and a number. A normal user would believe this to be a strong password. I logged off the “Test” account and turned off the computer. We will not be needing Windows anymore.

Installing the tools:

All of the tools that we are going to use are in the Ubuntu Software Center. Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.

After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen. Type in “bkhive” and click on the install button. You will be prompted for your root password. Enter your root password and wait for the program to install. Bkhive comes pre-bundled with samdump2. When you install one, the other is installed by default.

Now the next step is to prepare the folder where will be dumping the files that we create. Go to your desktop, right click on your desktop and select “create new folder”, name it “Test”.

Now open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.

Once the terminal window is open, we need to navigate to the previously created Test folder on the desktop. We will use the CD command to change directory into the desktop. Type the following into the terminal.

cd /home/carlos/Desktop/Test/

Replace “carlos” with the name of the user account you are currently logged on as. After doing so, press enter. You should receive these results.

carlos@XPS-M1330:~$ cd /home/carlos/Desktop/Test/carlos@XPS-M1330:~/Desktop/Test$

The dollar sign after Test indicates that “Test” is your current directory, exactly what we wanted. Now we need to extract the syskey out of the SYSTEM hive. The syskey is a utility that encrypts the hashed password information in the SAM hive. We are going to use the program bkhive and we are going to point it to the SYSTEM hive so that we can extract that key. The SYSTEM hive is located in “Windows/System32/config/” In our setup, I will have to navigate to my windows partition, I will use the following command to tell bkhive to look at the SYSTEM hive and extract the syskey into a txt file appropriately named syskey.txt into our current directory (which if you remember is the Test folder, located on the Desktop).

bkhive /media/8ADCBB5EDCBB42ED/Windows/System32/config/SYSTEM syskey.txt

After pressing enter, if everything worked, you should have received the following:

carlos@XPS-M1330:~/Desktop/Test$ bkhive /media/8ADCBB5EDCBB42ED/Windows/System32/config/SYSTEM syskey.txtbkhive 1.1.1 by Objectif Securitehttp://www.objectif-securite.choriginal author: ncuomo@studenti.unina.itRoot Key : CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}Default ControlSet: 001Bootkey: 90bb26a726a7bf1150f2edf4acb8382bcarlos@XPS-M1330:~/Desktop/Test$

Lets see if we have a file named syskey.txt in our current directory. For that we will use the LS command, which stands for list (files). Type “ls” and press enter.

carlos@XPS-M1330:~/Desktop/Test$ ls syskey.txtcarlos@XPS-M1330:~/Desktop/Test$

Notice that we are in the Test Directory and Yes, we do have a txt file in our directory named syskey.txt. You can open the file with a text editor and you will see unreadable characters.

Now we are going to use the program samdump2 to point it to both the SAM hive and the syskey.txt file so that it can use the syskey and extract the hashed passwords out of the SAM hive into our current directory into a file appropriately named hashes.txt. We will accomplish this with the following command.

samdump2 /media/8ADCBB5EDCBB42ED/Windows/System32/config/SAM syskey.txt > hashes.txt

After pressing enter, if everything worked, you should have received the following:

carlos@XPS-M1330:~/Desktop/Test$ samdump2 /media/8ADCBB5EDCBB42ED/Windows/System32/config/SAM syskey.txt > hashes.txtsamdump2 1.1.1 by Objectif Securitehttp://www.objectif-securite.choriginal author: ncuomo@studenti.unina.itRoot Key : CMI-CreateHive{C4E7BA2B-68E8-499C-B1A1-371AC8D717C7}carlos@XPS-M1330:~/Desktop/Test$

Lets see if we have a file named hashes.txt in our current directory. For that we will again use the LS command. Type ls and press enter.

carlos@XPS-M1330:~/Desktop/Test$ lshashes.txt syskey.txtcarlos@XPS-M1330:~/Desktop/Test$

Notice that we are still in the Test directory and Yes, we do have a txt file in our directory named hashes.txt along with the syskey.txt. You can now open the hashes.txt file with a text editor. Once opened, you will see a password hashdump for all of the users stored inside of the SAM hive. We are only interested in the previously created user profile that we called Test. Below is Test's hashdump.

Test:1003:aad3b435b51404eeaad3b435b51404ee:9b600b4e30254213f574bc7449524c12:::

The 32 character alphanumerical word, after the semi colon is the hash of the Test user password (9b600b4e30254213f574bc7449524c12). To crack the hash, find one of the many websites that offer free hash decrypting. For the purposes of this article, I used www dot xdecrypt dot com. Go to xdecrypt dot com and paste the hash into the top box.

Update:As of 01/13/2013 xdecrypt appears to be down.

Continued:Click on the “decrypter” button, and wait for the results. Xdecrypt had this hash stored and

provided us with the translation of this hash back into plain text.

9b600b4e30254213f574bc7449524c12(ntlm)=Forensics1

If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at carlos@epyxforensics.com.