Monday, February 18, 2008

If you have lost a Windows NT account password, the place to start is the SAM file. It lives under the system32 directory (winnt\system32\config\SAM) and holds the password hashes of the local accounts; recovering a password means getting hold of that file (or the hashes inside it) and cracking the hashes.

The tcl file and batch script that follow refer to a different SAM altogether: the Fermilab CDF data-handling system that CAF batch jobs use (setup sam -q prd, cdfsoft, AC++Dump). It shares nothing but the acronym with the Windows Security Account Manager; the Windows password material resumes after the script. The SAM tcl file would be:


module disable ConfigManager
talk DHInput
# Adjust the max files to ensure you dont time out!
maxFiles set 40
include dataset $env(SAM_DATASET)
cache set SAM
show include
exit

The command cache set SAM is the analogue of the DCache one and indicates that we want SAM to manage access to this particular dataset. Disabling the ConfigManager is needed so the program does not crash after waiting for a tape and losing its database connection. Since files are delivered automatically to each process, and since it can take time for processes to start, you must make sure that the maximum number of files any process receives can be processed within the time allowed for the batch queue. For example, if 15 files take 30 minutes (a typical AC++Dump time), then 60 files is the most the short queue (2 hours) can handle, so set maxFiles to 50 or 55 to be on the safe side. If you have 690 files in your dataset (as jbot0h does), you need 13 processes and would submit "from 1 to 13"; since CAF puts 10 processes in a section, you may want to submit 1 to 20.
The shell script (caf_sam.sh) one would use to run a SAM job would look like:

#!/bin/sh

# Normal cdfsoft setup
...
#SAM setup
setup sam -q prd
export CDF_USER_NAME=stdenis
# For Beta testing, please use this!
export SAM_INPUT_DEBUG=1
# Analysis execution command, clean up, etc
...

The only difference from a normal CAF script is that you have to set up sam explicitly.

Back to the Windows SAM: you can also copy the SAM file to a floppy from DOS and use L0phtCrack to crack the password hashes it holds. The L0phtCrack 2.0 documentation describes how:

Introduction
L0phtCrack is designed to recover passwords for Windows NT. NT does not store the actual passwords on an NT Domain Controller or Workstation; instead it stores cryptographic hashes of the passwords (the LM hash and the NT hash). L0phtCrack takes those hashes and recovers the cleartext passwords from them by dictionary and brute-force search.

Installation
Unzip the distribution archive, lc2exe.zip, into a directory. Create a shortcut to the executable l0phtcrack.exe (or l0phtcrack95.exe for Win95) and you are done, unless you want to use the network sniffing feature.

To do network sniffing you need to install an NDIS network driver. This driver only works on Ethernet network devices. Go to the Network settings in the Control Panel, select the Protocols tab and press Add... Press Have Disk... and specify the directory where you installed L0phtCrack, which is where the Oemsetup.inf file is. You will need to restart before the new driver takes effect.



Accessing the Password Hashes
Before the passwords can be computed you need to retrieve the password hashes. There are three main methods to get them: from the registry directly, from a SAM file on disk, or by sniffing the network.
Dumping From the Registry
If you have administrator privileges you can get the password hashes using the 'Tools Dump Passwords from Registry' command. Specify a computer name or IP address in the format \\computername or \\ipaddress. NT can be configured to disallow remote access to the registry over the network, so you may need to be on the local machine if this is the case. Microsoft introduced the SYSKEY utility in NT SP3. If SYSKEY is running, the password hashes are encrypted in the registry and cannot be retrieved in this manner. (pwdump2, listed at the end of this page, later got around this by reading the hashes from inside the LSASS process instead of from the registry, which still requires administrator rights on the box.)

If you are using a non-english language version of NT your version may use a different word for Administrators. If so you need to modify a registry key to get Dump Passwords to work. Run regedit.exe and edit the value of the key:

HKEY_CURRENT_USER\Software\LHI\L0phtCrack\AdminGroupName

Set it to your language version of 'Administrators'.



Extracting From a SAM File
The next method is new in L0phtCrack 2.0. You can retrieve the password hashes from the SAM file on the hard disk, from an NT Emergency Repair Disk, or from a backup tape. The NT registry is actually stored in several files on the system disk in the d:\winnt\system32\config directory; SAM is one of them.

These files cannot be copied while NT is running since the operating system holds them open exclusively. If you have physical access you can boot the machine from a DOS floppy and use a program such as NTFSDOS (http://www.ntinternals.com/ntfs20r.zip) to copy the SAM file from d:\winnt\system32\config to a floppy disk. You can then use the L0phtCrack command 'File Import SAM' to extract the password hashes from it. (Anyone who can boot a machine from removable media can take the SAM this way; no account password protects against it.)

Another place to find the SAM file that doesn't require rebooting the machine is the d:\winnt\repair directory or an Emergency Repair floppy disk. Whenever a repair disk is made, the contents of the SAM in the registry are saved and compressed into the file 'sam._'. This copy is only as current as the last time the repair information was updated, so recently changed passwords may be missing from it. The file can be uncompressed with the command:

expand sam._ sam
The expanded SAM file can be imported into L0phtCrack.

The SAM file is also backed up onto tape when a full backup is performed. If you have access to a backup tape you can restore the SAM file from d:\winnt\system32\config to another machine and import it into L0phtCrack.

If SYSKEY from NT 4.0 SP3 is installed, the hashes in all of these SAM files are encrypted and cannot be read by L0phtCrack 2.0. (The key SYSKEY uses is derived from the SYSTEM hive in the same config directory; later tools decrypt such a SAM offline when SYSTEM is copied along with it, so treat the pair as equally sensitive.)

Sniffing on the Network
If SYSKEY is installed and you have neither network access to the registry nor physical access, don't fret: there is a third method for obtaining password material, network sniffing. It requires that you are on the same physical network segment as the user or the resource they are accessing; what is captured is the SMB challenge/response exchange of the logon, which L0phtCrack can then attack. The sniffer, readsmb.exe, included with L0phtCrack 2.0 only works on Windows NT 4.0.

Follow the instructions in the Install section for installing the network driver necessary for using the network sniffer.

The network sniffer is a command line program named readsmb.exe. Run it and redirect its output to a file with the command:

readsmb > passwd

You probably want to let this run for a day or so to collect enough password hashes. You can then open this file into L0phtCrack using the command File Open.

Readsmb.exe also has a verbose mode, enabled with the -v option (readsmb -v). This output is not formatted for opening in L0phtCrack, but it may be useful to you. On slow machines the -v option may cause readsmb to miss some packets, so it is really just for debugging and exploring.



Computing Passwords
So now that you have the password hashes loaded into L0phtCrack you want to start computing. You start computing by using the command Tools Run. The default options are set to first run a dictionary computation using the default dictionary, words-english, that comes with the L0phtCrack distribution, and then run a brute force computation using the default character set, A-Z. The uppercase-only character set is enough for LM hashes because the LM algorithm uppercases the password before hashing it; NT hashes are case-sensitive and need a larger character set.

L0phtCrack will save the state of the computation every 5 minutes to a .LC file.

The Tools Options menu command lets you select whether you want to do a dictionary attack and/or a brute force attack.
Password Crackers
NTFSDOS - (http://www.sysinternals.com)

pwdump2 - (http://www.webspan.net/~tas/pwdump2/)

John the Ripper - (http://www.openwall.com/john/)

L0phtCrack - (http://www.atstake.com/research/lc3/)

chntpw - (http://home.eunet.no/~pnordahl/ntpasswd/)