Hello, viewers. Welcome to Post Exploitation: Hacking, Persistence and Continued Access. As always, it's me, Joseph Perry, and you're watching this on Cybrary.it.
In this video we're going to do a very quick and brief overview of grabbing passwords out of Windows.
Part of why we're doing a quick overview is that most of the best tools for doing this are proprietary,
and most of the best places to find them
aren't ones you're going to gain access to very easily. However, I did want you to get a sense of at least some of the tools that exist and some of the ways people
go about finding passwords.
The first one we're going to do, and it's really a very simple one,
is an application
(let me click in there)
called pwdump7.exe. It is what it sounds like: a password-dumping program. It knows where Windows keeps the password hashes in the registry (the SAM hive), reads them out,
and dumps the hashes to the screen.
It's very straightforward. Windows 7 stores an NTLM (NT) hash. It's a tricky hash to brute-force, and note that, unlike the salted hashes we saw on Linux, the NT hash is not salted, so two accounts with the same password get the same hash. Even so, cracking a decent Windows password outright is typically
somewhat rare. The surest method for getting past a Windows password is physical access to the box: boot a live CD and manually modify things. But obviously not everyone can do that.
The alternative, as we discussed in the Linux video, is rainbow tables: get the NTLM hash and then use an NTLM cracker with your
word file or your dictionary to do the attack.
Lots of tools exist for this, things like L0phtCrack and John the Ripper. There are plenty of tools out there that can do it. Most of them get flagged by
Windows and by any antivirus. So if you have an exploit you can throw against the antivirus, I recommend doing it. Alternatively, if you've got an RDP session up,
you can pretty easily point and click to turn it off, and, you know,
click through the error messages with no problem.
Which again is why RDP is basically cheating in this business. But without any further ado, we're going to go ahead and run this program. We hit Enter
and see an error pop up. This is because this computer is used to demonstrate lots of hacking-related things, and I've done some really horrible things to it in the process. So ignore this; you probably won't see it. If you do, go ahead and run chkdsk /F.
Anyway, it says "no password", but it actually finds passwords. Obviously these are
NTLM hashes, as I mentioned. The program goes in and dumps the hash for every one of these accounts. But
you will find occasionally,
and account three on this machine is one, an account that actually has no password,
no password enabled. So if that account is one you've identified as active and usable, you now know you can gain access. There's also a useful thing this does, in that it lets us identify which accounts are which.
This right here is the user ID (the RID) for the account.
You saw we had an almost identical field on Linux that identified users.
What's handy is that if you know a little bit about Windows, you know what this means:
500 is the Administrator account, which they cleverly named as you'd expect,
and 501 is the Guest account.
Which explains why there's no password: it's the Guest account.
Then we see everyone else is, to some degree or another, just a user. Not super helpful on its own, but if you want to crack passwords, you now know
which hash your target password sits behind:
any admin account hashes are the ones you're going to want to target first.
You never know, you may actually crack one. Admins are notorious for using terrible, terrible passwords.
It's sort of a weakness. Part of it comes from the sense of "I'm a sysadmin, I don't do insecure practices, no one's ever going to hack me", which is what every user thinks. But
admins don't have anyone there to tell them they're being stupid for it, so they usually go ahead and do it.
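As an added example (not code from the video), here is a Python script that does the two things just described: it parses pwdump-style output, flags the well-known RIDs 500 and 501 and any account whose NT hash is the hash of an empty password, and then runs a dictionary attack against the NT hashes. The dump lines and the word list are constructed for the example. Because the NT hash is an unsalted MD4 of the UTF-16LE password, each candidate word is hashed once and compared against every account at the same time; MD4 is implemented in pure Python so the script runs on builds of OpenSSL 3 that ship md4 only in the legacy provider.

```python
"""Triage a pwdump-style hash dump and run a dictionary attack on NT hashes.

Added example, not code from the video. The SAMPLE_DUMP lines and
SAMPLE_WORDLIST below are constructed for illustration.
"""
import struct

MASK32 = 0xFFFFFFFF
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
# MD4 of an empty UTF-16LE string: the NT hash of a blank password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data):
    """Pure-Python MD4 (RFC 1320); avoids depending on hashlib's optional md4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, shift cycle, word order) per round
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so 'a' is always the one updated
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)). No salt: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text):
    """Parse 'user:RID:LM hash:NT hash:::' lines into dicts; skip anything malformed."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def triage(accounts):
    """Tag the accounts worth looking at first: well-known RIDs and blank passwords."""
    notes = {}
    for acct in accounts:
        tags = []
        if acct["rid"] in WELL_KNOWN_RIDS:
            tags.append(WELL_KNOWN_RIDS[acct["rid"]])
        if acct["nt"] == EMPTY_NT_HASH:
            tags.append("empty password")
        notes[acct["user"]] = tags
    return notes


def dictionary_attack(accounts, wordlist):
    """Hash each candidate once; with no salt one hash is checked against every account."""
    lookup = {nt_hash(word): word for word in wordlist}
    return {a["user"]: lookup[a["nt"]] for a in accounts if a["nt"] in lookup}


# Constructed sample dump: Administrator uses "password", Guest is blank,
# alice uses a passphrase that is not in the word list.
SAMPLE_DUMP = (
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\n"
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("correct horse battery staple") + ":::\n"
)
SAMPLE_WORDLIST = ["123456", "password", "letmein", "Password1"]

if __name__ == "__main__":
    accts = parse_pwdump(SAMPLE_DUMP)
    for user, tags in triage(accts).items():
        print(f"{user:<14} {', '.join(tags) or 'ordinary user'}")
    print("cracked:", dictionary_attack(accts, SAMPLE_WORDLIST))
```

Running it prints the triage table (Administrator flagged by RID, Guest flagged by RID and blank password) and then `cracked: {'Administrator': 'password'}`; alice survives because her passphrase is not in the list, which is the whole point of a long password against an unsalted but fast hash.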
There's one other thing I want to show you, and I've opened another window, sort of pre-cooked, so to speak.
It's kind of tricky to find. We see
the stuff I did up here, but right here
is what I wanted to show you:
the directory C:\Users\<username>\AppData\Roaming\Microsoft\Credentials.
You see that this is
not an NTLM hash like we saw before; it's
a file that holds stored user credentials, including passwords the user has saved.
Obviously it's encrypted (Windows protects these blobs with DPAPI), and the file name tells you nothing about what's inside.
But if you wanted to dig into this, it would be a good place to point your cracker and see if you could get anything out of it.
You never know. There are other places you can look, as you see here.
So we'll go ahead and copy this over to the admin window I have open. I can click properly...
No, that's not what I wanted at all.
All right, we'll do this the hard way, then.
See, there I've got Stack Overflow open. Great website, by the way, if you've never used it. It's got a lot of
things, a lot of questions, and you can get an answer there.
There's, I should say, never any shame in admitting you don't know something because, frankly,
someone else has also not known it in the past.
I see lots of stuff in here: config, okay.
So we do see some interesting things here. There's SAM, there's SAM.LOG, there's SECURITY, SECURITY.LOG, SOFTWARE, SYSTEM. These are the registry hive files; they contain
that information. So if you wanted to see something really interesting...
there you go: it can't actually access the SAM because it's in use, obviously, by the registry.
But if you've got some means of gaining access to it, or of shutting the registry down, that's useful. It's also useful just to know where the SAM is. The SAM is one of the files that contains
all sorts of information; the password hashes are stored in it, things like that. This is also useful because it shows us where all the .LOG files are (these are the hives' transaction logs, not the Windows event logs).
So if we get access, we can go in here and eliminate these logs. If we wanted to do a denial of service, we could
get SYSTEM control and just erase one of these files, and you're pretty much done.
But as you can see, in our current state we're not able to access the SAM, and that's kind of a big deal
in terms of: you can't just go straight into the SAM for the password. You can try reg queries, you can see a few things that way.
There's also the regedit program if you've got to do it, and you can cheat.
But in general, finding passwords by hunting through the registry: if they've got any sort of security up, they're going to know you went after that area, and it's just a bad way to go.
Which brings us back to an important note.
This pwdump7 here
is not at all new. It's not something secret; it's something everyone knows about. I actually had to turn off the antivirus on this machine before I downloaded it, as I mentioned.
But there are things you can do to avoid that. If you have programming experience, you can take the code from it, or similar code, and modify it to escape the signatures. You can wrap it in another executable that will
pull it in. There are all sorts of higher-level things you can do.
But this, like most of the tools you're going to use, will be busted by antivirus if you just download it by itself.
So I recommend not doing that.
So passwords in Windows are stored in a more secure manner than what we saw on Linux. They're a little bit harder to reach, and they're much harder to crack.
If you've got money to devote to the project, there are plenty of great for-pay password crackers out there. If you're just looking to
try things out and test them, there are NTLM crackers you can find on Google. Most of them are proprietary, or in some way licensed, so I won't say any names here. No advertising bucks for me,
but yeah, it's always worth looking up, and it's always worth examining. And as every time I touch the registry or come near the registry, I recommend you open
this right here, regedit,
on your own machine and play with the registry. Look around, see what's in there. It's something worth familiarizing yourself with, and you never know what you might find: hashed passwords, what have you.
Until next time, your host, me, Joseph Perry. I hope you've enjoyed this video on Windows passwords.