I am in a network security class and our first real assignment is to hack into another student's work station hard drive.
The instructor took all our work station hard drives, relabeled them, and distributed them out to us. So we have physical access to the drives.
Now for the grading.
1: Top points for finding the Administrator password for the box.
2: Getting in and out again without changing the admin password.
3: Passing grade for just being able to get in.
4: Can't get in you get no points.
So the first thing I do is gather the tools. The software I pick up is:
Ophcrack
Slax
Bart PE
LC5
LCP
Cain & Abel
Offline NTPW
(disclaimer: I have no experience with any of this software nor the concepts behind them at this time)
So this morning I had some time before work and went to the lab to try and hack this thing. First thing I run is Ophcrack and that gives me the user names and surprisingly enough the Administrator password of 123456.
My first thought is that this has to be a bogus account, so I proceeded to use Bart PE so I can get to the hash files. I find the hash files no problem and copy them to my flash drive.
I figured I may as well try the admin login just to see. I fully expected it to be a disabled account. Upon boot up he had the generic windows xp login screen with his name as the only user. I control-alt-delete twice and get the login prompt and put in the administrator and the password of 123456.
It worked. So I am in and I am thinking I'll just run my LC5 right on the machine instead of moving to a different one to crack the passwords. I load the program and it tells me that I need to have admin rights to run this program. I figured at this point I am kind of screwed if I want to run it on the drive itself, but I figured I'd go to the user groups and see if I can't add a user for shits and giggles. I open up the Administrators group and there it was, the Administrator account. I was kind of shocked. So I start the program and found that while his Administrator password was easy enough to get (top points btw) his user password was tougher. As in over 14 chars. So I tried to see if I could crack it in the time I had (about 30 minutes), knowing that wasn't likely, but hey, if I got lucky enough to get a sucker who didn't change his admin name or at least give it a decent password, I may get lucky here.
Nope. So I took the hashes I collected (sam, security, system) and went to work. I have been running a hybrid attack using LCP (LC5 wouldn't load for some reason) against the nthash. It has been about 7 hours now and I am only 18% through all the combos. I am sensing that I will be running this all weekend. I really want to get this password so I can feel as if I accomplished something. My class is on Monday night.
So I come here now asking if there is a better tool out there that I can use to beat this password?
Tools of the trade for Hacking
- Bubba Grizz
Re: Tools of the trade for Hacking
Nah, in the past you could attack the LanMan hash instead of the Kerberos password, but you don't get that past 2000 or in "compatibility mode", and your tools would probably already be doing that if they could. (The LanMan hash was in groups of 7, which made the complexity of a 14 char password O2 instead of O^2.)
May 2003 - "Mission Accomplished"
June 2005 - "The mission isn't easy, and it will not be accomplished overnight"
-- G W Bush, freelance writer for The Daily Show.
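The reply above is about why the LanMan (LM) hash is so much cheaper to attack than the NT hash, and it also explains the original poster's experience with a user password of more than 14 characters. This added example (not from the thread) shows the LM pre-processing step and compares the resulting work factors; the character-set sizes (68 for LM after upper-casing, 95 printable for NT) are assumptions for the estimate.

```python
import string
from math import log2

# Assumed alphabets for the estimate (constructed for this example):
# LM upper-cases the password first, so lowercase letters collapse into uppercase.
LM_CHARSET = string.ascii_uppercase + string.digits + string.punctuation   # 68 chars
NT_CHARSET = string.ascii_letters + string.digits + string.punctuation + " "  # 95 chars

LM_MAX_LEN = 14
LM_HALF = 7


def lm_halves(password: str):
    """LM pre-processing: upper-case, pad with NULs to 14 bytes, split into two
    7-byte halves that are hashed independently. Returns None for passwords longer
    than 14 characters, because Windows stores no LM hash for those at all."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().ljust(LM_MAX_LEN, "\x00")
    return padded[:LM_HALF], padded[LM_HALF:]


def lm_work(password_len: int) -> int:
    """Candidates needed to recover an LM-hashed password of this length.
    The two halves are attacked separately, so their costs add rather than multiply.
    An all-padding second half costs 1 (it is a fixed, known value)."""
    if password_len > LM_MAX_LEN:
        return 0  # no LM hash stored, nothing to attack this way
    first = min(password_len, LM_HALF)
    second = max(password_len - LM_HALF, 0)
    n = len(LM_CHARSET)
    return n ** first + n ** second


def nt_work(password_len: int) -> int:
    """NT hash covers the whole password at once: the full keyspace applies."""
    return len(NT_CHARSET) ** password_len


def compare(password_len: int) -> dict:
    """Work factors in bits for the two hashes at a given password length."""
    lm = lm_work(password_len)
    return {
        "lm_bits": log2(lm) if lm else None,   # None: LM hash not stored
        "nt_bits": log2(nt_work(password_len)),
    }


if __name__ == "__main__":
    for length in (6, 8, 14, 15):
        print(length, compare(length))
```

At 14 characters the LM side is roughly 2 * 68^7 (about 44 bits of work) against about 92 bits for the NT hash, and at 15 characters the LM hash disappears entirely, which is why long passwords, or simply disabling LM hash storage, matter on these systems.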
Re: Tools of the trade for Hacking
Most hackers wouldn't bother with any other passwords if they have the admin password. Install a rootkit with keylogger and telnet and just wait for them to log in. Sign in later and pick it up. If the guy has a 14 digit password then it is going to be pretty hard to crack that bitch with brute force techniques.
A properly installed rootkit is nearly impossible to detect.
Deward
- Boogahz
Re: Tools of the trade for Hacking
It sounded like the drives were completely removed, so a keylogger may not be of much use if nobody but the one hacking it would be accessing the drive.
- Bubba Grizz
Re: Tools of the trade for Hacking
Well, as it turns out, only I and one other person were able to do the "A" work. This is mainly because the drives we cracked belonged to stupid people. My teacher basically said that he didn't expect anyone to be able to do it other than how it was already done (working on a stupid person's drive). However, he did say: why bother trying to brute force an admin password when you can wipe it, when stealth and finesse are not needed.
Got a new tool this week. Backtrack 2. Very nice.