B-Con
Windows Password Cracking Via DOS
• Posted by Brad Conte on August 8, 2004
• Post Categories: Security
Suppose there’s a Windows NT-based machine that you (for some reason of no concern to me) want to access but: a) you do not have the necessary password, or b) you only have a limited account on the machine and want the administrative password. (This tutorial can be expanded to file recovery as well. Or perhaps you need to recover a file and the operating system is damaged, or whatnot. If this is the case, this article can help you.)

What we’re going to do (in concept at least) is quite simple: Boot to DOS (instead of Windows), steal the necessary registry files, and crack them on a computer we have access to. Usually people boot to Linux LiveCDs and use those to swipe/crack the necessary files, but there are a million tutorials out there about doing that. This is a much more old-fashioned, retro way to do it.

All you need to start are the following:
- A computer other than the one you’re trying to get into (or at least an account on that one)
- Internet access (to download some files)
- Two floppy disks

You’ll also need to know a couple basic DOS commands:
dir "directory" — This will list all the files in the specified directory
copy "file" "location" — This will copy the file to the specified location
del "file" — This will delete the specified file
Ctrl+Alt+Del — This instantly reboots the computer

Begin
(Tutorial note: If the computer you are using is Windows NT or 2000, use the WINNT/system32 directory wherever the Windows/system32 directory is listed in this article.)

1)
Download DOS 6.22. This specific file is a self-extracting boot-disk creator. Just stick your floppy in the drive, double-click it, and it will create the DOS 6.22 boot disk. Once it’s done, delete the file “edit.hlp” on the disk to make room for future files we’ll be putting on there.

2)
Download himem.sys and copy it to your disk. Open your “config.sys” file (you may have to enable the viewing of Operating System protected files to find it) and add the following two lines, preferably at the top:
DEVICE=himem.sys
dos = high, umb

Having completed this, you have now enabled DOS to view more RAM than it originally could — by nature DOS can only see 640K worth of RAM. Doing this though won’t necessarily let DOS see everything the machine has to offer, but it should get up to about an extra 32MB (called extended memory), more than enough for what we’re going to do. In the future, once you’re in DOS, for your reference, you can type “mem” and get a synopsis of your RAM supply.

3)
Now you need to get yourself a shiny little compression program for DOS so you can compress and swipe the registry files you’re after. I recommend PKZip 2.50 because it’s small and works very nicely, and is also Windows compatible, although you don’t need that feature. I’ll assume that’s what you’re using from here on, as it’s what you should be using. After you download it, unzip it and copy all the files to your SECOND floppy disk. Now take the disk out, as you won’t need it for a few more steps.

At this point, you will need to know if the operating system containing the files you want is on a FAT32 or NTFS formatted partition. It is most likely NTFS, which will make our life harder, but not impossible. To determine which, simply boot to the DOS disk and see if you can find the drive it’s on (use “dir C:”, “dir D:”, etc. to find a drive with the “Windows” directory on it). If you don’t see it, it’s on NTFS. If you can, it’s FAT32 and you can skip down to the “FAT32” section.

NTFS
4)
Now, since we know that DOS cannot read from NTFS formatted drives, we will need to find a way to make it. Download NTFSDOS and copy it to your DOS disk. Open your “autoexec.bat” file and add the following simple line, preferably at the end of the file:
NTFSDOS.EXE

Now when you boot to DOS, it will run the NTFSDOS program, which allows DOS to read NTFS partitions. It will come up and inform you which drives it is mounting and what drive letter it is assigning to each. For some reason, it usually mounts the first one as ‘D’, so I’ll assume it does the same for you in the following steps. Unfortunately, NTFSDOS only allows us to read NTFS partitions; we still can’t write to them.

5)
Later on when we try to zip the registry files we’ll find that, although the resulting zip file would be small enough to fit onto the disk, it won’t ever appear. This is because PKZip will try to create temporary files for the process, and because you’re zipping to the floppy, you’ll run out of space to work with. And we can’t zip the files to the hard drive because, as I already said, we can’t write to an NTFS partition using NTFSDOS, we can only read from it. The solution is to create another drive, one that is big enough to house both the temp files and the final zip file that will contain the compressed registry files. Creating this drive is not as hard as it sounds. Once again, you’ll have to download a program (isn’t freeware great?), this time it’s RAMDRIVE.SYS. Copy this to your DOS floppy, and once again open config.sys, this time adding the following line (preferably above the bottom one that contains “lastdrive”):
devicehigh = ramdrive.sys 5120 /E

The number “5120” is the size of the drive that it will create, in KB; RAMDRIVE.SYS expects the size before the “/E” switch, which tells it to build the drive in the extended memory that himem.sys made available. You can set it at anything you want so long as you have the RAM to do it, but don’t underestimate what you’ll need. 5120KB equals 5MB, and that will be ample for our needs. If you’re worrying that a RAMdrive will be harder to use than a normal drive, don’t worry at all. Once it’s been created you can write to and from it as easily as anything else — as far as you are concerned, it IS a normal drive, only the computer knows better.

CHECKPOINT:
Now, to summarize: You should have one DOS boot disk that has the extra files himem.sys, NTFSDOS.EXE, and RAMDRIVE.SYS, and should have added their respective lines of code to the appropriate files. Your second disk should strictly contain PKZip files.

6)
“Buckle your seatbelt Dorothy, ’cause Kansas is going bye-bye” — we are now about to *gasp* actually use DOS. Place your boot disk in the computer you wish to gain access to and boot it. After the preliminary BIOS checking and stuff by the computer, DOS will load. Watch what’s going on and you will see, for just a second, a block of text that reflects the RAMdrive being created. If you see “RAMdrive mounted as X” then it’s been successfully created! Remember the letter used; I’ll assume from here on that it’s drive C because that’s what mine always does. (If the RAMdrive does not work, you probably either inserted the line of code in config.sys wrong, or have a bad copy of RAMDRIVE.SYS (doubtful).) Then the screen will continue scrolling down as more stuff is loaded. When NTFSDOS is loaded, you will see a list of the drives it’s mounting and the corresponding letters that they have been mounted as. These are NTFS partitions that NTFSDOS has found. The first one should be the one with Windows on it (it’s usually ‘D’ for me).

7)
Now we’re done with all the preparation and can get down to the real business. When you boot to DOS, it’s actually loaded into memory, so you can issue most commands without even needing the disk in there. This will work to our advantage in a moment. Right now, take the DOS disk out and replace it with the disk containing PKZip. Then enter the following line of code:
pkzip c:\tocrack.zip d:\windows\system32\config\SAM d:\windows\system32\config\system
The first word, “pkzip”, simply addresses the PKZip program, the next one, “c:\tocrack.zip”, tells PKZip where to place the ZIP file and what to name it, and the next two are the locations of the registry files you want to take. In all, this will take the SAM and SYSTEM registry files that you need and zip them to your RAMdrive. This should take about a minute, so be patient, DOS isn’t quite as fast as Windows. When it’s done, it’ll ask you to insert the disk with “/command.com”; this is your DOS disk, so re-insert it and “press any key”, then remove the DOS disk again and put the PKZip disk back in. Next copy the tocrack.zip file to your PKZip disk with the following command:
copy c:\tocrack.zip a:\

FAT32
4,5,6,7) FAT32 is much easier to work with than NTFS. Simply insert your DOS disk and boot the computer. Once it’s loaded, find the drive with Windows on it (should be ‘C’). Then take the DOS disk out and replace it with the disk containing PKZip. Then enter the following line of code:
pkzip c:\tocrack.zip c:\windows\system32\config\SAM c:\windows\system32\config\system
The first word, “pkzip”, simply addresses the PKZip program, the next one, “c:\tocrack.zip”, tells PKZip where to place the ZIP file and what to name it, and the next two are the locations of the registry files you want to take. In all, this will take the SAM and SYSTEM registry files that you need and zip them to the root of the hard drive (there is no RAMdrive in the FAT32 case; DOS can write to FAT32 directly). This should take about a minute, so be patient, DOS isn’t quite as fast as Windows. When it’s done, it’ll ask you to insert the disk with “/command.com”; this is your DOS disk, so re-insert it and “press any key”, then remove the DOS disk again and put the PKZip disk back in. Next copy the tocrack.zip file to your PKZip disk with the following command:
copy c:\tocrack.zip a:\
Then get rid of the file you just created on the hard drive so you can eliminate the “evidence”; do this by entering:
del c:\tocrack.zip

NTFS and FAT32 merge
Congratulations! If you executed the second to last command correctly, you now have swiped the needed files and are close to being done. Just to be sure, though, that you do have the precious tocrack.zip file on your floppy, type
dir a:\
and look for it in the listing. If it’s there, all is well (it will only be missing if you screwed up somewhere along the line).

8)
Now take the PKZip disk to a machine that you have an account on, and copy the tocrack.zip file off of it to your desktop, then unzip it.

9)
Now you’ll need a way to actually crack the files (assuming that’s what you’re doing). For this, you will need the program PWSEX. Download it and install it, don’t worry that it’s only the trial version. Once it’s installed, open it and don’t touch any of the options except the button next to “Registry files (SAM, SYSTEM)”, check that one and click the “Dump from memory” button. Then find the locations of the SYSTEM file for the top input, and the location for the SAM file for the bottom one. Then click the “Dump” button. PWSEX will then crack the usernames and corresponding passwords for the machine that the files came from. Simply look at the list it generates and, well, you should be able to figure that part out.

This entire process is much easier if you just use a Linux LiveCD and a USB flash drive, but this way is more intriguing and amusing.
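From the defender's side, everything above works for one reason: the machine boots whatever removable media is inserted, and the system volume is readable offline, so the SAM and SYSTEM hives (SYSTEM is taken along with SAM because it holds the key that the SAM's password data is encrypted with) can simply be copied out. The following PowerShell check is added here as an editor's example; it is not from the original 2004 post and none of the tools it uses existed then. It assumes a current Windows release with the BitLocker, SecureBoot and TrustedPlatformModule modules (Windows 8 / Server 2012 or later) and an elevated prompt, and it reports whether full-volume encryption, Secure Boot and a TPM are in place on the system drive, which are the controls that close the offline-copy path this article describes.

```powershell
# Added defender-side check; not part of the original post.
# Assumes Windows 8 / Server 2012 or later, run from an elevated PowerShell prompt.
function Get-OfflineHiveExposure {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $result = [ordered]@{
        SystemDrive           = $MountPoint
        BitLockerOn           = $false
        BitLockerStatus       = 'Unknown'
        TpmProtector          = $false
        SecureBootEnabled     = $null    # $null = legacy BIOS or cannot tell
        TpmReady              = $false
        OfflineHiveCopyBlocked = $false
    }

    # 1) Full-volume encryption. An unencrypted system volume is exactly what an
    #    offline reader such as NTFSDOS needs to reach \Windows\system32\config.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if ($vol) {
        $result['BitLockerStatus'] = "$($vol.VolumeStatus) / protection $($vol.ProtectionStatus)"
        $result['BitLockerOn']     = ($vol.ProtectionStatus -eq 'On')
        # A TPM-bound protector keeps the volume key off the disk itself.
        $result['TpmProtector']    = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    }

    # 2) Secure Boot refuses unsigned boot media (a DOS floppy, a LiveCD, a USB stick).
    #    Confirm-SecureBootUEFI throws on legacy-BIOS machines; report that as unknown.
    try   { $result['SecureBootEnabled'] = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $result['SecureBootEnabled'] = $null }

    # 3) TPM readiness, required for a TPM-bound BitLocker key.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) { $result['TpmReady'] = [bool]$tpm.TpmReady }

    # Verdict: copying the hives from boot media yields only ciphertext when the
    # volume is encrypted with protection on. Firmware boot order and a BIOS/UEFI
    # setup password cannot be queried generically from PowerShell; check those
    # in the firmware setup screen by hand.
    $result['OfflineHiveCopyBlocked'] = $result['BitLockerOn']

    [pscustomobject]$result
}

Get-OfflineHiveExposure | Format-List
```

If OfflineHiveCopyBlocked comes back False, a boot floppy or LiveCD can still read the hives exactly as the steps above describe; enabling BitLocker on the system drive (ideally with a TPM plus PIN protector) and restricting boot to the internal disk with a firmware password are the fixes. Secure Boot on its own only stops unsigned boot media, not a disk pulled and mounted elsewhere, which is why the verdict is tied to encryption rather than to Secure Boot.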