Tutorial: Windows Password Recovery

  1. #1
    Senior Member
    Join Date
    Jun 2004
    Posts
    460

    Tutorial: Windows Password Recovery

    Every once in a while, I will come across a computer where a person has just changed their password and now doesn't remember what they changed it to. In the past I was able to just delete their password file and we would go on our merry way. Microsoft, however, realized that this was a possibility and released a patch that made Windows check that the password file was signed by a security ID and registered in the registry. I then had to come up with a new way to get a person back into their system without rebuilding. I came up with this method for recovering their password.

    First, before I get started, I will introduce you to some of the terminology I will be using:
    SAM – the Security Accounts Management file (the password file in Windows)
    SID – the Security Identifier
    Windows Live – a version of Windows XP that runs completely off a CD. I made it using Bart PE, and will eventually be writing a HOWTO for this later.
    NTFSDOS – another way to read an NTFS file system without having to learn Linux (for those who don't know how to use Linux)

    First, you are going to want to start by making either a Windows Live CD or an NTFSDOS boot floppy, because either one of these will let you read the NTFS file system. NTFSDOS will only give you read-only access unless you decide you want to pay way too much for the product. Windows Live is completely free and can be downloaded in a zip file that is less than 1 MB in size.

    Next, you will want to boot off one of the discs you made, go to c:\winnt\system32\config (or c:\windows\system32\config), and copy the file named SAM to a floppy disk.

    Once this is complete, you will want to download a program that lets you get a PWDUMP file from a SAM file. I recommend SAMInside, since from there you can export the hashes to a file and recover the passwords.

    This final step can be either the hardest or the most time-consuming, depending on which way you choose. You could brute force the hashes, run a dictionary attack, or use RainbowCrack. A dictionary attack will definitely be the quickest, but if the password is complex, it will most likely not be in the dictionary. I will go into detail on brute forcing; with RainbowCrack I will tell you how to use it, but there is another tutorial about it, and I will probably write more later on how to make a rainbow table library quickly and easily.

    Finally, if you are going to brute force/dictionary attack the hashes, I recommend L0phtCrack 4 or John the Ripper. They seem to be the best out there at the moment and are easy to use. The method I am going to describe is for L0phtCrack because it is the one I have used the most. All you have to do is import the hash file (and specify a custom dictionary if you want) and start it up.

    If you are going to use RainbowCrack, then you have to have the rainbow tables (which do take forever to generate, but I have generated the 18 GB version in a month, so I know it can be done). Once you have these tables, you type into the command line "rcrack *.rt -l hashfile.txt". It takes about 11 minutes for me on a P4 2.3 GHz with 1 GB RAM and an 18 GB rainbow table.

    Once either of these methods is done, you will have an output with passwords. You can then log in and change the password back to something that they can remember.

    **NON-DISCLAIMER** I am not giving this information out in order to promote illegal activities. I am not responsible for what is done with this information.
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo.
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM
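    The time-memory trade-off behind the rcrack step above, as an added toy example that is not from the original post or from RainbowCrack itself: a small rainbow table over a constructed 3-letter key space, with sha256 standing in for the real hash (both are assumptions). It shows why a precomputed table recovers passwords from unsalted hashes, and why the same table fails as soon as a per-user salt is mixed in before hashing.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # constructed toy key space: 3-letter
LENGTH = 3                                # lowercase passwords, 26**3 = 17576
CHAIN_LEN = 100  # hashes per chain; the table stores only chain endpoints

def H(pw, salt=""):
    """Toy hash; sha256 stands in for the real algorithm (assumption)."""
    return hashlib.sha256((salt + pw).encode()).digest()

def R(h, i):
    """Reduction: map a hash to some password; column index i varies it."""
    n = int.from_bytes(h[:8], "big") ^ i
    out = ""
    for _ in range(LENGTH):
        out += ALPHABET[n % 26]
        n //= 26
    return out

def build_table(n_chains):
    """Precompute n_chains chains of CHAIN_LEN steps; keep endpoint -> start."""
    table = {}
    for k in range(n_chains):
        start = pw = R(H("start%d" % k), 0)  # pseudo-random start point
        for i in range(CHAIN_LEN):
            pw = R(H(pw), i)
        table[pw] = start
    return table

def lookup(table, target):
    """Return the password whose unsalted hash is target, or None if uncovered."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, j)                   # guess target sits in column j
        for i in range(j + 1, CHAIN_LEN):   # finish the chain to its endpoint
            pw = R(H(pw), i)
        if pw in table:                     # endpoint matched: replay from start
            cand = table[pw]
            for i in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), i)        # loop ends -> false alarm, keep going
    return None

def chain_password(start, k):
    """k-th password on the chain beginning at start (picks a covered target)."""
    pw = start
    for i in range(k):
        pw = R(H(pw), i)
    return pw
```

    Calling lookup(table, H(pw)) for a password on one of the stored chains returns pw, while lookup(table, H(pw, salt="user1")) returns None because the precomputed chains never hashed the salted value.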

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Then again, you could go the easy way.

    I take it you're Adam Scheblein?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    Yeah, that's me. I had to put that at the bottom because I'm also in the process of publishing some security stuff in a computer magazine (not advertising).

    That, and I always do things the hard way because I don't trust automated systems (especially if they are not officially part of the operating system and they are overwriting parts of my critical operating system files).

  4. #4
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Resetting passwords is a very common occurrence where I work. From a personal point of view, dumping the SAM file and using a brute force method may be feasible, if you have the time to do it. However, in a business environment, a practice like this would never succeed. If you told your boss it'd take more than 5 minutes to recover his password (especially if it took you a month to generate the file), you may as well just start heading for the door. We use two pieces of software for password recovery. The first is the bootdisk on the link that MsM provides... it's absolutely wonderful. The other tool is ERD Commander. However, for personal use, its price tag may not justify its use. Another tool we have recently started using is Passware Kit. It also contains a tool for generating a bootdisk for Admin password recovery. We also have a BartPE built bootable XP at work. There are many modules available for BartPE, which include modules to use Nero, AdAware, AV Software, and the ERD Utilities. I used all of those when I built the CD. Now it does password recovery, virus and malware removal, and we can burn off data if the drive is a lost cause (assuming we can even read the drive). It is definitely very handy software.

    Anyways, nice tutorial; just from a personal point of view, not the business aspect that a lot of people here would look to it for. For those, the commercial/free tools that are out there are more realistic. Good read though.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    It is also quite typical where I work; however, most people there are on a domain, so life is easy when we are changing passwords...

    I will, however, have to make sure I do include these easier ways, just because not everyone likes doing stuff the hard way...

    Thanks

  6. #6
    Just look at my tutorial on this forum; there are different other possibilities to get into the system and clear the password.

    Also, for a Windows 2K system you can just boot with a bootdisk or NTFS reader to remove the SAM file; Windows will create a new one automatically during the first startup. The only accounts left are the admin account and the guest account, both with no password!

    ****** The above does NOT work with XP; it will result in an error, so you'll have to use one of the other methods in my tutorial or your options... *******

    You can get to my tutorial by clicking on the digit behind the string "Security tutorials written" that is located under my name.

  7. #7
    Junior Member cybersamurai's Avatar
    Join Date
    Apr 2004
    Location
    At tha beach!
    Posts
    25
    First of all, it's unlikely that the SAM will be on the box; usually it's on the server, so effectively zero access to PWL. And a BF almost never works because, like where I work, wildcard characters are a must for every password and it must be at least 16 characters long, so that's a no-no on BF. What you can do is log in normally and load your own SAM from another box onto the box you want access to. Log in as admin to get access to files on the box; however, network folders will be unavailable! So I don't really understand your method.
    See the sarcasm in my smile ????

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    first of all it's unlikely that the SAM will be on the box, usually it's on the server so effectively zero access to PWL,
    The SAM would be on the box if it's a non-AD machine. And it would be on the box if you did rdisk /s. Usually in the Repair directory. Even if part of the ADS (and thus Kerberos), a box will have local passwords and these can be separate from the Kerberos (or other) passwords. My work box has a different password than the Kerberos/LDAP system that's used.

    Even still, as an admin, if I've forgotten a password (for whatever reason) I'll have access to the physical part of the server. This can be a helpful way of recovering the password.

    a BF almost never works cause like where i work wild card characters are a must for every password and must be at least 16 characters long so thats a nono on BF what you can do is login in normally load your own SAM from another box onto the box you want access to.
    While it may be a "must", it's not a requirement for passwords. Different environments have different requirements and expectations. I know of many ADS systems where it's simple. Users choose what they remember -- password, username, etc. -- not what is most secure. In addition, tools like L0phtCrack (or LC4) still do their job exceptionally well. With faster, more powerful machines and a good BFer, it can work.

  9. #9
    But now you're talking about a system in a domain; this would not be possible that easily. That's right, for this you can better ask your admin to change your password...

    There are ways to get the password for a system in a domain, but those include hacking the DC and I don't think it would be such a good thing to explain how to do that!

    So if you want to get a password for a system in a domain, just ask your admin.

  10. #10
    Junior Member cybersamurai's Avatar
    Join Date
    Apr 2004
    Location
    At tha beach!
    Posts
    25
    True, domain systems are harder, but they are the most common scenarios, right?? It's in an admin's best interests to mitigate any holes, last time I checked!!!
