Windows password recovery

Every once in a while I come across a computer where a person has just changed their password and now doesn't remember what they changed it to. In the past I was able to just delete their password file and we would go on our merry way. Microsoft, however, realized that this was a possibility and released a patch that makes Windows check that the password file is signed by a security ID and registered in the registry. I then had to come up with a new way to get a person back into their system without rebuilding it, and this is the method I came up with for recovering their password.

First, before I get started, here is some of the terminology I will be using:
SAM – the Security Accounts Management file (the password file in Windows)
SID – the Security Identifier
Windows Live – a version of Windows XP that runs completely off a CD. I made mine using Bart PE and will eventually write a HOWTO for it.
NTFSDOS – another way to read an NTFS file system without having to learn Linux (for those who don't know how to use Linux)

Start by making either a Windows Live CD or an NTFSDOS boot floppy, since either one will let you read the NTFS file system. NTFSDOS only gives you read-only access unless you decide you want to pay far too much for the product. Windows Live is completely free and can be downloaded as a zip file less than 1 MB in size.

Next, boot off the disc you made, go to c:\winnt\system32\config (or c:\windows\system32\config) and copy the file named SAM to a floppy disk.

Once that is done, download a program that produces a PWDUMP file from a SAM file. I recommend SAMInside, since from there you can export the hashes to a file and recover the passwords from that.

This final step is either the hardest or the most time consuming, depending on which way you choose. You can brute force the hashes, run a dictionary attack, or use RainbowCrack. A dictionary attack will definitely be the quickest, but if the password is complex it will most likely not be in the dictionary. I will go into detail on brute forcing; for RainbowCrack I will tell you how to use it, but there is another tutorial about it, and I will probably write more later on how to build a rainbow table library quickly and easily.

If you are going to brute force or dictionary attack the hashes, I recommend L0phtCrack 4 or John the Ripper. They seem to be the best out there at the moment and are easy to use. The method I describe is for L0phtCrack because it is the one I have used the most. All you have to do is import the hash file (and specify a custom dictionary if you want) and start it up.

If you are going to use RainbowCrack, you have to have the rainbow tables (which do take forever to generate, but I have generated the 18 GB version in a month, so I know it can be done). Once you have these tables, type "rcrack *.rt -l hashfile.txt" on the command line. It takes about 11 minutes for me on a P4 2.3 GHz with 1 GB RAM and an 18 GB rainbow table.

Once either of these methods is done you will have an output with the passwords. You can then log in and change the password back to something they can remember.
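A small audit script, added here and not part of the original post: it reads a pwdump-format export (the standard user:RID:LM hash:NT hash::: layout that SAMInside and similar tools write) and flags the accounts an administrator should worry about, namely those still storing an LM hash or a blank password. The hash values in the sample dump are constructed placeholders.

```python
# Audit a pwdump-format export for accounts whose stored hashes are the easiest
# for offline cracking to recover. Added example; sample data is constructed.

# Values Windows stores when the LM hash or the NT hash is empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_pwdump_line(line):
    """Parse one pwdump line: user:RID:LM hash:NT hash:::"""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    return {"user": parts[0], "rid": int(parts[1]),
            "lm": parts[2].lower(), "nt": parts[3].lower()}

def audit_account(entry):
    """Return the findings for one parsed account (empty list = nothing to flag)."""
    findings = []
    if entry["nt"] == EMPTY_NT:
        findings.append("blank password")
    elif entry["lm"] != EMPTY_LM:
        # A stored LM hash means the password is at most 14 characters, case-folded
        # and hashed in two 7-byte halves: exactly what rainbow tables exploit.
        findings.append("LM hash stored (rainbow-table exposed)")
    if entry["rid"] == 500:
        findings.append("built-in Administrator account")
    return findings

def audit_pwdump(text):
    """Map each flagged user to its findings; clean accounts are omitted."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_pwdump_line(line)
        findings = audit_account(entry)
        if findings:
            report[entry["user"]] = findings
    return report

# Constructed sample dump: hash fields are placeholders except the empty-hash constants.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, findings in audit_pwdump(SAMPLE_DUMP).items():
        print(user + ": " + ", ".join(findings))
```

Accounts with an empty LM field and a non-empty NT hash (alice in the sample) produce no findings and are left out of the report.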

**NON-DISCLAIMER** I am not giving this information out in order to promote illegal activities. I am not responsible for what is done with this information.