To brute force the password you would want to find out what algorithm hashed (encrypts) the password and then write a program that hashes a dictionary of possible passwords and compares them to the one stored in the SAM. If the "guess" matches the one in the SAM, you will have figuered out the password. The only thing is that you would have to program a very complex mathematical algorithm, but it could be done.
Hopefully, this makes sense and is correct. I am not sure this is the easiest way to do it, but it's how I would try it. If I'm wrong, please correct me.
Good luck!