Every now and then on the Certified Computer Examiner mail list someone asks about recovering passwords in Windows. It is easy to change them with a Linux boot disk, but there are times when knowing the actual password is important. I wrote the piece below a long time ago for the In the Trenches podcast.
You have a PC or laptop running Windows XP and you really need to know the administrator password. Perhaps it is a production machine you do not have time to reload, and knowing the existing password may give you a hint about who changed it.
- You will need a 3.5″ enclosure to hold a desktop hard drive.
- If you want to work on a laptop hard drive you will need a 2.5″ enclosure.
Preparing Ahead of Time:
- SAMInside is a commercial package, but you can download an evaluation copy.
- We need it because it can import the SAM and SYSTEM registry hives together, extract the password hashes, and export them in pwdump format, which Cain can read. Both hives are required: the hashes in SAM are encrypted with the SYSKEY boot key, which by default is stored in the SYSTEM hive.
- Cain and Abel will let us recover the passwords from those hashes using rainbow tables.
- You can download precomputed rainbow tables from the Shmoo Group via BitTorrent.
- I keep all my rainbow tables on an external USB2/FireWire drive.
- For the larger table sets, such as the LanMan symbol14 and alphanumeric tables, keep the files divided into subfolders of about five files each, one per “disc”. We will see why in a minute.
Time to Recover a Password
Grab the hashes and use SAMInside to produce a pwdump-formatted file.
- Take the hard drive out of the source system. The hives are locked while Windows is running, which is why we work from the drive offline.
- Place the hard drive into the USB2/FireWire carrier and attach it to your system.
- SAMInside needs two files from the source drive: the SAM and SYSTEM registry hives.
- Both live in \Windows\System32\config\ on the source drive. Copy them to a work folder on your local hard drive.
- Open SAMInside and choose File-Import from SAM and SYSTEM registry files, pointing it at the two copies.
- Now choose File-Export in pwdump format and save the result to the work folder on your system.
Pull the hashes into Cain and Recover the Password
- Open Cain and choose the Cracker tab.
- Choose LM & NTLM Hashes from the tree in the left pane.
- Click the + icon, choose to import hashes from a text file, and browse to the pwdump file you exported from SAMInside.
- Select the hashes now showing in the right pane, right-click, and choose Cryptanalysis Attack, then LM Hashes via RainbowTables.
- Click Add Table in the dialog that comes up, browse to the first group of five tables and add them, then click Start.
- If it does not recover every hash, click Remove All and add the next five tables. Repeat until you have worked through all of your tables or the password is recovered. This batching is the reason for the subfolders of five set up earlier: you load one group, let Cain search it, and swap in the next.
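As an added example (not part of the original write-up, and not SAMInside's or Cain's own code), the script below does in Python what you would otherwise do by eye on the exported file: it parses pwdump-format lines, reports what each account's hashes tell you before any table is loaded (blank password, no LM hash stored, password of seven characters or fewer), and performs the case-fix step that follows an LM rainbow-table hit by testing case variants against the NT hash. The sample dump lines are constructed for illustration; the first two hashes are the well-known values for "password" and for an empty password, and the MD4 routine is written out so the script runs offline without relying on hashlib's legacy provider.

```python
"""Triage a pwdump-format export and recover letter case after an LM crack.

Added example; sample dump lines are constructed and the MD4 is a
from-scratch RFC 1320 implementation (NT hash = MD4(UTF-16LE(password))).
"""
import itertools
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_LM_HALF = EMPTY_LM[:16]                   # DES(KGS!@#$%) under an all-null 7-char half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty string
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of `data`."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (  # (boolean function, additive constant, X[k] order, per-step shifts)
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so the next step updates the right one
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump_line(line: str) -> dict:
    """pwdump format: user:RID:LMhash:NThash:::  Returns the fields plus what they imply."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    notes = []
    if nt == EMPTY_NT:
        notes.append("blank password")
    elif lm == EMPTY_LM:
        # XP stores no LM hash when NoLMHash is set or the password exceeds 14 characters
        notes.append("no LM hash stored: LM rainbow tables will not help, attack the NT hash instead")
    elif lm[16:] == EMPTY_LM_HALF:
        # LM splits the password into two 7-char halves; a null second half means <= 7 chars
        notes.append("second LM half is empty: password is 7 characters or fewer")
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt, "notes": notes}


def fix_case(lm_plaintext: str, nt: str):
    """LM upper-cases before hashing, so a table hit is all caps; the NT hash is case-
    sensitive, so try each case variant until one matches. Returns None if none does."""
    choices = [sorted({ch.lower(), ch.upper()}) for ch in lm_plaintext]
    for candidate in itertools.product(*choices):
        word = "".join(candidate)
        if nt_hash(word) == nt.lower():
            return word
    return None


# Constructed sample dump in the format SAMInside exports. The first two lines carry the
# well-known hashes of "password" and of an empty password; the "bob" LM first half is a
# placeholder, not a real hash, and only exists to exercise the short-password check.
SAMPLE_DUMP = [
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jsmith:1003:" + EMPTY_LM + ":" + nt_hash("correct horse battery") + ":::",
    "bob:1004:0123456789abcdef" + EMPTY_LM_HALF + ":" + nt_hash("Bob1234") + ":::",
]


def triage(lines):
    return [parse_pwdump_line(line) for line in lines]


if __name__ == "__main__":
    for rec in triage(SAMPLE_DUMP):
        print(f"{rec['user']:<14} {rec['notes']}")
    # An LM table hit for Administrator comes back as "PASSWORD"; recover the typed case.
    print(fix_case("PASSWORD", "8846f7eaee8fb117ad06bdd830b7586c"))
```

Run the triage before loading any tables: an account whose LM field is the empty marker will never be recovered by the LM attack described here, and one with an empty second half only needs the shorter-password tables.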
There you go. Most passwords will be found this way without days or longer of brute force. Keep in mind you are limited by the character set of the rainbow tables you use, and that this attack targets the LM hash: LM upper-cases the password and splits it into two 7-character halves, so XP only stores it for passwords of 14 characters or fewer, and a hit comes back in upper case. Cain uses the NT hash to recover the case the user actually typed. If an account's LM field shows the empty marker (aad3b435b51404eeaad3b435b51404ee), no LM hash is stored and you will need NT tables or a dictionary or brute-force attack instead.
Keep in mind this recovery process can be misused by malicious people: anyone with physical access to your system can pull the hives the same way, so your passwords are only as safe as the disk they sit on. Disabling LM hash storage (the NoLMHash policy) or using passwords longer than 14 characters defeats the LM tables, and a hard drive password or disk encryption keeps the hives out of reach in the first place. You should check out a previous segment on laptop hard drive passwords on the wiki.