Windows Password Recovery

Every now and then on the Certified Computer Examiner mailing list someone asks about recovering passwords in Windows. It is easy to change them with a Linux boot disk, but there are times when knowing the actual passwords is important. I wrote the piece below a long time ago for the In the Trenches podcast.

Scenario:

You have a PC or laptop running Windows XP that you really need to know the administrator password for. Perhaps it is a production machine you do not have time to reload, and knowing the existing password will give you a hint about who may have changed it.

Software Needed:

Hardware Needed:

Preparing Ahead of Time:

  • Sam Inside is a commercial package, but you can download an eval.
    • We need this because it can import both the SAM and SYSTEM files, extract the password hashes and then export them in a pwdump format that Cain can read.
  • Cain and Abel will allow us to recover the lost passwords using Rainbow Tables.
  • You can download already computed Rainbow Tables from the Shmoo group via BitTorrent.
    • I keep all my rainbow tables on an external USB2/FireWire drive.
    • For the larger table types like lanman symbol14 alphanumeric, keep the tables divided into subfolders for each “disc” so they are in groups of about five files. We will discuss why in a minute.

Time to Recover a Password

Grab the hashes and use Sam Inside to produce a pwdump-formatted file.

  • Take the hard drive out of the source system.
    • Place the hard drive into the USB2/FireWire carrier and attach it to your system.
    • We need two files from the source drive for Sam Inside: the SAM and SYSTEM registry files in c:\windows\system32\config. Save these to your local hard drive.
    • Open up Sam Inside and choose File-Import from SAM and SYSTEM registry files.
    • Now choose File-Export as pwdump format and save it to the work folder on your system.

Pull the hashes into Cain and Recover the Password

  • Open up Cain and choose the Cracker tab.
    • Choose LM and NTLM hashes from the tree in the left pane.
    • Click the + icon and choose import from text or SAM file. Browse to the file you exported from Sam Inside.
    • Select the hashes now showing in the right pane. Right-click and choose Cryptanalysis Attack LM.
    • Click Add Table on the dialog that comes up. Browse and add the first group of five tables. Then click Start.
    • If it does not find all the hashes, click Remove All and repeat, adding the next five tables. Do this until you have used all your tables or the password is recovered.

There you go. Most passwords will be found this way without days or more of brute-force attacks. Keep in mind you are limited by the character set of the rainbow tables you choose to use.

Counter Measures

Keep in mind this recovery process can be misused by malicious people, so if they have physical access to your system you can see your passwords are short-lived. You should check out a previous segment on laptop hard drive passwords on the wiki.
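A defender's counterpart to the hash export above, as an added example that is not from the original post or from the tools it names: a short Python audit of a pwdump-format file that reports which accounts still store an LM hash (the hash the rainbow-table attack targets) and, from an empty second half of that LM hash, which of those passwords are seven characters or fewer. The sample export and its hash values are constructed except for the well-known empty-password constants.

```python
import re

# Well-known constants: LM hash of an empty password (two identical 8-byte
# halves) and NT hash of an empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

def parse_pwdump(text):
    """Parse pwdump lines (user:rid:lmhash:nthash:::); other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries

def assess(entry):
    """Classify one account by how exposed it is to the LM rainbow-table attack."""
    lm, nt = entry["lm"], entry["nt"]
    if nt == EMPTY_NT:
        return "empty password"
    if lm == EMPTY_LM:
        return "no LM hash stored (NTLM only, or password longer than 14 chars)"
    # LM hashes each 7-char half separately; an empty second half means 7 chars or fewer.
    if lm[16:] == EMPTY_LM_HALF:
        return "LM hash stored, password is 7 chars or fewer"
    return "LM hash stored, password is 8-14 chars"

def audit(text):
    """Map each user in a pwdump export to its assessment."""
    return {e["user"]: assess(e) for e in parse_pwdump(text)}

# Constructed sample export: apart from the well-known empty-hash constants the
# hash values are made up and correspond to no real password.
SAMPLE = """\
Administrator:500:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jdoe:1001:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
svc_backup:1002:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
not a pwdump line
"""

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(f"{user:<14} {verdict}")
```

Accounts reported as "LM hash stored" are the ones the procedure above recovers quickly; the usual fix is to stop storing LM hashes and then reset those passwords so the stored LM value is cleared.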

  • Acid Reign

    …..Actually recovering the password is probably a better thing in both the corporate world, AND the less savory operations. If the password changes, it raises alarms…

    …..I’ve recently been having fun with a Linux distro called Backtrack. It’s got every hack and crack tool you can imagine. It’s a downloadable .iso, BUT, I had no luck burning it to CD. Too big, I think. A DVD-R worked just fine, though. I’m thinking of completely repurposing my old rebuilt Acer laptop with a full installation of this suite…

    http://www.remote-exploit.org/backtrack.html

  • Can I use this info on my blog using the direct link to your blog? Thanks in advance