Oct 3, 2008:

Ever had trouble logging into a computer whose password you don't know? Or do you just want full access to that public PC in your library? If so, this is what you are looking for. I have been asked this question many times: "UzEE, how on earth did you get admin rights to the systems in the labs?" My answer has always been: "I just found them logged in."

Well today I share a technique I have used for a couple of years now. The basic idea is to gain admin access to a restricted system to which you only have physical access (you can’t install programs or run scripts etc). This will be a long (but interesting) article and may have information that doesn’t apply to every case. It is also highly recommended that you have some knowledge of computers (more than just surfing the web, writing documents or playing games) and lots of patience.

Background

Disclaimer: If your purpose is just to install malicious or non-productive software, or to retrieve personal or illegal information, then please do not read this. Neither I nor anyone else at Sizlopedia will be responsible for any harm (intellectual or otherwise) caused by this information.

I would start the article with a little background of why I (or anyone else) would want full access to a system. I’m a student of computer engineering studying at Bahria University, Islamabad. We are subjected to torture worse than Guantanamo Bay, as the systems in the computer labs have no such things as Firefox, Flash Player, Windows Media Player, Photoshop/Fireworks, Messenger, or any other useful software for that matter. We only get 100 MB of a shared network drive for storage of personal files (assignments, notes etc) which also get wiped every couple of months. We are subjected to limited Internet, no social networking, video streaming or downloads (even though we have 4 and 8 Mbps servers).

The above reasons are enough for any technology lover to revolt and find means to get full (sometimes unauthorized) access to the systems. I just want to surf the web more securely, while streaming some tunes and interacting with my friends on Facebook. So after some time (actually my 3rd day in the university) I started looking for ways to gain access to a secure system. I met with random success and new challenges, and share my discoveries with you.

Resources

If you search online, there is little chance you will find a technique that is close to 100% effective in every situation. Past a certain point, even Microsoft's advice is to reformat the drive and reinstall Windows if you can't remember your credentials.

The tools we use here are all available on the Internet. What follows is a combination of techniques from various sources: some from Microsoft, some from the hacker and open source community, and some I worked out myself. It should be one of the more complete guides to recovering Windows passwords.

Alternatives

Alternatives to this technique do exist but they have their limitations. Here is a quick list of some of the best tools I have used successfully to achieve a similar result:

  • Emergency Recovery Disk: If you are the legitimate owner of the system then you should have an emergency recovery disk. It is intended for system failures but works in this case too: boot from it and restore your system.
  • Windows Password Recovery: This is the fastest recovery method I have seen to date. Provided everything goes right, you can recover a password within 10 minutes. The limitations are that the priority service is not free and it doesn't work on every type of password.
  • Offline NT Password & Registry Editor: This doesn't recover the password at all; it blanks or resets it by rewriting the SAM, which is a quick and dirty way into a restricted system. Download the small Linux boot image, burn it to a disc or write it to a flash drive and boot from it. It can do a lot besides resetting passwords (it is a general offline registry editor), and it is the one I use most.

While these alternatives do work, they change the target's password, which defeats the core aim of this article: getting in without the owner noticing. At some other time I will discuss how to use them cleanly.

What you would need

Ok now getting to the main topic. You would need to put together a few things before you can recover the passwords. Here they are:

  • Full access to a good PC. At least a Pentium 4 class processor, but a Core 2 is recommended; don't bother with Celeron or Atom parts. Ideally, something as powerful as a Core i7. If you have full access to more than one PC, use them all (more on this below; they do not even need to be networked).
  • A CD-R/CD-RW if your board can’t boot USB flash drives.
  • A USB 2.0 Flash Drive, if your board supports booting from it, consider a 512 MB drive to directly boot from it.

That’s all for the hardware you need. On the software side, you will have many options, some shareware and some free. Continuing the tradition of Sizlopedia, we will be using free software only, though I would mention all the names.

  • A preinstallation environment: either Microsoft Windows PE (hard to get hold of) or BartPE; both work. You won't need this if you can reach the registry files some other way (another operating system on the box, or pulling the drive), but it is the recommended route.
  • A hash cracker. SAMInside is powerful but not free. The free alternative is LCP, an NT and LM hash cracker with much the same feature set. Note that hashes are never "decrypted": the tool guesses candidate passwords, hashes each one and compares it with the stolen hash.
  • A Windows XP installation disc to build the preinstallation environment.

SAMInside can ease a lot of pain in some situations thanks to features LCP lacks, but they aren't always required. Neither tool "bypasses" SYSKEY: both recover the boot key from the SYSTEM hive (it is hidden in the class names of the JD, Skew1, GBG and Data subkeys under Control\Lsa), use it to unwrap the SAM's encryption key and decrypt the stored hashes. That is why SYSTEM must be copied along with SAM. Both tools can pause and resume attacks. SAMInside is only faster thanks to its extras (an additional attack type, dictionary tables, and the option to choose which accounts to crack), and that is nothing LCP can't handle given a little more time.

Step 1: Building the Preinstallation Environment

I am assuming you have downloaded PE Builder (BartPE), that you have a system with full admin rights to work on, and a Windows XP installation disc. Make sure the XP installation files (the i386 folder) are on your hard drive or the CD is in the drive. Start pebuilder.exe; it will offer to search for installation files. That is a waste of time, so choose No and click the button next to the Source text box. Browse to your i386 folder (L:\i386 in my case, on the CD) and select it.

In the Media output group box, select Burn to CD/DVD and choose StartBurn from the drop-down list; it will pick up your burner automatically. Click Build to build the PE image and burn it to the disc. This takes some time, and if everything goes well you will get a success message.

You could also make a USB boot drive if you like (and are willing to risk it). It is not guaranteed to work, but it has worked for me. You need at least a 512 MB flash drive and a couple of files from Windows Server 2003 SP1. The USB preinstallation environment builder linked here gives the details.

Step 2: Getting the Registry Files

This is the hardest part of the process, partly because you are now taking someone else's account data and partly because the registry hives are not easy to locate and access. Depending on the operating system and its settings, registry data can live in several places. You are looking for two files, plus an optional third: SAM (Security Accounts Manager, which holds the password hashes), SYSTEM (the local system hive, which holds the SYSKEY boot key needed to decrypt them) and SECURITY (LSA secrets and cached domain logons; useful, but not needed for local account hashes).

By default they live in \Windows\System32\Config (\WINNT\System32\Config on older installs). The running kernel keeps the hives open with exclusive access, so you cannot copy them from within Windows. If System Restore is active, copies also exist under System Volume Information\_restore{GUID}\RPnnn\snapshot as _REGISTRY_MACHINE_SAM, _REGISTRY_MACHINE_SYSTEM and _REGISTRY_MACHINE_SECURITY, but that folder is readable only by SYSTEM, and a snapshot may predate the current passwords.

The reliable way is to boot another operating system that can read NTFS and copy the files while the target's Windows is not running. This is where BartPE comes in: it is still an NT kernel, but it boots from your media, so the hives on the hard drive are just files to it.

  • Boot the target system from BartPE by inserting the CD or the USB drive.
  • When Bart finishes loading, click the Go button and look for the A43 File Manager. Its location changes between versions but it is easy to find (usually under Accessories; the menu is small).
  • This works like Windows Explorer. Navigate to \Windows\System32\Config and copy the files SAM, SYSTEM and SECURITY to any location you can reach from within Windows. If Bart detected your USB flash drive, you can paste them there.
  • You are done with Bart. Remove the boot medium and reboot the PC.
  • If you haven't already, retrieve the copied files from within Windows and leave the system.

Remember, if you are doing this on a public PC, be extremely careful not to get caught. The whole process takes about 10 minutes, depending on the system speed.

Step 3: Hash Cracking

This is the final and longest step in the process. It can take anywhere from 30 minutes to thousands of days, depending on the complexity of the password. Run it on the most powerful computer you have access to; you don't need full privileges, just the ability to run the software. I'd advise at least an Intel Pentium 4 or AMD Athlon 64; anything below that is a waste of time. A multi-core system such as a Core 2 or Core i7 helps only if you run one cracking instance per core (see the Distributed Attack section below), since a single LCP session does not spread itself over several cores.

I'll assume you want to continue with the free LCP rather than SAMInside. They are similar in functionality and provide all the basic tools you need. SAMInside has the advantage of an extra attack type and some better options for cracking and password prediction, which can reduce the total time, but anything you can do with SAMInside you can do with LCP (it just takes a little longer in some cases).

Simple Attack

Start LCP by extracting the files you downloaded (you don't have to install LCP to run it). LCP ships with good documentation, and some help material is also available on its website. I will walk you through the most straightforward attack, but it helps to know what else the configuration offers, because the right settings can dramatically reduce the time needed to crack a password.

There are several ways to import hashes into LCP; we use the SAM file import. Click Import > Import from SAM file... in the main menu bar and an import dialog opens. The thing to be careful of is selecting the right files; this is where most people go wrong.

For the first text box, click Browse and navigate to the SAM file you retrieved earlier. Next, if SYSKEY was enabled, check the Additional encryption is used box. If you are unsure whether SYSKEY was enabled: it has been on by default since Windows 2000, with the key stored in the registry, so for any XP system assume it is. Only Windows NT 4 installs could lack it.

Even if you don't know for sure, you can still provide the SYSKEY material and the program will alert you if it can't find a SYSKEY. There are three ways to provide it:

  • From a SYSTEM hive of the target system.
  • From a known password of the target system.
  • From a recovery disk (virtually obsolete).

We will use the SYSTEM registry hive we retrieved earlier, because it contains the boot key itself. Click Browse, choose the SYSTEM hive and click OK. If everything went fine, LCP lists the accounts it found.
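To make the "SYSKEY from the SYSTEM hive" step concrete, here is an added example written for this page (mine, not LCP's or SAMInside's code) of what those tools do with that hive. The boot key is the 16 bytes hidden in the class names of the four subkeys JD, Skew1, GBG and Data under ControlSet00X\Control\Lsa. Each class name is an 8-character hex string stored as UTF-16LE; the four are decoded, concatenated in that order and run through a fixed byte permutation. Parsing the class names out of the hive's binary format is left to a hive viewer, so the function takes them as text. The sample class names are constructed so the result is easy to check and come from no real machine; the function names are my own.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// bootKeyPermutation is the fixed shuffle Windows applies to the 16 bytes
// gathered from the four Lsa subkey class names: bootKey[i] = scrambled[p[i]].
var bootKeyPermutation = [16]int{
	0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
	0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7,
}

// classNameToText converts a raw class-name value as stored in the hive
// (UTF-16LE) to a Go string. Most hive viewers do this for you.
func classNameToText(raw []byte) (string, error) {
	if len(raw)%2 != 0 {
		return "", fmt.Errorf("class name has odd byte length %d", len(raw))
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(raw[2*i:])
	}
	return string(utf16.Decode(u)), nil
}

// bootKeyFromClassNames derives the 16-byte SYSKEY boot key from the class
// names of ControlSet00X\Control\Lsa\{JD,Skew1,GBG,Data}, in that order. Each
// class name is an 8-character hex string (4 bytes); the 16 bytes are
// concatenated and then permuted with bootKeyPermutation.
func bootKeyFromClassNames(jd, skew1, gbg, data string) ([]byte, error) {
	var scrambled []byte
	for _, name := range []string{jd, skew1, gbg, data} {
		b, err := hex.DecodeString(name)
		if err != nil {
			return nil, fmt.Errorf("class name %q is not hex: %v", name, err)
		}
		if len(b) != 4 {
			return nil, fmt.Errorf("class name %q decodes to %d bytes, want 4", name, len(b))
		}
		scrambled = append(scrambled, b...)
	}
	key := make([]byte, 16)
	for i, p := range bootKeyPermutation {
		key[i] = scrambled[p]
	}
	return key, nil
}

func main() {
	// Constructed sample, not from any real system: with these class names the
	// concatenated bytes are simply 00..0f, so the output equals the permutation.
	key, err := bootKeyFromClassNames("00010203", "04050607", "08090a0b", "0c0d0e0f")
	if err != nil {
		panic(err)
	}
	fmt.Printf("boot key: %x\n", key)
}
```

The boot key on its own decrypts nothing; the tools go on to combine it with the F value from the SAM hive to unwrap the per-account hash keys. That second step is what the "Additional encryption is used" checkbox enables, and it is why the SYSTEM hive has to come from the same machine as the SAM.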

This is the list of user accounts extracted from the hives, along with some account information. The important columns are the LM (LAN Manager) and NT hashes; the passwords appear here once they are cracked. LCP also indicates whether a password is shorter than 8 characters, something it can read off the LM hash itself without cracking anything.

If the password you want is flagged as shorter than 8 characters, you are (usually) in luck: on a decent system it takes roughly 30 minutes to 2 hours. The thresholds are not arbitrary. An LM hash is built by upper-casing the password, padding it to 14 characters and hashing the two 7-character halves independently; if the second half is the well-known hash of an empty half (AAD3B435B51404EE), the password is at most 7 characters and there is only one small keyspace to search. Between 8 and 14 characters both halves are in use, which can take up to a couple of days. Anything longer than 14 characters has no LM hash at all, leaving only the case-sensitive NT hash, and that is where the thousand-year estimates come from. Stop there and go for a distributed attack, or give up.

If you know anything about the password, now is the time to zero LCP in on it. If you know its length or complexity, or even part of it (some of the characters), configure LCP to take full advantage of that knowledge. This can dramatically reduce the time required. An example:

Suppose the hash you are attacking came from "ilovepizza". Brute-forcing the NT hash of a 10-character password over the 95 printable ASCII characters means up to 95^10, about 6 × 10^19, candidates; at a (made-up) one microsecond per guess that is about 1.9 million years. Knowing the password uses only lowercase letters shrinks the keyspace to 26^10, about 1.4 × 10^14 candidates, roughly 4.5 years in the worst case and half that on average. That is why the charset and length settings matter so much. The LM hash changes the picture completely: the password is upper-cased and split into "ILOVEPI" and "ZZA", and each half is attacked on its own against at most 69^7, about 7.4 × 10^12 candidates (the 69-character LM set of upper-case letters, digits and symbols), however long the whole password is. The three-character second half falls in seconds. This is the single biggest reason cracking XP-era passwords is practical at all.

The figures are illustrative, not benchmarks; real cracking speed in 2008 was millions of guesses per second, not one per microsecond. The point is that the right settings turn "a galaxy far, far away" into an afternoon.

Back to the topic: we are now all set to start the attack. Make sure Hybrid attack is selected in the main toolbar and click the blue Play button. Your password is now being cracked, and LCP shows an estimate of the time left until the full password is recovered. That is all there is to the simple attack; from here on you just have to be patient.

You can pause and resume your progress at any time, on any computer. This is probably the best feature of this software, and it forms the basis of the distributed attack technique below.

Distributed Attack

What if you have 10 computers with similar specs at your disposal? Split the keyspace evenly between them and the wall-clock time drops by roughly a factor of ten, because every slice is independent and the machines never need to talk to each other. Take a lowercase-only 10-character password: 26^10, about 1.4 × 10^14 candidates, is about 4.5 years on one machine at one guess per microsecond, but about five and a half months per machine when spread over ten. For a short LM half, the same split turns hours into minutes.

LCP makes it easy to distribute the attack load over multiple computers, and you don't have to connect them physically; they are not required to be on a network. I almost always use the distributed attack to recover passwords, and last time 7 computers got the work done in three days (which would have taken weeks on a single PC).

To start a distributed attack, follow the steps above up to the point where you have loaded the registry hives into LCP. Configure LCP as you normally would, then take one extra step to set up the distribution: click File > Distribute Sessions and the distributed attack manager opens.

It loads the configuration you have just set up. Choose a naming prefix for the session files and the number of distributions to create (the number of PCs you are going to use). Click Distribute and the session files are generated; click Save to Folder to save them in a folder of your choice.

Now run an instance of LCP on each computer, load one of the session files into it and start the attack. Since the slices of the keyspace are disjoint, exactly one of the machines will turn up the password once the attacks finish.

The same technique works on a single multi-core machine (best on a Core 2 Quad or Core i7), because one LCP session does not spread itself across cores. Make as many distributions as you have cores and run that many instances of LCP on the same computer. Hyper-Threading on a Core i7 exposes twice as many logical processors, so you can run one instance per logical processor, but a hashing loop is compute-bound and the extra instances give a modest gain, not a doubling. Then open your process manager (Task Manager or Process Explorer), right-click each LCP instance and set its processor affinity to a different core so the instances don't fight over the same one.
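The cracking sections above lean on two facts the text states but does not show: the LM hash's independent 7-character halves (the length indicator and the 8/14-character thresholds) and the fact that a keyspace splits cleanly into slices that workers can search without talking to each other (the distributed attack). The Go program below is an added example written for this page, not LCP's or SAMInside's code. It computes LM hashes with the standard library's crypto/des, detects the empty second half that marks a password of 7 characters or fewer, and then recovers the second half of "ilovepizza" by partitioning the 3-letter upper-case keyspace across four simulated workers, exactly the way the distributed attack hands out its session files. All inputs are constructed here; nothing is read from a real system. It assumes ASCII passwords (LM really uses the OEM code page), and the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext Windows DES-encrypts under each 7-byte half.
var lmMagic = []byte("KGS!@#$%")

// emptyLMHalf is DES(lmMagic) under the all-zero key: the hash of an empty half.
const emptyLMHalf = "aad3b435b51404ee"

// expandDESKey spreads the 56 bits of a 7-byte half over 8 key bytes, 7 bits
// each with the low (parity) bit zero, most significant bits first.
func expandDESKey(h []byte) []byte {
	var bits uint64
	for _, b := range h {
		bits = bits<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	return k
}

// lmHalf hashes one 7-byte half: the unit of work a cracker repeats per guess.
func lmHalf(half []byte) []byte {
	c, _ := des.NewCipher(expandDESKey(half)) // key is always 8 bytes, cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return out
}

// lmHash returns the 16-byte LM hash of an ASCII password, or nil when Windows
// stores no LM hash (over 14 characters): upper-case, NUL-pad to 14 bytes and
// hash the two 7-byte halves independently.
func lmHash(password string) []byte {
	if len(password) > 14 {
		return nil
	}
	padded := make([]byte, 14)
	copy(padded, strings.ToUpper(password))
	return append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
}

// isShortPassword: a second half equal to emptyLMHalf means at most 7 characters.
func isShortPassword(lm []byte) bool {
	return len(lm) == 16 && hex.EncodeToString(lm[8:]) == emptyLMHalf
}

// candidate maps idx in [0, len(alphabet)^n) to the n-character string it denotes
// (idx read as a base-len(alphabet) number). A distributed attack hands each
// worker a contiguous slice of these indices.
func candidate(alphabet string, n int, idx uint64) string {
	b := make([]byte, n)
	base := uint64(len(alphabet))
	for i := n - 1; i >= 0; i-- {
		b[i] = alphabet[idx%base]
		idx /= base
	}
	return string(b)
}

// splitRange divides [0, total) into parts contiguous, near-equal slices.
func splitRange(total, parts uint64) [][2]uint64 {
	chunk := (total + parts - 1) / parts
	var out [][2]uint64
	for start := uint64(0); start < total; start += chunk {
		end := start + chunk
		if end > total {
			end = total
		}
		out = append(out, [2]uint64{start, end})
	}
	return out
}

// crackLMHalf tries every n-character candidate with index in [start, end)
// against one 8-byte LM half; "" means the answer is not in this slice.
func crackLMHalf(target []byte, alphabet string, n int, start, end uint64) string {
	half := make([]byte, 7) // bytes past n stay NUL, just as Windows pads them
	for idx := start; idx < end; idx++ {
		cand := candidate(alphabet, n, idx)
		copy(half, cand)
		if bytes.Equal(lmHalf(half), target) {
			return cand
		}
	}
	return ""
}

func main() {
	lm := lmHash("ilovepizza") // halves "ILOVEPI" and "ZZA"
	fmt.Printf("LM(ilovepizza)=%x short=%v\n", lm, isShortPassword(lm))
	const upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	for w, r := range splitRange(26*26*26, 4) { // every 3-letter candidate, 4 workers
		if got := crackLMHalf(lm[8:], upper, 3, r[0], r[1]); got != "" {
			fmt.Printf("worker %d recovered second half %q from slice %v\n", w, got, r)
		}
	}
}
```

Run it and exactly one of the four workers reports a hit, because the slices are disjoint; the other three finish their slice and stop, which is all "the password shows up on one of the systems" means in practice. The first half, ILOVEPI, would need the full 7-character keyspace, and that is the work LCP spends its hours on.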

Conclusion

Whichever path you take, you will get the password after some time. The process may be long, but it is worth the wait, and you can always fall back on the faster (less subtle) alternatives listed above. If you have further questions or comments, ask them below. As stated above, neither I nor anyone else at Sizlopedia will be responsible for any harm or damage this may bring, so use it at your own risk.


Chetan October 3, 2008 at 5:37 pm

That’s an awesome post there Saad.
Losing admin passwords is a common thing i have seen and people have been in confusion about the solution. You have explained it pretty well.


Sam Patrik April 30, 2012 at 11:03 am

Hi, Windows administrator password recovery is not a big deal, because there are several password recovery tools like Stellar Phoenix Windows Password Recovery available which easily recover your lost password in a few minutes.


c0d3r October 5, 2008 at 9:25 am

Splendid post :) This is a Brute-Force method, but its nice to know abt it, coz sometimes, its a desperate situation when the admin passwords are lost / changed :O

To add to the post, there are two more methods, but they don't actually recover passwords. One changes the password if u have access to any login (even if it's a limited account), and the second one requires you to repair XP partially (hence u need an XP CD). I can post abt it here if u want :D To add to the sizzling-info :D

Awesome post :D Real informative :)


Syahid A. October 6, 2008 at 3:57 pm

Decent post man! Stumbled!


Muhammad Ali Raza October 12, 2008 at 4:57 pm

dam this much for only a lost password! hmm what if i had such an issue i will boot it from linux and delete sam etc or use the bkhive utility Or copy sam and start cracking.


UzEE November 2, 2008 at 1:09 am

@Muhammad Ali Raza

Deleting SAM can corrupt the registry. The idea is to recover the password, so that the actual owner never gets to find out that the system has been compromised.


Ars November 14, 2008 at 6:27 pm

Thanks buddy but still not confirmed how to crack the password.


windows008 July 1, 2009 at 3:33 am

There are a lot of Windows password revealers and crackers available, but I've found that Windows Password Recovery Tool is the most effective:
it not only supports XP, 2003, 2000, and NT, I have personally tested it with Vista Home Premium and Ultimate. It works perfectly to reset any local user account to a blank password.

You can use the ISO to burn a boot CD. Follow these instructions:

1. Download ISO file from http://www.windowspasswordsrecovery.com Windows Password Recovery Tool
2. Burn to a CD using a CD burning tool such as Nero or Roxio or MagicISO
3. Insert CD into drive and reboot.
4. You may have to select an option in the BIOS to get the computer to boot from the CD.

Booting up and clearing a password takes a minute or two; works like a charm.



linky1124 August 26, 2009 at 9:28 am
robfluth September 13, 2009 at 3:28 am

I have downloaded Windows Password Recovery Tool 2.0 from http://www.windowspasswordsrecovery.com. It works perfectly to reset any local user account to a blank password. I wrote it to an old 128mb USB flash drive to do this.


happykaka October 21, 2009 at 5:37 am

Reset /crack/hack/recovery windows password/admin password/ vista password with windows password unlocker

1. Log onto a computer that can link to the Internet. Download Windows Password Unlocker 4.0 from http://www.passwordunlocker.com/products/wpu.html and decompress it on that PC. Note that: there is a .ISO file. Burn the .ISO file to a CD.
2.Get out the newly created CD and insert it to the locked computer.
3.Re-boot the locked computer and then follow the process of instructions. Just after a few steps, the old password will be removed.
4.Set new password:
Step 1: Open the “Control Panel
Step 2: Click the “User Account
Step 3: Select the account you wanna set a new password.
Step 4: Click “Changing Account ” and “Set Up Password”, then fill out the form as listed. Click “Create Password”.


linky1124 October 21, 2009 at 6:53 am

here is the methods I know.

The first thing to check if you forget your login password: when we install Windows, it automatically creates an account "Administrator" and sets its password to blank. So if you have forgotten your user account password then try this:
Start system and when you See Windows Welcome screen / Login screen, press ctrl+alt+del keys Twice and it'll show Classic Login box. Now type “Administrator” (without quotes) in Username and leave Password field blank. Now press Enter and you should be able to log in Windows.
Now you can reset your account password from “Control Panel -> User Accounts”.
Same thing can be done using Safe Mode. In Safe Mode Windows will show this in-built Administrator account in Login screen.

Windows XP and further versions also provide another method to recover forgotten Password by using “Reset Disk”. If you created a Password Reset Disk in Past, you can use that disk to reset the password. To know more about It, please visit http://www.resetwindowspassword.com/


happymark October 21, 2009 at 7:09 am

I would like to introduce Windows Password Recovery Tool 3.0. It not only supports XP, 2000, and NT, I have personally tested it with Vista Home Premium and Ultimate. It works perfectly to reset any local user account to a blank password. I wrote it to an old 128mb USB flash drive to do this. Booting up and clearing a password takes a minute or two; works like a charm. You can download it from http://www.windowspasswordsrecovery.com


happymark November 20, 2009 at 3:27 am

I have downloaded windows password key 8.0. It is a very quick and useful utility for resetting passwords. It not only supports XP, 2000, and NT, I have personally tested it with Vista Home Premium and Ultimate. It works perfectly to reset any local user account to a blank password.
Just an easy to use bootable CD/DVD . It can also be used on a USB Flash Drive. http://www.lostwindowspassword.com/


wpsabrina December 23, 2009 at 6:33 am

You can try Password Genius. It works for me.

Check this out:
http://www.password-genius.com/how-to/how-to-recover-m... It works for me.


Fiona December 23, 2009 at 7:16 am

A few days ago, I met the headache of having forgotten my Windows login password. The login screen rejected my passwords. I was frustrated because there was very important data on my disk and I couldn't reinstall the OS. However, I fortunately got to know the Windows Password Unlocker, which is a professional Windows password recovery tool for us to reset a Windows 7 password instantly with no data loss.


linkywu December 23, 2009 at 12:12 pm

There's a way to reset the password and it doesn't involve reformatting and reinstalling Windows. The solution is called Windows Password Reset 7.0. It can reset almost all Windows passwords in seconds. It is a great Windows password recovery tool; you can log in again in just one second. It also supports Windows 7 password reset.


pwrecovery December 24, 2009 at 8:51 am

Forgot or lost your Windows password? Reset a Windows 7 password with Password Unlocker Bundle, one of whose functions is to recover Windows passwords for Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows 7, etc. This password recovery bundle is based on a friendly GUI; even a computer novice can control the whole process freely. Besides, Password Unlocker Bundle saves a lot of trouble. It helps to create a Windows password reset CD, with which you can remove the admin password even if you are logged out of the computer, with no reinstalling and no data loss!

Password Unlocker Bundle is a professional password recovery kit, which contains a series of password recovery tools: Windows password recovery, PDF password recovery, MS documents password recovery, MS Excel password recovery, WinZIP/ZIP password recovery, WinRAR/RAR password recovery, MS SQL password recovery, Internet password recovery, Windows Live/MSN password recovery, MS Access password recovery, Outlook password recovery, and Outlook Express password recovery, etc. No matter whether you are at home or in the office, the bundle helps to reset the password we forgot or lost. Grasp the opportunity.




Alise622 June 22, 2010 at 9:20 am

I was locked out of my computer for a while, and tried everything I could but failed, until I found this great tool Windows Password Key 8.0 as recommended above. It works great. Such a marvellous and useful tool.


Anonymous August 27, 2010 at 6:37 am

you can try to google Password Genius


Lemon Yanyan August 22, 2011 at 8:35 am

Wonderful guide, thanks. By the way, I have used Windows Login Recovery software for recovering my Win7 password, and it works. I recovered my Win7 password and my data is all safe. You may have a try.

