In this article we will discuss various ways through which a user can recover or reset the password on the current system as well as on a remote system. Sometimes it is easier to reset the password than to actually recover it, provided the user has physical access to the system. Often, however, it is more important to recover the password, especially when the file system is encrypted or when the file system is being analyzed in a forensic case.
Windows 98 used to store user account passwords in .pwl files in the Windows directory. Later versions of Windows use a better technique and store the account passwords in the registry hive files named 'SYSTEM' and 'SAM' at the following location:
These files are highly protected and are not accessible while Windows is running, even for the administrator user. However, hackers have found a way to circumvent these protections and access these system files.
This section deals with recovering all user account passwords from the currently logged-in system. In addition to the currently logged-on user, you can also recover the passwords of all other user accounts on the same system. For this you need an account with administrative privileges.
There are a couple of tools available for live Windows password recovery, such as pwdump, Cain & Abel, LC5 etc. The entire process involves 2 steps:
Here is a snapshot of the various user accounts and their LM/NTLM hashes dumped by the Cain & Abel tool.
It will dump the password hashes for all the user accounts and indicate if any user account does not have a password. After getting these hashes, you can submit them to online rainbow cracking services to quickly recover the real password. For more details refer to our 'Rainbow Password Cracking Article'. You can also try LC5's dictionary or brute-force cracking approach in parallel to recover any easy passwords.
This section throws light on how we can recover the password from an offline system or just a plain hard disk. Generally this is the case in forensic investigations, where a person's disk has been brought in for acquiring further footprints in the case. In such scenarios it is important to recover the user's login password, as the disk may have been encrypted and some prominent applications use the user's logon password to secure their data and other credentials.
Here we will discuss both scenarios: resetting the current user password as well as recovering the password from an offline system or hard disk.
Here we are going to use the chntpw tool from the BackTrack live CD. Here are the typical steps involved in resetting the password:
Offline recovery involves copying the SYSTEM and SAM registry hive files from the target system. You can use any live CD or other mechanism to access the hard disk and get the files. Here we will explain how to get those files using the BackTrack Live CD.
Here is the screenshot of recovering the password from the SAM file using the LC5 tool.
Often in a corporate environment there is a need to remotely troubleshoot user login problems, such as recovering or resetting a password. Generally in such scenarios, every client system has one administrator account and one or more user accounts. Using this administrator account, one can remotely recover the user passwords using tools like pwdump.
Pwdump is a great tool which can dump the password hashes not only from a live system but also from a remotely running system. Here is the screenshot of pwdump dumping the password hashes for all accounts from a running remote system.
Here pwdump prints them to the console; instead you can make it write to a text file, which can later be fed into LC5 or Cain & Abel for a brute-force/dictionary crack operation. Alternatively you can submit the hashes to an online rainbow cracking service to quickly recover the password.
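As an added illustration (not the article's own code and not part of pwdump), here is a small Python audit that reads the text-file form of a pwdump dump, as produced in the live and remote sections above, and flags what an administrator should act on: accounts with a blank password and accounts that still have an LM hash stored. The sample dump and every non-empty hash in it are constructed; the 'NO PASSWORD' marker is assumed to be what some pwdump builds print when no LM hash is stored.

```python
import re

# Hash values Windows stores for an empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Marker assumed to appear in some pwdump builds when no LM hash is stored.
NO_LM_MARKER = "no password*********************"

# pwdump text format: user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[^:]*):(?P<nt>[^:]*):")

def parse_pwdump_line(line):
    """Parse one dump line into a dict, or None if it is not a pwdump record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "rid": int(m["rid"]),
            "lm": m["lm"].lower(), "nt": m["nt"].lower()}

def audit_account(rec):
    """Return the findings a defender acts on for one parsed account."""
    findings = []
    if rec["nt"] in ("", EMPTY_NT):
        findings.append("blank password")  # the account logs in with no password
    elif rec["lm"] not in ("", EMPTY_LM, NO_LM_MARKER):
        # An LM hash means the password is at most 14 characters and is stored in
        # a form rainbow tables recover quickly; enable the "do not store LAN
        # Manager hash" policy and rotate the password.
        findings.append("LM hash stored (weak)")
    return findings

def audit_pwdump(text):
    """Audit a whole dump; returns {user: [findings]} for accounts with findings."""
    report = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        findings = audit_account(rec)
        if findings:
            report[rec["user"]] = findings
    return report

# Constructed sample dump: every hash other than the empty-password constants is made up.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
"""
```

Running `audit_pwdump(SAMPLE_DUMP)` on the constructed dump reports Administrator for a stored LM hash and Guest for a blank password, while alice and bob (NT hash only) raise no finding.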
- Tool: LC5 (http://www.securityfocus.com/tools/1005)
- Tool: Cain & Abel (http://www.oxid.it/cain.html)
- Tool: Pwdump (http://www.foofus.net/~fizzgig/pwdump/downloads.htm)
- Tool: BackTrack (http://www.backtrack-linux.org/)
- Rainbow Cracking to quickly recover Windows Password