UPDATE: If you don’t want to find out the password, there is a nice tutorial on how to reset any user account password in Windows XP, Vista and 7! It’s easier than this one!
Hi guys,
Today I’ll try to write my first tutorial about Windows Password recovery (often referred to as Windows Password Hacking).
This tutorial is meant to help you recover your lost password. You may not use the information provided to hack other people’s passwords! This may also be against your local laws. I’m not responsible for any nonsense done with this information!
THIS TUTORIAL ONLY WORKS FOR WINDOWS XP!
First of all, Windows won’t give you the passwords voluntarily. To protect them, they are encrypted and saved into a file. This file can be found here:
%WINDIR%\system32\config
So on most computers, this will be:
C:\WINDOWS\system32\config
There you can find several files, including your whole registry and other stuff. The file with the Windows passwords is called “SAM” (Security Account Manager). When setting a password for any user, Windows uses a so-called “LM hash” and a key to generate a hash of this password. When you enter it at login, it generates this hash again and checks whether the new one and the saved one are the same; if so, the password you entered is correct. This is done to avoid saving the real passwords.
So to crack a password, you need to read out the hash from the SAM file and the key, which is stored in the same folder in a file called “SYSTEM”. So for every method you may use later, you will need these two files.
The next thing is to get the actual password from the hash. Since these hashing algorithms are designed to make reversing them impossible (meaning you won’t be able to get any result from the hash alone, because there may be millions of possibilities), there are two other ways of getting the password. One would be brute force: just try every possible password (beginning with “a”, go to “z”, “A” to “Z”, “0” to “9” and all special characters, and increase the length by one each time you have checked all combinations), generate the hash of this candidate, and compare it with the original one until you find the correct one. But this method may take days or months, depending on your computer’s speed and the password strength. Another way is using pre-calculated results, where somebody did this brute-force job for you and saved all results in a database, where you can enter your hash and it will probably give back your password (chance is around 99.9%).
Now there are some possibilities to get the hash for every user (even Administrator):
- Use a tool called “pwdump” to read out the hashes from your computer. This tool injects some code via “DLL Injection” into the running “lsass.exe” process, which will execute it, read the hashes from the SAM file, and give them back. You can find various versions of pwdump with Google; I uploaded a small file with all required stuff and a short tutorial to my server: Password dumping tool for Windows XP
Download the .zip file, extract all the contents, then double-click “password.bat”. This will start “pwdump6” with all the required parameters and save the hashes for all users to “hashes.txt”.

Now open the “hashes.txt” file with notepad, and you will see in each line the name of a user followed by the hashes. The part of the hashes you need is from the 3rd colon to the three colons in the end, I marked the LM-Hash for the user “moeadmin” in the image:

This method has a few disadvantages: you need to sit in front of the computer, it must be running, and you must be logged on to Windows. It also sometimes causes problems when your account hasn’t got enough rights to access the lsass process. But it’s still the easiest one.
- Use another operating system like Linux to get the SAM and SYSTEM files. For this purpose, a distribution called “Knoppix” is quite useful, since it runs completely from CD (LiveCD) and comes with support for NTFS and FAT32 partitions (as used by Windows) and drivers for almost all HDDs and USB sticks. Download it, burn the image to CD (using a tool like ImgBurn), insert the CD into your drive and boot from it. When it’s completely loaded, click the hda0 icon on your desktop (most probably it will be this partition; if not, try the other ones), browse to your SAM and SYSTEM files (still at C:\WINDOWS\system32\config) and copy them to another storage (e.g. a mail account if you’ve got internet access, a USB stick or an external HDD).
Then go back to any other computer running Windows and download a program called “SAMInside”. It’s not freeware, but quite useful and free to try. Run SAMInside, click File -> Import SAM and SYSTEM registry files:

Now select the files you got via Linux. Then it will show every user and some information (RID, Passwords, Hashes):

Most probably it won’t be able to get the passwords directly, but never mind. Right-click the user you want and select “Copy LM-Hash”. This method has the disadvantage that booting from a device other than your HDD must be allowed, but that’s quite usual.
- A direct method to get the password is using a live CD which only gets your LM hashes and directly tries to decode them. For that, you could use Ophcrack and its Rainbow Tables. Just download the LiveCD, burn it, and see what happens. I won’t help you with that; see other online tutorials.
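Before decoding anything, it is worth knowing which accounts on a machine are exposed at all. The following audit script is an added example, not part of the original tutorial or of pwdump: it parses the user:RID:LM-hash:NT-hash::: lines that “hashes.txt” contains and reports which accounts still store an LM hash (the only ones the rainbow tables above can crack) and whether only the first 7-character half of it is populated. It assumes the well-known LM hash of the empty string; the other hash values in the sample are constructed placeholders.

```python
import re

# LM hash of the empty string. Windows stores exactly this value when the
# NoLMHash policy is set or the password is longer than 14 characters.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
LM_EMPTY_HALF = LM_EMPTY[:16]  # LM hashes two 7-char halves independently
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample in pwdump format (user:RID:LM-hash:NT-hash:::).
# Every hex value except LM_EMPTY is a placeholder, not a real hash.
SAMPLE_HASHES_TXT = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
moeuser:1003:89abcdef01234567aad3b435b51404ee:00112233445566778899aabbccddeeff:::
longpass:1004:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
garbage line without the expected fields
"""


def classify_lm(lm_field):
    """Map the LM-hash field of one pwdump line to a risk label."""
    lm = lm_field.lower()
    # pwdump-style tools print a text marker instead of hex when no hash exists
    if not HEX32.fullmatch(lm) or lm == LM_EMPTY:
        return "no LM hash stored"
    if lm[16:] == LM_EMPTY_HALF:  # second half empty: password is 7 chars or less
        return "LM hash stored, password is 1-7 characters"
    return "LM hash stored, password is 8-14 characters"


def audit_pwdump(text):
    """Parse pwdump-style lines; return a list of (user, rid, risk) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 7 or parts[4:] != ["", "", ""] or not parts[1].isdigit():
            findings.append((line[:30], None, "unparsed line"))
            continue
        findings.append((parts[0], int(parts[1]), classify_lm(parts[2])))
    return findings


def accounts_to_fix(text):
    """Users whose LM hash is still stored (fix: NoLMHash policy, then reset)."""
    return [u for u, _, risk in audit_pwdump(text) if risk.startswith("LM hash stored")]


if __name__ == "__main__":
    for user, rid, risk in audit_pwdump(SAMPLE_HASHES_TXT):
        print(f"{user!s:<32} {rid!s:>5}  {risk}")
```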
Now that you’ve got your LM hashes, you can decode them. I would suggest to use this website which does the job for you: http://www.objectif-securite.ch/en/products.php
It actually uses the Rainbow Tables from Ophcrack. Just enter your LM hash into the input field at the bottom of the page, click submit, and it will probably give you the password!
For this, you need internet access. If that’s not suitable, try using Ophcrack’s Rainbow Tables directly.
If you just want to try it, use these SAM and SYSTEM files (got from *****JC [censored due to legal problems] in Singapore) and recover the passwords. You should get:
Administrator: **** [censored due to legal problems]
moeadmin: MOE****ADMIN [censored due to legal problems]
moeuser: PASSWORD
jae: PASSWORD
pae: PASSWORD
Thanks for reading!