Hi guys... Today I'll try to write my first tutorial about Windows password hacking. It is actually quite easy when you understand the concept.

*** THIS TUTORIAL ONLY WORKS FOR WINDOWS XP! ***

First of all, Windows won't give you the passwords voluntarily. To protect them, they are encrypted and saved into one file. This file can be found here: %WINDIR%/system32/config
So on most computers, this will be: C:\WINDOWS\system32\config
There you can find several files, including your whole registry and other stuff. The file with the Windows passwords is called "SAM" (Security Account Manager).

When setting a password for any user, Windows uses a so-called "LM hash" and a key to generate a hash of this password. When you enter it at login, it generates this hash again and checks whether the new one and the saved one are the same; if they are, your entered password is correct. This is done so that the real passwords never have to be saved. So to crack a password, you need to read out the hash from the SAM file and the key, which is stored in the same folder in a file called "SYSTEM". So for every method you may use later, you will need these two files.

The next thing is to get the actual password from the hash. Since these hashing algorithms are designed to make reversing them impossible (meaning: you won't be able to get any result from the hash alone, because there may be millions of possibilities), there are two other ways of getting the password. One would be brute force: just try every possible password (beginning with "a", going to "z", "A" to "Z", "0" to "9" and all special characters, and increasing the length by one every time you have checked all combinations), generate the hash of this candidate, and compare it with the original one until you find the correct one. But this method may take days or months, depending on your computer's speed and the password strength.
Another way is using pre-calculated results, where somebody has done this brute-force job for you and saved all results in a database; there you can enter your hash and it will probably give back your password (the chance is around 99.9%).

Now there are some possibilities to get the hash for every user (even Administrator).

1. Use a tool called "pwdump" to read out the hashes from your computer. This tool injects some code via "DLL injection" into the running "lsass.exe" process, which executes it, reads the hashes from the SAM file, and gives them back. You can find various versions of pwdump with Google; I uploaded a small file with all required stuff and a short tutorial to my server: http://multimolti.mu.funpic.de/download/hacks/getwinpw.zip
This method has a few disadvantages: you need to sit in front of the computer, it must be running, and you must be logged on in Windows. It also sometimes causes problems when your account hasn't got enough rights to access the lsass process. But it's still the easiest one.

2. Use another operating system like Linux to get the SAM and SYSTEM files. For this purpose, a distribution called "Knoppix" (http://www.knoppix.org/) is quite useful, since it runs completely from CD (LiveCD) and comes with support for NTFS and FAT32 partitions (as used by Windows) and drivers for almost all HDDs and USB sticks. Download it, burn the image to CD, insert the CD into your drive and boot from it. When it's completely loaded, click the hda0 icon on your desktop (most probably it will be this partition; if not, try the other ones), browse to your SAM and SYSTEM files and copy them somewhere you can use them (e.g. a mail account if you've got internet access, a USB stick or an external HDD). Then go back to any other computer running Windows and download a program called "SamInside" (http://www.insidepro.com/eng/saminside.shtml). It's not freeware, but quite useful and free to try.
Running SamInside, click File -> Import SAM and SYSTEM registry files -> select the files you got via Linux. Then it will show every user and some information (RID, passwords, hashes). Most probably it won't be able to get the passwords directly, but never mind. Right-click the user you want and select "Copy LM-Hash". This method has the disadvantage that booting from a device other than your HDD must be allowed, but that's quite usual.

3. A more direct method is using a live CD which only gets your LM hashes and directly tries to decode them. For that, you could use Ophcrack (http://ophcrack.sourceforge.net/) and their rainbow tables. Just download the LiveCD, burn it, and see what happens.

---

Now that you've got your LM hashes, you can decode them. I would suggest using this website, which does the job for you: http://www.objectif-securite.ch/en/products.php
It actually uses the rainbow tables from Ophcrack. Just enter your LM hash into the input field at the bottom of the page, click submit, and it will probably give you the password! For this, you need internet access. If that's not suitable, try using Ophcrack's rainbow tables directly.

I hope you enjoyed & understood my tutorial! When it doesn't work for you, please answer in this thread or PM me! Any suggestions/corrections? Answer! I would like to have some feedback! And if some words don't fit into the context, then I'm sorry, I'm not a native English speaker and only 16 years old :P But I try to do my best... Thanks for reading!
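As an added illustration of the brute-force and pre-calculated-table idea explained at the top of this post (this is example code written for this edit, not part of the original post and not taken from any of the tools it names), the script below does three things: it counts how many candidates a brute-force run of the kind described has to try for a given character set and maximum length, it builds a small precomputed hash-to-password table from a constructed word list and looks a stolen hash up in it, and it shows why a random per-user salt defeats such a table, which is the standard defence against this whole approach. It uses SHA-256 from Python's standard library as a stand-in for the real algorithm, because computing actual LM hashes needs DES, which the standard library does not provide; the word list, the sample password and the salt are all constructed for the example.

```python
import hashlib
import os

# Constructed word list standing in for the "somebody did the brute-force
# job for you" database; a real precomputed table holds millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "summer2008", "admin"]


def candidates_up_to(charset_size: int, max_len: int) -> int:
    """Number of passwords a brute-force run tries when it walks every
    combination of `charset_size` characters at lengths 1..max_len."""
    return sum(charset_size ** length for length in range(1, max_len + 1))


def unsalted_hash(password: str) -> str:
    """Unsalted hash of a password (SHA-256 as a stand-in for LM)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """The same hash with a random per-user salt mixed in first."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; this is what a lookup service stores."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest: str):
    """Reverse a hash by table lookup; None if that password was never precomputed."""
    return table.get(digest.lower())


def demo():
    """Returns (unsalted lookup result, salted lookup result)."""
    table = build_lookup_table(WORDLIST)

    # Unsalted: the stored hash maps straight back to the password.
    stolen = unsalted_hash("letmein")                # constructed sample
    unsalted_result = lookup(table, stolen)

    # Salted: the same password gives a different hash for every user, so the
    # table built above no longer matches and would have to be rebuilt per salt.
    salt = os.urandom(16)                            # constructed per-user salt
    salted_result = lookup(table, salted_hash("letmein", salt))

    return unsalted_result, salted_result


if __name__ == "__main__":
    # Full printable ASCII (95 chars) at up to 8 characters, as in the
    # "a".."z", "A".."Z", "0".."9" plus specials walk described above.
    print("brute-force candidates, 95 chars, len<=8:", candidates_up_to(95, 8))
    print("unsalted / salted lookup:", demo())
```

The point for anyone hardening a system is the second half of `demo()`: a precomputed table only works because every machine hashes the same password to the same value, so a per-user salt (or simply not storing the weak hash at all) takes the table away from the attacker without changing anything the user does.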