Posts tagged tutorial

Have you ever wondered how to retrieve the Windows admin password for a computer? I’ll try to be brief and explain how to do just that without using too many advanced techniques. Of course they are many ways of doing this, so I’ll outline what I find easy. Remember that this is only for educational purposes, don’t try to hack someone’s computer (unless you really need to…). Also remember that you need physical access to the computer and some time. This tutorial is for Windows XP, not sure what else it will work for.

Tools you will need:

• 1GB or bigger USB key (or a CD and CD burner)
• Another any size USB key
• Any distribution of Linux. I used Pendrive Linux and a USB key but any combination will work.
• A computer on which to do all the installing and other work
• The computer for which you want to retrieve the password
• Rainbow table program Ophcrack
• A 700MB rainbow table (if the password is more complex you can use a bigger one. More on that a bit later)

I will write this tutorial as if you are using Pendrive Linux and USB, but you can easily port this method to CD/DVD or other variants. Below is the step by step tutorial on what exactly you need to do.

• Format your USB stick and set the filesystem to FAT32 while formattting. If the Linux won’t work with FAT32 try FAT.
• Download Pendrive Linux from HERE
• Using Winrar or another extraction program, extract the contents of Pendrive Linux into the root of your newly formatted USB drive
• When it finishes extracting, open the USB directory, and open the file makeboot.dat. This will make your USB drive bootable
• Your USB is ready for booting. Plug it into the computer you want to find the password for. Reboot/Start the computer
• When booting, make sure you select USB as the boot device. This is different for every BIOS, so you will just have to figure it out yourself. It’s sometimes F9, F8, or Del key, but it could by something else
• Wait for Pendrive linux to finish booting. You will arrive at the main screen.
• Open the window that allows you to see all storage devices on the computer. One of the them will be the hard drive, open it and navigate to C:\Windows\system32\config/
• Stick your other USB key into the computer, and copy all the files from this directory onto another directoy on your USB key. You can ignore the systemprofile directory, you don’t need it.
• Just to be safe and make sure you have the files you need, you can also copy the contents of C:\Windows\repair to another folder on your USB Key. This is just in case the other files don’t work, but most likely they will.

OK, you are now finished with copying the system files. What’s stored in the /config/ directory is all the passwords that are saved on the current computer, but they are encrypted, so we need a way of decrypting them. It would take forever to bruteforce, so what we will use is Rainbow Tables. These are pregenerated hashes, so what the computer will do is check the hashed version of the password from the file and compare it with the table. Of course, the bigger the table the more possibilities it has, and also it’s faster. Now it’s password-cracking time

• Download Ophcrack. It will allow us to crack the passwords.
• Download this 700MB rainbow table
• If the password is not alpha-numeric and contains special characters, you will need a bigger table. What I recommend is to download a 35 GB rainbow table from a torrent. The torrent is available from HERE. Make sure you download the right now, or otherwise that’s a lot of bandwidth wasted!
• Open up Opcrack and click the Tables icon. Point to your tables directory and click Install
• Click the Load icon, and select “Encrypted SAM”. Now point the tree view to the directory to which you dumped all the files from the system32\config directory
• Click crack and wait a little. If the passwords are complicated it might take longer. After it finishes, it presents you with all the passwords stored for this computer!

If it didn’t work, it might be because you are using the alphanumeric table and the password has non alphanumeric characters. If you Download the 35 GB table there is a much higher chance you will be able to crack the password! Also, it might be possible that the passwords are salted, in which I think you are out of luck, since a salt makes it really hard to decrypt the hash. Still, try the method and see what you come up with! You now have administrator access to the machine! I hope you enjoyed reading, and that you learned something. Also, remember that this is for educational purposes only, don’t use it for criminal activities! Also, sorry for no pics, maybe I”ll come up with some a bit later!