Hacking Windows Passwords

If you’ve ever been in a situation where you didn’t know the password to log in to a Windows computer, there are several methods you can use. These methods require local access to the computer and work on workgroup as well as domain computers; it is also possible to extend your access throughout a domain using these techniques. I’ll assume you already understand how Windows security works and just outline the methods. If you would like more details, you can email me.

Method 1 – Password Renew

This is my preferred method and the one I have personally had a lot of success with. It gives you the option to reset the password of any local user account, create a new local administrator, or grant administrative rights to an existing user.

Warning! – Do not attempt these methods on EFS or encrypted disks

  • Download Bart PE and Password Renew
  • Obtain a Windows XP or Windows 2003 Server disc in order to build the boot disk
    • Add Password Renew as a plugin and build the disk
  • Boot the Bart PE disk and launch Password Renew
    • Select the Windows directory (default is C:\Windows)
    • Select whether to reset a password or install a new administrative account
    • Select Install, then reboot

Method 2 – Offline NT Password & Registry Editor

This is a less preferred method with about a 70% success rate, and I would recommend backing up the SAM file before editing. On the other hand, there is no need to build anything, because the downloads are already disk images.

Warning! – Do not attempt these methods on EFS or encrypted disks

  • Download Offline NT Password & Registry Editor
  • Select the disk to mount that contains the Windows system
  • Select the path to the registry files (typically WINDOWS/system32/config)
  • Select Option 1 for password edit
  • Select Option 1 to edit user data and passwords
  • Select the account whose password you want to reset
  • Select Option 1 to clear (blank) the user password (blanking has a higher success rate than setting a new one)
  • Select Option q to quit and confirm writing the files back

Method 3 – Ophcrack (Cracking with Rainbow Tables)

This method takes a different approach: instead of editing the SAM file, it dumps the password hashes from it and then attempts to crack the passwords using rainbow tables.

  • Download the Ophcrack live CD; otherwise, you’ll need to be a local administrator to dump the password hashes
  • Burn the ISO to disc using any CD burning tool
  • Boot the Ophcrack CD, which will automatically launch Ophcrack, dump the SAM file, load the built-in rainbow table, and crack the passwords
    • If the password you need does not crack, save the hashes, download the Ophcrack program and larger rainbow tables, and run it against them. If this still does not work, try one of the other cracking methods with the hashes

Method 4 – PWDump + John the Ripper or Cain (Cracking with Brute Force)

This approach is similar to Ophcrack in that it dumps the hashes from the SAM file. However, it uses brute force, which can take significantly longer.

Warning! – Some antivirus programs might detect these as viruses or hacking tools

  • Download PWDump6 or FGDump
    • Depending on your situation, you can run PWDump6 or FGDump across the network or on the local machine if you have administrative credentials. If not, you’ll need to dump the SAM file offline, either by running the tools from a live CD (e.g. a Linux distro or BartPE) or by attaching the hard drive as a secondary drive in a workstation you have access to.
  • Once you have obtained the hashes, download John the Ripper
    • You’ll need to run it from the command line with any additional parameters you want for the crack
  • Alternatively, once you have obtained the hashes, download Cain & Abel
    • Open Cain
    • Click on the Cracker tab
    • Click the “+” to add hashes to the list
    • Select your list of hashes
    • Right-click the list and select a Brute Force Attack
    • Select your character set and click Start

Method 5 – Cachedump (Cracking Cached Domain Passwords)

Taking things a step further: by default, computers in a Windows domain cache the password hashes of the last 10 users who logged on. We can use Cachedump to extract these hashes and then import them into a program to crack.

Warning! – Some antivirus programs might detect these as viruses or hacking tools

  • Download Cachedump 1.2
  • Open a command prompt and dump the cached password hashes (this requires local administrative access):
    • cachedump.exe
  • Download John the Ripper with a patch that supports the MS Cache hash format
  • Run John from the command line using any parameters you wish, but make sure you include the following parameter:
    • -format:mscash mydump.txt
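As an added administrator's check, not part of the original post: the PowerShell below audits the two registry settings that decide how much of the material Methods 3, 4 and 5 harvest is actually present on a machine, namely whether the weak LM hash that rainbow tables target is stored in the SAM (NoLMHash) and how many domain logons are cached for Cachedump to read (CachedLogonsCount, default 10), and can tighten both. The threshold of 2 cached logons and the function names are my assumptions, not Microsoft defaults.

```powershell
# Added example, not from the original post. Reads the two settings behind the
# hashes Methods 3-5 recover:
#   CachedLogonsCount - number of domain logons Windows caches locally (default 10)
#   NoLMHash          - 1 stops Windows storing the weak LM hash in the SAM
# Assumed: run from an elevated PowerShell prompt on the host being audited.
function Get-CredentialStorageAudit {
    param([int]$MaxCachedLogons = 2)   # assumed policy threshold, not a default

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # CachedLogonsCount is a REG_SZ string; an absent value means the default of 10.
    $cachedRaw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                    -ErrorAction SilentlyContinue).CachedLogonsCount
    $cached = if ($null -eq $cachedRaw) { 10 } else { [int]$cachedRaw }

    # NoLMHash is a DWORD; an absent value is treated as 0 (LM hashes may be stored).
    $noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash `
               -ErrorAction SilentlyContinue).NoLMHash
    if ($null -eq $noLm) { $noLm = 0 }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        CachedLogonsCount = $cached
        CachedLogonsOk    = ($cached -le $MaxCachedLogons)
        NoLMHash          = [int]$noLm
        NoLMHashOk        = ([int]$noLm -eq 1)
    }
}

# Applies the tightened settings. NoLMHash only affects hashes written after the
# change: an existing LM hash stays in the SAM until that user next changes password.
function Set-CredentialStorageHardening {
    param([int]$CachedLogons = 2)
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        -Name CachedLogonsCount -Value ([string]$CachedLogons) -Type String
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name NoLMHash -Value 1 -Type DWord
}

Get-CredentialStorageAudit | Format-List
```

Setting CachedLogonsCount to 0 disables cached logons entirely, which also stops domain users logging on while the domain controller is unreachable, so pick the threshold to match how the machine is used.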