Jan 01

Reset Domain Administrator Password

The following method has been tested on both Server 2003 and Server 2008 domain controllers.

  • Download SRVANY and INSTSRV, which are part of the Windows 2003 Resource Kit
  • Ensure you have the Directory Services Restore Mode (DSRM) administrator password, restart the server in DSRM, and log in as Administrator
    • If you do not have the DSRM administrator password, you can attempt to recover it through one of these methods
  • Create the folder: C:\reset\
    • Copy srvany.exe, instsrv.exe, and cmd.exe (located in C:\Windows\system32) to C:\reset\
  • Open a command prompt and enter the following commands
    • cd "C:\reset"
    • instsrv PassRecovery "C:\reset\srvany.exe"
  • Run regedit.exe and navigate to HKLM\System\CurrentControlSet\Services\PassRecovery
  • Create a subkey called: Parameters
    • Create a new string value (REG_SZ)
      1. Name: Application
      2. Value: C:\reset\cmd.exe
    • Create a new string value (REG_SZ), where <password> is the desired password (it must meet the domain password policy requirements)
      1. Name: AppParameters
      2. Value: /k net user administrator <password> /domain
  • Open Services and Open the Properties for the PassRecovery Service
    • On the General tab, ensure the startup type is Automatic
    • On the Log On tab, ensure the option is checked to: Allow service to interact with desktop
  • Restart the server normally, and log in with the password you specified
  • Uninstall SRVANY by entering the following commands at a command prompt:
    • net stop PassRecovery
    • sc delete PassRecovery
  • Delete C:\reset\
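The procedure above leaves a recognisable trail on the domain controller once it is rebooted normally: a new service is registered (System log event 7045, "A service was installed in the system", with srvany.exe as the image path), and moments later the Administrator account's password is reset by the service (Security log event 4724, "An attempt was made to reset an account's password"). The following detection logic, added here as an example and not taken from the post, pairs those two events over constructed sample data; the field names are this example's own rather than a Windows event schema, and the account names, paths and timestamps are made up.

```python
"""Correlate a wrapper-service install with a password reset that follows it.

Added example, not code from the original post. It runs over constructed
sample events that stand in for an exported System and Security log; the
field names are this example's own, not a Windows event schema.
"""
from datetime import datetime, timedelta

# Generic service wrappers and shells: neither should be a service's own
# image on a domain controller. srvany.exe and cmd.exe are the two the
# procedure above uses.
SUSPICIOUS_IMAGES = {"srvany.exe", "cmd.exe"}

# Constructed sample events (times, names and paths are made up), modelled on
# event 7045 (System log: "A service was installed in the system") and
# event 4724 (Security log: "An attempt was made to reset an account's
# password").
SAMPLE_EVENTS = [
    {"time": "2009-01-01 09:58:10", "log": "System", "id": 7045,
     "service_name": "Dnscache", "image_path": r"C:\Windows\System32\svchost.exe"},
    {"time": "2009-01-01 10:00:00", "log": "System", "id": 7045,
     "service_name": "PassRecovery", "image_path": r"C:\reset\srvany.exe"},
    {"time": "2009-01-01 10:02:31", "log": "Security", "id": 4724,
     "target_account": "administrator", "subject_account": "DC01$"},
    {"time": "2009-01-01 15:40:00", "log": "Security", "id": 4724,
     "target_account": "jsmith", "subject_account": "helpdesk1"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def suspicious_service_installs(events):
    """Return the 7045 events whose image file is a wrapper or shell binary."""
    hits = []
    for event in events:
        if event["id"] != 7045:
            continue
        image_file = event["image_path"].rsplit("\\", 1)[-1].lower()
        if image_file in SUSPICIOUS_IMAGES:
            hits.append(event)
    return hits


def correlate_resets(events, window_minutes=30):
    """Pair each suspicious install with every 4724 reset that follows it
    within the window. A reset performed shortly after a wrapper service
    appears is the sequence the SRVANY procedure produces on reboot."""
    alerts = []
    resets = [e for e in events if e["id"] == 4724]
    for install in suspicious_service_installs(events):
        installed_at = parse_time(install["time"])
        for reset in resets:
            delay = parse_time(reset["time"]) - installed_at
            if timedelta(0) <= delay <= timedelta(minutes=window_minutes):
                alerts.append({
                    "service": install["service_name"],
                    "image": install["image_path"],
                    "reset_target": reset["target_account"],
                    "reset_by": reset["subject_account"],
                    "minutes_after_install": round(delay.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_resets(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the PassRecovery install is paired with a reset (the Administrator reset 2.5 minutes later); the unrelated helpdesk reset in the afternoon falls outside the window. The 30-minute window is a tuning choice: the service fires at the next boot, so on a real domain controller the two events are normally seconds apart.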
Jan 01

Hacking Windows Passwords

If you have ever been in a situation where you did not know the password to log in to a Windows computer, there are several methods you can use. These methods require local access to the computer and work on workgroup as well as domain computers, and it is possible to extend your access throughout a domain using these techniques. I'll assume you already understand how Windows security works and will just outline the methods. If you would like more details, you can email me.

Method 1 – Password Renew

This is my preferred method, and one I have personally had a lot of success with. It gives you the option to reset the password of any local user account, create a new local administrator, or grant administrative rights to an existing user.

Warning! Do not attempt these methods on EFS or encrypted disks.

  • Download Bart PE and Password Renew
  • Obtain a Windows XP or Windows 2003 Server Disk in order to build the boot disk
    • Add Password Renew as a plugin and build the disk
  • Boot the Bart PE disk and launch Password Renew
    • Select the Windows directory (default is C:\Windows)
    • Select to reset a password or install a new administrative account
    • Select Install, then reboot

Method 2 – Offline NT Password & Registry Editor

This is a less preferred method, which has about a 70% success rate, and I would recommend backing up the SAM file before editing. However, there is nothing to build, because the downloads are already bootable images.

Warning! Do not attempt these methods on EFS or encrypted disks.

  • Download Offline NT Password & Registry Editor
  • Select the disk to mount containing the Windows system
  • Select the path and registry files (Typically WINDOWS/system32/config)
  • Select Option 1 for password edit
  • Select Option 1 to edit user data and passwords
  • Select the account you want to reset the password on
  • Select Option 1 to Clear (blank) user password (Blanking has a higher success rate)
  • Select Option q to quit and confirm writing the files back

Method 3 – Ophcrack (Cracking with Rainbow Tables)

This method takes a different approach by dumping the password hashes from the SAM file instead of editing it. It then attempts to crack the passwords using rainbow tables.

  • Download the Ophcrack live CD; otherwise, you'll need to be a local administrator to dump the password hashes
  • Burn the ISO to a disc using any CD burning tool
  • Boot the Ophcrack CD, which will automatically launch Ophcrack, dump the SAM file, load the built-in rainbow table, and crack the passwords
    • If the password you need does not crack, save the hashes, download the Ophcrack program and larger rainbow tables, and run it against them. If this does not work, try one of the other cracking methods with the hashes

Method 4 – PWDump + John the Ripper or Cain (Cracking with Brute Force)

This approach is similar to Ophcrack in that it dumps the hashes from the SAM file. However, it uses brute force, which can take significantly longer.

Warning: some antivirus programs might detect these as viruses or hacking tools.

  • Download PWDump6 or FGDump
    • Depending on your situation, you can run PWDump6 or FGDump across a network or on a local machine if you have administrative credentials. If not, you'll need to dump the SAM file offline by putting the tools on a live CD (e.g. a Linux distro or BartPE), or by adding the hard drive as a secondary drive on a workstation you have access to.
  • Once you have obtained the hashes, download John the Ripper
    • You'll need to run it from the command line, with any additional parameters you wish for the crack
  • Alternatively, once you have obtained the hashes, download Cain & Abel
    • Open Cain
    • Click on the Cracker tab
    • Click the "+" to add hashes to the list
    • Select your list of hashes
    • Right-click the list and select Brute Force Attack
    • Select your character set and click start

Method 5 – Cachedump (Cracking Cached Domain Passwords)

Taking things a step further: by default, computers in a Windows domain cache the last 10 users' password hashes. We can use Cachedump to extract the hashes and then import them into a program to crack them.

Warning: some antivirus programs might detect these as viruses or hacking tools.

  • Download Cachedump 1.2
  • Open a command prompt and dump the cached password hashes, which requires local administrative access
    • cachedump.exe
  • Download John the Ripper with a Patch that supports M$ Cache Hash
  • Run John from the command line using any parameters you wish, but ensure you include the following parameter:
    • -format:mscash mydump.txt
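The setting behind Method 5 is the CachedLogonsCount value under the Winlogon key (set by the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"); Windows treats an absent value as 10, the default the paragraph above describes, and lowering it is the defensive control. The audit below, added here as an example and not code from these posts, parses a registry export and reports the effective cache size against a policy maximum; because the same parser is needed, it also flags the SRVANY service layout from the Reset Domain Administrator Password post above (an ImagePath of srvany.exe, a Parameters\Application pointing at cmd.exe, the interactive-service bit 0x100 in Type, and "net user" in AppParameters). SAMPLE_REG_EXPORT is a constructed, simplified export: a real one writes ImagePath as hex(2) REG_EXPAND_SZ data, and the literal <password> is kept from the post rather than filled in. The max_cached_logons default of 0 is an assumed policy for a server that should not cache domain credentials.

```python
"""Audit a registry export for the two artefacts these posts rely on.

Added example, not code from the original posts. SAMPLE_REG_EXPORT is a
constructed, simplified .reg export (real exports write ImagePath as
hex(2) REG_EXPAND_SZ data; here it is a plain string for readability).
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SERVICE_INTERACTIVE_PROCESS = 0x100  # Type bit set by "Allow service to interact with desktop"

# Constructed sample export; the PassRecovery layout mirrors the post above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
"DefaultDomainName"="CORP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k NetworkService"
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PassRecovery]
"ImagePath"="C:\\reset\\srvany.exe"
"Type"=dword:00000110
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PassRecovery\Parameters]
"Application"="C:\\reset\\cmd.exe"
"AppParameters"="/k net user administrator <password> /domain"
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}. Quoted strings
    (REG_SZ) are unescaped and dword values converted to int; any other
    data type is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, value = match.groups()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif value.startswith("dword:"):
                value = int(value[len("dword:"):], 16)
            keys[current][name] = value
    return keys


def cached_logons_count(keys):
    """Effective number of cached domain logons. Windows uses 10 when the
    value is absent, which is the default Method 5 relies on."""
    return int(keys.get(WINLOGON, {}).get("CachedLogonsCount", "10"))


def wrapper_services(keys):
    """Services whose image is srvany.exe, with what the wrapper launches and
    whether the service was made interactive."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES) or "\\" in path[len(SERVICES):]:
            continue  # not a top-level service key
        image = str(values.get("ImagePath", ""))
        image_file = image.rsplit("\\", 1)[-1].split(" ")[0].lower()
        if image_file != "srvany.exe":
            continue
        params = keys.get(path + "\\Parameters", {})
        service_type = values.get("Type", 0)
        findings.append({
            "service": path[len(SERVICES):],
            "application": params.get("Application", ""),
            "app_parameters": params.get("AppParameters", ""),
            "interactive": isinstance(service_type, int)
            and bool(service_type & SERVICE_INTERACTIVE_PROCESS),
            "runs_net_user": "net user" in str(params.get("AppParameters", "")).lower(),
        })
    return findings


def audit(reg_text, max_cached_logons=0):
    """max_cached_logons is the caller's policy value; 0 is an assumed setting
    for a server that should not cache domain credentials at all."""
    keys = parse_reg_export(reg_text)
    count = cached_logons_count(keys)
    return {
        "cached_logons": count,
        "cached_logons_ok": count <= max_cached_logons,
        "wrapper_services": wrapper_services(keys),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_REG_EXPORT))
```

Run against the sample export, the audit reports 10 cached logons (failing a maximum of 0) and one wrapper service, PassRecovery, which launches cmd.exe interactively with a "net user" command line. On a live system the same checks can be fed with the output of "reg export" for the Winlogon and Services keys.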
Jan 01

Recovery Console XP Password Hack

The Recovery Console for Windows XP requires you to enter the local administrator password in order to access it. However, if you do not know the password you will not be able to access the Recovery Console… unless you know this little trick.

  • Obtain a Windows 2000 installation or boot disk, then boot from it
  • Select 'R' to repair Windows
  • Select 'C' to launch the Recovery Console
  • Select the Windows partition you want to access; you WILL NOT be prompted for a password