Passwords | Sigkill IT

The following method has been tested to work on both Server 2003 and Server 2008 Domain Controllers

Download SRVANY and INSTSRV, which are part of the Windows 2003 Resource Kit

Ensure you have the Directory Service Restore Mode Administrator password, restart the server in Directory Service Restore Mode, and log in as administrator

If you do not have have the Administrator Password, you can attempt to get it through one of these methods

Create the folder: C:\reset\

Copy srvany.exe, instsrv, and cmd.exe(Located in C:\system32) to the C:\reset\

Open a command prompt and enter the following commands

CD “C:\reset”
instsrv PassRecovery “C:\reset\srvany.exe”

Run regedit.exe and navigate to HKLM\System\CurrentControlSet\Services\PassRecovery

Create a subkey called: Parameters

Create a new string value (REG_SZ)
1. Name: Application
2. Value: C:\reset\cmd.exe
Create a new string value (REG_SZ) where <password> is the desired password (Must Meet Password Policy Requirements)
1. Name: AppParameters
2. Value: /k net user administrator <password> /domain

Open Services and Open the Properties for the PassRecovery Service

On the General tab, ensure the startup type is Automatic
On the Log On tab, ensure the option is checked to: Allow service to interact with desktop

Restart the server normally, and log in with the password you specified

Uninstall SRVANY by entering the following commands at a command prompt:

net stop PassRecovery
sc delete PassRecovery

Delete C:\reset\

If you’ve ever been in a situation where you didn’t know a password to login to a windows computer then there are several methods you can use. These methods require local access to a computer and work on workgroup as well as domain computers. However, it is possible to extend your access throughout a domain using these techniques. I’ll assume you already understand how windows security works, and just outline the methods. If you would like more details, you can email me.

Method 1 – Password Renew

This is my preferred method in which I personally had a lot of success with. You have the option to reset the passwords of any local user account, create a new local administrator, and set administrative rights to an existing user.

Warning! – Do not attempt these on methods on EFS or encrypted disks

Download Bart PE and Password Renew
Obtain a Windows XP or Windows 2003 Server Disk in order to build the boot disk
- Add the Password renew as a plugin and build the disk
Boot the Bart PE Disk and Launch Password Renew
- Select the windows directory (Default is C:\Windows)
- Select to reset a password or install a new administrative account
- Select Install, then reboot

Method 2 – Offline NT Password & Registry Editor

This is a less preferred method which has about a 70% success rate, and I would recommend backing up the SAM file before editing. However, there is no need to build anything because the downloads are already images.

Warning! – Do not attempt these on methods on EFS or encrypted disks

Download Offline NT Password & Registry Editor
Select the disk to mount containing the Windows system
Select the path and registry files (Typically WINDOWS/system32/config)
Select Option 1 for password edit
Select Option 1 to edit user data and passwords
Select the account you want to reset the password on
Select Option 1 to Clear (blank) user password (Blanking has a higher success rate)
Select Option q to quit and confirm writing the files back

Method 3 – Ophcrack (Cracking with Rainbow Tables)

This method takes a different approach by dumping the password hashes from the SAM file instead of editing it. It then attempts to crack the passwords using rainbow tables.

Download the Ophcrack live CD otherwise, you’ll need to be a local administrator to dump the password hashes
Burn the ISO to disk using any CD Burning Tool
Boot the Ophcrack CD, which will automatically launch Ophcrack, dump the SAM file, load the built in rainbow table, and crack the passwords
- If the password you need does not crack, save the hashes, download the Ophcrack program and larger rainbow tables to run it against. If this does not work, try one of the other crack methods with the hashes

Method 4 – PWDump + John the Ripper or Cain (Cracking with Brute Force)

This approach is similar to Ophcrack by dumping hashes from the SAM file. However, it uses a brute force which can take significantly longer.

Warning, Some Antivirus programs might detect these as virus or hacking tools

Download PWDump6 or FGDump
- Depending on your situation, you can run PWDump6 or FGDump across a network or on a local machine if you have administrative credentials. If not, you’ll need to dump the SAM file offline by putting them on a live CD (ie:Linux distro or BartPE), or adding the hard drive as a secondary drive on a workstation you have access to.
Once you obtained the hashes, download John the Ripper
- You’ll need to run it from the command line and use any additional parameters you wish on the crack
Alternatively, once you obtained the hashes, download Cain & Abel
- Open Cain
- Click on the Cracker tab
- Click the “+” to add hashes to the list
- Select your list of hashes
- Right-click the list and select a Brute Force Attack
- Select your character set and click start

Method 5 – Cachedump (Cracking Cached Domain Passwords)

Taking things a step further, by default computers in a windows domain will cache the last 10 user’s password hashes. We can use Cachedump to extract the hashes and then import them into a program to crack.

Warning, Some Antivirus programs might detect these as virus or hacking tools

Download Cachedump 1.2
Open a command prompt and dump the cached password hashes, which requires local administrative access
- cachedump.exe
Download John the Ripper with a Patch that supports M$ Cache Hash
Run John from the command line using any parameters you wish, but ensure you include the following parameter:
- -format:mscash mydump.txt

Sigkill IT

Code and IT Knowledge

Category Archives: Passwords

Reset Domain Administrator Password