Windows Password Recovery
How to recover lost or forgotten Windows user account passwords
There are many reasons why somebody might need to gain access to a computer when they have lost, forgotten or simply don’t know the correct authentication credentials. Not knowing or forgetting a user account’s authentication credentials, such as the correct user logon name and password, is the most common reason for needing to conduct a password recovery procedure.
The absence of the regular user is another situation: the person who normally uses the machine may be on holiday, sick, or no longer employed by or associated with the organization, and there are important files that need to be accessed.
Malicious intent is yet another common reason. Some malware changes or modifies user authentication credentials in order to elude detection or to block security updates and procedures that might detect it.
Password Location – Windows passwords are stored in a SAM file which is usually located in the Windows directory (C:\windows\system32\drivers\etc\lmhosts.sam).
Password Encryption – Recent versions of the Microsoft Windows operating systems store all passwords in an encrypted format. The algorithm used to encrypt passwords is usually the secure hash standard. If the passwords were stored in an unencrypted format, they would be readily available for use once you had located the SAM file where they are stored. Many other applications also store passwords encrypted using the secure hash standard.
Brute Force – One of the easiest methods to implement for “cracking” an encrypted password is a technique known as “brute force”. The brute force approach essentially tries every possible combination of characters and numbers until it finds a password that works. Modern computers can typically succeed in cracking an encrypted password using a brute force attack within a matter of seconds for passwords of fewer than 6 characters and a day or so for medium length passwords. Longer, more complex passwords will take longer to crack/recover.
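The length and character-set dependence described above can be turned into a password-policy sizing check. The following is an added example, not code from the original article; the guess rate is an assumed placeholder rather than a measured figure, and all function names are illustrative.

```python
import string

# Assumed attacker speed in guesses per second. This is a placeholder for
# illustration, not a measured figure; substitute a rate that matches the
# hash type and hardware in your own threat model.
ASSUMED_GUESSES_PER_SECOND = 1e9

# Character classes a password policy can require.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def alphabet_size(classes):
    """Number of distinct characters an exhaustive search must try per position."""
    return sum(len(CLASSES[name]) for name in classes)

def keyspace(max_len, classes, min_len=1):
    """Count every candidate from min_len up to max_len characters."""
    n = alphabet_size(classes)
    return sum(n ** length for length in range(min_len, max_len + 1))

def worst_case_seconds(max_len, classes, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace at the assumed rate."""
    return keyspace(max_len, classes) / rate

def minimum_length(classes, target_days, rate=ASSUMED_GUESSES_PER_SECOND, limit=64):
    """Shortest length whose exhaustive search takes longer than target_days."""
    target = target_days * 86400
    for length in range(1, limit + 1):
        if worst_case_seconds(length, classes, rate) > target:
            return length
    raise ValueError("no length up to limit meets the target")

def classes_used(password):
    """Character classes actually present in a password (for auditing a sample)."""
    return sorted(n for n, chars in CLASSES.items() if any(c in chars for c in password))

if __name__ == "__main__":
    for policy in (["lower"], ["lower", "digit"], ["lower", "upper", "digit", "symbol"]):
        for length in (5, 8, 12):
            secs = worst_case_seconds(length, policy)
            print(f"{'+'.join(policy):28} len<={length:2}  {secs / 86400:.3g} days")
        print("  min length for 10 years:", minimum_length(policy, 3650))
```

Exhaustive search is only an upper bound on effort: dictionary words and reused passwords fall far sooner, so the minimum length returned here is a floor for policy, not a guarantee.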
Password Recovery Options
There are a number of different strategies that can be employed to recover lost, forgotten or unknown passwords and authentication credentials including:
Network Administrator/Help Desk - In a client/server network environment you are best advised to go to your network administrator or help desk and apply for a new password. Within a Windows domain an authorized person can access Active Directory and reset your password for you. They will also tell you about any other procedures that you may need to perform in order to complete the process.
Using another Account - If there is another account for which you do know the password then you can use this to log onto the machine. The Guest or Anonymous accounts will do fine if they have not been disabled. Once logged on, all you need to do is to use some password cracking software to recover the lost passwords. If the alternative account that you use to access the machine does not have sufficient user privileges then locate and copy the SAM file for cracking on a machine that does.
Multi Boot Systems - If you cannot log onto the machine and you have another operating system for which you know a valid logon account then reboot the machine into the other OS. Once the machine has finished booting and your alternative desktop environment becomes available you can browse your machine and locate the Windows user account password file. This is the SAM file which I mentioned above and it is usually located in the Windows directory (C:\windows\system32\drivers\etc\lmhosts.sam).
You may find that the drive letters are different since you are in another operating system, but don’t worry: just locate the installation of the OS from which you need to recover the passwords and then drill down its directories to locate the above mentioned SAM file. Once located, make a copy of it onto removable media. You can then recover the passwords from the copy by using a brute force password cracking tool such as Cain and Abel or LCP.
No Accessible Local Machine User Accounts Available
If you cannot log on to the machine using another account then you will need to boot the machine using “live” media such as a DOS boot disk or a CD-ROM boot disk such as one with Knoppix or Mini-PE. There are also many other utility discs that will do the job. Once the machine has booted using this media you will need to locate the SAM file mentioned above (usually C:\windows\system32\drivers\etc\lmhosts.sam) and copy it to removable media.
Another option is to install a new blank hard disk and install an operating system on it. You can then use this OS to browse to the SAM file you need to recover the passwords from. Copy it to your new hard disk and run the password cracking/recovery software and wait till the passwords have been recovered. Note that many network administrators will have just such a hard drive already prepared for occasions like this.
It is also possible for a user with network administrator privileges to access the SAM file via the network. However, there are still some situations when this can’t be done, for example if the SAM file was created using local users and groups rather than domain network parameters (Active Directory and Group Policy).
Password Recovery Software
As mentioned, there are a number of password cracking/recovery software applications out there that can do the job. Cain and Abel is a long-standing, very robust and reliable application that comes with a large range of features and capabilities. LCP is one of the easiest to use. Other possibilities include John the Ripper, THC Hydra, Brutus, RainbowCrack, Pwdump and many others that have additional features such as packet sniffing capabilities.
LCP Password Recovery on Target Machine
To recover passwords on the target machine using LCP you will need to load LCP and select Import/Import from local computer. A list of user accounts and hashes should appear. Now select the brute force attack button and select Session/Begin audit. Then comes the sometimes long wait for the program to find the right password.
LCP Password Recovery from SAM File
To recover passwords from the SAM file using another machine, locate the SAM file, copy it to removable media, and take it to the machine with LCP installed. Now copy the SAM file directly into the LCP directory. Start LCP and select Import/Import from SAM file. This will load the hashes and then you will be able to execute a brute force attack on them to recover your lost or forgotten passwords.
A long time ago, I was confronted with the password problem. Finally, my friend Jane introduced the Windows Password Reset.
It helps me access Windows. It’s worth a try!
http://www.resetwindowspassword.com
There are a lot of Windows password revealers and crackers available, but I’ve found that Windows Password Recovery Tool is the most effective:
it not only supports XP, 2000, and NT, I have personally tested it with Vista Home Premium and Ultimate. It works perfectly to reset any local user account to a blank password.
You can use the ISO to burn a boot CD. Follow these instructions:
1. Download ISO file from http://www.windowspasswordsrecovery.com Windows Password Recovery Tool
2. Burn to a CD using a CD burning tool such as Nero or Roxio or MagicISO
3. Insert CD into drive and reboot.
4. You may have to select an option in the BIOS to get the computer to boot from the CD.
Booting up and clearing a password takes a minute or two and works like a charm.