How to recover lost or forgotten Windows user account passwords.
There are many reasons why somebody might need to gain access to a computer when they have lost, forgotten or simply do not know the correct authentication credentials. Possible reasons include:
Authentication Credentials Unknown – Not knowing a user account's authentication credentials (the correct logon name and password) is the most common reason for running a password recovery procedure or using specialized password recovery software.
Regular User Unavailable – The person who normally uses the machine may be on holiday, off sick, or no longer employed by or associated with the organization, and there are important files on it that need to be accessed.
Incomplete Documentation – With incomplete or outdated documentation, not only may the user have forgotten the password, but the network administrator may have no accessible record of it either.
Malicious Intent – Somebody may have changed the genuine authentication credentials. Some malware does exactly this, locking the legitimate user out so that, for example, they cannot update their antivirus software.
Before we have a look at how to recover lost or forgotten Windows user account passwords we need to review some essential background information.
Windows Password Recovery Backgrounder
When it comes to recovering lost or forgotten Windows user account passwords you have a number of alternatives. Which one you use depends on the password you wish to recover, the operating system, how the password is stored and hashed, the application involved, the password's length and complexity, and how the user accounts are configured. Other relevant concepts include:
Password Location – Local Windows account passwords are stored (as hashes, see below) in the SAM registry hive, a file named SAM in the System32\config folder of the Windows directory (usually C:\WINDOWS\system32\config, i.e. %SystemRoot%\System32\config\SAM). Windows keeps this file open and locked while it is running, which is why most of the methods below get at it from outside the running system. See Figure 1 Windows Security Accounts Manager (SAM) Database File Location below.

Figure 1 Windows Security Accounts Manager (SAM) Database File Location
Image Source: Screen Shot by Author
Hashing – Windows does not store passwords themselves; it stores one-way hashes of them. The NT hash is an unsalted MD4 digest of the password encoded as UTF-16LE. Older versions also store the far weaker LM hash, a DES-based value built from the upper-cased password split into two 7-character halves; Vista and later no longer store it by default. The hashes in the SAM hive are additionally encrypted with a key derived from the SYSKEY (boot key) held in the SYSTEM hive, so to extract them offline you need both the SAM and SYSTEM files. If passwords were stored in the clear they would be usable as soon as you located the SAM file; because they are hashed, recovering one means finding a candidate password that produces the same hash. Many other applications likewise store password hashes rather than passwords, though with their own algorithms.
Brute Force – One of the simplest methods of "cracking" a password hash is "brute force": trying every possible combination of characters until one produces the stored hash. A dictionary attack, which tries likely passwords first, is much cheaper and is what the tools described below normally try before falling back to brute force.
Modern PCs – Because NT hashes are unsalted and MD4 is fast, a modern PC can exhaust every password of fewer than 6 characters in seconds and medium-length passwords in a day or so; LM hashes fall even faster, since each 7-character half is attacked independently. Longer, more complex passwords take correspondingly longer, and a password containing characters outside the set being tried will not be found at all.
Now let us have a look at the possible avenues open to us.
Network Administrator/Help Desk
This is probably the easiest way to recover your lost or forgotten passwords. Get somebody else to do it for you.
In a domain (client/server) environment you are best advised to go to your network administrator or help desk and ask for a password reset. An authorized person can reset your password in Active Directory.
The usual practice is to reset the password to a temporary one-time value and tick "User must change password at next logon". Use a random temporary value handed over out of band rather than something guessable such as "password": anyone who knows the help desk's convention could log on as you in the window before you do. You then log on with your usual user logon name and the temporary password and are presented with the change password dialogue.
Don't worry when you see a notification saying that your password has expired and must be changed. This is the dialogue where you replace the one-time password with whatever your new password will be; you will see the standard enter new password and retype new password input boxes.
Note that you must change the password at this point, as the machine will not let you proceed past the change password dialogue otherwise.
Using another Account
If the above method is not available to you then your next strategy will depend upon how the machine has been set up. If there is another account whose password you do know, use it to log on to the machine. Note that reading the local password hashes requires administrative rights: a Guest account (disabled by default on recent Windows versions) or other limited account will get you onto the machine but not at the SAM hive.
Once logged in with an administrator account you can run password cracking software directly to recover the lost passwords, or copy the locked hives with reg save HKLM\SAM sam.hiv and reg save HKLM\SYSTEM system.hiv from an elevated command prompt and crack them elsewhere. I will explain how to use this type of software shortly.
If you cannot log on with an account whose password you know, or the account you can use does not permit you to install and run the password cracking/recovery software on the machine, you will need to get at the password file (the SAM hive, together with the SYSTEM hive that holds the key it is protected with) by other means and copy it to a removable storage device (floppy disk, flash drive etc.).
Multi Boot Systems
If you cannot log onto the machine but it has another operating system installed for which you know a valid logon account, reboot the machine into that OS. Once it has finished booting and the alternative desktop environment is available you can browse the disk and locate the Windows user account password file.
This is the SAM file I mentioned above, usually located in the Windows directory (C:\WINDOWS\system32\config), see Figure 1 above. Copy the SYSTEM file from the same folder as well, since the cracking tools need it to undo the SYSKEY protection.
You may find that the drive letters are different since you are in another operating system. Do not worry; just locate the installation of the OS from which you need to recover the passwords and drill down through its directories to the SAM file mentioned above.
Once located, make a copy onto removable media. You can then recover the passwords from the copy using a brute force password cracking tool such as Cain and Abel or LCP. I will explain more about them shortly.
No Accessible Local Machine User Accounts Available
If you cannot log on to the machine using another valid account or an alternative operating system then you will need to boot the machine from "live" media. This could be a DOS boot disk (useful only if the Windows volume is FAT or the disk carries an NTFS driver), a bootable CD-ROM such as Knoppix (a Linux distribution which runs from the CD-ROM), or a Windows Mini-PE disc.
There are also many other utility discs that will do the job. Once the machine has booted from this media you will need to locate the SAM file mentioned above (and the SYSTEM file beside it) and copy them to removable media.
Knoppix – To use the Knoppix method you will first need to burn a copy of Knoppix (a Linux live distribution) if you don't already have one. Then insert the Knoppix CD into the machine's optical drive and power the machine on.
You may need to enter the BIOS and change the boot sequence so that the CD-ROM drive is the first boot option. With this done the machine will boot from the CD-ROM. Knoppix installs nothing; it runs directly from the CD and loads what it needs into memory (RAM). Mount the Windows partition and copy the files from there.
Windows Mini-PE – A cut-down Windows pre-installation environment, the same kind of environment Windows setup itself runs in. A Mini-PE disc also carries a number of tools such as disk partitioning utilities, a RAM drive and password recovery tools.
Guess what? It's the password recovery tools that we want to use. They can usually be run directly from the disc. When that is not possible, we simply use the Mini-PE disc to copy the SAM file mentioned above.
Secondary Emergency Hard Drive
It is also possible to fit a new blank hard disk, install an operating system on it and use that OS to browse to the SAM file you need to recover the passwords from. Copy it to your new hard disk, run the password cracking/recovery software and wait until the passwords have been recovered.
Note that many network administrators keep just such a hard drive prepared for occasions like this. In enterprise situations this is a reliable method, since the vast majority of workstations share the same basic hardware, so driver incompatibility is rarely a problem. I use a generic install myself on a 120 GB hard drive for recovery situations like this.
Network Access
It is also possible for a user with administrator privileges on the target machine to pull the SAM hive over the network (for example via the remote registry service). However, this does not work in every situation: if the machine is not joined to the domain and only has local users and groups, domain administrator credentials carry no rights on it, and you will need a local administrator account instead. Bear in mind too that the SAM holds only local accounts; domain accounts live in Active Directory on the domain controllers and would simply be reset there.
Just the Data
If it is just the data that you are after and the user account is expendable then use the secondary hard drive to boot the machine. Once booted you can copy the user data to whatever location you desire (files the user encrypted with EFS are the exception: without that account's keys they stay unreadable).
After validating the integrity of the recovered data you can install a new OS on the machine and it will be back in business. Of course, if you have already backed up the data you can simply verify the backup's validity and, if all is OK, proceed with the new installation.
Locate and Copy Target SAM File
Anyway; once you are in Knoppix, or the machine has booted using whatever option you chose (DOS boot disk, Mini-PE etc.), locate the SAM file in the Windows directory, which is usually:
C:\WINDOWS\system32\config
With the SAM file located, copy it, together with the SYSTEM file from the same folder, to removable media such as a USB thumb drive, floppy disk, optical media or even a network location. Some people even upload this file to the Internet, which I can assure you is a really bad idea from a security perspective: it hands every local account's password hash to strangers.
Password Recovery Software
As mentioned there are a number of password cracking/recovery software applications out there that can do the job.
- Cain and Abel – A long-standing, very robust and reliable application that comes with a large range of features and capabilities
- LCP – One of the easiest to use
- Other possibilities include John the Ripper (a cracker), RainbowCrack (precomputed tables, very effective against LM hashes), Pwdump (extracts the hashes from a running system rather than cracking them), THC Hydra and Brutus (which brute force network logons rather than hash files), and many others with additional features such as packet sniffing.
For legitimate password recovery, such as when you have forgotten or lost the correct password, the applications with additional features are unnecessary: you already have legitimate access to your machine, it's just that you can't use the correct authentication credentials. There is no need to perform any packet sniffing.
LCP Password Recovery on Target Machine
To recover passwords on the target machine using LCP you will need to:
- Load LCP (from an administrator account) and select Import/Import from local computer
- A list of user accounts and hashes should appear
- Now select the brute force attack button and then Session/Begin audit
- Now for the sometimes long wait for the program to find the right password
LCP Password Recovery from SAM File
To recover passwords from the SAM file using another machine simply:
- Take the SAM file (and the SYSTEM file, which the tool needs to undo the SYSKEY protection) that you copied to removable media to the machine with LCP installed
- Copy the SAM file directly into the LCP directory
- Start LCP and select Import/Import from SAM file. This will load the hashes.
- Now you will be able to execute a brute force attack on them to recover your lost or forgotten passwords
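Here is an added example, not part of the original article and not LCP's own code, of what a SAM cracker does with the hashes it imports (the Backgrounder above explains the hashing; the LCP steps above are the procedure). It implements the NT hash (unsalted MD4 over the UTF-16LE password), parses pwdump-style user:RID:LM:NT::: lines, and runs a dictionary pass followed by a short brute-force pass, hashing each candidate once and checking it against every account at the same time. The sample dump, wordlist and the password Tr0ub4dor&3 are constructed for the demo; the Administrator hash is the well-known NT hash of "password".

```python
"""Added example: the core of what LCP, Cain or John do with imported SAM hashes.

NT hashes are unsalted MD4 over the UTF-16LE password, so one candidate hash
can be compared against every account at once. Input is the pwdump-style
'user:RID:LMhash:NThash:::' line format that pwdump, LCP and John exchange.
The sample dump and wordlist below are constructed for this demo.
"""
import itertools
import struct
from typing import Dict, Iterable, List, Optional

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on modern OpenSSL builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, word order, shift amounts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + words[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates the old d
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """The NT hash: MD4 of the password as UTF-16LE, no salt, lower-case hex."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(lines: Iterable[str]) -> Dict[str, str]:
    """Map user -> NT hash from 'user:rid:lm:nt:::' lines; skips blanks and comments."""
    users: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            users[parts[0]] = parts[3].lower()
    return users


def crack_all(lines: Iterable[str], wordlist: List[str],
              charset: str = "abcdefghijklmnopqrstuvwxyz",
              max_len: int = 3) -> Dict[str, Optional[str]]:
    """Dictionary first, then exhaustive search over charset up to max_len characters.

    Every candidate is hashed once and looked up against all uncracked accounts,
    which is exactly why unsalted hashes crack so cheaply in bulk.
    """
    targets = parse_pwdump(lines)
    pending: Dict[str, List[str]] = {}
    for user, nt in targets.items():
        pending.setdefault(nt, []).append(user)
    found: Dict[str, Optional[str]] = {user: None for user in targets}

    def candidates() -> Iterable[str]:
        yield from wordlist
        for length in range(max_len + 1):           # length 0 catches blank passwords
            for combo in itertools.product(charset, repeat=length):
                yield "".join(combo)

    for cand in candidates():
        if not pending:
            break
        users = pending.pop(nt_hash(cand), None)
        if users:
            for user in users:
                found[user] = cand
    return found


# Constructed sample dump: Administrator's hash is the well-known NT hash of
# "password"; bob's and carol's are generated here so the file is self-consistent.
SAMPLE_PWDUMP = [
    "# constructed sample, not a real dump",
    f"Administrator:500:{EMPTY_LM}:8846f7eaee8fb117ad06bdd830b7586c:::",
    f"bob:1001:{EMPTY_LM}:{nt_hash('cat')}:::",
    f"carol:1002:{EMPTY_LM}:{nt_hash('Tr0ub4dor&3')}:::",  # outside this demo's search space
]
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    for user, pw in crack_all(SAMPLE_PWDUMP, SAMPLE_WORDLIST).items():
        print(f"{user:14} {pw if pw is not None else '<not found within search space>'}")
```

Administrator falls to the wordlist immediately, bob's three-letter password to the brute-force pass a moment later, and carol's longer mixed-character password is never found because it lies outside the character set and length being tried, which is the practical meaning of the "Modern PCs" note above. Real tools differ only in scale: native code, larger character sets, hybrid rules and, for LM hashes, precomputed rainbow tables.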
April 28th, 2009 at 6:36 am
The security accounts manager (SAM) database is actually located by following %SystemRoot%\system32\config\SAM, where %systemroot% is the location of the partition containing the Windows installation. The LMHosts file can be used for name resolution, but don't expect to find any hashes by looking there.
May 22nd, 2009 at 4:44 am
There are a lot of Windows password revealers and crackers available, but I've found that Windows Password Recovery Tool is the most effective:
It not only supports XP, 2000 and NT; I have personally tested it with Vista Home Premium and Ultimate. It works perfectly to reset any local user account to a blank password.
You can use the ISO to burn a boot CD. Follow these instructions:
1. Download ISO file from http://www.windowspasswordsrecovery.com Windows Password Recovery Tool
2. Burn to a CD using a CD burning tool such as Nero or Roxio or MagicISO
3. Insert CD into drive and reboot.
4. You may have to select an option in the BIOS to get the computer to boot from the CD.
Booting up and clearing a password takes a minute or two; it works like a charm.
May 27th, 2009 at 1:39 am
I'm looking forward to trying it, because I cannot use my account due to a password which I forgot when I was transferred to another field. Now I'm back, and I no longer know my account password.