How to retrieve your Windows password

Post by on 22-10-2013

Although it does sound like something outside the scope of work of a “regular” (i.e. non-hacker) IT professional, you’d be surprised how often administrators forget passwords. If you follow all the rules about choosing and keeping passwords, you use hard-to-remember, non-pronounceable, non-personalized constructions. And if you have a few servers to maintain (but do not log in to them every day), you have a recipe for disaster. Whoever has forgotten the password for a Windows machine knows how painful it can be.

BTW – the method that I will present requires physical access to the computer, and if an unauthorized person gets physical access to your computer, this article is the least of your problems.

Before we start you will need a BackTrack CD, which can be downloaded from http://www.backtrack-linux.org/downloads/. BackTrack is a Linux distribution designed by Jason Dennis, based on Ubuntu, for digital forensics and penetration testing.

Reboot your computer from the BackTrack CD and start the BackTrack operating system. Do not panic, your Windows is still there; it is just a live CD.

Now you need to check the file systems of your machine by typing:

cat /etc/fstab

The cat command is one of the most frequently used commands on Linux operating systems. It displays the contents of a file, in this case the file system configuration file.

Now we look for a line with NTFS or FAT32 (Windows file systems). If there is more than one such line, we look for the one with the word “windows” in the path. That is how we find the path to the Windows operating system directory.

Now that we have found our Windows folder (in our case it is /mnt/sda1/WINDOWS/), we retrieve the key needed to read the Windows password hashes using bkhive, which is designed to recover the syskey bootkey from a Windows system hive. We do it by typing:

bkhive /mnt/sda1/WINDOWS/system32/config/system /root/key

bkhive will save the bootkey in the file /root/key.

BackTrack also provides a tool called “samdump2”, which dumps Windows password hashes from a SAM file, decrypting them with the bootkey we retrieved with “bkhive”. This is the syntax we use:

samdump2 /mnt/sda1/WINDOWS/system32/config/SAM /root/key > /root/base

After typing “cat /root/base” we will see the list of users with their hashed passwords.

Now we use cat with grep to retrieve the line with the Administrator’s password hash (you can do the same for any other user) by typing:

cat /root/base | grep Administrator > /root/mypassword

The result will be stored in the /root/mypassword file, but the password is hashed. To make any use of it, we need to crack it.

BackTrack has a package named “john” (John the Ripper) installed. We will use it to brute-force our password hash, by typing:

cd /usr/local/john-1.7.2/
john -i:lanman /root/mypassword

Executing this command will display the Administrator’s password in a couple of seconds.
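The reason the lanman mode above finishes in seconds is that the LM hash, when Windows still stores one, is far weaker than the NT hash. The samdump2 output in /root/base is in pwdump format (user:RID:LM hash:NT hash:::), so an administrator can audit such a dump to find which accounts still have an LM hash stored, and which have an empty password, before anyone else does. The following Python script is an added example written for this article, not a tool from BackTrack; it parses a constructed sample dump embedded in the script (the two non-empty hash values in it are made up and do not belong to any real password), while the two "empty password" constants are the well-known LM and NT hashes of an empty string.

```python
import re

# Well-known constants: the LM and NT hashes of an empty password. An LM field
# equal to EMPTY_LM means Windows stored no LM hash for that account (for
# example because LM hash storage was disabled by policy).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format as written by samdump2: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample in the format of /root/base from the article. The two
# non-empty hash values are invented for illustration only; the last line is
# deliberately malformed to show that junk lines are skipped.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this is not a valid pwdump line
"""


def parse_pwdump(text):
    """Parse pwdump/samdump2 lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def classify(entry):
    """Label an account by how exposed its stored hashes are."""
    if entry["nt"] == EMPTY_NT:
        return "empty-password"       # no password at all
    if entry["lm"] != EMPTY_LM:
        return "lm-hash-present"      # the case the article's lanman mode cracks in seconds
    return "nt-only"                  # only the stronger NT hash is stored


def audit(text):
    """Return {user: classification} for every parsable account in a dump."""
    return {e["user"]: classify(e) for e in parse_pwdump(text)}


def lm_exposed_accounts(text):
    """Sorted list of accounts that still have an LM hash stored."""
    return sorted(user for user, verdict in audit(text).items() if verdict == "lm-hash-present")


if __name__ == "__main__":
    # Usage: python audit_dump.py, or point parse_pwdump at open("/root/base").read()
    for user, verdict in audit(SAMPLE_DUMP).items():
        print(f"{user:15s} {verdict}")
```

Any account reported as lm-hash-present is the one the lanman mode of john will recover quickly; the fix on the Windows side is to disable LM hash storage (the NoLMHash policy) and change those passwords so that only NT hashes remain.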

Now write down the password and exit from the Linux OS with the command:

halt

Finally, reboot your machine and test the password you retrieved.
