Tuesday, October 30, 2007

Cracking Windows passwords with Linux

Disclaimer: Do not try this on unauthorized systems.

If you lose a Windows password, or you buy a system that has an OS on it but you don't know the password, what are you to do? The simplest thing would be to throw in a Linux CD, format the drive, and install the distro. But what if you want to boot into the system, see what's on there, and get data off it?

Well, we have quite a few options. I'm going to cover two of them. I'll start with ophcrack. http://ophcrack.sourceforge.net/

"Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a GTK+ Graphical User Interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux."

We're going to use the ophcrack LiveCD, which is a stripped-down version of Slax running Fluxbox, with ophcrack on top. The ISO can be downloaded from the Ophcrack LiveCD page on the site above. Once you burn the ISO, you just boot the CD and it goes right to work. In my case, because I'm running on a 64-bit system, I had to pass the noapic option on bootup.

I set up a few different accounts to test the ability of the software. For the first account I used a simple password, "coldplay". For the second account I used a simple but randomly generated password, "wzgqptjb". For the third account I generated a 12-character random password with symbols and special characters, "c?4"e9n^bA!t". The last account had the same criteria: "\O0//|?3>q)h".

The results were somewhat predictable, except for the last two accounts. Within 2 minutes, the first two passwords were revealed in the window. I figured the other two might take a while, so I went and played Guitar Hero, coming back occasionally to check on them. After about 30 minutes it had completed its cycle, but told me that the last two passwords weren't found.

For passwords made of plain alphanumeric characters, it doesn't seem to matter whether the password is randomly generated or just a word: both were discovered at the same time. As for the other two, I guess 12 random characters including symbols are enough to stump ophcrack. I figured it would fall back to brute force if nothing else, but that wasn't the case.
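The reason a dictionary word and a random string fell at the same time is that a rainbow table is precomputed over a character set and length, so what matters is whether the password lies inside that space, not whether it is a word. The script below, an added example that is not part of the original post or of ophcrack, sizes the search space of each of the four test passwords and reports whether an alphanumeric table would contain it. The character-class sizes are Python's ASCII tables, and the 14-character table limit is an assumption chosen for illustration, not a figure from the ophcrack documentation.

```python
import math
import string

# Character classes used to size a password's search space. The sets are
# Python's ASCII tables; the "symbol" class includes the space character.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

# Alphabet an "alphanumeric" rainbow table is generated over, and the longest
# password such a table is assumed to cover (14 is an assumption for this
# example, not a figure taken from the ophcrack documentation).
ALNUM = string.ascii_letters + string.digits
ASSUMED_TABLE_MAX_LEN = 14


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    used = set()
    for ch in password:
        for name, chars in CHARSETS.items():
            if ch in chars:
                used.add(name)
                break
        else:
            raise ValueError("non-ASCII or control character: %r" % ch)
    return used


def keyspace_bits(password):
    """log2 of how many passwords share this one's length and character classes.

    This is the space a table or brute-force run has to cover; whether the
    password is a dictionary word changes nothing here.
    """
    alphabet = sum(len(CHARSETS[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def inside_alnum_tables(password, max_len=ASSUMED_TABLE_MAX_LEN):
    """True if an alphanumeric table of up to max_len characters contains it."""
    return len(password) <= max_len and all(ch in ALNUM for ch in password)


def audit(passwords):
    """Summarise each password: classes, search-space size, table coverage."""
    rows = []
    for pw in passwords:
        rows.append({
            "password": pw,
            "length": len(pw),
            "classes": sorted(classes_used(pw)),
            "bits": round(keyspace_bits(pw), 1),
            "in_alnum_tables": inside_alnum_tables(pw),
        })
    return rows


if __name__ == "__main__":
    # The four test passwords from the post.
    samples = ["coldplay", "wzgqptjb", r'c?4"e9n^bA!t', r'\O0//|?3>q)h']
    for row in audit(samples):
        print("%-16r len=%2d classes=%-26s bits=%5.1f covered=%s" % (
            row["password"], row["length"], ",".join(row["classes"]),
            row["bits"], row["in_alnum_tables"]))
```

Run as-is, the first two passwords come out at about 37.6 bits and inside the alphanumeric space, while the last two sit at roughly 78.8 bits over a 95-character alphabet and outside any alphanumeric table, which matches what the LiveCD did and did not recover. The same `audit` function can be pointed at a list of candidate passwords when setting a local password policy.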

So with that program I was halfway successful. I might have gotten lucky and gained administrative privileges with those two accounts, but with passwords like that, they're most likely regular user accounts.

On to the next program. This is my favorite one, because the entire image is around 3MB, and instead of going through a cracking process it simply blanks the Windows password in very little time. It's called "Offline NT Password & Registry Editor", and can be downloaded from this website:

http://home.eunet.no/pnordahl/ntpasswd/

Just download the image, unzip it, and burn it to CD. CDs are cheap, so don't complain about wasting one on 3MB of data.

Once you boot it, it will try to autodetect everything. Unless you installed Windows in unusual directories, the defaults will do the trick. The menu is very straightforward and easy to use.

I selected the admin account (the one with the more difficult password), which is the default. Then I used the * command to blank the password. Then I typed in the name of the other account and blanked it as well. This took around 3 minutes total, including boot time. Then I exited, making sure to save my changes. Once I rebooted into Windows, I logged into both accounts with NO password. Everything worked perfectly and I had admin privileges.

With this program, it's irrelevant how long your password is: it just blanks it with a quick edit of the SAM registry hive. Why wait for password-cracking software when you have this? Consider your system owned if someone has physical access to it. Using strong passwords is a good precaution, but security is relative and there's always a way around things. You could of course enable a BIOS password to bump the security up a notch.

Be smart, and never think that your system is impenetrable, especially if you use Microsoft's products.

If you're interested in recovering passwords in Linux, here's a great article on Ubuntology:
http://ubuntology.com/2007/10/30/recover-a-password-in-linux/

One last thing: I wanna give a big HELL YEAH to Wayne, over at fsckin w/ linux. His site is great, and it's only getting better as time goes on!

21 comments:

Anonymous said...

As soon as you start the computer, hold down F8, go into safe mode, log on as administrator, then go to Control Panel > User Accounts and click "remove password", and that works.

Anonymous said...

Way better to just reset the passwords using NetBSD! http://home.eunet.no/pnordahl/ntpasswd/

Anonymous said...

Better just RESET the password with NetBSD. no time lost cracking.
home.eunet.no/pnordahl/ntpasswd/

Legit Freebies Guy said...

Excellent tips. Thanks!

Colin Harrington said...

FTA
"The ophcrack LiveCD contains a small linux system (SLAX6), ophcrack for linux and rainbow tables for alphanumerical passwords."

http://en.wikipedia.org/wiki/Alphanumeric

Anonymous said...

how about cracking document passwords?

Anonymous said...

for ophcrack to crack passwords with extended character sets you need some rainbow tables - they're 40 gigs or so to download.

Anonymous said...

This is weird, I just went through the same process, but not by choice. I, too, used ophcrack first, and it did nothing for me. But when i tried the reg editor, I must have done something wrong, because the settings were never saved. Anyway, I figured out how to enable the admin account using the Vista DVD, and I got it fixed.

Christophe-Marie said...

That is why everyone should always lock the access of external devices during the boot, and set up a good password in the bios. Then all your live-cds would be useless. (Except if you have the possibility to take the hard drive off the machine or to hard-reset the bios... But mostly that is not the case with "public" computers with lots of users) Good article BTW...

TemporalBeing said...

"You could of course enable a bios password to bump the security up a notch."

That really doesn't solve anything, as there are two ways around it: (1) you can usually disable or clear the password with a jumper setting on the motherboard; (2) if there's no jumper, then you can certainly do it by resetting the BIOS - all you have to do is remove the battery.

The point? Once physical security is compromised, nothing will stop someone from getting at the data. If you're that concerned about it, then it should be in a secure facility, with armed guards, video cameras, etc.

In the case of laptops, or other systems that travel, then use full hard drive encryption - but once physical security is compromised, the thieves have all the time they want to break it, hopefully it will take them longer to break than it will for you to (a) realize it, and (b) do something about it to resolve the issue.

Anonymous said...

Ophcrack can do all characters. They just want you to purchase the special character table for, I want to say, $300.

Unknown said...

That doesn't really help if the user encrypts their data. Windows will "lose" all of it without the proper password.

Also, it's worthy to note that the owner (note: not 0wn3rz) of the machine will know that someone tampered with their computer as this doesn't get around the password; it simply removes it.

Anonymous said...

I can see the effectiveness of this, but anything encrypted with EFS will remain locked. Therefore, if you're going to use this to recover your account whenever you've forgotten the password, you'll have to leave things unencrypted.

Anonymous said...

It's called Winternals. Just boot the CD, run Locksmith, and change the password to what you want.

Anonymous said...

Thanks for this I just tested it on myself.

*enables his BIOS password*

My flatmates will quiver in fear from my l337 skillz.

Anonymous said...

...Then removes the battery from the mobo... ;)

Anonymous said...

I played with Ophcrack not too long ago. It guessed my admin password without any trouble, but didn't get my standard account password. The sad part: the password is two standard words separated by a space, total length nine characters, all letters lowercase. It couldn't guess it.

Anonymous said...

Security is inconvenient. Anyone who thinks they can have easy security is simply wrong. That is why good USB thumb-drives come with neck straps. Put the data you want to be secure on the thumb drive and _always_ take that with you. If someone gets the thumbdrive off your body, they also have your body, so passwords are kind of irrelevant.

Brent said...

A few days ago I ran into the headache of having forgotten my Windows login password. The login screen rejected my passwords. I was frustrated because there was very important data on my disk and I couldn't reinstall the OS.
However, I fortunately got to know the Reset Windows Password utility, which is a professional Windows password recovery tool for resetting a Windows 7 password instantly with no data loss.

pro user said...

Better way to do this, see here, very safe and easy: http://resetwindowsadminpassword.blogspot.com/