Windows XP Password Recovery
Posted by John Bradbury on 01/20/08 in Security, Windows XP
At some point we've all come across someone who has forgotten their password. Normally this is a friend or family member who has you on speed dial for all those PC-related emergencies. At work, where we deal with domain environments, resetting a user's password is a simple task. Unfortunately things are not so simple if the PC is a standalone system. At least that's what we've been led to believe. The simple fact is that Windows XP passwords can be recovered easily if they are 14 characters or fewer, because XP then stores the weak LM hash alongside the NT hash.
In this tutorial I'm going to show you how to quickly recover Windows XP passwords using software freely available on the internet.
Understanding How Passwords Work In Windows XP
Windows XP stores account information in the SAM database (Security Account Manager). The SAM is a single registry hive file found in the following location:
%systemroot%\System32\config\SAM
This file contains the username and password hashes of every local account. For security reasons the passwords are not kept in plain text. Instead Windows XP stores two one-way hashes of each password: the old LAN Manager (LM) hash and the NT hash (the hashes inside the SAM are additionally obfuscated with a boot key kept in the SYSTEM hive, which is why offline tools need both hives). The LM hash is the weak one, and it is what you'll crack if you want to recover the passwords.
One important thing to note is that the LM hash is only computed for passwords of 14 characters or fewer. For longer passwords only the NT hash is stored, and the SAM holds a fixed placeholder (AAD3B435B51404EEAAD3B435B51404EE) where the LM hash would be. The NT hash (MD4 of the UTF-16 password) is also unsalted and crackable, but it is case-sensitive and is not split into halves, so it needs far larger tables or a dictionary or brute-force attack; that is beyond the scope of this tutorial. Windows Vista no longer stores LM hashes by default, so only the NT hash is available there. This is something I hope to cover in a future post.
Windows XP can be configured to stop storing LM hashes regardless of password length: enable the security policy "Network security: Do not store LAN Manager hash value on next password change" (registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1). Note that it only takes effect when a password is next changed, so change every local password after enabling it. This greatly increases the security of your system, so I recommend you take a look at the TechNet article.
Recovering Your Windows XP Password
The first thing we need to do is gain access to the SAM database in order to crack the hashes stored in it. While Windows is running the file is locked. To get around this we're going to use a third-party tool called Ophcrack. This is a free open-source project; its LiveCD version is based on Slax, boots from CD and gives us read access to the Windows system partition, where it reads the SAM and SYSTEM hives and runs its rainbow tables against the LM hashes.
You can download the iso image from http://ophcrack.sourceforge.net/ and burn it to CD.
Once you’ve created the Ophcrack LiveCD place it in your CD-ROM drive and restart the system.
When the CD has booted into Slax you'll see Ophcrack run automatically, and it should display a list of user accounts from the local system. You should also see that Ophcrack has started to run its LM hash tables against the accounts.
As time progresses you'll see the partially recovered passwords in the right-hand columns labelled LMpasswd1 and LMpasswd2, which are the first and second 7-character halves of the LM hash, cracked independently of each other.
The time it takes to recover passwords varies with their complexity. In this case I used simple passwords which were especially weak, and Ophcrack recovered all three in a little under 5 minutes. The fully recovered passwords, with the correct letter case restored by matching against the NT hash, appear under the NTpasswd column.
Scary hey!
Okay so you now have a simple process for recovering passwords under Windows XP. Use it wisely and don’t get yourself into trouble.
steve | Jan 24, 2008 | Reply
Hi John,
this article was quite helpful! I knew about ophcrack but not that they had a LiveCD!
Just great, thanks.
Steve
PS: I’m visiting your blog regularly hoping to find some Linux videos again … any plans?
John Bradbury | Jan 24, 2008 | Reply
Hi Steve, thanks for dropping by the site again.
I’m working on a few small projects at the moment but I do intend to add more video content in the future.
John
Katia | Jan 25, 2008 | Reply
Awesome. Dropped by via the Linux videos, and spotted a tool I need to have on hand. Thanks!
Seanb | Jan 31, 2008 | Reply
Is there any way to do this on another computer? The computer which needs the password recovered on is ridiculously slow. Is there any way to get this SAM database copied so I can run the process on another, faster computer?
John Bradbury | Feb 1, 2008 | Reply
I believe this will do the trick:
http://www.oxid.it/cain.html
Anonymous | Mar 1, 2008 | Reply
Well… guys… the speed depends on your passwords… But also on how much RAM you have…
Flinte | Mar 4, 2008 | Reply
John.. you make great videos sir. What license are you releasing them under? I ask because I want to know your opinion on redistribution. Also, have you ever considered joining the Ubuntu screencast team (http://screencast.ubuntu.com)? They make high quality ubuntu CBTs and release them under Creative Commons v3 license. I think they could use your help.
I am planning on making some Ubuntu Server videos on advanced administration like setting up a LAMP or an LDAP PDC. Anyway, best of luck.
John Bradbury | Mar 15, 2008 | Reply
I’m happy for people to re-distribute these videos. I’ve released them under the creative commons license and I know several copies have been placed on youtube.
I’ve heard of the screencast team but I know so little about Ubuntu I’m not sure I’d be much use.
handbanana | Apr 11, 2008 | Reply
ophcrack live cd didn't crack the admin ntpasswd. what can i do…..I NEED HELP
Sanjio | May 18, 2008 | Reply
I downloaded ophcrack and made the liveCD but when I loaded it from boot I did not get the same start screen as you show here allowing the choice of running the program in auto mode. There was no choice like that and when the program completed its load all I got was a blank screen. When I right-click in the screen I get several menus but I don't know which one to choose or what commands to put in. Is there another download for the version that you are using in this demo?