Taylorbyte.com

Documentation Wiki

Recover Windows password

Install the required tools: rcrack, bkhive, samdump2

Switch to root

This should be obvious, but for the sake of completeness, here it is.

su

Find the correct partition

This will usually be the biggest partition. List the partitions with this command:

echo 'pq' | sudo fdisk /dev/sda

It will give an output like this:

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
/dev/sda2          206848   976771071   488282112    7  HPFS/NTFS/exFAT

It's most likely the one with the biggest number of "blocks" (in our case, sda2). Note: if you have more than one hard drive, go through the other disks (sdb, sdc, sdd, etc.) until you find a partition with a lot of blocks and System type "NTFS".
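The selection rule above (largest partition whose type is NTFS) written out as a small parser over the fdisk listing. This is an added example, not part of the original wiki page; the sample output is the listing shown above and the function names (parse_fdisk, pick_windows_partition) are my own.

```python
"""Pick the partition most likely to hold a Windows installation from an
fdisk 'p' listing. Added example, not part of the original wiki page."""
import re
from typing import NamedTuple, Optional

# Constructed sample: the fdisk listing shown on the page.
SAMPLE_FDISK_OUTPUT = """\
Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
/dev/sda2          206848   976771071   488282112    7  HPFS/NTFS/exFAT
"""

NTFS_ID = 0x07  # MBR partition type id reported as HPFS/NTFS/exFAT


class Partition(NamedTuple):
    device: str
    bootable: bool
    start: int
    end: int
    blocks: int
    type_id: int
    system: str


# One partition row: device, optional '*' boot flag, start, end, blocks
# (fdisk appends '+' when the size is not a whole number of blocks), id, name.
_ROW = re.compile(
    r"^(?P<device>/dev/\S+)\s+(?P<boot>\*)?\s*(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<blocks>\d+)\+?\s+(?P<id>[0-9a-fA-F]+)\s+(?P<system>.+?)\s*$"
)


def parse_fdisk(output: str) -> list[Partition]:
    """Return every partition row found in the fdisk output."""
    parts = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header line, "Disk /dev/..." summary, blank line
        parts.append(Partition(
            device=m["device"],
            bootable=m["boot"] is not None,
            start=int(m["start"]),
            end=int(m["end"]),
            blocks=int(m["blocks"]),
            type_id=int(m["id"], 16),
            system=m["system"],
        ))
    return parts


def pick_windows_partition(output: str) -> Optional[str]:
    """Device name of the largest NTFS-typed partition, or None if there is none."""
    ntfs = [p for p in parse_fdisk(output) if p.type_id == NTFS_ID]
    if not ntfs:
        return None
    return max(ntfs, key=lambda p: p.blocks).device


if __name__ == "__main__":
    for p in parse_fdisk(SAMPLE_FDISK_OUTPUT):
        print(f"{p.device:10} {p.blocks:>12} blocks  id={p.type_id:02x}  {p.system}")
    print("candidate:", pick_windows_partition(SAMPLE_FDISK_OUTPUT))
```

Run it against the output of the fdisk command for each disk (sda, sdb, ...) and take the first non-None result; the small bootable sda1 is skipped only because sda2 has more blocks, which is exactly the heuristic the text describes.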

Mount the hard drive

Mount the hard drive and navigate to the registry hive directory. Mounting read-only (mount -o ro ...) keeps the Windows volume unmodified. Note that the path is case-sensitive on a Linux mount; on Windows XP installs the directory is typically WINDOWS/system32/config.

mkdir /tmp/windows-mount
mount /dev/sda2 /tmp/windows-mount
cd /tmp/windows-mount/Windows/System32/config

Decrypt and dump the SAM file

bkhive extracts the boot key (SysKey) from the SYSTEM hive, and samdump2 uses that key to decrypt the password hashes stored in the SAM hive:

bkhive SYSTEM /tmp/SYSTEM-decrypted
samdump2 SAM /tmp/SYSTEM-decrypted > /tmp/windows-pwdump

Newer samdump2 releases (3.x) read both hives themselves, so bkhive is no longer needed: samdump2 SYSTEM SAM > /tmp/windows-pwdump

You now have a pwdump format file you can use with most recovery programs, e.g.:

username:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

The fields are username, RID (here 1000), LM hash, NT hash, then three empty fields. The first hash is the LM hash; LM hashes are not stored by default after Windows XP, and aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password. The last hash is the NT (NTLM) hash, the one you are interested in.
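The pwdump format described above parsed and audited from the defender's side: the script below flags accounts that still have an LM hash stored, accounts whose NT hash is the hash of an empty password, and accounts that share an NT hash (the same password on several accounts). This is an added example, not part of the original wiki page; the sample lines are constructed (the first is the line shown on the page, the non-empty LM hash on the third line is a made-up value), and the function names parse_pwdump and audit are my own.

```python
"""Audit a pwdump-format dump for credential hygiene problems.
Added example, not part of the original wiki page."""
from collections import defaultdict
from typing import NamedTuple

# Well-known, non-secret values: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump. Line 1 is the example from the page; the LM hash
# on line 3 is a made-up value standing in for "an LM hash is present".
SAMPLE_PWDUMP = """\
username:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:0123456789abcdef0123456789abcdef:8846f7eaee8fb117ad06bdd830b7586c:::
"""

# Finding codes returned by audit()
LM_STORED = "lm-stored"            # legacy LM hash present: disable LM hash storage
EMPTY_PASSWORD = "empty-password"  # NT hash equals the hash of ""
SHARED_PASSWORD = "shared-password"  # identical NT hash on several accounts


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def _is_hex32(s: str) -> bool:
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)


def parse_pwdump(text: str) -> list[Account]:
    """Parse user:rid:lm:nt:::, ignoring blank and '#' lines; reject malformed rows."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt, got {line!r}")
        user, rid, lm, nt = fields[:4]
        lm, nt = lm.lower(), nt.lower()
        if not (_is_hex32(lm) and _is_hex32(nt)):
            raise ValueError(f"line {lineno}: LM/NT hash is not 32 hex characters")
        accounts.append(Account(user, int(rid), lm, nt))
    return accounts


def audit(accounts: list[Account]) -> list[tuple[str, str]]:
    """Return (account(s), finding-code) pairs for the hygiene problems found."""
    findings = []
    by_nt = defaultdict(list)
    for a in accounts:
        if a.lm != EMPTY_LM:
            findings.append((a.user, LM_STORED))
        if a.nt == EMPTY_NT:
            findings.append((a.user, EMPTY_PASSWORD))
        by_nt[a.nt].append(a.user)
    for nt, users in by_nt.items():
        # Several empty-password accounts are already reported individually.
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append((",".join(users), SHARED_PASSWORD))
    return findings


if __name__ == "__main__":
    for who, code in audit(parse_pwdump(SAMPLE_PWDUMP)):
        print(f"{code:16} {who}")
```

Feed it the contents of /tmp/windows-pwdump (e.g. audit(parse_pwdump(open(path).read()))). The NT hash comparison is exact, so hashes are lower-cased first; a hash that is not 32 hex characters is treated as a parse error rather than silently skipped, because a truncated dump would otherwise hide findings.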

Cracking the password

To crack with rcrack (http://project-rainbowcrack.com/index.htm#download), use the following commands:

cd /opt/rainbowcrack
./rcrack /path/to/rainbow/tables/ntlm* -h 8846f7eaee8fb117ad06bdd830b7586c
./rcrack /path/to/rainbow/tables/ntlm* -n /tmp/windows-pwdump

Use the first form for a single hash, or the second to crack every hash in the pwdump file from the system.