Tuesday, August 08, 2006

Security: Physically Retrieve Windows NT/2000/Xp Local Passwords

From time to time, people will bring me a laptop that they have locked themselves out of. Kind of silly thing to do, but they are not left out in the water. There are three methods I use for retrieving passwords and getting back into the system.

My preferred method is to use OphtCrack (which, I suppose is a play on the L0phtCrack name). It is a Linux Live CD that uses Rainbow Tables to crack passwords. I must admit a complete ignorance of the Rainbow Tables method of password cracking, however this method works incredibly fast compared to other methods I have used in the past, so I will have to read up to understand it a little better. With Ophtcrack, the process is completely automated. You put the CD into the drive, boot off of it, and then when everything loads, click on the launch button. I just used this recently, and it took roughly 30 mins to get all passwords off of a Windows 2000 machine (some passwords were good one, some were incredibly bad ones). Plus, if you’re willing to pay, there are more advanced Rainbow tables available. The one drawback to this method that I have run into is the Live CD’s hardware support is pretty poor, and the video resolution on some machines I have run this on will either cause the program to be unusable, or just force a reboot.

The second method I use is to grab the SAM and System files under the C:\WinNT\System32\Config folder using an external boot disk such as Knoppix and copy it to a USB key drive. Then I can import these into something to de-SysKey the files, such as SamInside, then run something like L0phtCrack to get the passwords. I use this as a second method since it takes a little longer and there are a lot more steps.

If all else fails, I use something like “Offline NT Password & Registry Editor”, another Linux LiveCD that will blank out the Administrator password. I use this as a last resort since it has the potential to cause damage to the system. I have not yet run across that situation, but I am aware of the potential so I use it as a last resort.

No comments: