“Recover win XP password”

Imagine you forgot your Win XP admin password and have been completely locked out of your own machine.
Worse, your friend forgot his, and you walk into his room when he is just a few seconds into reinstalling the system from scratch. How would you help him?
Well, there are many ways to recover the password, but in this post I will share what I demonstrated at our JLUG meeting.

It's an old trick but it worked fine. [Click on the images for a better view.]

Boot the system with a Linux live CD or flash drive (USB); in my case I used BT3 Final. Log in, open a terminal and you are ready to go.

[Screenshot: logged-in terminal]
Locate the partition where Win XP has been installed, most probably /mnt/hda1 for an IDE hdd and /mnt/sda1 for a SCSI hdd; they will have been mounted automatically. If not, don't worry, do this:
Check what you have in /dev and locate hdaX, where X is 1,2,3...n. Then find which one holds the Windows installation, i.e. mount each of them and look at what it contains (the correct one will have the Windows system folders, %SYSTEMROOT%, usually C:\Windows\system32):
>ls /dev/ | grep hda  #lists the hda partitions available
>mkdir /mnt/windows && mount /dev/hdaX /mnt/windows  #creates a dir "windows" in /mnt and mounts your partition on it; replace X accordingly. From now on our partition is mounted at /mnt/windows/

>cd /mnt/windows  #move to our directory (not necessary)
>ls  #displays what is there
Win XP stores the password information in two registry hives, 'sam' and 'system', which you will find in /WINDOWS/system32/config. The SAM hive may be listed in upper case as SAM; use the name exactly as ls shows it, since the mounted filesystem is usually case sensitive under Linux.
So we create a temp directory in our home and copy the two files there:
>mkdir ~/tmp  #create a tmp dir at home
>cp /mnt/windows/WINDOWS/system32/config/sam ~/tmp/  #copy sam to ~/tmp
>cp /mnt/windows/WINDOWS/system32/config/system ~/tmp/  #copy system to ~/tmp
>cd ~/tmp ; pwd ; ls  #go to our new dir, confirm that we are really there and display what we have there (sam & system)

Now we use a tool called bkhive on the system hive to extract the boot key (syskey) into a file we will call key; then another tool, samdump2, uses that key to decrypt the SAM hive and dump the password hashes into a single file we will call pass; and finally we use john the ripper to crack the password and we are done! [That's how I understood it.]
Now, from ~/tmp:
>bkhive system key  #writes the boot key to the file "key"; bkhive takes the output file name as its second argument rather than via a redirect, and you might not see any confirmation info
>samdump2 sam key > pass  #dumps the hashes in pwdump format (user:RID:LM hash:NT hash:::) into "pass"

Now let's launch jtr (john, if you like), pass it our password file and watch it in action. It can detect many hash types, NTLM, MD5, you name them (google):
>john --incremental ~/tmp/pass  #most likely you will have to launch john from where it is installed, but just type john and you get some info on what to do. As for me I had to use:
>./john --incremental ~/tmp/pass  #I was in john's installation directory
If you are lucky enough you should have your cracked passwords in seconds, depending on how powerful the machine is, how strong the password is, etc.
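As an added example (not part of the original post), here is a small Python audit of the pass file that samdump2 produced, in its pwdump layout user:RID:LM hash:NT hash:::, reporting the conditions that make such a dump fall to john in seconds: LM hashes still stored, blank passwords, and the same NT hash reused by several accounts. The sample dump and every hash value other than the two well-known empty-string constants are constructed for this example.

```python
import re
from collections import defaultdict

# Hashes of the empty string: an LM field equal to EMPTY_LM means no LM hash is stored
# (NoLMHash policy or blank password); an NT field equal to EMPTY_NT means a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# One pwdump line: user:RID:LMhash:NThash:::  (the trailing empty fields are ignored)
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):", re.IGNORECASE)


def parse_pwdump(text):
    """Parse pwdump text into (user, rid, lm, nt) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append((user, int(rid), lm.lower(), nt.lower()))
    return entries


def audit(entries):
    """Return {user: [findings]} for the conditions that make an offline crack fast."""
    users_by_nt = defaultdict(list)
    for user, _, _, nt in entries:
        if nt != EMPTY_NT:
            users_by_nt[nt].append(user)
    findings = {}
    for user, rid, lm, nt in entries:
        notes = []
        if nt == EMPTY_NT:
            notes.append("blank password")
        if lm != EMPTY_LM:  # LM: case-folded, two 7-char DES halves, the weakest hash john sees
            notes.append("LM hash stored")
        others = sorted(u for u in users_by_nt[nt] if u != user)
        if others:
            notes.append("same password as " + ", ".join(others))
        if notes:
            findings[user] = notes
    return findings


# Constructed sample dump: apart from the two empty-string constants, the hash values
# are made-up hex and correspond to no real password.
SAMPLE_PASS = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
not a pwdump line
"""
```

Run audit(parse_pwdump(SAMPLE_PASS)) on a real pass file to see which accounts a defender should fix first; the LM finding goes away once LM hash storage is disabled and the password is changed.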

My machine is dearly slow; by the twenty-third second it had not cracked the simple password. Look into john for faster methods: there is a lot of stuff such as word lists, cracking modes, loading only the important hashes, etc. Keep an open mind and dig more, there is a lot.
IMPORTANT: there are better ways to get admin privileges on an XP machine than this, using the same BackTrack. This is only meant to add to your knowledge.

For more on each of the above commands, make good use of the man pages and Google. Bye bye.

brought to you courtesy of ch!m3ra and JLUG

enjoy responsibly

    • frank mwangi
    • June 26th, 2010

    Dude, thanks for that. So you did that on Thursday (in JLUG) and I loved it!!!!! You can as well be posting more of those in your blog and trust me, the fans will increase!!!! Thanks.

    • lucas
    • July 13th, 2010

    It did work *kudos*
