Microsoft

Get IT Done: Recover lost passwords with these tricks and tools

Put these password recovery techniques in your bag of tricks


It recently occurred to me that hacking is one of the most misunderstood concepts in all of IT. When I tell friends or family that I have hacking experience, they always tell me that I'm going to get caught and go to prison. What most people don’t understand is that not only are there legal types of hacking, but that hacking is sometimes even necessary in the course of day-to-day IT operations.

Take password recovery for example. On more than one occasion, I’ve had someone pay me to hack his or her network because the IT guy quit and the new IT person has no idea what the Administrator password was. Here are several different techniques that you can use to either change or recover a lost password. Most of the techniques that I’ll show you involve using hacker tools and administrative utilities.

Using the system account to your advantage
If you’re running Windows NT 4.0, you can actually change any password, including the Administrator’s password, without using any tools at all. This technique exploits the system account. The system account is a built-in account that’s normally only used to run specific services. As you might guess, the system account has unlimited privileges. The trick is to make the system account work to your advantage.

Any time you log on to Windows NT 4.0, Windows runs the Spooler Service. Since the Spooler Service requires a lot of permissions, it's run by the system account, rather than running under the privileges of the user that’s logged in. Therefore, if you can trick the system into running User Manager instead of the Spooler Service, the User Manager will be running with all of the privileges of the system account. This gives you free rein over any user account on the system.

While it might sound tough to trick the system into running an alternate file, it really isn’t. Just log on to the machine using any known username and password. The account’s permissions are irrelevant at this point. Once you have logged on, rename the SPOOLSS.EXE file to SPOOLSS.BAK. Then, rename USRMGR.EXE to SPOOLSS.EXE. Reboot the system, and you’ll have unlimited access to the user accounts through the User Manager. Just don’t forget to rename the files back to their original names and reboot the system when you’re done.

ERD Commander
My all time favorite password utility is ERD Commander from Winternals Software. The idea behind ERD Commander is that you can boot the machine using a set of floppy disks or a CD. Rather than booting to Windows, you’re booting to the ERD Commander’s own operating system. By doing so, you have access to the system’s partitions, but Window’s security is not in effect. This gives you the freedom to do what needs to be done without any restrictions. ERD Commander allows you to reset the Administrator or any other password without having to be logged on to the system. All you need is physical access to the machine.

One of the things that I like so much about ERD Commander is that it’s based on the original Windows code. This means that if your hard disks are part of a RAID array, the utility will still recognize them in most cases. You can access and reset the Administrator password on a machine with almost any hardware configuration.

ERD Commander is available from Winternals for $399. ERD Commander is also included in the Administrators Pack, which includes even more cool utilities for $699.

Password Recovery XP
So far, this article has focused on cracking the Windows logon password. However, there are many applications that maintain their own passwords. If you require administrative access to such applications, you must know the application-level password. The problem is that these types of passwords are easily forgotten because they tend to be used so infrequently. There are lots of specialized crackers available on the Web for cracking all sorts of different applications' passwords. However, there is one general cracking utility that recently caught my eye.

Password Recovery XP from iOpus can recover just about any password that’s masked by asterisks. While there are lots of utilities that can reveal these types of passwords, Microsoft recently changed its password-encoding scheme. That means that the vast majority of password crackers designed to crack masked passwords will only work in pre-Windows XP environments. Password Recovery XP is designed specifically to work with virtually all versions of Windows.

Password Recovery XP has minimal system requirements. On a hardware level, Password Recovery XP requires a 486 or higher processor and 1 MB of hard disk space. The utility is equally lenient on the operating system. Password Recovery XP supports Windows 95, 98, ME, NT, 2000, and XP.

You can download a copy of Password Recovery XP from the iOpus Web site. The URL that I’ve just provided allows you to either download a free trial of the software or buy the full version. The free trial will reveal only the first three characters of the password. Although three characters may not always be enough to help you guess the passwords stored on an unfamiliar system, the free trial version will at least show you whether the software will work on your system before you shell out the money for the full version.

If you choose to purchase the full version, the price is $29.95 plus $7.99 for shipping and handling, if you want the software on CD-ROM. Before you purchase the software though, be advised that the license is based on the machine rather than on the user. This means that a support tech would need to buy a separate copy for every machine that he or she planned on using the software with, in order to stay legal.

Using the software is extremely simple. The download arrives in the form of a self-extracting executable file, and the installation process is almost completely automated. Once the software has been installed onto a machine, you can run it by selecting the iOpus Password Recovery XP command from the Start | All Programs | iOpus Password Recovery XP menu.

When the program initiates, you’ll see an interface similar to the one shown in Figure A. Simply click on the key icon and then drag it to the field containing the password that you're trying to decrypt. The decrypted password will then appear within the Password Recovery XP window. The decryption process is extremely fast. In my own experimentation, I had a little trouble decrypting some Web-based passwords, but all of the others that I tried were quick and easy to decrypt.

Figure A
This is the iOpus Password Recovery XP interface.


Hacker tools
So far, I’ve been showing you techniques that you can use to recover lost passwords either directly through the operating system or by using legitimate commercial applications. However, you shouldn’t rule out using hacker tools if they help you to accomplish the task at hand.

Before you go savaging the Internet for hacker tools, though, I need to offer a word of caution. In general, hacker Web sites can’t be trusted. Therefore, you should exercise extreme caution when downloading hacker utilities, because you never know what you might be getting.

Red Button
If you’re trying to do some work on a computer and no one knows the Administrative password, then there’s a possibility that the owner of the computer may not even know the name of the Administrator’s account. After all, renaming the Administrator account has long been a popular security technique. If the system is running Windows NT, though, there is a hacker tool called Red Button that you can use to find out if the Administrator account has been renamed, and if so, what it has been renamed to. You can see a sample of Red Button in Figure B.

Figure B
Red Button can tell if the Administrator account has been renamed.


You might have noticed that in the figure, the built-in Administrator account was listed as N/A. The reason for this is that at the time that I was writing this article, I didn’t have a Windows NT Server handy. Therefore, I ran Red Button against a Windows 2000 Server. Microsoft designed Windows 2000 in a way that would prevent the name of the Administrator account from being compromised.

Dictionary and brute force password cracking
Hopefully, you’ve been able to use one of the techniques that I’ve shown you to crack the elusive Administrator password. If you haven’t yet had any luck, you could perform a brute force crack as a last resort. A brute force crack has its good points and its bad points. The good point is that, if performed properly, a brute force password crack is pretty much guaranteed to work. That’s because a brute force crack simply tries every possible combination of numbers, letters, and symbols until it finds a combination that matches the password hash.

The biggest downside to a brute force crack is that it can take a long time. For every character in the password, the cracking time increases exponentially. For example, suppose for a moment that you were performing a brute force crack on a password that could only contain the numbers 0-9. A one-character password would have 10 possible combinations. A two-character password would have 100 possible combinations, a three-character password would have 1000 possible combinations.

In this example, I’ve used numeric passwords to keep the math easy. In the world of PCs though, there are 256 possible values for each digit in the password. Some of those values are invalid, but that’s beyond the scope of this article. For demonstration purposes, a one-character password could have 256 possible values. A two-character password could have 65,536 possible values. A three-character password could have 16.7 million possible combinations.

If, after seeing these staggering numbers, you think that a brute-force crack could take forever, you’re right. What’s weird, though, is that it’s been my experience that a good brute-force cracker can crack a four-digit password in a matter of just a few minutes. Over the course of a day, you might be able to crack up to a seven-digit password (depending on your software and the speed of your machine). However, the amount of time required to crack a password goes way up for anything beyond a seven-digit password. While a seven-digit password could conceivably be cracked in a day, I’ve seen it take well over a week (running 24/7) to crack an eight-character password.

Hopefully, you can find a password-cracking technique other than brute force that works for you, especially if the machine’s previous administrator was really into using long passwords. If you do have to use a brute-force cracker, though, my tool of choice is LOphtcrack.

The current version of LOphtcrack requires administrative access before you are allowed to crack passwords. However, the LOphtcrack Web site contains some utilities that you can use to extract password hashes from the registry. You can then use LOphtcrack to crack the hashed passwords. I’m not sure if the current version supports this type of cracking or not, but some of the older versions floating around the Web do.

The reason why LOphtcrack is one of my tools of choice is that it optimizes the cracking process by first running a dictionary-based crack. A dictionary crack is a crack in which words found in a dictionary are tested to see if they match the machine’s password. Most dictionary-based cracks search for words that appear in the dictionary, common names, common misspellings of words in the dictionary, and technical terms. For example, if your password is PASSWORD, a dictionary crack would have no trouble deciphering the password. If your password is WhAtz~Da*PasssWoyd, there’s no way that a dictionary-based crack would work and you’d have to rely on brute force.

Cracking up
Passwords can add security to your network, but they can also cause you headaches. When passwords get lost, you need a way to get them back. Using the tools discussed in this Daily Drill Down, you may be able to recover lost passwords and get back to other, more pressing jobs.

Editor's Picks