Hacking/Recovering windows XP passwords


Please note, this article is for educational purpose only.

Goal: To recover windows xp account passwords when you obviously don't have an admin privilege.

Prereq: 1. You either have access to booting via CD (in many places CD boots are disabled in bios)
2. Any other OS - XP or Linux is also installed to which you have access to.

Tools needed: OphCrak Live CD, rainbow tables

Lets start.


How does it work?

Generally XP account passwords are stored as hashes in the encrypted SAM file, located in c:\windows\system32\config\SAM
The process requires you to get a hashdump of this SAM file and pass it to OphCrack, which will then use this beautiful method involving rainbow tables to recover the password for you. Rainbow tables are way faster than the usual dictionary and brute force method.



1. If bios allows you to boot via a CD, you are in luck. Burn the OphCrak Live CD and it will take care of the rest. Simply specify which XP instance you want to recover the password.
It will automatically get a hash dump and start the recovery password.

2. Alternate way, the one I describe here in detail is using your other OS. Say, you already have Linux as the second OS. Get an access to it either using your legitimate account or using the "Hacking Linux root accounts via grub" article.

a) Download OphCrack from the website.

b) Download a rainbow table depending on your ram.

c) Copy SAM and SYSTEM file from the following location (assuming you know how to mount ntfs partitions)

cp /mnt/win_C/WINDOWS/SYSTEM32/Config/SAM ./


cp /mnt/win_C/WINDOWS/SYSTEM32/Config/SYSTEM ./

where /mnt/win_c is where your windows NTFS partition is mounted and the current folder is OphCrack/linux tools/ folder

d) Run the Bkhive and samdump2 tools

bkhive SYSTEM temp.txt

samdump2 SAM temp.txt > hashes.txt

both these are available in your OphCrack/linux tools folder

e) Run OphCrack. Load the rainbow table and the hashes.txt file and wait.
The process timing depends on the strength of the stored password.

Great! You have recovered your account password.
Note: You can selectively extract only "your" account password, if you do have any ;)
Now login using the username/password recovered and check.

Places to experiment: SOC 1 lvl 8 PC labs (NUS)

Caution: It is a criminal offense if you don't have the right to access the system. Also, accounts authenticated using LDAP cannot be recovered this way. There is generally a debugger account which will give you some admin rights to add remove users for the pc.