With forensics in mind, there’s literally a ton of ways to gain access to Windows. From clear text password exploits that dump the password in plaintext to your screen to bootable CDs that reset the Windows password outright (just search Google for “Windows Password Recovery” to see what I mean). This post isn’t meant to cover all password recovery bases, just briefly explain why reset tools may not be forensically sound and provide some links that may be of value to you if you need a good tool (my current favorite method is utilizing tool known as Ophcrack).
For those that don’t know, 0phcrack is a free but powerful utility that makes use of rainbow tables to crack NT HASH and LM passwords. It utilizes a method known as Time-Memory Tradeoff (discussed earlier on the blog). The best tables that support different types of characters for use in password extraction (and for different OS types) can be rather large. Cracking passwords can also be time consuming.
Distributions like the now-defunct free version of e-fense’s Helix 3 (no longer supported in favor of a paid pro version), and DEFT Linux, made/makes use of 0phcrack and provided access to basic rainbow tables for this purpose. If you don’t have Helix or 0phcrack as part of your forensic tool-set, you should. If you are interested in expanding your tables and have access to a large enough medium, feel free to check FreeRainBowTables.com to get more tables generated using distributed computing methods). The basic tables can also be found on 0phcrack’s Sourceforge and are suitable for basic use, but they also have paid tables as well.
0phcrack can be used during the analysis of a target’s SAM and SYSTEM Hivehive. It can be run as an executable from within Windows or in a bootable environment. Such information could provide forensically invaluable in accessing EFS-protected files on the system. From what I know, using methods like chntpw in Backtrack do reset Windows passwords but do then make accessing EFS encrypted files impossible.
Check this video created and posted by TechnologyCrazy to see how to setup 0phcrack (completely unaffiliated with this site).
As I always state, this site does not condone illegal activity. Link posts are links to pre-existing content (I’m actually considering making my own informational videos at some point when I have the time. Maybe even a step-by-step guide).
For links to computer security related tools or resources, feel free to check this Neuralhub post.
If you have access to any related instructional video please post it in the comments! If they are any good (and they are publicly accessible), I’ll share them.
Edit: This post is fairly old and I’ve used some really great programs since then. Here are some further notes to help you decide which encryption auditing tool you should use and when:
Ophcrack Project Homepage
This tool is good for LM and NT hash; quick and easy SAM hive cracking which is ideal if you don’t happen to have a license for PRTK but do for FTK and wish to crack EFS; uses rainbow tables for speed (pre-calculated hashes), for brute force see l0phtcrack below.
l0phtcrack Password Auditor
Offers excellent brute force, support for rainbow tables and dictionary attacks. Some that are coming from PRTK may note l0phtcrack seems to be missing PRTK’s biographical dictionary attack… one of my favorite tools. But that’s not necessarily true: you can accomplish this by loading biographical information in by creating your own dictionaries. Also one of the coolest features of l0phtcrack is the network sniffer which pulls password hashes transmitted across a network… but fair warning: it doesn’t always work, if in doubt, read the documentation).
** Note: thanks to my nameless friend for letting me try his l0phtcrack. Much appreciated.
AccessData’s PRTK
One of my all time favorite tools. Although brute forcing and standard dictionary attacks may take a long time and be resource intensive, PRTK also includes some pretty powerful dictionaries straight off the bat. Also nothing beats the simple and straight forward interface. I’m a huge fan of the biographical dictionary attack in which you can import string data from FTK and FTKi to accomplish a user-specific attack (that is to say, things like directory listings, FTK dtIndex’d results, etc. can all be imported to speed up attacks). I used PRTK extensively in my AccessData Certified Examiner studies and found it to be one of the best tools to date.
Interesting side note regarding EFS cracking if you have a license to FTK but not to PRTK:
If you are running FTK4+, you can first crack the Windows user password in Ophcrack (SAM & SYSTEM hives) and then, after selecting the EFS encrypted file, allow FTK to decrypt it with the password you’ve discovered. FTK also includes allows you to list multiple passwords if you’re unsure of which it may be. If PRTK is installed on the same system, it’ll use PRTK in the background and decrypt the file. Of course, as an ACE, I advocate getting a license to PRTK if you can, but thankfully PRTK can be used for this at the back-end with little trouble.