You are here >  theory >  passwords



In this article we will discuss various ways through which user can recover or reset his current as well as remote system password. Sometimes it is more easy to reset the password than actually recover the password provided user has access to physical system. Often its more important recover the password especially when file system is encrypted or when file system is analyzed for Forensic cases.

Windows 98 used to store the user account passwords in .pwl files in Windows directory. Later version of Windows more better technique and stores the account password into registry hive files named 'SYSTEM' and 'SAM' at following location,


These files are highly protected and not accessible while Windows is running even for the administrator user. However hackers have found a way to circumvent these protections and access these system files.

Live Password Recovery


This section deals with recovering all user account passwords from currently logged in system. In addition to the currently logged on user, you can also recover passwords of all other user accounts on the same system. For this you need to have an account with administrative privileges.

There are couple of tools available for live windows password recovery such as pwdump, cain & abel, LC5 etc. Entire process involves 2 steps

  • Dumping the LM/NTLM password hashes of target user account
  • Recovering the password using RainbowCrack/BruteForce/DictionaryCrack method.

Here is the snapshot of various user accounts and their LM/NTLM hashes dumped by Cain & Abel tool

*To zoom in - click the image*

It will dump the password hashes for all the user accounts and mention if any of the user account don't have any password. After getting these hashes, you can submit it to online rainbow cracking services to quickly recover real password. For more details refer to our 'Rainbow Password Cracking Article' [5]. You can also give it try using LC5's dictionary or brute force cracking approach in parallel to recover any easy passwords.

Offline Password Recovery


This section is throw light on how we can recover the password from offline system or just plain hard disk. Generally this is the case with Forensic investigations where in person's disk has been brought in for acquiring further foot prints in the case. In such scenarios it is important to recover the user's login password as the disk may have been encrypted and some of the prominent applications uses user's logon password to secure their data and other credentials.

Here we will discuss both scenarios, resetting the current user password as well as recovering the password from offline system or hard disk.

Resetting the password


Here we are going to use chntpw tool from BackTrack live CD. Here are the typical steps involved in resetting the password :

  • Connect your target Hard disk whose accounts needs to be reset to the running system.
  • Boot the system using BackTrack live cd.
  • After login, unmount the target hard disk and remount it in read/write mode using following commands
    • # umount /mnt/hda1
    • # modprobe fuse
    • # ntfsmount /dev/hda1 /mnt/hda1
    • # mount
  • Next launch the chntpw tool from the \Windows\System32\Config folder passing 'SAM' file as parameter as shown below
    • #/mnt/hda1/Windows/System32/Config > chntpw SAM
  • Chntpw will display all users and you are asked to select particular user to reset the password.
  • On selecting the user, you can choose option to reset the password, where you can enter '*' to set the password to blank. After that you can save the changes and quit the tool.
  • Finally unmount the drives and restart the system from hard disk. Now you can login to the system with that user and blank password.

Offline recovery of Windows account password


Offline recovery involves copying SYSTEM and SAM registry hive files from target system. You can use any of the LIVE CD or other mechanism to access the Hard disk and get the files. Here we will explain how we can get those files using BackTrack Live CD.

  • Make sure that target hard disk is connected to the system.
  • Now boot the system using BackTrack Live cd.
  • By defaults target hard disk file system is mounted on to /mnt/hda1 (or /mnt/sda1). You can check the mount points using the 'mount' command.
  • Then move on to following folder and copy SYSTEM & SAM files to USB or any other media.
    • /mnt/hda1/Windows/System32/Config
  • Once these files are copied, you can use emote system password recovery wizard of either LC5 or 'Cain & Abel' tool to dump the hashes by passing these files.
  • Once password hashes are obtained, next task is to use Rainbow cracking service [5] or Dictionary/BruteForce operation to recover the password as mentioned earlier.

Here is the screenshot of recovering the password from SAM file using the LC5 tool.

*To zoom in - click the image*

Remote System Password Recovery


Often in the corporate environment, there is a need to remotely troubleshoot user login problems, such as recovering or resetting the password. Generally in such scenarios, every client system will have one administrator account and one or more user accounts. Using this administrator can remotely recover the user passwords using the tools like pwdump.

Pwdump is the great tool which can dump the password hashes not only from live system but also from the remotely running system. Here is the screenshot of pwdump dumping the password hashes for all account from running remote system.

*To zoom in - click the image*

Here pwdump prints it to the console, instead you can make it to write to text file which can be later fed into LC5 or Cain & Abel for brute force/Dictionary crack operation. Alternatively you can submit the hashes to online Rainbow cracking service [5] to quickly recover the password.



[1]. Tool: LC5 (

[2]. Tool: Cain & Abel (

[3]. Tool: Pwdump (

[4]. Tool: BackTrack (

[5]. Rainbow Cracking to quickly recover Windows Password.

EvilFingers Arsenal

Socialize with RootkitAnalytics

Twitter Feed Blogspot

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google