• Dumping the LM/NTLM password hashes of target user account
• Recovering the password using RainbowCrack/BruteForce/DictionaryCrack method.

It will dump the password hashes (LM/NTLM) for all the user accounts and mention if any of the user account don't have any password. After getting these hashes, you can submit it to online rainbow cracking services to quickly recover real password. For more details refer to our 'Rainbow Password Cracking Article'.

You can also give it try using Windows Password Kracker tool to recover the dictionary based passwords.

• Connect your target Hard disk whose accounts needs to be reset to the running system.
• Boot the system using BackTrack live CD.
• AAfter login, unmount the target hard disk and remount it in read/write mode using following commands
  • umount /mnt/hda1
  • modprobe fuse
  • ntfsmount /dev/hda1 /mnt/hda1
  •  mount
• Next launch the chntpw tool from the \Windows\System32\Config folder passing 'SAM' file as parameter as shown below
  • /mnt/hda1/Windows/System32/Config > chntpw SAM
• Chntpw will display all users and you are asked to select particular user to reset the password.
• On selecting the user, you can choose option to reset the password, where you can enter '*' to set the password to blank. After that you can save the changes and quit the tool.
• Finally unmount the drives and restart the system from hard disk. Now you can login to the system with that user and blank password.

• Make sure that target hard disk is connected to the system.
• Now boot the system using BackTrack Live cd.
• By defaults target hard disk file system is mounted on to /mnt/hda1 (or /mnt/sda1). You can check the mount points using the 'mount' command.
• Then move on to following folder and copy SYSTEM & SAM files to USB or any other media.
  • /mnt/hda1/Windows/System32/Config
• Once these files are copied, you can use emote system password recovery wizard of either LC5 or 'Cain & Abel' tool to dump the hashes by passing these files.
• Once password hashes are obtained, next task is to use Rainbow cracking service or Dictionary/BruteForce operation to recover the password as mentioned earlier.

In case you have forgotten password to your Windows box and just want to login without doing any recovery or reset then Kon-Boot will help you get into any Windows box (and some Linux boxes too) without any password.

Kon-Boot is an prototype piece of software which allows you to access any password protected Windows system without any knowledge of the password. It dynamically modifies the Kernel memory to completely bypass the default authentication mechanism leading to complete access to any Windows box.

Often in the corporate environment, there is a need to remotely troubleshoot user login problems, such as recovering or resetting the password. Generally in such scenarios, every client system will have one administrator account and one or more user accounts. Administrator can remotely recover the user passwords using the tools like pwdump.

Pwdump is the great tool which can dump the password hashes not only from live system but also from the remote system. Here is the screenshot of pwdump dumping the password hashes for all account from remote system.

Here pwdump prints it to the console, instead you can make it to write to text file which can be later fed into LC5 or Cain & Abel or Windows Password Kracker for brute force/Dictionary crack operation.

Alternatively you can submit the hashes to online Rainbow cracking service [5] to quickly recover the password.