Password Recovery Tools & Tricks

Here are several techniques you can use to either change or recover a lost password. Most of them involve using hacker tools and administrative utilities.

Using the system account to your advantage
If you're running Windows NT 4.0, you can actually change any password, including the Administrator password, without using any tools at all. This technique exploits the system account, which is built-in and normally used to run only specific services. As you might guess, the system account has unlimited privileges. The trick is to make it work to your advantage.

Any time you log on to Windows NT 4.0, it runs the Spooler Service. Since the Spooler Service requires a lot of permissions, it's run by the system account instead of running under the privileges of the user who's logged in. Therefore, if you can trick the system into running User Manager instead of the Spooler Service, User Manager will be running with all the privileges of the system account. This gives you free rein over any user account on the system.

Although it might sound tough to trick the system into running an alternate file, it really isn't. Just log on to the machine using any known username and password. The account's permissions are irrelevant at this point. Once you've logged on, rename the Spoolss.exe file to Spoolss.bak. Then, rename Usrmgr.exe to Spoolss.exe. Reboot the system, and you'll have unlimited access to the user accounts through User Manager. Just don't forget to rename the files to their original names and reboot the system when you're finished.

ERD Commander
My all-time favorite password utility is ERD Commander from Winternals Software. The idea behind ERD Commander is that you can boot the machine using a set of floppy disks or a CD. Rather than booting to Windows, you're booting to the ERD Commander's own operating system. By doing so, you have access to the system's partitions, but Window's security is not in effect. This gives you the freedom to do what needs to be done without any restrictions. ERD Commander allows you to reset the Administrator or any other password without logging on to the system. All you need is physical access to the machine.

One of the things I like about ERD Commander is that it's based on the original Windows code. This means that if your hard disks are part of a RAID array, the utility will still recognize them, in most cases. You can access and reset the Administrator password on a machine with almost any hardware configuration.

ERD Commander is available from Winternals for $399. It's also included in the Administrators Pack, which offers even more cool utilities, for $699.

Password Recovery XP
So far, this article has focused on cracking the Windows logon password. However, many applications maintain their own passwords. If you require administrative access to such applications, you must know the application-level password. The problem is that these types of passwords are easily forgotten because they tend to be used so infrequently. There are lots of specialized crackers available on the Web for cracking all sorts of applications' passwords. But one general cracking utility recently caught my eye.

Password Recovery XP from iOpus can recover just about any password that's masked by asterisks. Although lots of utilities can reveal these types of passwords, Microsoft recently changed its password-encoding scheme. As a result, the vast majority of password crackers designed to crack masked passwords will work only in pre-Windows XP environments. Password Recovery XP is designed specifically to work with all versions of Windows.

Password Recovery XP has minimal system requirements. On a hardware level, it requires a 486 or higher processor and 1 MB of hard disk space. The utility is equally lenient with operating systems, supporting Windows 95, 98, Me, NT, 2000, and XP.

You can go to the iOpus Web site and either download a free trial of the software or buy the full version. The free trial will reveal only the first three characters of passwords you attempt to recover. That may not always be enough to help you guess the passwords stored on an unfamiliar system, but at least you can determine whether the software will work on your system before you shell out the money for the full version.

The price for the full version is $29.95, plus $7.99 for shipping and handling if you want the software on CD-ROM. Before you purchase the software, though, be advised that the license is based on the machine rather than on the user. To stay legal, a support tech will need to buy a separate copy for every machine that he or she plans on using the software with.

Using the software is extremely simple. The download arrives in the form of a self-extracting executable file, and the installation process is almost completely automated. Once the software has been installed onto a machine, you can run it by selecting the iOpus Password Recovery XP command from the Start | All Programs | iOpus Password Recovery XP menu.

When the program initiates, you'll see an interface similar to the one shown in Figure A. Simply click on the key icon and then drag it to the field containing the password you're trying to decrypt. The decrypted password will then appear within the Password Recovery XP window. The decryption process is extremely fast. In my own experimentation, I had a little trouble decrypting some Web-based passwords, but all of the others that I tried were quick and easy to decrypt.

Figure A

This is the iOpus Password Recovery XP interface.

Hacker tools
So far, I've been showing you techniques that you can use to recover lost passwords either directly through the operating system or by using legitimate commercial applications. However, you shouldn't rule out using hacker tools if they help you to accomplish the task at hand.

Before you go scavenging around the Internet for hacker tools, though, I need to offer a word of caution. In general, hacker Web sites can't be trusted. You should exercise extreme caution when downloading hacker utilities because you never know what you might be getting.

Red Button
If you're trying to do some work on a computer, and no one knows the Administrative password, there's a possibility that the owner of the computer may not even know the name of the Administrator account. After all, renaming the Administrator account has long been a popular security technique. If the system is running Windows NT, though, you can use a hacker tool called Red Button to find out whether the Administrator account has been renamed, and if so, its new name. You can see a sample of Red Button in Figure B.

Figure B

Red Button can tell whether the Administrator account has been renamed

You might have noticed that in the figure, the built-in Administrator account was listed as N/A. That's because when I was writing this article, I didn't have a Windows NT server handy, so I ran Red Button against a Windows 2000 server. Microsoft designed Windows 2000 in a way that would prevent the name of the Administrator account from being compromised.

Dictionary and brute-force password cracking
If you haven't been able to use any of these techniques to crack the elusive Administrator password, you might consider performing a brute-force crack as a last resort. This approach has its good and bad points. On the positive side, a properly performed brute-force password crack is pretty much guaranteed to work. It simply tries every possible combination of numbers, letters, and symbols until it finds one that matches the password hash.

On the downside, a brute-force crack can take a long time. For every character in the password, the cracking time increases exponentially. For example, suppose for a moment that you were performing a brute-force crack on a password that could contain only the numbers 0-9. A one-character password would have 10 possible combinations; a two-character password would have 100 possible combinations; and a three-character password would have 1,000 possible combinations.

In that example, I used numeric passwords to keep the math easy. In the world of PCs, though, there are 256 possible values for each digit in the password. Some of those values are invalid, but even so, a one-character password could have 256 possible values; a two-character password could have 65,536 possible values; and a three-character password could have 16.7 million possible combinations.

If, after seeing these staggering numbers, you think that a brute-force crack could take forever, you're right. But what's weird is that a good brute-force cracker can crack a four-digit password in a matter of just a few minutes. Over the course of a day, you might be able to crack up to a seven-digit password (depending on your software and the speed of your machine). However, the amount of time required to crack a password goes way up for anything beyond seven digits. Although a seven-digit password could conceivably be cracked in a day, I've seen it take well over a week (running 24/7) to crack an eight-character password.

With any luck, you can find a password-cracking technique other than brute force that works for you, especially if the machine's previous administrator was really into using long passwords. If you do have to use a brute-force cracker, though, my tool of choice is LOphtCrack.

The current version of LOphtCrack requires administrative access before you are allowed to crack passwords. However, the LOphtCrack Web site contains some utilities you can use to extract password hashes from the registry. You can then use LOphtCrack to crack the hashed passwords. I'm not sure whether the current version supports this type of cracking, but some of the older versions floating around the Web do.

The reason LOphtCrack is one of my choice tools is that it optimizes the cracking process by first running a dictionary-based crack. As the name suggests, a dictionary crack tests words found in a dictionary to see whether they match the machine's password. Most dictionary-based cracks search for common terms, common misspellings, and technical terms. For example, if your password is PASSWORD, a dictionary crack would have no trouble deciphering it. If your password is WhAtz~Da*PasssWoyd, there's no way that a dictionary-based crack would work, and you'd have to rely on brute force.

Cracking up
Passwords can add security to your network, but they can also cause you headaches. When passwords get lost, you need a way to get them back. Using the tools discussed here, you may be able to recover lost passwords and get back to other, more pressing jobs.