Crack or Reset Windows Passwords

If you have forgotten the Windows Administrator password, you can either reset or even crack it. Windows XP stored it username and password information in file named SAM at %SystemDrive%:\Windows\system32\config. The SAM file is encrypted using LM hashes, which is vulnerable to rainbow table attack and bruteforce attack.

I am going to do this with already available tools in Backtrack.

cd /mnt/hda1/WINDOWS/system32/config/
bkhive system key
samdump2 SAM key > /root/pass1

This will dump the hashes in /root/pass1 file as shown below

Root Key : CMI-CreateHive{C4E7BA2B-68E8-499C-B1A1-371AC8D717C7}

Cracking using John the ripper,

john --format=NT /root/pass1
Loaded 1 password hash (NT MD4 [128/128 SSE2 + 32/32])

Or, you can directly reset it with chntpw

/pentest/password/chntpw -u administrator SAM