Wednesday, 18 March 2015

Password recovery with Elcomsoft System Recovery

(Part three of Three ways to recover from a forgotten Windows password)

You've forgotten your Windows password. What now?

You will need to buy a copy of Elcomsoft System Recovery and burn the provided ISO file to a CD.

Boot off this CD and choose the hard disk containing the Windows installation from the list supplied. Continue through the Wizard choosing the default options if you are a regular home user or your work PC is not on a Windows domain.

With any luck your password will appear in the list. You can reboot and type it in. If you have created a good, secure password then you have more work to do.

Dump the hashes
Return to the main menu and select ‘Dump password hashes for further audit/recovery’. This will create a text file containing the hash values of your password(s). Use a USB flash drive to help move these files to a computer over which you have control.

You can now use any number of tools and websites to determine your password.

We’ll use HashKiller.co.uk, which lets you submit a hash and returns the associated clear-text password. Paste the hashed password into the left field and press Submit at the bottom to discover your password.

If your password was very complex and you wisely don’t want to disclose it to any cracking website you could buy specialist cracking software. Elcomsoft also sells this, specifically the Proactive Password Auditor. At £299 this is quite expensive but a free trial version allows you to use it for up to 60 days and can check only 10 accounts. If you’ve forgotten your password, rather than conducting an investigation, this should do the job.

Password reset accessibility hack

(Part two of Three ways to recover from a forgotten Windows password)

You've forgotten your Windows password. What now?

Windows provides accessibility tools at the login screen when the user pressing the Shift key five times. Behind the scenes at least two programs run when this happens. These are utilman.exe and sethc.exe. If we could replace either of these with the command line then we could run commands before logging in. If one of those commands was to reset a user’s password we’d gain easy access. The downside is you will not be able to access files encrypted by EFS.

You will need a Windows installation disc for this.

Boot from the installation disk and, instead of installing Windows, choose the ‘Repair your computer’ option. Use the default option of ‘Use recovery tools’ and choose ‘Command Prompt’ from the following screen.

Decide which file you want to 'hijack': utilman.exe or sethc.exe. We’ll use sethc.exe.

Type the following to back a backup of the file and replace it with the command line program:
copy c:\Windows\System32\sethc.exe c:\
copy c:\ Windows\System32\cmd.exe c:\ Windows\System32\sethc.exe
Click the Restart button on the System Recovery Options window and wait for the login screen to appear.

At this stage you have replaced one of the programs that is called by the accessibility system with a command prompt. When the login screen loads press the Shift key five times and Sticky Keys will load as expected. And so will a command prompt. The following commands will help grant you access to the system:

List users
net user

Change Fred’s password to qwerty123
net user Fred qwerty123

Add a user called Wilma and make her password asdfgh098
net user Wilma asdfgh098 /add
net localgroup Administrators Wilma /add 

You’ll need to restart if you want to log in as a newly-created user.

You may wish to restore sethc.exe. Open the command prompt and type:
copy c:\sethc.exe c:\Windows\System32\sethc.exe