Cracking Windows Passwords

[ddrueding]

A client has a server and doesn't know the password. I believe it is Server 2008 R2. It is currently running fine, but it would be nice to be able to log in. I have full access to the machine, so booting to a CD or other is possible. What is the current state of this sort of thing?

 

[sdbardwick]

Ophcrack worked for me just fine (5 minutes to recover PW) about two years ago on Server 2003. Current version says it supports Vista, so it will probably work on 2008R2.

 

[timwhit]

http://project-rainbowcrack.com/

 

[timwhit]

I was just trying to figure out why a rainbow table attack would work on NTLM, because no one in their right mind would design a system that doesn't use salts. But, apparently NTLM doesn't use salts.

 

[ddrueding]

Thanks for the tips, guys.

 

[CougTek]

Active Password Changer. Available on older versions of Hiren's Boot CD. I don't remember if I've used it on a Server 2008 (because generally, people who operate a Server 2008 machine don't lose their passwords). It works like a charm on all Windows 2000-to-7 though. I have yet to use it on a Windows 8 system (because they are so rare).

 

[Will Rickards]

Don't you just boot into recovery, add an admin level account, login with that and reset the other accounts password?

 

[Stereodude]

I was just trying to figure out why a rainbow table attack would work on NTLM, because no one in their right mind would design a system that doesn't use salts. But, apparently NTLM doesn't use salts.

As always your system is only as secure as you're physical control of the system.

 

[timwhit]

I don't know if that's true for encryption or hashes. Imagine two scenarios with a user table/DB from a large internet company being released to the public:

1. Passwords in the table are standard SHA-256 hashes.
2. Passwords in the table are SHA-256, but there's another column in the table called SALT.

In scenario one, I can use a rainbow table to look up a large portion of the passwords in a small amount of time. In scenario two, I am stuck using a dictionary attack against each and every password assuming I know how the SALT is added to the password.

 

[Howell]

Ntpasswd still works just fine for resetting the password up through 2008 64 if that meets your requirements.

 

[Mercutio]

You guys who are advocating a straight-up password hack may or may not know that a Windows Server that has been promoted to act as a Domain Controller does not have a local password database to crack.
But it's relatively simple to get a back door in so you can do a password reset on a DC if you can tolerate a little down time and have a copy of the install media.