Dark Hat Hackers


 windows password recovery

Admin


Posts: 23
Join date: 2008-06-27
Location: Florida

PostSubject: windows password recovery   Thu Jun 26, 2008 11:11 pm

The following is a tutorial on how to go about recovering a local Administrator password from a machine. Use the following section to find the area of the guide that best suits your situation. Depending on which situation you choose, you will either be performing a password audit or change. An audit will tell you what the local administrator password is; a change will simply change the password to whatever you want. *Please note that the sites referenced for cracks are nasty. Do not visit them without a firewall and virus protection.*

1) You are logged in with administrator privileges or have the ability to install software to the machine. (Audit)
2) You do not have administrator privileges and there is no BIOS password on the machine. (Audit or Change)
3) You do not have Administrator privileges and there is a BIOS password that keeps you from changing the boot sequence. (Audit or Change)
4) You do not have Administrator privileges, the case is locked, and you can’t boot to any drive. (Audit)


1) If you can install software to the C drive on the computer (add items to the registry and whatnot) download lc4 or lc5 from the following link http://secwatch.org/download.php?cat=2. Then go to http://www.andr.net or http://www.astalavista.box.sk and search for the crack to get the full functionality of the program. You may need WinRAR to extract the crack, which you can get from http://www.download.com. WinRAR can also be cracked from the previous two sites. Please note that these sites have tons of popups and viruses, so proceed with caution. Do not click yes or agree to anything that pops up; just close them out. Once you get the crack you need to install LC5 or LC4 and say register, which will then come up with a screen with a number in it. Type that number in the key generator and the correct key will be generated. Then you need to type that key into LC4 or LC5 and it will give you the full functionality. Once you have the program cracked we can continue. (If you have trouble with the cracks let me know; I may be able to help you.) These programs will present you with a set of options once installed. Click “next” until you see auditing method, where you will select “strong password audit”; otherwise you can choose “custom” and add additional dictionaries and symbols if the strong audit does not work. Click next again and check all the boxes. Continue to click next until the wizard exits. The program will then begin to audit all the local passwords on the machine. If you can’t leave it running for a long time on that machine, save your progress to a file and take it home. A password audit could take seconds or weeks depending on the complexity of the password. Go to file->save and once you get home or to a computer that will not be disturbed, install lc4 or lc5 and repeat the process but open the file you saved and it will continue to audit where you left off. Once it completes you will have all the passwords.
Periodically check the progress; you may get some passwords before others. If you do not get any of the passwords you may want to rerun the program using the “custom” option and add everything such as spaces and other characters. This of course will increase the overall audit time. After all is said and done you may think about removing the software, as it may cause suspicion if it is located.


2) If you do not have administrator privileges you will need to take a slightly different approach. First of all you will need to decide whether or not you want to audit or change the passwords. I would recommend audit whenever possible because for one thing if someone that knows the admin password tries to log in they won’t be able to if you changed it. Suspicion may be aroused. Also if you are at a school or business the local admin passwords are usually the same on all of the computers, so if you audit it you will be able to log into all the machines, not just the one you changed. We will first start with the audit.
Begin by going to the following link http://www.xppasswordrecovery.co.uk/. You will need a formatted floppy disk. Follow the instructions there to create a bootable floppy disk. After you create the disk I would create a text file on the floppy and paste the web site in it because you will need it later. Now that you have your disk, insert it into the computer you want to audit and power it off. Next turn it on and let it run through what it needs to do. If successful the PC will boot to the floppy and turn itself off when it is done. If the computer does not boot to the floppy you will need an extra step. As soon as you turn the computer on, start pressing the “F” keys. Most likely F1 or F2 will get you into the BIOS. Once you are in the BIOS search for the section that says “boot order” or “boot sequence”. Look for the floppy drive and move it to the first thing in the list, probably by pressing + or –, I’m not sure. After it is the first in the boot order save the changes and power off the computer. Insert your floppy and power on. It should now boot to the floppy and get the SAM file in the PC and the password hashes. When it finishes remove the disk and log onto a computer you have access to. Put the floppy in the drive and return to the web site you saved on the disk. Go to the instruction tab and read what it says. You need to type in A:\UPLOAD.TXT and your email in the form given. This will upload the password file to a server which does the same thing as the lc5 and lc4 in the step above. After 2 days or so you will receive an email with your passwords in it. If you pay money you may get the passwords faster, but if you wait at least two days they are free.
If you want to change the password you will need the following program: Winternals ERD Commander. In order to obtain this software you will need to use a file sharing program like BitComet, which can be downloaded from http://www.download.com. Once this is installed you need to select a site, I prefer torrentreactor, and search for the file. If you find it you will need a crack to use it. You can get a crack from http://www.andr.net or http://www.astalavista.box.sk. I have found that ERD Commander 2004 or 2003 is easier to crack than 2005, but I’m not sure. If you see an earlier version it will do the same thing as a new one as far as you’re concerned. So once you get the program and the crack, try to install it and refer to the help guide that should be included with the crack. If you are successful you will be able to access the program and create a boot disc. You can do so by going to ERD Commander and selecting create boot disk, if I’m not mistaken. If you have an older version you will not have to crack the boot disk; the newer versions may need a crack. Unless you are good with cracking programs get the older version like 2003. If you have any issues let me know. After you create the boot disk you will need Nero or another burning program to burn the image to a CD. You can download Nero and other software from http://www.download.com. If you are using Nero you will start it and I think it is advanced mode in smart start and you will need to tell it to burn an image. After you locate the image it will do the rest. Once you have the disk you can begin. Put the CD in the drive and restart the computer. If it works you will boot to the CD; if not you will need to change the boot order in the BIOS. Please refer to the section above, except you need to make the CD the first item. After this change is made you should be able to boot to the CD. If you get in you should see what looks like Windows, but it is not.
You need to go to the start menu and go to programs, I think, and administrator tools, then to Locksmith. Once in Locksmith you need to select the administrator account and type a new password. The password may have restrictions such as minimum length or required numbers/letters or something, so keep this in mind or the new password will not work when you try it out. After you change it restart the computer and remove the disk. As with the other steps, try out the password by changing the domain to local machine and user account to administrator.

3) If the computer that you want the administrator password on has a BIOS password and you cannot boot to a floppy or a CD there is still hope. If the case is not locked we need to open it up. Make sure the computer is unplugged before you proceed further. Look on the motherboard for a flat battery the size of a quarter. Pop it out and wait a minute. Put the battery back in and start up the computer. If the battery is clamped in, there should be a set of like 4 or 3 little pins on the motherboard with a jumper on two of them. Remove the jumper and place it on the two it was not on for a minute, then move it back. This does the same thing as removing the battery. The BIOS password should be erased and you can refer to the problem above on what to do next. Once this is complete you can audit or change the password.
Another option is to attempt to erase or crack the BIOS password. This is very risky and may cause damage to the computer, so proceed with caution. You need to be able to boot to DOS. The following link has boot disk downloads http://www.bootdisk.com/. If these are successful you will boot into DOS; once there you can execute the following command:
A:\>DEBUG
- o 70 2E
- o 71 FF
- q (Quits to DOS)
This should erase the password in CMOS. If not, you may be able to use a program like http://www.cgsecurity.org/index.html?cmospwd.html, but more on this if there is interest shown in it.

4) If the case is locked and none of the other schemes worked we still have one more option. There are items called key loggers that can be used in this situation. The following is a link to a site that sells them http://www.keyghost.com/. If you have the money, get a hardware key logger. You can do a lot more than get admin passwords; you can get everything someone types. Once you get this you plug the keyboard into this and plug the key logger into the computer. If it is a USB keyboard I think you can get a converter. Once this is installed you will capture every key stroke. So you’ll have to wait for someone that knows the administrator password to log in. Once they leave, remove the device and access it to see what was typed.

There are many different methods to gain unauthorized access to an account. This is a list of methods I have compiled:


1. ERASE SAM FILE
==========================
Erasing the SAM file will cause Windows to recreate a generic Admin and guest account, and delete every other account on the machine, and all the information on those accounts. If this doesn’t matter to you, use one of the following methods.

A. If you want to use a tool, use Locksmith from ERD. It does not mess anything up unless you are on an Active Directory based network.
B. http://uneasysilence.com/archive/2007/02/9486/
C. Use system recovery cd.

2. AUDIT SAM FILE (View Without Changing)
============================================
Cracking the password to an account can be done with many methods.

A. Easiest way is to just grab a copy of BartPE:
http://www.nu2.nu/pebuilder/
You boot to the disk, which then has a program that will let you reset passwords for Windows accounts and even create new Windows accounts.
Create a new Windows account, and then crack the other passwords using Cain and Abel.
B. Use BackTrack 2 on a live CD.
C. If all else fails, download LC4. It is a program that works on breaking the Windows XP SAM file. If you don’t have admin rights at all, then you will need a special boot disk so you can access the SAM file. Once you have it copied, run LC4 and it will tell you all the passwords to all the accounts on that computer, or you could just ERASE the SAM file and forget LC4 altogether, and this way all passwords are erased (make sure you get the backup file too).
D. Use ophcrack on a live cd.

3. CHANGE ACCOUNT PASSWORD
==================================================================
Removing/resetting/changing the password can be accomplished with many different methods.


A. Turn on computer.
Press F8 a bunch of times.
-A black window with text will pop up
Go up (by using the arrows on your keyboard) and highlight SAFE MODE
Hit Enter
-A bunch of random text will show up (just showing you what Windows is doing)
Then 2 (or more) accounts will show
Click the Administrator account.
After the account has loaded:
Go to Start
Go to Control Panel
Go to User Accounts
Go to Change Another Account
Click on Remove Password
Then restart the computer.
Of course this is assuming that you do not have a password on that Administrator account.


4. REMOTE ACCESS SOFTWARE
===========================================
One of the ways to gain remote access to a system is to install remote access software on the computer. This software allows you to put in a password on another computer and take control of the targeted computer. Of course, this software requires you to have physical access to the system and downloading and installing privileges. There are many services that offer these programs, but I only listed the ones that are free. Install any of the following software on the computer to remotely access the system.

A. Teamviewer: http://www.teamviewer.com/index.aspx
B. Logmein123: https://secure.logmein.com/home.asp?lang=en
C. List of available remote access software downloads: http://www.download.com/Remote-Access/31...0_4-0.html
D. UltraVNC: http://www.uvnc.com/

Users most commonly protect data on their systems with a standard Windows password.

This is a good first step that keeps out the average user, but it can be circumvented in just a few minutes. Find out what I’m talking about on "The Screen Savers" when I give you the ultimate guide to recovering lost Windows passwords.

Where oh where is my password?

Windows 2000 and XP passwords are stored in a file called SAM (Security Accounts Manager). It’s located in the C:\windows\system32\config directory. Passwords are encrypted and stored within SAM as a password hash. Passwords look something like this: 8F J7 F3 GK S3 lL O4 E1 G9. To figure out your lost password, you have to extract the encrypted hash from SAM and crack it.

To crack or not to crack?
Before you proceed, you must make a decision. Do you want to recover the old Windows password, or do you want to reset the password? If you want to reset the password, use a nice little utility called ntpasswd. Ntpasswd uses password hash insertion -- it inserts a new password hash that you’ve created into the SAM. This works great, but remember, if you have encrypted anything using the Windows Encrypted File System (EFS), you will need the original user password. That means you have to crack the password.

Cracking Windows passwords
To crack a Windows password you need to extract it from SAM.

1. Boot with Knoppix STD and launch a shell.
2. From the shell, you can view all your NTFS partitions via the LinuxNTFS built into Knoppix STD.
3. Navigate to the C:\windows\system32\config directory.
4. Copy the SAM and system files to a cheap USB thumbdrive.
5. Take each of these files back to another Windows machine and fire up SAMInside. SAMInside uses the SAM and system files to extract the encrypted hash (the SAM file is double encrypted with SYSKEY; SAMInside gets around that).
6. Launch LC4. It will brute-force and dictionary-attack the hash marks. Once the hash has been matched, the final password is displayed.
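Added here as an example from the defender's side (not part of the post above): a small detector, run over constructed Windows event log lines, for the traces the password-reset, account-creation and remote-access-software steps above leave once Windows boots normally. The line format, the `ServiceName`/`Subject`/`Target` field names and the sample data are assumptions; the event IDs are the real ones.

```python
# Added example, not from the post: flag post-compromise traces of the techniques
# described above in (constructed) Windows event log lines.
from dataclasses import dataclass

# Remote-access products the post recommends; matched case-insensitively as a
# substring of the installed service name (our own heuristic, an assumption).
REMOTE_ACCESS_MARKERS = ("teamviewer", "logmein", "ultravnc", "uvnc")

# Real Windows event IDs: 4724 = password reset attempt, 4720 = user account
# created (Security log), 7045 = new service installed (System log).
# Note: an offline reset with ntpasswd or ERD Commander Locksmith never writes
# 4724, because Windows is not running; only the Safe Mode / Control Panel route
# does. Boot-order locks and disk encryption are the control for the offline route.
RULES = {("Security", 4724): "password reset",
         ("Security", 4720): "account created",
         ("System", 7045): "service installed"}

@dataclass
class Event:
    log: str
    event_id: int
    fields: dict

def parse_line(line):
    """Parse one constructed '<time> <log> <id> key=value ...' line into an Event."""
    ts, log, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["time"] = ts
    return Event(log, int(event_id), fields)

def detect(lines):
    """Return one finding string per suspicious event, in log order."""
    findings = []
    for ev in map(parse_line, lines):
        kind = RULES.get((ev.log, ev.event_id))
        if kind is None:
            continue                      # not an event any rule cares about
        detail = ev.fields.get("Target") or ev.fields.get("ServiceName", "?")
        if kind == "service installed" and not any(
                m in detail.lower() for m in REMOTE_ACCESS_MARKERS):
            continue                      # ordinary service install, not a tool from the post
        by = f" by {ev.fields['Subject']}" if "Subject" in ev.fields else ""
        findings.append(f"{ev.fields['time']} {kind}: {detail}{by}")
    return findings

# Constructed sample log lines (not real data).
SAMPLE_LINES = [
    "2008-06-27T01:12:03 Security 4724 Subject=Administrator Target=jsmith",
    "2008-06-27T01:13:40 Security 4720 Subject=Administrator Target=helper",
    "2008-06-27T01:15:09 System 7045 ServiceName=TeamViewer",
    "2008-06-27T01:16:00 System 7045 ServiceName=PrintSpoolerHelper",
    "2008-06-27T01:17:30 Security 4624 Subject=jsmith LogonType=2",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```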