Mar 5, 2018
Bypassing Windows Logon Passwords
Introduction
So a friend of mine had an old laptop sitting around collecting dust at home. He knew I was into computers and asked me if I wanted it. And you know a techie... when someone offers free hardware you just can't say no!
However, he realized he did not remember his password, and wanted to see what files were still on the machine before he let me have it. He was sure he had backed all his files up a while back when he got his new laptop. But he wanted to be certain, and knowing I am a Security Analyst, wondered if I could help him out. So I went ahead and recovered his password so he could log in and delete or save any data he still wanted.
After I completed the task of recovering the password, I decided it would make a great blog article.
So here it is...
History Lessons
All Windows machines have a SAM (Security Account Manager) file, which stores the credentials of the local user accounts (as password hashes, not plaintext). We will look at modifying this file to gain access to the machine.
If you have ever wondered where your username and password were stored... well, now you know!
The SAM file
Why Would I Need To Recover A Password?
Why would someone need to use this tutorial?
I've written it up because sometimes people do actually forget their password. Now they are locked out of their machine and may have some important files on there.
In no way do I suggest users use this tutorial for malicious or illegal purposes. It is strictly for educational purposes for those users that need to regain access to their own Windows machines.
Tools Required
The tool used for this tutorial is Kali Linux, which can be obtained here: https://www.kali.org (it ships with the chntpw utility used below).
Additionally, you will need a USB stick of at least 4GB. (This is so you can boot Kali off the USB and run it as a live OS.)
What to expect
In this tutorial you will learn how to do any of the following:
- Reset a Windows Password (Either as a blank password or your own created password)
- Modify an existing local account so it gains “local administrator” privileges.
- Unlock a locked out user account
The Tutorial
Boot the tool (Kali) from the USB stick.
Load it in Live Forensic Mode.
Once the OS loads, do the following:
Open the “My Computer” window.
Find the hard drive and open it by double clicking on it. Note the hard drive's name (every hard drive will have a different name).
Open up a terminal window.
We now need to locate the Windows SAM file, which contains the usernames and password hashes of all the local accounts on the machine.
Navigate to the following path (it will be different for each user, as every hard drive has a different name):
/media/hard_drive_name/Windows/System32/config
Make that directory, the one containing the SAM file, your working directory.
Run the following command:
chntpw -l SAM
The above command lists all of the usernames on that specific Windows system. The tool reads through the SAM file and extracts the local accounts and their usernames.
chntpw -u "Administrator" SAM
The -u option opens chntpw's interactive edit menu for the named account. At this stage we can see (below) that there is a local account called “Win Lui”. This is the account being targeted to obtain the password.
In the next section, option 1 is selected to “clear” the password, i.e. set a blank password for that user account.
Next we save the change made to the SAM file and confirm that the change was written without any errors.
Cracking The Password
The last step let you set a blank password for a specific username. Another option, and an additional step, is to use a tool to crack the passwords stored in the SAM file. I used a well known tool called John the Ripper; it's a great tool for password cracking.
I've listed the steps below in my screenshot.
You take a dump of the password hashes held in the SAM file, and then run a password cracking tool such as John the Ripper against that dump to find the password.
As we can see the password for the account is displayed as “winpeg”.
Reboot the machine and remove the USB stick, as it will no longer be needed.
Log on with the account. If you set a blank password, no password will be needed. If you set a new password, enter the new password.
You should now be able to log into the machine with the chosen username.
Completed Task
And there you have it!
You now have access to your account and machine once again. I hope this helps out those users that get locked out of their machines.
If you find any other interesting methods to obtain passwords please feel free to share them in the comments section below.