Can't Crack Windows Password With Conventional Tools


kurt

Recommended Posts

My company uses domain login for Windows XP. I have an old laptop which has not been connected to the network for a long time. Over that duration, many cycles of "password expired, please change" have occurred, so I can't really recall what password was used for this laptop back then.

Ophcrack did not work for domain login.

I really need the old data from this laptop drive (the data on which is encrypted with the Windows password).

Company IT sucks, couldn't help retrieve old passwords.

Help, anyone?

Thanks in advance.


The ideal implementation of password storage makes it impossible to determine the password by anything short of already knowing it. However, Windows does have some issues; some of these issues are correctable, some are not.

In this instance, it would appear that one of the issues ('easy to guess' passwords) has been rectified. You can try larger rainbow tables which contain more passwords; however, it may be the case that the only option remaining is to brute force the password, setting rules as to the length and character contents, maybe.


You can try several things. 1) Create a new user on the machine, and give him ownership of the old user's files. Then, turn off the encryption. You must have administrator-level access to do this. Administrators can undo the Windows encryption on files and folders. 2) If it won't let you remove the encryption because you don't have admin rights, you will need something like UBCD4WIN, and then reset the admin password to whatever you want. Boot as admin (locally, not on the domain, obviously) and then take ownership of the files.

If that doesn't work, copy the files from the drive to a FAT32 drive. FAT32 can't do the EFS stuff, and should remove the encryption; this also requires admin access though.

And lastly, boot off a Linux disk, see what is actually encrypted and what isn't, see what you can see from there and copy off what you need, format, reinstall, restore.

Now, as far as I know the Windows encryption can always be undone so long as you are #1, admin, and #2, take full ownership over all containers, sub-containers and files, replacing the default user. Then, you should be able to right click the parent container and undo the encryption. If for any reason the encryption is something other than normal Windows encryption, such as TrueCrypt, BitLocker, 3rd party, etc., then you're shit out of luck unless you can brute force the password. Also, make sure you are not trying to log on to a domain that doesn't exist any longer; set it to log on locally. Your password may be correct, but it could be trying to log on to a domain it can't reach, hence it can't authenticate you on the network. Ophcrack can't break domain passwords unless Windows still has a local copy cached, which under default settings I think only survives for 14 days unless overridden by a group policy setting, which could even set it to never cache the credentials.

Edited by digip
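A defender-side check, added here as an example and not part of any post in this thread: it inventories which files under a path carry the EFS encrypted attribute, shows (on Windows 7 or later, where `cipher /c` exists) which user certificates and recovery agents can decrypt each one, and reads the cached-domain-logon setting digip mentions. `$Root` is a hypothetical path and the script assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session.
# $Root is a hypothetical starting folder for the inventory.
param([string]$Root = "$env:USERPROFILE\Documents")

# EFS marks every encrypted file and folder with FILE_ATTRIBUTE_ENCRYPTED (0x4000).
# Knowing what is encrypted before a profile or key is lost is the cheap part.
$encrypted = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

"{0} EFS-encrypted item(s) under {1}" -f ($encrypted | Measure-Object).Count, $Root
$encrypted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# cipher /c (Vista and later; XP's cipher.exe lacks this switch) lists, per file,
# the user certificates and the recovery agent certificates that can decrypt it.
# A file whose only listed certificate belongs to an unreachable user, with no
# recovery agent, is exactly the situation the original poster is in.
foreach ($f in ($encrypted | Where-Object { -not $_.PSIsContainer })) {
    cipher /c $f.FullName
}

# CachedLogonsCount: how many recent interactive domain logons Windows keeps
# locally so the user can still log on when no domain controller is reachable.
# It is a REG_SZ; when absent the default applies (10 on workstations).
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$value = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $value) {
    "CachedLogonsCount not set; default (10) applies"
} elseif ([int]$value -eq 0) {
    "CachedLogonsCount = 0; no offline domain logon is possible on this machine"
} else {
    "CachedLogonsCount = $value recent domain logons cached"
}
```

The `cipher /c` output is the item to act on: every encrypted file should list at least one recovery agent certificate whose private key the organisation actually holds, otherwise the data depends entirely on the original user's key.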

You should just be able to do the following:

*Crack* local admin password

Log in as said user

Re-join the domain

Log in with current password.

Your IT dept should take about 5 mins to do this.


> You should just be able to do the following:
>
> *Crack* local admin password
>
> Log in as said user
>
> Re-join the domain
>
> Log in with current password.
>
> Your IT dept should take about 5 mins to do this.

If it's still part of their network, they could have reset the password for him. Like you said, it would take them only a few minutes to fix the issue. I was under the impression he no longer uses it on their network, as in it is now his, at home. Otherwise, he could have gotten work to fix it. Either way, he should have been able to crack the local admin password with Ophcrack unless the password was longer than, what is it, 15 characters, which would then need larger rainbow tables? Or they disabled the admin account via GPO.

It's also possible the login he used on the laptop might have only been a roaming domain login, and not a local user on the machine itself, so the Admin account would most likely be the only local user. If that's the case, the user profile would eventually stop working with no password to reset locally.

Edited by digip

If it's joined to the domain, all the IT people would need to do is reset that account's password and you are good.

If the data is encrypted with the Windows domain password, you are pretty much boned. You'd need to have the IT dept reset the password for you.

@digip: Thought you had to know a restore mode password or something to recover encrypted files?

Edited by Charles

Or use Kon-Boot and log on as the account you need, back up the files, and all good :)

Kon-Boot won't work for a domain login, only local logins.

If you are going to encrypt the data you sure as fuck should know the password. I am suss on the IT dept not even thinking of resetting the password for the domain account. Smells like BS to me, or you truly have the dumbest cunts on earth working there.

Yeah, it does smell a tad fishy, but if he got it from work due to upgrades and this is now his own machine, then I can see the password being a problem. My work used to give us old machines when upgrading the OS or phasing out the majority of old hardware, as there wasn't really any sensitive data on them due to users being novel clients and everything you saved was to a share on the network. The only thing local users had access to was the Office products installed on the machine, which, by the time we were done with them, we wiped out anyway.

One of two things: either he stole the laptop and wants to see what's on it, or he just doesn't know much about it and his work gave him the device. If he still works there and it's still supposed to be part of their network, then he should have IT reset the password, which is common sense. You can't reset a domain password locally anyway, as it's part of Active Directory, and the authentication flows from them down the tree, not from the user to the domain. Changing the password locally only gives you local user access, not domain login credentials, and that's only if it was a local user of the machine, and not a roaming domain-only profile.

Edited by digip

How about using http://home.eunet.no/pnordahl/ntpasswd/, to change the administrator password.


You don't even need your domain account password reset. If you can still connect to the domain with a valid account then you may need the machine re-added to the domain, but otherwise, once it's connected it should just accept whatever password you're using now and you'll be in.

If you can't do this, then either you're a former employee or someone with less than legitimate access to the system. Either way, you need to establish how the disk/data is encrypted and if you can retrieve the cached credentials for the target domain account by cracking/changing/enabling the local admin account and running Cain & Abel. Then you might be able to log in as that user.


What I was saying is that, if he has a local admin account on that laptop and can't remember what the password is, all he could try is resetting the password with ntpasswd, if worst comes to worst.
