winxp home password recovery


TheGeek

hello guys,

I am trying to recover my Win XP Home password. I used this thing that I got from loginrecovery.com. The bad thing is that I have to wait 48 hours and I don't have time. As far as I know the tool already knows the password but it's encrypted. Here is what the file reads:

VERSION:02

Administrator:500:0:0:::

Guest:501:0:0:::

Owner:1003:0,E5,2C,AC,67,41,9A,9A,22,92,AC,E6,7E,FF,9F,3B,65:

_C5,63,D7,E0,2A,67,AE,94,33,65,8B,BA,C2,D7,EB,37,0997F:::

family:1007:0:0:::

 

 

I have figured out that the family and Administrator passwords are nothing, that is why it says ":0:0:::". Does anyone know what the Owner password is? (Is anyone good at decrypting codes?) What is the pattern?

 

If you can't figure out the pattern then please post a link to a program that I can use to recover the password instantly.

 

thanks

Feel free to PM me also.


Would this kind of thing help?

http://home.eunet.no/~pnordahl/ntpasswd/

???

 

I did see this before, but I don't want to reset my password; I would like to see what it is.

 

Just out of interest why do you want this?

 

And can't you change passwords using the admin account?

 

I am trying to see the admin password. Mainly I am trying to see how the code is encrypted. This is only for learning purposes and I promise I will do no harm with this. It's also kind of interesting how "1007:0:0:::" stands for no password; what does "1003:0,E5,2C,AC,67,41,9A,9A,22,92,AC,E6,7E,FF,9F,3B,65:

_C5,63,D7,E0,2A,67,AE,94,33,65,8B,BA,C2,D7,EB,37,0997F:::

" stand for?

 

I always thought that my password was encrypted, thus if anyone wants to see my documents they would need to change the password with something like 5614 referred. When I saw this I don't understand how they are able to access the encrypted password????


If this is purely educational then surely you can wait 24 hours until they decrypt it for you?

 

I am now interested in how the service works.

 

Do you know what file it takes? Or is all you know that you booted off the floppy they supply, send them the file it auto makes and then they magically know the password?

 

One would assume they have some kind of decrypter, or maybe if it's a simple encryption (e.g. C5 = lower case b) they could have just set their own passwords to each and every character and just discovered the encryption that way, maybe.

 

I am going to email their "General enquiries" email to ask how they do it, will post the reply they send here.


I already have figured out what the password is. Now I am trying to figure out how it works too. I could have just changed it, but I want to know how this is possible.

As far as I know this is how it works (the company would obviously not post how it works, but I think I am pretty close to figuring it out):

When you boot from the disk it boots a different OS, then it runs a utility and it records the password in a file called upload.txt. Once you upload this file on their website they will tell you the password in 48 hours, or you can pay to get it right away.

What I will do is keep changing the password from a to Z, from capital to small, from 0-10, and all the characters. I will then make a chart of what it gives me as results. This way I will know what each character is converted to. If anyone wants to help me with this then please help.

 

if you figure out anything then please keep me updated!

 

thanks


You know what your own password is... well, that's a start!

 

Do that thing I suggested with every character. I suppose you could test it: once you know the code for letters a, b, c, d, e, f you could make a password like cbbdef and see if you can decrypt it by yourself.

 

The fact that if you pay it takes 10mins makes me think that this is a computer done system, I doubt humans are available 24/7 on that site, and they must know how to decrypt it, so programming a program to do it for them isn't that hard.

 

Please post what you find as to the algorithms. I'll work on finding out exactly where they get the info from, then we should be able to do the extracting of info and decryption by ourselves!


Details on getting the info in the 1st place:

 

Utilities used:

FreeDos -- The main operating system (kernel and FreeCom used.) -- http://www.freedos.org

NTFSDOS -- NTFS access -- http://www.sysinternals.com/ntw2k/freeware/ntfsdos.shtml

ATXOFF -- Turns off the computer -- http://www.gknw.com/atxoff.html

 

Then this:

 

REM %1 is the drive letter passed in by the caller (e.g. C). Check whether that drive
REM holds both registry hives (SAM and SYSTEM) under either of the two install paths.
if exist %1:\windows\system32\config\sam if exist %1:\windows\system32\config\system goto windows
if exist %1:\winnt\system32\config\sam if exist %1:\winnt\system32\config\system goto winnt
goto end

:windows
REM Note which drive matched in log.txt, then append both hives to upload.txt.
REM "get" is a utility shipped on the disk, not a standard DOS command.
echo. >> log.txt
echo %1: (Windows) >> log.txt
get %1:\windows\system32\config\sam %1:\windows\system32\config\system >> upload.txt
goto end

:winnt
REM Same as above for an NT4-style install under \winnt.
echo. >> log.txt
echo %1: (Winnt) >> log.txt
get %1:\winnt\system32\config\sam %1:\winnt\system32\config\system >> upload.txt
goto end

:end

 

I don't fully understand it. Obviously it is reading from

C:\windows\system32\config\sam

Which is what I expected to find out all along, but it doesn't say where within the file the password exists.

 

Ahhhh, I think I get it.... it uploads the whole file to the floppy, they need to boot off the floppy because if you don't then you can't access the file through windows.

 

From the read-me:

"All the tools on this disk are shareware, freeware or licenced under the GNU GPL (Source code available on request)."

So I think I will go and ask for the source code now, may as well, it won't tell me more than I know, in fact, I don't think it will tell me anything I don't know, but it can't harm to ask!


I booted Knoppix and opened up "sam" with a hex editor (I don't know what kind), but there is also some encryption on this file. The best way to figure out what is going on is by getting the source code for the freeware. If it's under the GPL then the owner might just give you the source.

Have you tried the program for yourself?

Try booting from a live Linux CD and hex the file sam.

Good luck, I'll see what I can do.


The source code is "on order"! (I emailed requesting it).

 

I haven't looked much into FreeDos, NTFSDOS or ATXOFF much, I'm guessing they won't really tell us exactly what we are looking for. Will post source code and reply to what I mentioned in post #5 when I get the replies.

 

have you tried the program for yourself?
No I haven't yet, there's little need to, I know what I'll see (I can read it by converting the .bat files into .txt) and I know the end result (you posted an example) so I don't see the need.

ok, thanks for all the support

Because of you it'll save me a lot of time, because otherwise I would have had to reboot my computer more than 100 times to see what each character means and to find out how the encryption works.

thanks


No problem, I'm finding this very interesting and am almost desperately awaiting their response!

 

I don't think them giving us the source code to the disk will allow us to decrypt it. What they are giving us in source code (this is all my assumption) is how to retrieve the information, they will want us to pay for them to decrypt it. We will need to try and work out (maybe with help of the reply to my email) how to decrypt it ourselves.

 

If the source code and email don't help with decryption, maybe we try passwords with 1 character in, say 5 or 10 each, and that way we will compile a list of 20-ish characters and their corresponding codes; this is all IF it's a simple char-->code encryption system though.


Windows XP uses a hashing algorithm to encrypt the password into the file. Hashing algorithms are one-way algorithms that turn a hunk of data into another hunk of data. When the password is first created the OS turns the password into a hash code, then stores that in hexadecimal values in the password file. Whenever the user attempts to log in, it will again hash the entered password and check the hexadecimal code against the one on file. Once you enter the password the OS has no way to turn the hash code back into a readable password.

Programs like the one offered in this thread will do what is called brute force. They will take the hash algorithms and go through each and every password possible, hash them, and check them against the code in the password file. This can take a very long time depending on the hashing algorithm and the speed of the processors that it is running on, but can find the password. Many such programs also have a dictionary of common passwords that they can check against the user password, and this is the most common attempt to hack computers.

Two of the more common hashing algorithms are MD5 and SHA, and Microsoft does have a proprietary hashing algorithm that can be used to store passwords on Windows machines.

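The post above describes the hash-and-compare pattern, why a wordlist works against it, and (in the later reply about PassWord4Now vs PassWord4Nox) how a one-character change scrambles the whole value. The following is an added example, not code from the thread or from any tool it mentions. It uses SHA-256 from the Python standard library as a stand-in one-way function (Windows XP's own SAM hashes are not reproduced here), and it adds one thing the thread only observes: a case-folding hash, which maps "a" and "A" to the same value and so shrinks the space a guesser must cover, the way the identical first block for "a" and "A" posted later in this thread does. The salted PBKDF2 record at the end is the defender's fix for the unsalted-fast-hash weakness; the iteration count and 16-byte salt are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed stand-in: SHA-256 plays the role of the one-way function. The
# properties shown (one-way check, avalanche, wordlist matching against
# unsalted hashes) hold for real password hashes as well.

def fast_hash(password: str) -> str:
    """Unsalted, fast, one-way hash: the weak storage pattern."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def case_folding_hash(password: str) -> str:
    """Hash that upper-cases first, as some legacy schemes did. Every case
    variant of a password then maps to the same value, so a guesser only has
    to try one case of each letter."""
    return fast_hash(password.upper())

def verify(stored: str, attempt: str) -> bool:
    """Login check: hash the attempt and compare digests; nothing is decrypted."""
    return hmac.compare_digest(stored, fast_hash(attempt))

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def wordlist_match(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary check: hash each candidate and compare with the stored value.
    Because the hash is unsalted, one pass over the list covers every account
    that used the same scheme; the same hashes can even be precomputed."""
    for word in candidates:
        if hmac.compare_digest(stored, fast_hash(word)):
            return word
    return None

# Hardened form: a per-user random salt plus a deliberately slow KDF, so a
# wordlist has to be rehashed per account and each guess costs real time.
ITERATIONS = 200_000  # assumed value for this example

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Create (salt, digest) for storage. A fresh salt is drawn unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_record(record: Tuple[bytes, bytes], attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    _, candidate = make_record(attempt, salt)
    return hmac.compare_digest(digest, candidate)

if __name__ == "__main__":
    stored = fast_hash("PassWord4Now")  # password quoted later in the thread
    print("verify correct :", verify(stored, "PassWord4Now"))
    print("verify one off :", verify(stored, "PassWord4Nox"))
    print("bits changed   :", differing_bits(stored, fast_hash("PassWord4Nox")), "of 256")
    print("a vs A folded  :", case_folding_hash("a") == case_folding_hash("A"))
    print("a vs A plain   :", fast_hash("a") == fast_hash("A"))
    print("wordlist hit   :", wordlist_match(fast_hash("a"), ["password", "letmein", "a"]))
    r1, r2 = make_record("PassWord4Now"), make_record("PassWord4Now")
    print("salted, same pw, same digest?", r1[1] == r2[1], "| verifies:", verify_record(r1, "PassWord4Now"))
```

Two things to take from running it: the one-character change from "PassWord4Now" to "PassWord4Nox" flips roughly half of the 256 output bits, which is why no per-character chart of the kind proposed earlier in the thread can exist; and the salted record produces a different digest for the same password on every account, which is what defeats a precomputed or shared wordlist pass.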

But the website said it takes about 2 mins to do. Considering that when you run this program Windows will not even be loaded, are you sure this is how it works?

 

Looking at the coding for the .bat files involved (there are other .exe files I haven't seen the code for yet though) it seems like it just copies the sam file.

 

Also if it did use a brute force method, then the password would be stored on the disk itself, this would not require the user to send the file to the company. Instead of charging for you to send it to them, they'd just charge to buy the program in the 1st place.


I don't mind sharing the password I used to test this out.

The password I used was "PassWord4Now"; try to see if you can figure out what it's doing.

I also tried the password "a" and it returned: Owner:1003:0,75,84,24,8B,8D,2C,9F,9E,AA,D3,B4,35,B5,14,04,EE:

_18,6C,B0,91,81,E2,C2,EC,AA,C7,68,C4,7C,72,99,04,08DE6:::

So it's not as simple as switching a with another letter but something different. What is going on?

I also think what it's doing is just copying the hex to Notepad. Look at the numbers: they are all hexadecimal.


Try changing the password from PassWord4Now to PassWord4Nox. x is one letter higher than w, and that is the least significant location; the code will significantly change despite the minor difference in the password.

 

Most of the hashing algorithms that are used by brute force hackers are very, very well written, taking very minimal clocks to do each password. This means that they can do many millions of passwords per second per CPU.


I have been trying to figure out what changing the password does to the reply. Here are the passwords I tried it for. I don't see a pattern; if you see something, let me know.

 

password set as "a", the reply i got was:

Owner:1003:0,75,84,24,8B,8D,2C,9F,9E,AA,D3,B4,35,B5,14,04,EE:

_18,6C,B0,91,81,E2,C2,EC,AA,C7,68,C4,7C,72,99,04,08DE6:::

 

password set as "A", the reply i got was:

Owner:1003:0,75,84,24,8B,8D,2C,9F,9E,AA,D3,B4,35,B5,14,04,EE:

_C5,DD,1C,2B,C8,71,9C,01,B2,5B,4E,B2,69,2C,9F,EE,086C5:::

 

password set as "b", the reply i got was:

Owner:1003:0,90,21,39,60,6B,6D,16,B5,AA,D3,B4,35,B5,14,04,EE:

_A0,47,EE,4A,9D,B8,BC,8B,4F,3F,8A,03,D7,2D,EB,80,0842B:::

 

password set as "Ab", the reply i got was:

Owner:1003:0,48,5A,44,50,01,A3,2B,7C,AA,D3,B4,35,B5,14,04,EE:

_BE,E4,12,0A,86,C7,D2,EB,79,FD,36,E2,8B,BB,BE,4A,0911B:::

 

does anyone see a pattern or something???


The point of a hash code is to turn a string of bits into another string of bits in a way that can be checked, where two hashed strings of data have only a very small chance of being the same.

MD5 is one common hashing algorithm. It is a 128-bit hash, meaning that any 2 hashed datasets have a 1 in 340282366920938463463374607431768211456 chance of being the same. This can be used to check a password for authenticity. Once hashed, it cannot be turned back into a string of binary data that will hash into that particular hash code. When the password is entered it can be hashed again, and if the password matches the original one, the hash code will also match.

Not only are hashes used for passwords, however. When transferring a very large file over the internet, let's say 100MB, there is a possibility that a bit may end up reversed, and the file becomes corrupted. If the file is not meant to be used, but instead to be served out again to someone else, having such a corrupt file can be a very bad thing. Since hashes have such a rare chance of coming out the same, you can run the entire file through the hash algorithm on one side and get 128 bits more data to send along with the file. On the other end the received file gets hashed, and if the hash matches the one passed from the provider, there is only an astronomically small chance that the file was corrupted in any way through the transfer.

Once again there is no way to turn the hash code back into anything. If there was, then the hashing method would be broken, and there would be a gaping security problem.

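The file-transfer use of a hash described in the post above, as an added example that is not part of the thread. It constructs a deterministic stand-in for a large download (the thread's 100MB is scaled down to 1MB so it runs quickly), flips a single bit to simulate the corruption the post describes, and checks the digest the way a receiver would. SHA-256 is used instead of MD5 (same idea, 256 bits instead of 128); the function names and the sample data are this example's own.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Digest of an arbitrary byte string: 256 bits rendered as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted (simulated corruption)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def verify_transfer(received: bytes, published_hex: str) -> bool:
    """Receiver side: recompute the digest of what arrived and compare it with
    the digest the provider published for the file."""
    return hmac.compare_digest(sha256_hex(received), published_hex)

def random_match_odds(bits: int) -> int:
    """For an n-bit digest, two unrelated inputs collide with probability 1 in 2**n.
    For n = 128 this is the figure quoted in the post above."""
    return 2 ** bits

def make_sample(size: int = 1_000_000) -> bytes:
    """Constructed stand-in for a large download: deterministic pseudo-random bytes,
    so the 'provider' and 'receiver' in this example can both rebuild it."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])

if __name__ == "__main__":
    original = make_sample()                 # what the provider serves
    published = sha256_hex(original)         # the 64 hex chars sent alongside it
    intact = original                        # transfer with no errors
    damaged = flip_bit(original, 12345)      # one reversed bit in transit
    print("intact verifies :", verify_transfer(intact, published))
    print("damaged verifies:", verify_transfer(damaged, published))
    print("bytes differing :", sum(a != b for a, b in zip(intact, damaged)))
    print("1 in", random_match_odds(128), "for a 128-bit hash")
```

The check only detects accidental corruption if the published digest itself arrived intact and from the right party: anyone who can replace the file on the way can replace a digest sent over the same path. That is why such digests are normally fetched from a separate trusted location or signed, rather than shipped next to the file.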

There has to be some way, because the program is able to get your password. The question is how does it do that?

Let's say x is your current password. You want to log on so you put in y. The program converts it to f(y). If f(y)=x then you put in the correct password. If you can figure out how the password was encrypted, can't you always decrypt it?? :confused:


there is no way to turn the hash code back into anything.

This is true, it's how hash algorithms work.

 

I was talking to a friend about this earlier and he first suggested what Zanthra thought in post #15, after explaining my views he suggested that maybe the floppy drive just copies your sam file and you send it to them. They then use brute force to work out the password.

 

The thing here is that the sam file is copied to floppy, sent to them, and they use brute force.

 

If this is correct all we need is a brute force program... the source code of how to get the same file has been requested by me yesterday, although making it yourself shouldn't be too hard, in theory. You just boot in FreeDOS or some such (you could probably do it off a Linux Recovery CD) as long as it has NTFS access, and just browse to the sam file and it's all yours.


Well I'm currently experimenting with this:

http://www.elcomsoft.com/ppa.html

Free 30-day trial available... I've successfully discovered my own password; well, you just select 'Memory of this computer' and it brings up every username/password on this computer, which means you can get everyone's password on a computer if you have your own account on that computer!

 

I'm working on importing .txt files like the one we get from the boot floppy thing, I don't know where the option (if there is one) is yet.

 

---[edit]---

 

Later on, no success on getting it to deduce the password from loginrecovery.com's upload.txt file. I think that if you just get NTFSDOS, and you'll need a command line compression utility like RAR http://www.rarlab.com/download.htm, and then copy over the SAM and SYSTEM files (the SYSTEM file for me is currently around 3MB; I haven't tried doing this yet and am away for the next few days) but it should compress to 1.4MB, then you just upload the 2 files into that program I mentioned in this post and it'll work it out.

 

===

 

This is a method of doing it...

 

The retrieving method is not as quick and easy as loginrecovery.com's and our brute force decryption method doesn't work with their retrieving method and should work with ours.

 

Our method is not as good as loginrecovery's, so let's keep trying to get it better! I think the aim should be to take the upload.exe file and deduce the password from that; that's the main aim.
