Dear colleagues,
I have a dd image of a Win7 Home Premium with two user profiles.
One is admin, the other one is a normal user.
Analyzing the SAM file with RegRipper, I discovered that both users have no password (the phrase is "password not required"), and going into user\appdata\local\microsoft\credential, no file is present.
So I think both admin and user have no password... Can anybody suggest other info on how to discover the password for a user profile?
Thanks
You could download Ophcrack (open source/free) along with the free NTLM rainbow tables. Then you can feed it the SAM and SYSTEM registry files. It will indeed tell you which user profiles are on the machine. If no password is set, it should tell you right away. If some passwords are set, it will try cracking them for you.
However, the free tables are quite limited. They have "commercial" tables that cover a wider range of characters and number of chars, but they may be a bit expensive (about $1000 last time I checked).
Want to be sure?
Image the machine, fire it up in a VM, login. If no password works, then the user account has no password.
Image the machine, fire it up in a VM, login.
… provided it does "fire up" and it does not stop with a BSOD, often a 0x0000007b one. 😯
Some intermediate Physical to Virtual conversion steps might well be needed.
jaclaz
Be careful misinterpreting the "password not required" flag.
I think if there isn't any file in appdata\microsoft\windows\credential it means no password is set..., perhaps it is better to boot up the image in a VM or use Ophcrack or something similar
I think if there isn't any file in appdata\microsoft\windows\credential it means no password is set...,
WHY??
That is not about login password, it is about stored credentials (for external logins/access, like Domain ones)
The Windows login password is still in the SAM hive.
Can't you simply try running SAMINSIDE
and have a look at what it finds on a copy of the SAM and SYSTEM Registry hives?
jaclaz
Also, cracking the password may in some situations have probative value and/or offer insight into the psyche of the password creator.
I had a case where the laptop owner created a new user account (Windows 7), then used CCleaner to delete volume shadow copies, and then finally he deleted the user account which he had used to delete the VSCs.
Early on in my analysis, I thought it was very strange that there was so little evidence being recovered from a five year old laptop.
I was seeing different Windows SIDs depending on which tool I used to reveal and identify RIDs (-500 / -1000 / -1001 / -1001_1001 / etc.) which confused me at first, but led me to use one of TZWorks tools to carve unallocated space in the MFT, thus leading to the identification of the previously deleted SID.
So, it may be worth listing up your SID account numbers in at least a few tools to see if all of your tools report the same number of accounts.
If you have the coin, I also highly recommend purchasing Passmark's OSForensics tool at $500 USD. OSForensics will create a full text index of your image and automatically create project specific dictionary attacks in its password module. This has worked a charm for me more than once.
OSForensics module will also provide an easy report on the SID user account encrypted password values in case you want to try to crack them elsewhere. If there is no encrypted password exposed in OSForensics, then perhaps there is no password to recover.
I think the demo version will allow you to at least pull out the SIDs it sees in the SAM file and display a (encrypted) password if there is one.
I have no professional affiliation with nor interests in Passmark, but am gently pressuring them to roll out certification process. This tool is the best economic deal in forensics in my humble opinion, but does not seem to get the exposure it deserves.
+1 for Ophcrack, and then double-check by firing up a VM.
For VM stuff look at justaskweg or download LiveView (or whatever the name's been changed to now).
Side note: has anyone created a test where they put a password hint on the machine and then disabled the password? If the hint field is cleared when the password is removed, then that would be a decent test to say that there was a password on the machine (but not to say there wasn't a password).