hello
I want to know if there is any software which can be used to crack a Windows user's password. (I am going to use this software to simulate a simple attack on a virtual machine having Windows XP as OS, and then I am going to use some Helix programs to try to trace the attack steps. I am going to do a simple escalation attack.)
Please help me.
Thanks for giving a hand.
Cracking Windows XP passwords is relatively straightforward, but you don't do it on the machine that you are trying to crack the password on, so I shouldn't think that the evidence would be particularly interesting!
Try http//
You'll need to boot the machine from a CD or Floppy to get the hash to crack in the first place.
Alternatively you can just wipe the password, which gives you access, but you lose EFS access when you are logged in, as the password is used for decryption …
May I also suggest the use of Google? There are 29,600,000 hits for something like "windows password crack", there may well be something better out there :-)
Thanks for the help azrael
and also for suggesting Google… :D
hello
I have downloaded John the Ripper for Windows and after decompressing the file I have got two directories: one is run and the other is doc.
Next, I have opened a command window (Start->Run->cmd), entered the run directory (of John the Ripper) and then wrote the command "john", but as a result I had this error message:
'john' is not recognized as an internal or external command, operable program or batch file
For more information, I am using a guest account under Windows and am trying to crack the administrator password, all in a virtual machine.
Please can you tell me what's the problem?
Thanks for giving a hand.
You need to cd to the directory where john lives to execute the program
You also need to run the program by the name of the executable …
It is called john-386.exe in the Windows binary distribution …
You can't run the application on its own, you need the passwords to crack. Get the pwdump2 utility from http//
pwdump2 > c:\pwdump.out
Then pass this file to john the ripper in the run directory …
john-386 c:\pwdump.out
You should then see a message something like
Loaded 6 password hashes with no different salts (NT LM DES [32/32 BS])
(SUPPORT_388945a0)
(simon)
(Guest)
(Administrator)
Then, depending on the strength of your passwords … wait … ( and wait … and wait … )
John does _not_ guarantee a crack, and it can be wise to fine tune it with custom dictionaries and rules, especially if you are trying to crack in a different language (Arabic in Tunisia?), as it is written with English in mind.
Also …
Have a look at the thread "how to get around/crack EFS? important", Jonathan makes a very good suggestion …
Sam Inside may get you the user account password when pointed at the exported NTUSER.DAT and Syskey, and with an indexing tool such as FTK you can create a word list of every text string on the disk and then use this as your dictionary attack; you may strike lucky and find the password exists in hiberfil.sys/swap file/unallocated clusters, etc.
You should try doing this to enhance your dictionary attack as well :-)
hello
When I have used pwdump2 I received this message:
"Failed to open lsass 5. Exiting."
and when I tried this command with JTR
"john1701\run> john-386 --wordlist=password.lst"
I received this message:
"Password files required, but none specified."
The problem is that I have verified that password.lst exists in the run directory and it contains a list of passwords, but the dictionary attack doesn't work.
So what shall I do?
Thanks
The first error is interesting - lsass is used by pwdump2 to execute a DLL injection, so not being able to find it is an issue … Try reading up a bit on http//
Also check that you have the latest version …
The second part is nothing surprising though, making the assumption that "password.lst" is a list of passwords that you have obtained through some means. The command to start john is
john-386 password.lst
You use "--wordlist" to pass a dictionary to use in the dictionary attack. So assume that I have a file dictionary.txt that contains
aardvark
boil
crisp
door
elephant
to use this in the dictionary attack against the passwords contained in "password.lst" the command would be
john-386 --wordlist=dictionary.txt password.lst
Try that :-)
Also, and I'm not being unkind or unwilling to help, but try reading the documentation - a lot of answers are available, and examples are there, search Google for "How-to" docs or articles about tools. You'll get a lot more out of the process if you learn to learn for yourself … 😉
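As an added example (not code from this thread, from John the Ripper or from pwdump2), here is a small Python check that ties the two pieces of advice above together: it tells a pwdump-format hash file (the thing John loads as "NT LM DES") apart from a wordlist (the thing that belongs after --wordlist=), and audits the dump for the weaknesses a defender should fix first, namely empty passwords and stored LM hashes. The sample lines and their hash values are constructed placeholders; the two constants are the well-known empty-LM and empty-NT values.

```python
import re

# Constructed sample in pwdump format (user:RID:LM hash:NT hash:::); the hash
# values are placeholders, not hashes of any real account.
SAMPLE_HASHES = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
simon:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

# Constructed wordlist: the kind of file that belongs after --wordlist=, not in
# the hash-file position where the thread's poster put it.
SAMPLE_WORDLIST = "aardvark\nboil\ncrisp\ndoor\nelephant\n"

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

PWDUMP_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")


def classify(text):
    """'hashes' if every non-empty line is a pwdump record, 'wordlist' if none is, else 'mixed'."""
    lines = [l for l in text.splitlines() if l.strip()]
    hits = sum(1 for l in lines if PWDUMP_LINE.match(l))
    if lines and hits == len(lines):
        return "hashes"
    if hits == 0:
        return "wordlist"
    return "mixed"


def audit(text):
    """Map each account in a pwdump dump to the findings a defender should act on."""
    findings = {}
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line)
        if not m:
            continue  # not a hash record; skip (classify() reports such files)
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        issues = []
        if nt == EMPTY_NT:
            issues.append("empty password")
        if lm != EMPTY_LM:
            # LM hashes are case-insensitive, capped at 14 characters and split into
            # two independent 7-character halves, which is why John loads them as "LM DES".
            issues.append("LM hash stored (weak; disable LM hash storage)")
        if rid == 500 and lm != EMPTY_LM:
            issues.append("built-in Administrator exposed to LM cracking")
        findings[user] = issues
    return findings
```

Running classify() on the file you are about to hand to John is a quick way to catch the passlist/wordlist mix-up before the "Password files required" error does.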
Just as a comfort to chinigami, I made the same mistakes using John the first few times, confusing passlist with wordlist.
Took a while and some persistence to get it to work. I'd offer advice but I only use the *nix version.
Concurring with Azrael though, read up on John. There's more than a few tutorials out there. You could save much time by understanding methods and passing it a better suited password list for the type of passes you are trying to crack. Wrong lists, switches, etc. diminish your chances by increasing the cracking time, wasting CPU on completely non-possible combinations.
Kern