Win 7 Home SAM file for admin and user password discovery
I have a dd image of a Win7 Home Premium with two user profiles.
One is admin, the other one is a normal user.
Analyzing the SAM file with RegRipper, I discovered that both users have no password (the phrase is "password not required"), and going into user\appdata\local\microsoft\credential, no file is present.
So I think both admin and user have no password... can anybody suggest other info on how to discover the password for a user profile?
You could download Ophcrack (open source/free) along with the free NTLM rainbow tables. Then you can feed it with the SAM and SYSTEM registry files. It will indeed tell you which user profiles are on the machine. If no password is set, it should tell you right away. If some passwords are set, it will try cracking it for you.
However, the free tables are quite limited. They have "commercial" tables that cover a wider range of characters and number of characters, but they may be a bit expensive (about $1000 last time I checked).
Want to be sure?
Image the machine, fire it up in a VM, login. If no password works, then the user account has no password.
Image the machine, fire it up in a VM, login.
… provided it does "fire up" and it does not stop with a BSOD, often a 0x0000007b one. 😯
Some intermediate Physical to Virtual conversion steps might well be needed.
I think if there isn't any file in appdata\microsoft\windows\credential it means no password is set... perhaps it is better to boot up the image in a VM or to use Ophcrack or something similar.
I think if there isn't any file in appdata\microsoft\windows\credential it means no password is set...
That is not about login password, it is about stored credentials (for external logins/access, like Domain ones)
The Windows login password is still in the SAM hive.
Can't you simply try running SAMINSIDE and have a look at what it finds on a copy of the SAM and SYSTEM Registry hives?
Also, cracking the password may, in some situations, have probative value and/or offer insight into the psyche of the password creator.
I had a case where the laptop owner created a new user account (Windows 7), then used ccleaner to delete volume shadow copies, and then finally he deleted the user account which he used to delete the VSCs.
Early on in my analysis, I thought it was very strange that there was so little evidence being recovered from a five year old laptop.
I was seeing different Windows SIDs depending on which tool I used to reveal and identify RIDs (-500 / -1000 / -1001 / -1001_1001 / etc.) which confused me at first, but led me to use one of TZWorks tools to carve unallocated space in the MFT, thus leading to the identification of the previously deleted SID.
So, it may be worth listing your SID account numbers in at least a few tools to see if all of your tools report the same number of accounts.
If you have the coin, I also highly recommend purchasing Passmark's OSForensics tool at $500 USD. OSForensics will create a full text index of your image and automatically create project specific dictionary attacks in its password module. This has worked a charm for me more than once.
The OSForensics module will also provide an easy report on the SID user account encrypted password values in case you want to try to crack them elsewhere. If there is no encrypted password exposed in OSForensics, then perhaps there is no password to recover.
I think the demo version will allow you to at least pull out the SIDs it sees in the SAM file and display an (encrypted) password if there is one.
I have no professional affiliation with nor interests in Passmark, but am gently pressuring them to roll out a certification process. This tool is the best economic deal in forensics in my humble opinion, but does not seem to get the exposure it deserves.
+1 for ophcrack and then double check with firing up a vm.
For VM stuff look at justaskweg or download LiveView (or whatever the name has been changed to now).
Side note: has anyone created a test where they put a password hint on the machine and then disabled the password? If the hint field is cleared when the password is removed, then that would be a decent test to say that there was a password on the machine (but not to say there wasn't a password).
Solved! SAMInside and Proactive Password are the solution! Both programs specify if there is a password, and after two hours Proactive has broken the password.
Along with the other tools mentioned in this thread, "Windows Registry Forensics" includes tools and a process for determining if a user account has a password, and then cracking it, if that's what you need to do.
The misinterpretation of the flag setting is pretty common.
I tried this program. I downloaded it from the link here.
Then I got the NT hash of the user. Then I put the hash value on "https://crackstation.net/".
It could not find it.
Can we find the exact passwords belonging to Windows users using FTK PRTK or EnCase?