winlogon Password  
sachin
(@sachin)
Junior Member

We have received a case (OS: Win XP Prof) involving examination of accounting software (Tally) and email analysis. We have imaged the HD for analysis and restored another copy of it by using EnCase.
When the restored HD was attached to the workstation it was asking for a logon password. The logon password is created by the Ctrl+Alt+Del key sequence.
Any suggestions regarding how to log on?
Where does the logon password created by the Ctrl+Alt+Del key sequence reside?

sachin

Posted : 01/11/2006 1:54 pm
SamirDatt
(@samirdatt)
New Member

Sachin

Use the NT Access Utility that came with the AccessData UTK you have - alternatively, please contact me off list.

Posted : 01/11/2006 5:42 pm
dj_chiro
(@dj_chiro)
Junior Member

An ERD Commander disk can change NT passwords as well.

Posted : 01/11/2006 7:39 pm
psu89
(@psu89)
Active Member

I have successfully used Ophcrack to recover Windows passwords. When it works, I feel it is better than changing an unknown password (as with ERD).

Posted : 02/11/2006 12:01 am
skip
(@skip)
Member

I have successfully used Ophcrack to recover Windows passwords. When it works, I feel it is better than changing an unknown password (as with ERD).

I could see some nice side effects to cracking the Windows hash.
You may get some insight into the user, potentially the password for many other relevant accounts/usernames.

Example: what could you guess about a user with the following passwords…

sy$t3m.5 (maybe there are more systems 1-4, perhaps).
id4s!teXYZ (maybe the password for site ABC is id4s!teABC)
ciogoufiofae or
naawoaroakau or
guefaasiocooye (these are randomly generated but PRONOUNCEABLE passwords…maybe there is a password file protected by one other password, on a palm pilot or on USB key)
[email protected]^gionu (maybe it is written down some where)

and so on and so forth….

If you have the time, crack it.

Posted : 02/11/2006 12:33 am
Alan
(@alan)
Member

The Passware Kit from lostpasswords.com has a module for cracking Windows logins. I have used this in the past and it works very well.

Alan

Posted : 02/11/2006 2:49 pm
_nik_
(@_nik_)
Member

The location of the password (or more accurately, its hash) is in the SAM hive. There are many password crackers that just need the SAM and SYSTEM hives.

Or you could run EnCase with the EDS module.

Nik

Posted : 02/11/2006 11:07 pm
Andy
(@andy)
Active Member

SamInside is a good program for recovering NT and LM passwords. Extract the SAM and System files from your image and use it. Better still if you can get hold of some Rainbow tables……

Posted : 03/11/2006 3:27 am
iruiper
(@iruiper)
Active Member

I can't see the use of EnCase EDS here. Isn't it useful just for EFS? I don't think you can get a Windows logon password from it.

Posted : 06/11/2006 2:12 pm
echo6
(@echo6)
Member

I can't see the use of EnCase EDS here. Isn't it useful just for EFS? I don't think you can get a Windows logon password from it.

That is correct, EDS allows you to view files encrypted using EFS within EnCase, but does not provide you with the user's password.

Posted : 06/11/2006 2:28 pm
yey365
(@yey365)
New Member

There is also the old favourite of pressing Ctrl-Alt-Del twice to invoke the Administrator account. Often this account is left without a password during the installation phase and is rarely rectified post installation.

Regards,

Jim

Posted : 06/11/2006 4:24 pm
_nik_
(@_nik_)
Member

That is correct, EDS allows you to view files encrypted using EFS within EnCase, but does not provide you with the user's password.

EDS does scan the autocomplete/IE, FTP and Autologon passwords and displays the found information. Autocomplete can be analyzed with a script. Also you can run a dictionary/bruteforce attack against the Local and Domain users' passwords.
Or you can export the PWDUMP file for the local users, so you can run rainbow tables over them.

Nik

Posted : 07/11/2006 1:28 am
TMD22
(@tmd22)
Junior Member

Gentlemen

When we are talking about cracking the WIN logon password, is it from the "mirror image" or the copy of the actual hard drive?

Just curious, as I have never yet come across this problem.

Thanks

Mark

Posted : 07/11/2006 4:33 am