Windows NT, 2000, XP and 2003 Local and Network Admin Password Recovery Freeware

I would definitely try freeware here first. The password can in fact be cracked with a floppy disk, administrative access and a PC with Internet access, see "2nd Note."
Name - Login Recovery
Download URLs - http://www.loginrecovery.com/
Developer - Idea Capital Limited
OS - Windows NT/2000/XP/2003/Vista
File Size - 312 KB
Supported Software Versions or File Systems - FAT32/NTFS
Developer Provided Description - "Login Recovery is a service to reveal user names and recover passwords for Windows NT, 2000, XP, 2003 and Longhorn. As long as you have physical access to the computer, your passwords can be recovered. By following three simple steps, over 98.5% of passwords can be recovered within less than ten minutes. This service does not overwrite passwords, it does not write anything to the hard drive, it does not alter the computer in any way. It simply reads the encrypted passwords for processing through our servers. A free low priority service is provided which can take up to two days to process passwords. If you wish immediate access to the passwords, a priority service is available for a fee of GBP 10.00 + VAT (approx USD 21.48 or EUR 17.66). (Fee introduced to cover costs of the dedicated server farm)"
Comment - This service will reveal an encrypted file's password! This is great, because Windows uses the same password key for both the user's password and an encrypted file. If you have access to an encrypted file, you upload it to the service, it gets decrypted, and now you know your Windows login too, as well as the magical word for all your encrypted files. All that is required is a blank floppy. The way I gather it works is that the program sets up a boot disk for you which accesses the SAM file and syskey file to get your LM hash. The LM hash is your password after it has been sent through a super complicated math formula; the output is always the same if you start with the same word. He then has an enormous table of hashes that has been optimized for quick, efficient searching. This is called a rainbow table. Your hash will be matched with a hash in the table, and all hashes prerecorded in the table have word entries associated with them. So he looks up your hash and gets the password. I think this will work for all passwords up to 14 characters. 15 characters or more get a different hash called the NT hash, which is more difficult to crack. See the next entry if you want to do this yourself.
Name - OPHCRACK
Download URLs - Online service; no direct downloads except to download pwdump2 or similar.
Developer - Philippe Oechslin
OS - Windows NT/2000/XP/2003/Vista
File Size - Online service; no direct downloads except to download pwdump2 or similar.
Supported Software Versions or File Systems - FAT32/NTFS
Developer Provided Description - "Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance."
Comment - If you can get your LM hash (see here to see how; hint: it's the third, long string after the user name and colon (":") and the four-digit number and colon (":")) and your password is just letters and numbers with no special characters, go to the OPHCRACK site above, scroll down to the bottom and enter your hash. Even if your password is 14 characters it will be cracked! I tried it with my 11 character password and it came back perfect. Note the "Login Recovery" method above probably extracts the syskey and encrypted hash, and decodes the hash for processing in a similar way.
Name - Offline NT Password & Registry Editor
Download URLs - bd050303.zip (~1.1MB) - Bootdisk image, date 050303 (md5sum: 4c85bc15286e69f9fd347e07711636eb); sc050303.zip (~1.4MB) - SCSI drivers (050303) (only use the newest drivers with the newest bootdisk; this one works with bd050303) (md5sum: 745a1889b6580bc8f1bfb565e73666d3)
Developer - P. Nordahl-Hagen
OS - Windows NT and XP Pro but not NT or 2000 Server
File Size - 1.1 MB - 3 MB
Supported Software Versions or File Systems - FAT32/NTFS
Developer Provided Description - "Forgot your NT admin password? Reinstall? Oh no.. But not any more.. This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registry's SAM file. You do not need to know the old password to set a new one. It works offline, that is, you have to shutdown your computer and boot off a floppy disk or CD. The bootdisk includes stuff to access NTFS partitions and scripts to glue the whole thing together. Works with syskey (no need to turn it off, but you can if you have lost the key) Will detect and offer to unlock locked or disabled out user accounts!"
Comment - Changes the NT-XP password, does not recover it. Do not do this if you have encrypted files with Windows encryption! (Unless you want to invest $99 in a Windows file decryption program.) My brother tried this or a similar system to log on to a Windows 2000 machine where the password was lost. He reported it worked and was easily done. This will also work with Windows NT and XP Pro but not the NT or 2000 Server Domain Admin Password; for that see the next entry. A message from here http://www.aota.net/forums/showthread.php?postid=91419 suggests the following for XP home: "OKAY, If you are trying to reset a pwd in XP home, simply boot up in safe mode, as administrator go to control panel, users, and change the account! So simple it can be easily overlooked, as I didn't think about it until last....". I don't have the program so I can't verify this. For instance, how can you boot into safe mode without logging in? The latter may be an ignorant question.
Name - NTFS driver & Change a NT password from MSDOS
Download URLs - http://www.cgsecurity.org/ntfs.zip
Developer - Christophe Grenier
OS - NT (2000/XP/2003)
File Size - 599 KB
Supported Software Versions or File Systems - Use from DOS; works on NTFS
Developer Provided Description - "You can access in read/write mode to your NTFS partition files from MSDOS and you can change NT administrator password :)) It works for NT 3.5 and NT 4. Support for >8Gb hard disk. To protect your system against these tools, you only have to forbid floppy disk boot."
Comment - DOS version of the Offline tool above.
Name - Changepw
Download URLs - http://www.joeware.net/win/free/tools/changepw.htm
Developer - Joe
OS - Windows
File Size - 73.5 KB
Supported Software Versions or File Systems - ?
Developer Provided Description - "Command line tool to set passwords.. This requires at least account operator on Domains and administrator on member and standalone machines.. It should actually be called setpw because it does a set operation, not a change, but too late now, this thing has been floating around the web for a good 5 years already."
Comment - What Joe's last name is, is like cracking a password. I don't have the answer yet, but I'm hacking his Website looking for a slip of this seemingly well hidden fact.
Name - LCP
Download URL - http://www.lcpsoft.com/download/lcp504en.exe
Developer - nh
OS - Windows NT/2000/XP/2003
File Size - 2.29 MB (with installer)
Supported Software Versions or File Systems - Not currently available. May be added later.
Developer Provided Description - "LCP is a password auditing and recovery tool for. It can be used to test password security, or to recover lost passwords. The program can import from the local (or remote) computer, or by loading a SAM, LC, LCS, PwDump or Sniff file. LCP supports dictionary attack, brute force attack, as well as a hybrid of dictionary and brute force attacks."
Comment - Not currently available. May be added later.
Name - Dictionary Based Hash Cracker
Download URL - hashcrack.php
Developer - SecurityStats.Com
OS - Windows NT/2000/XP/2003
File Size - NA/Online Tool
Supported Software Versions or File Systems - FAT32/NTFS
Developer Provided Description - "The "Golden Rule" of password security is NOT to choose a password that is easily guessable, or one that might be found in a dictionary. The reason for this is that many hacker tools can crack dictionary-based passwords in mere seconds. This web based demonstration shows how truly easy it is to break dictionary based passwords, regardless of the type of encryption algorithm used to encrypt them. Simply paste in an encrypted password value, and then count the seconds it takes to return the password associated with that encrypted value (won't be long...)
Here is an example:
LANMAN HASH: FDA95FBECA288D44AAD3B435B51404EE
-OR-
NTLM HASH: 066DDFD4EF0E9CD7C256FE77191EF43C
Will return a value of "hello", within about 5 seconds (even using this crude web interface.)"
Comment - Requires the same process but has available a much smaller dictionary than OPHCRACK.
Name - Project RainbowCrack
Download URL - rainbowcrack-1.2-win.zip
Developer - Zhu Shuanglei
OS - Windows NT/2000/XP/2003
File Size - 547 KB
Supported Software Versions or File Systems -
Developer Provided Description - "RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker tries all possible plaintexts one by one in cracking time. It is time consuming to break complex passwords in this way. The idea of time-memory trade-off is to do all cracking time computation in advance and store the result in files so called "rainbow table". It does take a long time to precompute the tables. But once the one time precomputation is finished, a time-memory trade-off cracker can be hundreds of times faster than a brute force cracker, with the help of precomputed tables. Some ready to work lanmanager and md5 tables are demonstrated in the Rainbow Table section. One interesting one among them is the lm #6 table, with which we can break any Windows password up to 14 characters in a few minutes."
Comment - You can buy a precomputed table 64 GB in size that will allow you to crack any NT password up to 14 characters long in seconds. The table costs $400.
Name - How to reset the Domain Admin Password under Windows 2003 Server
Download URL - srvany.zip
Developer - Sebastien Francois
OS - Windows 2003 Server
File Size - 23 KB
Supported Software Versions or File Systems - NTFS
Developer Provided Description - "I have recently installed a Windows 2003 Server at home and I set up a local domain using Active Directory features. Everything worked fine until I changed the Domain Admin password. It seems that I mistyped the new password twice (which I would attribute to the previous heavy night out), and, well, I could not log on the Domain Controller anymore (I did not have a backup admin account, I do now!).
A few tricks about resetting the Domain Admin Password on Windows 2000 Server have been published, but after Microsoft strengthened some security aspects on Windows 2003 Server, those hacks do not work anymore.
After struggling a few days, I finally managed to reset the domain account and I am going to present the trick to you in this paper."
Comment - Sebastien Francois wrote the paper in February 2004. Microsoft might have plugged the security hole by now, or maybe not.
Name - Unlocking Windows NT/2000 Domain Admin Passwords
Download URL - http://home.eunet.no/~pnordahl/ntpasswd/
Developer - Petter Nordahl-Hagen
OS - Windows NT and 2000 server
File Size - 53 KB
Supported Software Versions or File Systems - NTFS
Developer Provided Description - Petter Nordahl-Hagen has written a Windows NT/2000 offline password editor. I have been using various versions of this disk for a few years and have had very good results with it. Thank you, Petter! However, the program only resets the password for the MACHINE Administrator account, not the DOMAIN Administrator account. And wouldn't you know it, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless. Or so it would seem. It turns out that "Directory Service Recovery Mode" uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package..) I was able to reset the password on the DOMAIN Administrator account using the following procedure:
This page is wonderful if you are an IT administrator type.
Comment - Not currently available. May be added later.
Name - Network Password Recovery
Download URL - netpass_setup.exe
Developer - NirSoft
OS - Windows 98/ME (for network passwords only), XP (full functionality). Will not work in Windows 2000.
File Size - 79.2 KB
Supported Software Versions or File Systems - Not currently available. May be added later.
Developer Provided Description - "When you connect to a network share on your LAN or to your .NET Passport account, Windows XP allows you to save your password in order to use it each time that you connect to the remote server. This utility recovers all network passwords stored on your system for the current logged-on user."
Comment - None
Name - Network Share Brute Forcer v3.1
Download URL - netbrute-3.1.zip
Developer - dfg-crew.com
OS - Windows 9X/NT/2000/XP
File Size - 170 KB
Supported Software Versions or File Systems - FAT32/NTFS
Developer Provided Description - "I made this password cracker before we knew about the bug in Windows 9x/ME that made it possible to gain access to folders only knowing the first character. This means that it actually attacks the share using pure brute forcing (or dictionary attack, depending on your settings..)
This sucks because it has to try a helluva lot of passwords, but it's also great, since it doesn't exploit the "share level" bug, it works on Windows 95/98/ME/NT/2000/XP and Linux running Samba!
The oldest of my password crackers is the one that's the least obsolete. Ironic, isn't it? :)
I tried it against a share I've got on a Linux box here, and it tried somewhere around 165 passwords per second. It's not too shabby, it's just that a good password (lots of characters, special characters, etc.) will take forever to crack. It's good fun, though.
I can remember when I first made this program. We used to attend different LAN parties, and people usually had some shares that only their closest friends were supposed to have access to. The thing was, they never had any strong passwords, just a couple of characters long, so this program was cool at the time.
Then came WNNSRPR, and a little later Gahnomen, and they were even cooler! :)
And then Microsoft made a patch. And released Windows 2000. And they became obsolete. So now we're back at step one."
Comment - Not currently available. May be added later.
Name - RockXP
Download URL - According to McAfee the program is a threat or a possible one, see: http://www.siteadvisor.com/sites/s2services.com/downloads/389424/ . I disagree with this, but please follow the Rock XP site link to get the software.
Developer - Korben
OS - Windows XP
File Size - 420 KB
Supported Software Versions or File Systems - NTFS/FAT32, Microsoft Office XP
Developer Provided Description - "RockXP allows you to retrieve and change your XP product key that you used when you installed Windows XP. This can come in very handy if you need to reinstall but have misplaced or lost the CD cover with the serial sticker. In addition, the program also lets you save the product activation to a file, enables you to recover usernames and passwords contained in the Windows Secure Storage, recover your Microsoft Windows Products keys and has a password generator."
Comment - Not currently available. May be added later.
Name - Magical Jelly Bean Keyfinder
Download URL - According to McAfee the program is a threat or a possible one, see: http://www.siteadvisor.com/sites/s2services.com/downloads/389621/. I disagree with this, but please follow the Magical Jelly Bean Keyfinder site link to get the software.
Developer - Aleks Ozolins
OS - Windows 95/98/ME/NT/2000/XP/Server 2003
File Size - 251 KB
Supported Software Versions or File Systems - FAT16/32/NTFS; Office 97/2000/XP
Developer Provided Description - "The Magical Jelly Bean Keyfinder is a freeware utility that retrieves your Product Key (cd key) used to install Windows from your registry. It has the options to copy the key to clipboard, save it to a text file, or print it for safekeeping. It works on Windows 95/98/ME/NT/2000/XP/Server 2003, Office 97, and Office XP. This version is a quick update to make it work with Windows Server 2003."
Comment - Not currently available. May be added later.
Name - LILO password recovery tools
Download Links - Linux version, DOS version, NT version
Developer - Christophe Grenier
OS - Linux, DOS, Windows NT/2000?/XP?/2003?
File Size - 6 KB
Supported Software Versions or File Systems - Ext2/Ext3/DOS/FAT16/FAT32/NTFS
Developer Provided Description - "LILOPwd dumps the LILO map file where passwords are saved in clear text."
Comment - Unless I misunderstand, apparently if you use the LILO OS Loader freeware, your OS passwords (including Windows ones) are stored in clear text in an easily accessible file.
Name - Data Protection and Recovery in Windows XP
Download URL - Data Protection and Recovery in Windows XP
Developer - Microsoft
OS - Windows
File Size - Not Specified
Supported Software Versions or File Systems - Not Specified
Developer Provided Description - This article provides a technical walkthrough that illustrates how to use important data recovery and protection features in Windows XP. Also included are best practices and the steps you need to take to build an effective data recovery and protection strategy.
Comment - Not currently available. May be added later.
Name - InsidePro - Fastest passwords recovery, encryption and cryptography
Download URL - SAMInside Download
Developer - InsidePro.com
OS - Windows NT/2000/XP/2003
File Size - 480 KB
Supported Software Versions or File Systems - Not Specified
Developer Provided Description - SAMInside program is designated to recover Windows NT/2000/XP/2003 users' passwords. The program has small size, doesn't require installation and can be run from diskette, CD/DVD-disk or USB-drive. Includes over 10 types of data import and 6 types of passwords attack. The program is the first utility in the world which started to work with passwords encrypted by system key SYSKEY!
Comment - Not currently available. May be added later.
Name - XP SysPad
Download URL - XP Syspad
Developer - Xtort.net
OS - Windows
File Size - 792 KB
Supported Software Versions or File Systems - Not Specified
Developer Provided Description - XP SysPad is a Windows system monitoring utility that allows easy access to Windows system information and system utilities, such as the individual control panel applets, as well as putting the "hidden" applications in Windows at your fingertips. It recovers lost Windows & MS-Office product keys and provides easy access to Windows System utilities!
Comment - Not currently available. May be added later.

Please note: For commercial software, always be sure to try the demos first to see if the program works before buying. Also, the difference in prices for software that does the same thing can be a large range, like in this case $50 - $299. If possible, try several software solutions before buying. For services, if there is such a thing, be sure there is a guarantee. Commercial software and services for getting around a lost password in Windows NT based systems might be found through the links on my commercial links page (you can also click the link on the navigation structure on the upper left).