Windows Login Password Recovery

OSForensics supports password recovery of Microsoft Windows user accounts by using rainbow tables to compare against the hash values that are stored in the Windows registry. For more information about password recovery in OSForensics, see the sections below:
Recovering the Hash Values
Using Rainbow Tables

Recovering the Hash Values

Windows stores hash values for user passwords in the SAM registry hive file. With access to this file and the SYSTEM registry hive file, OSForensics can recover the LM and NT hashes for the local users of a Windows installation. To retrieve the hash values, go to the Windows Login Passwords tab in the Passwords section of OSForensics, select the location of the registry files to scan and click the "Retrieve Hashes" button. You should see a list of recovered users and hash values, and if you check the "Test common password" option you may see some passwords.

Once you have the hash values, click the "Save to File" button to save them as a PWDUMP formatted text file. You can now use a rainbow table to process the file and check for password matches.

Using Rainbow Tables

For this tutorial we are using the lm_alpha-numeric#1-7_0_23680x23656320_OSF hash set available for download from the OSForensics website. This hash set was generated using a length of 1-7 with the uppercase characters A-Z and the digits 0-9, which covers a very broad range of passwords. Because of the way LM hash values are generated, a password can be up to 14 characters long but the final hash value is actually a concatenation of the hashes of two 7-character halves, so the table only needs to be generated for a length of 1-7.
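The PWDUMP file saved earlier shows this two-half structure directly. The script below is an added example, not part of OSForensics: it reads PWDUMP-style lines (user:RID:LM hash:NT hash:::), splits each LM hash into its two halves, and reports which accounts still have an LM hash stored. The sample lines, the function names and the handling of non-hex LM fields are assumptions made for illustration; the two empty-hash constants are the standard values.

```python
import re

EMPTY_LM_HALF = "aad3b435b51404ee"              # LM hash of an empty 7-character half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample lines: hash values for alice, bob and Administrator are made-up placeholders.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:0123456789abcdefaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
bob:1002:0123456789abcdeffedcba9876543210:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""

def audit_pwdump(text):
    """Return one finding per account: user, RID, LM status, LM halves, blank-password flag."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        # Assumption: an LM field that is not 32 hex digits means no LM hash is stored.
        halves = (lm[:16], lm[16:]) if HEX32.fullmatch(lm) else (EMPTY_LM_HALF,) * 2
        if halves == (EMPTY_LM_HALF, EMPTY_LM_HALF):
            lm_status = "no LM hash stored"
        elif halves[1] == EMPTY_LM_HALF:
            lm_status = "LM hash stored, password is 7 characters or fewer"
        else:
            lm_status = "LM hash stored, password is 8 to 14 characters"
        findings.append({"user": user, "rid": rid, "lm_status": lm_status,
                         "lm_halves": halves, "blank_password": nt == EMPTY_NT})
    return findings

def accounts_with_lm(findings):
    """Accounts whose passwords are exposed to LM rainbow-table lookup."""
    return [f["user"] for f in findings if f["lm_status"] != "no LM hash stored"]

if __name__ == "__main__":
    for f in audit_pwdump(SAMPLE_PWDUMP):
        print(f'{f["user"]:<14} RID {f["rid"]:<5} {f["lm_status"]}')
```

Accounts reported with no LM hash stored are outside the coverage of an LM rainbow table, which is why disabling LM hash storage is the standard hardening step.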

After you have installed the rainbow table (directions are included on the download page), click on the "Retrieve Password with Rainbow Table" tab. Select the newly installed rainbow table and choose the "Select File" option. Browse to the location of the password file you have just saved and click the "Recover Passwords" button. OSForensics will then begin the process of finding matching passwords.

 
