We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


SAM / Recover Password

pma111 asked
Medium Priority
Last Modified: 2012-05-06
Considering a criminal had stole a corporate laptop. What techniques do hackers use these days to get hold of the actual password for the PC's local users / profiles. The Laptop is XP OS and when on the network logs into our active directory. I have read local user passwords live in the SAM hive.

Fortunately, we have not had any laptops stolen (yet), and are looking into disc encryption. We can engage an external pen tester to see how susceptible our group policies are to passwords being obtained by a malicious source. But if I could find out which settings help protect a users password that would be a good starting point.
Watch Question

Speshalyst Tech Support professional
this should help you get started..

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
My favorite tool for finding passwords is either NToffline recovery or 0phcrack live cd.

youve probably heard of NToffline it lets you change or blank out a local password.

This functionality is also available in tools like ERD commander, ultimate boot cd, or BartPE cds.

My favorite tool is the 0phcrack live cd. This will actually go through the sam and try to uncover the plaintext of the password. The free live cd will only work on weak passwords (no special characters) but you can get tables that cover all characters.

also forgot to mention it is not really necesary for them to break the password to get to the files. They can simpy use a live linux cd to go in and browse any directories on the computer. As mentioned above BartPE, Knoppix, and any other live CD distribution out there.

They could also simply take the hard drive out of the laptop/desktop and slave it into another system. Then it acts just like any other storage device.


Is there anything to do that would prevent any of the above mentioned cracking techniques.

Interesting you mention slaving, I did think about a cracker just adding it onto their ribbon cable and setting the jumpers to slave, but I wasnt sure if the NTFS permissions / share permissions remained in place though?


And can you use the boot CD's you mention and copy files out to attached storage drive, or just browse directories?

Well in regards to your questions.

1. As far as I know there isnt really a defense against the NT offline password recovery. The link speshalyst posted may be able to defeat it but I do not have any experience testing against it.

2. The rainbow table attack can be minimized although not completely defeated. Basically the long and more complex the password the larger the rainbow table needs to be to expand all of those possible cobinations. The following link while not specific to windows will give you an idea of the sizes of rainbow tables needed for certain character sets. I have seen windows cracking tables on torrent sites where some are larger than 50, 100, 150 gb.  

3. I think that when you slave the drive you may be able to access the files regardless of the NTFS permissions. However I may be wrong on this.

4. With bootable CDs you can copy the files to other media wether it is a usb stick, usb hdd, network share, and some even come with cd/dvd burning utilities. I know for sure tha NTFS permissions are completely disregarded when using most of these as alot are linux based.

Hope this helps.


I'll get reading on the slave / master thing. Thanks for your advice. Will try and get some of these linux discs see whats what on them.

Id reccomend knoppix and ultimate boot cd 4 windows. I have used these in the past. I know thye have file browsers and can remove data from drives. The ultimate boot CD has an unlocker program i believe. Once you start looking at the live CDS im sure youll find some with hacking abilities.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.