How can the assertively most secured operating system in the world be cracked for passwords? How can you crack Windows passwords?
If you have read my second article, also available in this issue,
Security Issues and Solutions, I stated that no system in this world
can be fully secured. There are always loopholes and conflicting
situations in which securing one part reveals some other part's
vulnerabilities. So you are guessing it right: in a step or two we'll
be able to crack passwords.
 
Before further discussion let me clarify that Windows 2000 is available in two broad categories:

1. Windows Server
2. Windows Workstation (Win2K Professional)


Windows Professional passwords are easy to break compared to Server
because Servers mostly have Active Directory enabled, which means there
are separate databases for stand-alone environment users and ADS users,
and normally you will need to crack into ADS users, not normal users. I
will be writing about this in the next articles.

The idea of
this article is not to show off the number of ways I know to crack
Win2K passwords, but rather just to give you an idea of how it could
be done, that is, how to recover Windows passwords. Being a network
administrator for a long time, time has taught me many ways which work
under specific situations. I would like to discuss one very effective
way to perform such a task which works in almost all situations,
even if you have got the most updated version of Windows 2000 Professional,
a version which is completely (assertively) protected by the patches
from the Microsoft Windows Update site.

The following technique
will help you disable and change passwords for Server (without ADS) and
for local user accounts on Professional.

This solution is not
recommended for EFS file systems, so be careful: you won't be able to
access your encrypted files unless you remember the original password with which
you encrypted them. Also, Windows 2000 Servers with ADS installed
aren't eligible for this solution.

You will need to have an empty floppy
with nothing on it; please ensure that it is error-free, otherwise it
will cause you a lot of havoc should you get stuck during the
process. Download this utility, which comes with a floppy image writing
program, from: http://home.eunet.no/~pnordahl/ntpasswd/bd040116.zip
Obviously you need to have WinZip as well so you can unzip this file.
You can download it from http://winzip.com if you don't have it.

1. Unzip the file to any folder; you will now see three unzipped files.
2. Insert a blank floppy in your floppy drive and double-click or Run install.bat. The floppy image is now extracted from the zip. Follow the on-screen instructions to create a bootable floppy.
3. Once the process completes, it is recommended that you collect the following information about the target hard drive:
   - the number of partitions and logical drives it has
   - the name of the folder in which Windows is installed
   - the exact path to the systemconfig folder
   - the names of the security databases: sam, security, etc.
4. After you have noted down all these things, reboot the computer and boot it using the newly created bootable floppy. Follow the on-screen instructions.
5. It is recommended that you blank your administrator password rather than change it, as sometimes changing the password to a new one doesn't work properly.

This was the simple procedure using which you can change your local administrator's and other users' passwords.

The above will work even if you have got Syskey installed with the highest possible encryption.


But what to do if your file system is encrypted? Well, a simple
solution would be to somehow get the sam.dat hive from the config folder
(get it from your backups or however possible) and then use the utility
called L0phtcrack by @stake from their web site. The use of this
utility is pretty simple: you can retrieve the LANMAN hash, Syskey hash
and System MD5 hash by using the previous procedure, i.e. the
bootable floppy. While working, that procedure will show you the
hashes named above. You can note those hashes down and then use any
password cracking utility like L0phtcrack, John the Ripper,
etc. to crack the password.

One of the most effective, though
relatively slow, methods (not that slow; very fast compared to other
brute-force techniques) is to boot your computer using the target
hard drive while ensuring that you are connected to the LAN. You will need to
have two networked computers to perform this. One will be the target
computer, and the other you can use to crack the password of any
specific user.

Download and install the utility named NAT
(nat10bin.zip) from the internet (I cannot provide you specific links;
use any good search engine like google.com to search for that filename)
on the source computer. It would be very good if you could download a
text file with all possible combinations of alphanumeric characters. You can
find those types of files on the internet pretty easily. Use
those files as your password dictionary, though only if you really
don't have a clue what the password could be. Otherwise you can
create a password file of your own, write down all the possible
passwords which you could have set, and use the same utility to crack
into that system.

NAT comes with a fair amount of documentation so I won't need to explain it any further.
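A dictionary attack over the LAN like the one above leaves a trail on the target: assuming auditing of logon events is enabled in the Local Security Policy (it is off by default on Windows 2000), every wrong guess is recorded in the Security log as event 529 ("Logon Failure: Unknown user name or bad password") with logon type 3 (network), and the eventual correct guess as event 528. The following script is an added example written for this article, not part of NAT or any tool the article mentions. It parses a small, constructed tab-separated export of such Security log entries (field layout, host names and timestamps are all assumptions, not real data), flags a burst of failures against one account from one source workstation within a time window, and raises a second alert when a successful logon follows such a burst, which is what an administrator should treat as a likely compromised account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows 2000 Security log entries (not real
# data). Fields: timestamp, event ID, target user, source workstation,
# logon type (3 = network logon, e.g. an SMB session from another LAN host).
SAMPLE_LOG = """\
2003-04-12 09:14:02\t529\tAdministrator\tWKSTN-07\t3
2003-04-12 09:14:02\t529\tAdministrator\tWKSTN-07\t3
2003-04-12 09:14:03\t529\tAdministrator\tWKSTN-07\t3
2003-04-12 09:14:03\t529\tAdministrator\tWKSTN-07\t3
2003-04-12 09:14:04\t529\tAdministrator\tWKSTN-07\t3
2003-04-12 09:14:04\t529\tAdministrator\tWKSTN-07\t3
2003-04-12 09:14:05\t528\tAdministrator\tWKSTN-07\t3
2003-04-12 09:20:11\t529\tjsmith\tWKSTN-12\t2
2003-04-12 09:20:40\t528\tjsmith\tWKSTN-12\t2
"""

LOGON_FAILURE = 529  # "Logon Failure: Unknown user name or bad password"
LOGON_SUCCESS = 528  # "Successful Logon"


def parse_log(text):
    """Parse the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source, logon_type = line.split("\t")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user,
            "source": source,
            "logon_type": int(logon_type),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (source, user) pairs that accumulate `threshold`
    failed logons inside `window`, and for a success that follows a burst.

    A sliding window of failure timestamps is kept per (source, user) pair;
    a pair is alerted at most once for the burst itself, so a long-running
    dictionary attack produces one alert rather than thousands."""
    failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["source"], ev["user"])
        if ev["event_id"] == LOGON_FAILURE:
            q = failures[key]
            q.append(ev["time"])
            # Drop failures that fell out of the window.
            while q and ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "type": "bruteforce",
                    "source": ev["source"],
                    "user": ev["user"],
                    "failures": len(q),
                    "first": q[0],
                    "last": ev["time"],
                })
        elif ev["event_id"] == LOGON_SUCCESS and key in alerted:
            # The guessing stopped with a success: treat the account as compromised.
            alerts.append({
                "type": "success_after_bruteforce",
                "source": ev["source"],
                "user": ev["user"],
                "time": ev["time"],
            })
    return alerts


def format_alert(alert):
    """Render one alert as a single line suitable for a report."""
    if alert["type"] == "bruteforce":
        return ("%s: %d failed logons for %s from %s between %s and %s"
                % (alert["type"], alert["failures"], alert["user"],
                   alert["source"], alert["first"].time(), alert["last"].time()))
    return ("%s: %s logged on from %s at %s after a failure burst"
            % (alert["type"], alert["user"], alert["source"], alert["time"].time()))


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(format_alert(alert))
```

The single failure for jsmith followed by a success is the ordinary mistyped-password case and produces nothing; the six rapid failures for Administrator from WKSTN-07 trip the threshold on the fifth, and the success that follows is reported separately. Tune `threshold` and `window` to the rate at which your own users mistype passwords, and feed the script a real export of the Security log in the same field order.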

Now,
I'll give you a bonus tip. If you want to crack passwords to network
shares on Windows 95 or 98 clients, use this nifty utility: xIntruder
(http://www.irctoolz.com). Just provide the IP address and network share
name to this GUI utility and it will crack the password for you within
20 seconds maximum. Do keep in mind that you must provide the
computer name and the share name in exactly the same case as the original.

Hope
this helps a lot of network administrators like me, who are craving to
have such information to lessen their re-installation work every time
they forget the password.