The Realm of the Verbal Processor

Jarvis's Ramblings

Cracking Passwords

When I arrived in Oklahoma on my trip to my cousin’s funeral, one of the big tasks was getting into my cousin’s computer. She had left it turned on and locked. She had changed the passwords for every administrator account on the computer to passwords that no one else knew. In particular, there were four programs running on her computer, and my aunt really wanted to be able to see what they were showing on her screen. We figured one was probably a web browser, one was her instant messenger program, one was possibly her Bible program, and the fourth was an unknown.

Since I am the computer guy, they asked me to see if I could get into it. Because we didn’t know the password to any of the admin accounts, it wasn’t possible to simply change the password and log in. We also didn’t want to shut the computer down, because that would lose whatever was on her screen. That left us with guessing passwords. Over the course of two days, we probably entered three hundred potential passwords…everything we could think of related to Christianity, Lutheranism, her EMT studies, her boyfriend, other family members, birthdates, as well as some of the more common simple passwords (qwerty, 12345, asdfjkl, the word “password”, admin, a blank password, her username, etc). All to no avail. (BTW…side note…if your password is any of the common ones listed, don’t bother…anyone wanting to get into your computer will be in it within half an hour anyway. Change it to something that will actually be useful. Personally, my passwords are typically sentences…around 24-35 characters.)

I had let my aunt know that a Plan B…if we couldn’t guess the password…was to shut it down and I’d take the hard drive out, pull off the password files (SAM database and System registry hive), and crack the password offline. On Friday night we got to that point. I threw the drive into an external USB enclosure, and pulled those two files out of c:\windows\system32\config. I then downloaded and installed Cain on my computer and started the cracking process. The initial pass did not crack the password, so I loaded a dictionary file that I have used when doing password auditing for the organization I work for. That dictionary file has 1,425,824 “words”…essentially any combination of characters that you want to run through a password cracker. I don’t remember where I got the original version of that file, but it is an almost 16MB text file. Less than ten minutes later, we had her password…laryngoscope. Definitely not one that we would have guessed any time this year.

That leads me to another statement. If you don’t maintain physical security of your computer…you have no security. I couldn’t guess Carrie’s password, but once I took the hard drive out, I had all of her files within minutes. Now…if the files are encrypted…that’s a whole different ballgame. Without the encryption key, I’ll never read the files.


February 10, 2008 - Posted by | computers, tech
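The lesson of the post, turned into a check at password-set time (an added example, not part of the original post): it rejects the common passwords listed above and any single dictionary word, including simple capitalisation, leetspeak and trailing-digit variations, while accepting a sentence-length passphrase. The word lists, `MIN_LENGTH`, the username `jdoe` and the function names are constructed for illustration; a real audit would load a full dictionary file.

```python
import re

# Constructed sample lists; a real audit would load a full wordlist file.
COMMON = {"qwerty", "12345", "asdfjkl", "password", "admin"}
WORDLIST = {"laryngoscope", "stethoscope", "lutheran", "paramedic"}
MIN_LENGTH = 12  # assumed policy value, not taken from the post

# Undo common character substitutions (0->o, 1->l, 3->e, 4->a, ...).
LEET = str.maketrans("0134578@$!", "oleastbasi")


def variants(password):
    """Normalised forms that a dictionary run with simple rules also covers."""
    base = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)  # drop trailing digits/punctuation
    return {base, stripped, base.translate(LEET), stripped.translate(LEET)}


def screen(password, username=""):
    """Return (accepted, reason) for a candidate password."""
    if password == "":
        return False, "blank password"
    forms = variants(password)
    if username and username.lower() in forms:
        return False, "matches username"
    if forms & COMMON:
        return False, "common password"
    if forms & WORDLIST:
        return False, "single dictionary word"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("laryngoscope", "Laryngoscope1!", "P@ssw0rd",
                      "my aunt drives a blue truck to church"):
        print(candidate, "->", screen(candidate))
```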

2 Comments »

  1. Hey Jarvis!

    Wow, didn’t know you were a blogging man. Found a newsgroup post from you as I was searching for the meaning of a cryptic error message and saw the reference to a blog. Figured there couldn’t be that many Jarvis’s in IT….sure enough!

    Anyway, you have a TON of good information on here! I know it’s too late, but here’s my solution to the password problem: One, you can use the appropriately named “Offline NT Password & Registry Editor” available here http://home.eunet.no/pnordahl/ntpasswd/. It’s a bootable image that will let you reset the password on any local account (note: it’s better to blank the password than to try changing it. higher success rate). Never had it fail. Alternatively, it’s part of Hiren’s BootCD (http://www.hiren.info/pages/bootcd) which isn’t free, but is a great tool. Between that and ERD Commander of the MDOP, there’s not a whole lot else you need to carry.

    Anyway, just FYI. Hope all is well with you, and I’m adding you to my RSS list…. You’re officially being stalked.

    Comment by Matt Turkington | March 7, 2008

  2. Turk…good hearing from you bud. What cryptic message were you searching on?

    Thanks for the encouragement about the good information. I try to do a complete writeup about any major issue that I work through.

    About the password cracking, your suggestion is a good one. I had found another program that could do a password reset…that was plan C. For my cousin’s computer, it was important to my aunt that (if possible) we find out what the password was.

    As for being stalked…do I need to remind you about my wife’s firepower abilities? :-)

    Comment by Jarvis | March 7, 2008

