Use Ubuntu to Bypass or Crack Windows XP Passwords

If you forget your password it can be annoying. Here is how to get past those dark days.

Download and burn the latest Ubuntu distribution to CD, this can be found here www.ubuntu.com.

The Bypass Method

Use the CD as a boot disk and load up Ubuntu without installing it onto the hard disk, it can run from the CD. Once loaded fire up the Terminal and run

sudo synaptic

In the window that opens, go to 'Settings > Repositories' in the popup make sure its all ticked except 'Source code'. Then close the popup and any warnings and hit 'Reload' a button on the main toolbar. Once that is complete close the window and head back to the terminal.

sudo apt-get install chntpw

Using this application you can reset of any user IF syskey is not installed. First mount the windows disk, go to places and click on the disk that holds your windows installation. Then its back to the terminal for more command line action.

First navigate to the directory where windows stores the passwords.

cd /media/"something"/windows/system32/config

the 'something' being the name of your HDD where Windows is installed. Run the application to see where you stand.

Here is an example of what you might see

andy@andy-ubuntu:/media/Win7/Windows/System32/config$ chntpw SAM

chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x19000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 8 pages (+ 1 headerpage)
Used for data: 296/55856 blocks/bytes, unused: 11/42192 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03e9 | Andy                           | ADMIN  |          |
| 01f5 | Guest                          |        | *BLANK*  |
| 03ed | HomeGroupUser$                 |        |          |
| 03eb | xbox                           |        |          |

---------------------> SYSKEY CHECK <----------------------- SYSTEM 

SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!

RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0211 =
[X] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is: 0
Total login count: 1

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q] >


So from this you can see the different users and the state of their accounts. To access the Administrator account first we have to 'Unlock' it with option 3 and then reset the password with option 1. Its apparently not a good idea to type a new password, just do that once you logged into Windows.

So all is good, go back to Windows log in as the 'Administrator' and reset the other users passwords.

However if the line above "Syskey not installed" in fact reads something like "Syskey is installed" you have to try a different approach.

The Crack Method

Fire up the Terminal

sudo apt-get install ophcrack && sudo ophcrack

this will install and run the application, you will also need to load firefox, it comes pre-installed and there should be an icon on the bar at the top. Head to ophcrack.sourceforge.net and download the the first XP table, they get bigger as you go down, so just start on with the first. Save this file to the windows disk and then install the table from Ophcrack by clicking the 'Tables' button.

Load the Encrypted SAM file by clicking the 'Load' button and navigating to the .../Windows/System32/config... folder and clicking choose.

Again you will see a list of users, you only want to focus on the Admin so remove the others by clikcing on them and pressing delete. (This only removes they from the Cracking process, it wont delete the actual user)


Add the tables you need, if hashes are in the NT column use VISTA tables if the LM hash column has values use the XP tables.

Select the appropriate table and hit 'Crack' and then sit back and cross your fingers.