Recovered hashes


The Windows NT/2000/XP/2003/2008/Vista/W7 Security Accounts Management Database (SAM) stores hashed copies of user passwords; a hash is the output of a one-way function applied to the clear-text password. PSPR shows user passwords that can be recovered instantly (including empty ones) or in a very short time (depending on the options).

For these users, it is also possible to change password hashes (and thus the passwords), but that may cause loss of access to personal certificates, network passwords, EFS-encrypted files and some other data. Use this feature with caution.

Password history can also be extracted/decrypted (if the appropriate option is set).

Using this feature, you can dump password hashes not only from the local system, but also from external SAM, SYSTEM and SECURITY files, and/or replace or reset the passwords in those files. Check the Manual decryption box, browse for these files, and press the Manual decryption button.

Please note that the SAM database is normally encrypted with a locally stored system key, and PSPR automatically decrypts it. However, the SYSKEY utility can be used to additionally secure the database by moving the SAM database encryption key off the Windows-based computer. The SYSKEY utility can also be used to configure a startup password that must be entered to decrypt the system key so that Windows can access the SAM database. If the local machine is configured this way, PSPR can try to recover this startup password: click the Find SYSKEY startup password link to open a new window where you can set brute-force and dictionary attack options. The same window is opened if you dump password hashes from external SAM and SYSTEM files (in Manual mode). If the startup password is known, you can enter it there (or if SYSKEY is stored on a floppy disk, point PSPR to that floppy disk in order to get password hashes decrypted for further attacks).

Password hashes of Active Directory users can also be shown (see options); if passwords are stored using reversible encryption, plain-text passwords are recovered instantly regardless of their complexity.
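
Because reversible encryption and empty passwords defeat password complexity entirely, it is worth auditing which accounts allow them. The following is an added example, not part of PSPR or its documentation: it decodes the `userAccountControl` attribute from a directory export and lists accounts flagged for reversible encryption or for not requiring a password. The CSV layout and account names are constructed for the example; the flag values are the documented Active Directory ones.

```python
import csv
import io

# Documented userAccountControl bit values (Active Directory).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",              # empty password permitted
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # reversible encryption
    0x10000: "DONT_EXPIRE_PASSWORD",
}
RISKY = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED"}

# Constructed sample export (assumed layout): sAMAccountName,userAccountControl
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
alice,512
svc-legacy,66176
kiosk,544
old-admin,642
"""

def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}

def audit(export_text):
    """Return [(account, sorted risky flags, enabled)] for accounts needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            uac = int(row["userAccountControl"], 0)  # accepts decimal or 0x hex
        except (KeyError, TypeError, ValueError):
            # Do not silently skip rows that cannot be evaluated.
            findings.append((row.get("sAMAccountName", "?"), ["UNPARSEABLE"], None))
            continue
        flags = decode_uac(uac)
        risky = sorted(flags & RISKY)
        if risky:
            findings.append((row["sAMAccountName"], risky, "ACCOUNTDISABLE" not in flags))
    return findings

if __name__ == "__main__":
    for account, risky, enabled in audit(SAMPLE_EXPORT):
        state = {True: "enabled", False: "disabled", None: "unknown"}[enabled]
        print(f"{account:12} {state:9} {', '.join(risky)}")
```

The per-account flag does not reflect the domain-wide "Store passwords using reversible encryption" policy setting, which has to be checked separately.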


In Manual decryption mode (i.e., for password hashes loaded from Registry files taken from another computer), you can also use the SAM database editor feature to see the details of all user accounts (in read-only mode): select the user account you are interested in and press the SAM database editor link (if no account is selected, the first one in the list will be loaded). The following information is available:

general information (user name, full name, comments, user ID)

hashes (LM and NTLM, including 'history' ones)

flags (a large number of them)

date/time of last logon, logoff, password change/set, account expiration, last bad password

local and global groups

profile

logon hours

misc information

domain information

domain properties

domain password properties (incl. SAM session key and SYSKEY)

Windows logon passwords can also be audited/recovered in Proactive Password Auditor and Elcomsoft Distributed Password Recovery.