
Cracking XP passwords - EBCD not working

Bodine

Member
We had somebody in our company fired for stealing a while ago. My boss wants me to look at his laptop and see if there is anything else incriminating he should be aware of. I've tried the Emergency Boot CD and Offline NT/XP Password Editor (which I think use the same routine), changed the password on his account and gotten "success" messages, but I still get logon failures afterward.

This is a corporate build that has policies in place of locking the administrator and guest accounts, and the only non-locked account available to manipulate is this guy's. I tried unlocking one of the locked accounts but that didn't work either - I got logon failures there too and it was just re-locked the next time I booted the EBCD. The policies also have password requirements (8+ chars, at least one number)... the first time I tried resetting this guy's password I set it to blank - thus violating the policy. The subsequent times I have followed the password guidelines but it still won't log on.

Does anyone know what might be preventing the password from being reset? Any ideas as to how to get around it?

TIA
 
Originally posted by: Bodine
We had somebody in our company fired for stealing a while ago. My boss wants me to look at his laptop and see if there is anything else incriminating he should be aware of. I've tried the Emergency Boot CD and Offline NT/XP Password Editor (which I think use the same routine), changed the password on his account and gotten "success" messages, but I still get logon failures afterward.

This is a corporate build that has policies in place of locking the administrator and guest accounts, and the only non-locked account available to manipulate is this guy's. I tried unlocking one of the locked accounts but that didn't work either - I got logon failures there too and it was just re-locked the next time I booted the EBCD. The policies also have password requirements (8+ chars, at least one number)... the first time I tried resetting this guy's password I set it to blank - thus violating the policy. The subsequent times I have followed the password guidelines but it still won't log on.

Does anyone know what might be preventing the password from being reset? Any ideas as to how to get around it?

TIA

Log into the LOCAL MACHINE (not domain) with the administrator account. Disabled? Not a problem. Go get yourself a copy of ERD and unlock/reset the admin password.

Once you're logged in as admin, you can take any files you want........ unless he encrypted them.
 
Originally posted by: stash
Or buy one of these for 10 bucks and slap the laptop drive in a desktop.

You don't even necessarily need that. You can use a Linux live boot CD or BartPE to access those.

Of course that's assuming things aren't encrypted.
 
Originally posted by: SunnyD

Log into the LOCAL MACHINE (not domain) with the administrator account. Disabled? Not a problem. Go get yourself a copy of ERD and unlock/reset the admin password.

That's what I thought. I unlocked the admin account and set a password within the password policy, but I still got a logon failure and when I booted back into EBCD the account was locked again. This is why I was wondering if policies were affecting things.

So I installed XP into a different directory hoping to crack it with John the Ripper or something... I can access all of the directories -- including his Documents and Settings folder. Now I'm really confused. I thought this was the whole reason that I was cracking his password... that I couldn't access his Documents and Settings folder if I simply reinstalled.

Anyway nothing fishy was found, but I'm still confused as to what happened.
 