Box Resuscitation 1: password recovery

We recently needed an older computer and discovered we had forgotten a login password. Our development server for designing and testing a website will most likely reside on an older laptop running in dual boot with Windows XP SP 3 and Backtrack Linux 5.

One possibility would be to install a LAMP stack on my DNS_32x NAS, but that’s not really an option as the NAS has other mission-critical stuff to do. I will thus try and see if I can use an old Toshiba Portege tablet with Pentium M and 3-500 MB RAM. Though I can remember the Windows password, the Linux password seemed forgotten, so I set out to reset it. I present techniques for recovering the Windows password at the end.


To reset the password, I booted up off the latest Backtrack CD, then took over the Linux partition and simply changed my password as root.

  1. fdisk -l                      # list all the partitions on the device
  2. mount /dev/sda1 /mnt          # mount the Linux partition with the forgotten password
     We now have two options: either delete the root password hash with vi /mnt/etc/shadow (everything from the $ up to, but not including, the next :), then save and quit with :wq! as shown in a hip-hop video, or go the more elegant route, as follows:
  3. mount --bind /dev/ /mnt/dev   # any dev box needs its /dev :)
  4. chroot /mnt                   # it is now as if we logged in on the laptop
  5. passwd root                   # this allows setting a new password
  6. exit                          # get outta this mess
  7. reboot
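
Deleting the hash in step 2 leaves root with an empty password field, which is the state an audit of the shadow file should look for afterwards. The following is an added example, not part of the original post: it classifies the password field of each shadow entry and reports the ones that need attention. The sample entries and their hashes are constructed.

```python
# Added example (not from the original post): classify the password field of
# shadow(5) entries. The sample data is constructed; the hashes are fake.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"EMPTY", "MALFORMED", "des-crypt", "md5crypt", "unknown"}

def classify(field):
    """Label the second (password) field of one shadow entry."""
    if field == "":
        return "EMPTY"      # what deleting the hash leaves: no password set
    if field[0] in "!*":
        return "LOCKED"     # password login disabled
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "des-crypt" if len(field) == 13 else "unknown"

def audit(shadow_text):
    """Return (line number, account, label) for every entry."""
    findings = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:            # shadow(5) entries have nine fields
            findings.append((lineno, fields[0], "MALFORMED"))
        else:
            findings.append((lineno, fields[0], classify(fields[1])))
    return findings

def needs_attention(findings):
    """Keep only entries with no password, a broken line or a weak scheme."""
    return [f for f in findings if f[2] in WEAK]

SAMPLE = """\
root::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$constructedsalt$FAKEHASHFAKEHASH:15000:0:99999:7:::
bob:$1$constructed$FAKEHASH:15000:0:99999:7:::
carol:!$6$constructedsalt$FAKEHASH:15000:0:99999:7:::
"""

if __name__ == "__main__":
    for lineno, user, label in needs_attention(audit(SAMPLE)):
        print(f"line {lineno}: {user}: {label}")
```

Run against a copy of the real file (for example the one under /mnt/etc/ from the live CD) by passing its contents to audit().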

The default login:password for Backtrack is root:toor and, unfortunately, changing the password as above does not change it for several other critical apps and services. In any event, I do not store critical data on this machine as its purpose is to be a testing tool, so it makes little sense to secure it properly.

Other methods, which I haven’t tried in a long time, include playing with the boot loader.


If your bootloader is an earlier version of GRUB, you should be able to do the following:

  1. Select the kernel
  2. Press the e key to edit the entry
  3. Select second line (the line starting with the word kernel)
  4. Press the e key to edit kernel entry so that you can append single user mode
  5. Append the letter S (or word Single) to the end of the (kernel) line
  6. Press ENTER key
  7. Now press the b key to boot the Linux kernel into single user mode
  8. At prompt type passwd command to reset password.

You may have to mount / and other partitions

    # mount -t proc proc /proc
    # mount -o remount,rw /

...before issuing the “passwd” command in step 8. Afterward, issue “sync” then “reboot”.

If you have LILO, then at Boot: type “linux single”, then do as in step 8 above.

It is possible to secure a box against all these “attacks”. Hopefully, you haven’t done so. If, however, you have protected GRUB with a password, you can use the above or adapt the following older instructions to your situation:

  1. Boot a Live CD (such as Knoppix) into single mode (boot: linux single)
  2. Use fdisk -l to ensure you will mount the correct partition
  3. Mount it: mount /dev/sda1 /mnt (replace sda1 with your own partition from step 2)
  4. Modify the Grub menu file:
    • Debian: # cd /mnt/boot/grub; vi menu.lst
    • Suse: # cd /mnt/etc; vi grub.conf
    • Red Hat / Fedora: # cd /mnt/boot/grub; vi grub.conf
  5. Locate the password line and remove it: # password --md5 so#m^e)*(gibberish/blah
  6. Save and close the file, then reboot: # sync; sync; cd /; umount /mnt; reboot
  7. Change the root password (a version of the above):
    1. Press ‘e’ at Grub prompt to edit command before booting
    2. Select second line
    3. Press ‘e’ again to edit
    4. Type at the end of kernel line init=/bin/sh or init=/bin/bash (last option less used)
    5. Press ‘b’ to boot
    6. type # passwd (it may be necessary to remount root partition before running the command)

If step 7 didn’t work, try a variation of the previous methods.


On OpenBSD, resetting a password follows the general procedure for Linux:

  1. At boot> boot -s # force OpenBSD to boot into single user mode
  2. Next, mount -uw /; mount /usr # mount the file systems in read-write mode
  3. Run passwd command
  4. Sync file system
  5. Reboot and login normally.

Above as elsewhere I used “;” to concatenate commands normally entered on separate lines.


If you forgot your Windows password, you need to determine if you want to just reset it or you want to find it without changing it. If you have encrypted some files with Windows (BitLocker I think it’s called), resetting the password will cause you to lose these files, so you’ll have to go the more complicated and risky route of trying to guess it. If, however, you have not done such a thing, you only need to reset the password. (Also, if you were using a “home” edition, you probably don’t need to worry about losing files in that manner, since the functionality is disabled.) Otherwise, you might want to simply install Windows again, possibly with a newer version.

a) guessing

To guess the password, consider using the free ophcrack Live CD. You download the ISO and burn it to a CD, then boot up with that CD and follow the prompts – it’s fully automatic. If your computer does not have a CD drive, you can use a USB CD drive or burn the ISO to a USB removable drive and boot off it. It can handle Windows XP, Vista and 7 (and soon, 8 as well). Unfortunately, it is limited to passwords of a maximum 14 characters.

Another is John the Ripper. It is available free and also in a “Pro” version, for Linux, Mac OS X and Windows – consider Hash Suite as well. The wordlists necessary for this cracker are available freely and can also be purchased. will employ essentially the same process as above, but it will cost you about $40 to get your password – provided that it can be found.

b) reset

If guessing didn’t work for you, you will have to reset the password. If you were wise enough to create a password reset disk before getting into trouble, now is the time to use it (you can create such a disk from any working computer running the version of Windows you want to recover from). If you haven’t, don’t sweat it: few people ever did.

The main tools for resetting the password are (links in sources):

  1. Offline NT Password & Registry Editor. You download an .iso, burn it, boot up with it, then run it and let it remove your existing password. It works with Windows 7, Vista, 2000, NT and 64-bit versions as well. It will most likely work with Windows 8 final version.
  2. PC Login Now. May cause Windows to detect and report a possible hard drive problem after erasing the password. It also supports Windows XP.
  3. Ubuntu. If you have an Ubuntu CD lying around, you can use it to reset your Windows password. After bootup, enable restricted and multiverse sources in Synaptic, install chntpw, mount the Windows drive from Places, type cd /media/disk/WINDOWS/system32/config/ in terminal, then sudo chntpw SAM which changes the Administrator password. To reset a particular username, try sudo chntpw -u username SAM.
  4. Bart’s PE. This is oldskule, but some people still have the CD. It’s a minimal Windows XP environment (see the links in Sources). This, however, might work only in Windows XP.
  5. Windows CD or DVD. This procedure is for Windows 7, but it should work similarly for other versions. Also, if you don’t have such a CD or DVD but your computer is 64-bit capable, you could use the Hyper-V ISO. Additional free, official sources for Windows ISOs are known and available.
    1. Boot off the original CD or DVD.
    2. Go into Advanced Boot Options and choose  Repair your computer (after language, currency and keyboard). Then click Next.
    3. Choose the OS / drive to fix and “Use recovery tools..”, then Next.
      NOTA BENE: here you have two options. If you have recently changed your password AND remember the old password AND have been using System Restore, go on to step 5. If any of the previous conditions is false or you’re getting an error message, skip to step 6 (though even that won’t work if the whole disk is encrypted; from hj-w7).
    4. Choose System Restore and pick a restore point prior to changing the password. Remember, this obviously assumes that you remember at least your old password!
    5. Restart and log on.
    6. You may have gotten an error message in step 3 due to using an incompatible bootup drive, such as Hyper-V. To recover and continue, press SHIFT-F10 to open a command prompt and continue. If you didn’t get an error message, open a command prompt normally.
    7. Enter regedit to start the Registry Editor.
    8. Select HKEY_LOCAL_MACHINE and then choose Load Hive from the File menu.
    9. Find and open the file SYSTEM on the drive from step 3 – normally found in windows\system32\config.
    10. Enter a key name, e.g., “aaa”, then click the plus icon to the left of HKEY_LOCAL_MACHINE to open it, then select it.
    11. Select Export from the File Menu.  Change the Save as type to Registry Hive Files.  Type a name for the backup, for example, systembackup, and press Save.  (This step creates a backup of the unmodified SYSTEM registry hive as a precaution.)
    12. Open the aaa key, and select Setup.
    13. Double-click on SetupType in the right-hand pane.  Enter 2 and press OK.
    14. Double-click on CmdLine.  Enter cmd.exe and press OK.
    15. Close Registry Editor.  Type “regedit” and press ENTER to open it again.  (This step does not appear to be necessary in Windows 7, but in Windows Vista if you do not do this the next step might fail with an Access Denied error.)
    16. Open HKEY_LOCAL_MACHINE, select aaa, and choose Unload Hive from the File Menu.  Push Yes.
    17. Close the command window and the Registry Editor.  Remove the installation DVD and select Restart.
    18. When your computer boots up, another command window should appear.
    19. Type “net user foo bar”, replacing foo with the username of the account whose password you want to reset, and bar with the new password.  For example, you might type “net user Administrator G0dsmIles”.  Press ENTER.
    20. If you want to use the built-in Administrator account, you will probably need to enable it: type “net user Administrator /active:yes” and press ENTER.
    21. If you don’t know what the administrative username(s) are, type “net localgroup administrators” and press ENTER to find out.
    22. Type “exit” and press ENTER.
    23. When the logon screen appears, use the username and the new password to log in.
  6. MS ERD boot disk. It comes in 3 versions: 5 for XP, 6 for Vista, 6.5 for Win 7 and it has to match the bit version. Even simpler, you can create a recovery CD / USB key (min 1 GB) from a PC running the same version of Windows as the target computer, then boot it.
    1. Use F8 or boot from the disc. Once RE loads, choose Repair your computer, then open Command Prompt and run these 2 commands; the second command will prompt you to overwrite, say yes.
    2. copy c:\windows\system32\sethc.exe c:\
      copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

    3. Restart the PC. When you reach the logon screen, hit the Shift key 5 times and a command window will open. Type the following:
    4. net user <name of the account> <any password>

    5. Hit the Enter key and, when prompted to overwrite, type Yes and hit the Enter key again. Close the command window and log on with the new password you just created.
    6. After that you might want to put the original sticky key file back in its place: boot your PC with the repair CD or USB that you used earlier, and in the command prompt window type the following:
    7. copy c:\sethc.exe c:\windows\system32\sethc.exe

    8. Press Enter, then when prompted to overwrite, type Yes and hit the Enter key again, then close the window and restart the PC.
  7. Kon-Boot. Quite different than the above, does both recovery and reset, but it does not work with 64-bit.
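
The sticky-keys method in item 6 leaves two traces if the last restore step is skipped: sethc.exe becomes byte-identical to cmd.exe, and the original sethc.exe sits in the root of the drive. The following is an added example, not part of the original post, that checks a Windows volume mounted under Linux for both. It goes beyond the post by also checking other accessibility binaries that can be launched from the logon screen; the sample volume in the demo is constructed.

```python
# Added example (not from the original post): detect accessibility binaries
# that have been overwritten with cmd.exe on a mounted Windows volume.
import hashlib
from pathlib import Path

# sethc.exe is the file named in the post; the rest are an added generalization.
TARGETS = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe")

def find_ci(parent, name):
    """Case-insensitive child lookup (NTFS mounted on Linux is case-sensitive)."""
    if parent is None or not parent.is_dir():
        return None
    for child in parent.iterdir():
        if child.name.lower() == name.lower():
            return child
    return None

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_volume(volume_root):
    """Return a list of findings for the Windows volume mounted at volume_root."""
    root = Path(volume_root)
    sys32 = find_ci(find_ci(root, "windows"), "system32")
    cmd = find_ci(sys32, "cmd.exe")
    if cmd is None:
        return ["cmd.exe not found under Windows\\System32"]
    cmd_hash, findings = digest(cmd), []
    for name in TARGETS:
        exe = find_ci(sys32, name)
        if exe is not None and digest(exe) == cmd_hash:
            findings.append(f"{name} is a byte-for-byte copy of cmd.exe")
        if find_ci(root, name) is not None:
            findings.append(f"{name} found in the volume root (leftover backup)")
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:      # constructed sample volume
        s32 = Path(tmp, "WINDOWS", "system32")
        s32.mkdir(parents=True)
        (s32 / "cmd.exe").write_bytes(b"constructed cmd body")
        (s32 / "sethc.exe").write_bytes(b"constructed cmd body")
        Path(tmp, "sethc.exe").write_bytes(b"constructed original sethc")
        print("\n".join(check_volume(tmp)))
```

An empty list means none of the checked binaries matches cmd.exe and no copy was left in the volume root.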

In our next instalment, we’ll look at how to assess the health of the old computer and to update / fix whatever problems we can find.

Sources / More info: wiki-LAMP, cybiz, acdx-how2, mo-3, Bart’s PE-Builder, Password Renew, win7-reset, Microsoft ERD 6.5 boot disk, rb-pdf, hj-w7

