
Bypassing Windows Login – The easy way


I am an experienced Vulnerability Researcher and Security Architect with 16+ years of experience in various verticals and horizontals, be it consumer electronics, semiconductors, automotive or other. Having started as a software engineer in low-level embedded devices, from writing applications to kernel drivers on various operating systems, I then moved to my real calling, i.e. hacking. I love to stick to the older golden days of game hacking, BBS, shareware, phreaking, Phrack, the virus era, metal music, cheats and many more such cool stuff from the underground. I wear many hats from time to time as necessary, but I also love to help people and organizations deal with the core cybersecurity issues and not provide them a checklist with a presentation. Opinions and posts on my site are purely my own and do not reflect my work.

Recently I came across an office laptop which everyone had forgotten the password of. Little to my surprise, all the standard combinations that we use didn't work either. Being part of a startup, we do not have a domain controller or a super admin account like the ones available in enterprise environments, where such an admin account can manage the users on the PC/machine in a defined and proper way.

However, we don't have any such provisions – I know it sucks!

Unfortunately, after trying multiple password combinations and combing through BIOS settings, I decided to reset it using a different mechanism: the one way forensics guys extract data from locked machines.

Method:

  • I downloaded a copy of Pop!_OS (it doesn't matter which one; Kali will work fine too)

  • Wrote the ISO to a bootable USB with Balena

  • Plugged the USB into the Windows machine

  • Booted into the live Pop!_OS

  • Connected the live OS to WiFi for downloading some tools

Tools required:

  • lsblk – to find out where the Windows partition is mounted

  • samdump2 – to dump LM/NTLM hashes from the SAM file (\Users\Windows32\system\SAM)

  • bkhive – to read the SAM file, as it is in Windows registry format

  • chntpw – to edit the SAM file

Execute:

# chntpw -l SAM      (returns the list of users in the SAM file)
Select your user.
# chntpw -r 
The tool will ask you to reset or clear the password:
  • Just select option 2 to clear the password for your user.
  • If the user is locked, unlock with:
# samunlock -U 
  • Then run chntpw again to clear the password.

If this succeeds: reboot and remove the live USB!

The password for that user should now be cleared, and the login must accept an empty password.

Done !

Note: This might not work in a number of scenarios, such as the ones below:

  • BitLocker is enabled

  • Some tool is protecting the SAM file

  • The SAM file is stored encrypted

  • A password is set to protect the SAM file

  • You can also try to crack the LM/NTLM hashes found in the SAM file – but if the password is strong, then you will be out of luck.
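The first caveat above is the one worth checking on the defending side: a live USB can only edit the hives if the system volume is readable offline. Below is an added example (my own, not part of the original post) that reports whether the Windows system drive is fully encrypted with BitLocker, has protection switched on, and is bound to a TPM key protector. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows Pro/Enterprise), an elevated session, and the function name Test-OfflineSamProtection is my own.

```powershell
# Added example: report whether the Windows system volume is protected against
# offline hive editing (BitLocker fully encrypted, protection On, TPM protector).
# Assumes the BitLocker and TrustedPlatformModule modules; run as Administrator.
function Test-OfflineSamProtection {
    [CmdletBinding()]
    param(
        # Drive that holds \Windows, and therefore the SAM and SYSTEM hives
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $tpm = Get-Tpm

    # Collect the key protector types (Tpm, TpmPin, RecoveryPassword, ...)
    $protectorTypes  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasTpmProtector = [bool]($protectorTypes | Where-Object { "$_" -match '^Tpm' } |
                              Select-Object -First 1)

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # want FullyEncrypted
        ProtectionStatus  = $vol.ProtectionStatus    # want On (protectors active)
        EncryptionPercent = $vol.EncryptionPercentage
        KeyProtectors     = ($protectorTypes -join ', ')
        TpmReady          = [bool]$tpm.TpmReady
        # All three must hold for the hives to be unreadable from a live USB
        Protected         = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                             $vol.ProtectionStatus -eq 'On' -and
                             $hasTpmProtector)
    }
}

# Usage: surface the finding the way a hardening baseline check would
$r = Test-OfflineSamProtection
if (-not $r.Protected) {
    Write-Warning "System volume $($r.MountPoint) is NOT protected against offline hive edits:`n$($r | Out-String)"
} else {
    Write-Output "System volume $($r.MountPoint) is BitLocker-protected with TPM; offline SAM edits need the recovery key."
}
```

A ProtectionStatus of Off with VolumeStatus FullyEncrypted means BitLocker is suspended, which is exactly the window in which the procedure above would still work, so the check treats it as unprotected.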

Hacking Tales From gh0stshell

Experiences of the past applied to today's CyberSecurity Context