Cracking windows passwords is no more difficult than any other set of passwords that need to be cracked via brute force/rainbow table lookup -- it's all about getting your hands on the right files to begin with.
Why?
I actually have a fairly legit reason for this, other than pure curiosity: the professors and lecturers who have Win 7 at this Uni aren't given administrator access, so that they need to make an appointment with IT staff everytime they want to install or upgrade something. In my opinion, that's taking things way, way too far, especially in light of OSX user and Linux users don't face the same restrictions (I requested my computer to be delivered blank, so not even the IT staff can gain access without physically accessing my hdd).
I've also twice been in situations where a lab computer was set up by a PhD student who had since left, but without telling anyone the BIOS password in one case (remove CMOS battery, drain the power by shorting) and NT 4 password in another case (boot using linux, replace the screensaver file with cmd, boot, then wait and you've got admin access). Adding a few more techniques to your arsenal makes you a more well rounded human being. Plus you might gain a bit more respect from the students. Maybe.
Windows files that you need
You'll need to copy two files from your Windows harddrive (most likely o C:). Since you can't access those files from within windows, the easiest way to do that is to make a bootable USB with linux on it, boot, then mount the windows partition and copy the files. It does require that you know how to mount devices from the command line in linux (hint: read up on mount) but it's really quite easy.
See here for how to make a linux usb install:
Arch: http://verahill.blogspot.com.au/2013/02/331-full-linux-install-on-usb-stick.html
Debian: http://verahill.blogspot.com.au/2013/03/361-installing-debian-on-usb-stick-from.html
On Windows Vista and Windows 7 you need to copy
/Windows/System32/config/SAM
/Windows/System32/config/SYSTEM.
On Windows XP you need to copy
/WINDOWS/system32/config/system
/WINDOWS/system32/config/SAM.
I prefer John the Ripper, but ophcrack is in the repos.
Ophcrack
Ophcrack is one alternative for which you can download rainbow tables, while John the Ripper can do it via password lists and brute force. You can get Ophcrack from the Debian repos as well as AUR in ARch.
Start with Xp Free Small or Vista Free, depending on whether you're going after XP or Vista/Windows 7 passwords. If your passwords still won't break, you can always get a bigger table. Put your tables in e.g. /tmp/crack/xp and /tmp/crack/vista
Do (for xp -- point towards /tmp/crack/vista for vista/windows 7)
where -n 6 means to use 6 threads (use as many as you have cores). You can also launch ophcrack with a graphical user interface by simply typing ophcrack.
John the Ripper
On Arch you can get John the Ripper via the standard repos, and on Debian you can easily compile it.
You should get a good password list to guide your cracking -- rockyou is probably one of the best:
To crack XP passwords, run
john --wordlist=rockyoutxt --format=lm crack.list
To crack Vista or Windows 7 passwords, run
john --wordlist=rockyoutxt --format=nt crack.list
If you have compiled john the ripper with mpi support, just launch it along the lines of
mpirun -n 6 john --wordlist=rockyoutxt --format=nt crack.list
There's no guarantee that you'll successfully crack all passwords -- it simply depends on 1) how common the passwords are or 2) whether they are short enough to brute force. I've used the methods above to crack passwords on a couple of machines (even virtual ones).
If you're really lazy and want a fully automated cracking experience, just use the ophcrack live cd. The downside is that you'll be occupying the machine which holds the windows installation until you're done cracking. With the method here you can crack at your leisure on your own windows machine.
Windows login passwords by using LM/NT hashes through rainbow tables. Tips: A rainbow table is just a large database of precomputed hashes for a. If it's empty, you need to download the rainbow tables from Ophcrack website. Windows 7/Vista/XP/2008/2003 if I Forgot Administrator Password. Ophcrack is a free Linux Live CD that cracks Windows login passwords by using LM/NT hashes through rainbow tables. The most common issue you may experience with Ophcrack is “Tables not found” or “No tables found”. You need to download the rainbow tables from Ophcrack website. Unzip it and copy the contents to a USB thumb drive.
Note that Vista and Windows 7 are the same in terms of how the passwords are stored. XP is different. You'll need to appropriate hash tables when cracking using Ophcrack-- you can't use XP hashes to crack Vista/7 and vice versa.Why?
I actually have a fairly legit reason for this, other than pure curiosity: the professors and lecturers who have Win 7 at this Uni aren't given administrator access, so that they need to make an appointment with IT staff everytime they want to install or upgrade something. In my opinion, that's taking things way, way too far, especially in light of OSX user and Linux users don't face the same restrictions (I requested my computer to be delivered blank, so not even the IT staff can gain access without physically accessing my hdd).
I've also twice been in situations where a lab computer was set up by a PhD student who had since left, but without telling anyone the BIOS password in one case (remove CMOS battery, drain the power by shorting) and NT 4 password in another case (boot using linux, replace the screensaver file with cmd, boot, then wait and you've got admin access). Adding a few more techniques to your arsenal makes you a more well rounded human being. Plus you might gain a bit more respect from the students. Maybe.
Windows files that you need
You'll need to copy two files from your Windows harddrive (most likely o C:). Since you can't access those files from within windows, the easiest way to do that is to make a bootable USB with linux on it, boot, then mount the windows partition and copy the files. It does require that you know how to mount devices from the command line in linux (hint: read up on mount) but it's really quite easy.
See here for how to make a linux usb install:
Arch: http://verahill.blogspot.com.au/2013/02/331-full-linux-install-on-usb-stick.html
Debian: http://verahill.blogspot.com.au/2013/03/361-installing-debian-on-usb-stick-from.html
On Windows Vista and Windows 7 you need to copy
/Windows/System32/config/SAM
/Windows/System32/config/SYSTEM.
On Windows XP you need to copy
/WINDOWS/system32/config/system
/WINDOWS/system32/config/SAM.
Generating input
First set up your linux system and install bkhive and samdump2. On Arch you can get these from the AUR (here and here), and on Debian you can install it from the repos by doing
sudo apt-get install bkhive samdump2
First set up your linux system and install bkhive and samdump2. On Arch you can get these from the AUR (here and here), and on Debian you can install it from the repos by doing
sudo apt-get install bkhive samdump2
Once you have bkhive and samdump, do
Ophcrack
Ophcrack is one alternative for which you can download rainbow tables, while John the Ripper can do it via password lists and brute force. You can get Ophcrack from the Debian repos as well as AUR in ARch.
To crack with Ophcrack you'll need tables -- you can get them from here: http://ophcrack.sourceforge.net/tables.php
Start with Xp Free Small or Vista Free, depending on whether you're going after XP or Vista/Windows 7 passwords. If your passwords still won't break, you can always get a bigger table. Put your tables in e.g. /tmp/crack/xp and /tmp/crack/vista
Do (for xp -- point towards /tmp/crack/vista for vista/windows 7)
where -n 6 means to use 6 threads (use as many as you have cores). You can also launch ophcrack with a graphical user interface by simply typing ophcrack.
John the Ripper
On Arch you can get John the Ripper via the standard repos, and on Debian you can easily compile it.
You should get a good password list to guide your cracking -- rockyou is probably one of the best:
To crack XP passwords, run
john --wordlist=rockyoutxt --format=lm crack.list
To crack Vista or Windows 7 passwords, run
john --wordlist=rockyoutxt --format=nt crack.list
If you have compiled john the ripper with mpi support, just launch it along the lines of
mpirun -n 6 john --wordlist=rockyoutxt --format=nt crack.list
There's no guarantee that you'll successfully crack all passwords -- it simply depends on 1) how common the passwords are or 2) whether they are short enough to brute force. I've used the methods above to crack passwords on a couple of machines (even virtual ones).
If you're really lazy and want a fully automated cracking experience, just use the ophcrack live cd. The downside is that you'll be occupying the machine which holds the windows installation until you're done cracking. With the method here you can crack at your leisure on your own windows machine.