Windows hack

We have all been there. The user just changed their password and now they can’t remember it. Alzheimer’s Disease is an epidemic where I work. Anyway, here is a useful method for recovering a user account password on a Windows 2000/2003 domain.

1. Download fgdump.

2. Extract fgdump to a directory.

3. Execute the following command within the directory:

fgdump.exe -h TargetIP -u AnAdministrativeUser

Replace TargetIP with the IP address of the target system and AnAdministrativeUser with the name of a user account that has administrator rights on the target machine.

4. Enter the password for the account you are using to access the remote machine.

5. Once the program completes, you should have a file named host.pwdump in the same directory as fgdump.exe. It contains the password hashes for every account on the target system. If you pointed fgdump.exe at a domain controller, it contains the password hashes for every account in the domain.

6. Open the host.pwdump file and look for a line starting with the user name of the account whose password you are trying to recover. It should look something like this:

Jdoe:1011:286DEEC5993E2238AAD3B435B51404EE:17BEDF99EA84D0FF321967A7367DCC20:::

7. Copy everything after the second colon up to the three colons at the end, like so:

286DEEC5993E2238AAD3B435B51404EE:17BEDF99EA84D0FF321967A7367DCC20

8. Now you could go through the whole process of setting up rainbow tables to reverse the hash yourself, but there is an easier way. Go to http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/

9. Copy the hash string into the appropriate field on the page and hit “Submit Hash.”

10. If everything went well, the password for the account should be returned in a second or two. For the hash above it was bauer44, if you wish to test it yourself.
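As an added check that is not part of the original post: the near-instant lookup in step 9 works because the first 32 hex characters of each line are the LM hash, which is computed from the upper-cased password split into two independent 7-character halves, so a quick audit of host.pwdump for accounts that still have an LM hash stored shows where the "Do not store LAN Manager hash value on next password change" policy (followed by a password change) has not yet taken effect. The script below is my own; the svc_backup line and its NT hash are constructed placeholders, and the Jdoe line is the one from the post.

```python
import re

# Well-known constants: the LM hash of an empty password is two copies of this half,
# and a dumper writes the empty value when LM hashing is disabled for the account.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
# NT hash (MD4 over the UTF-16LE empty string) of an empty password.
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# pwdump format: user:rid:lmhash:nthash:::  (some dumpers write "NO PASSWORD***..." in place of a hash)
_LINE = re.compile(r"^([^:]+):(\d+):([^:]*):([^:]*):::")


def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) with hashes upper-cased, or None if the line is not pwdump format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.upper(), nt.upper()


def audit_account(line):
    """Flag the weak-storage conditions for one pwdump line, or None if it does not parse."""
    parsed = parse_pwdump_line(line)
    if parsed is None:
        return None
    user, rid, lm, nt = parsed
    lm_present = len(lm) == 32 and lm != EMPTY_LM
    return {
        "user": user,
        "rid": rid,
        # A real LM hash is stored: this is what rainbow-table lookups exploit.
        "lm_stored": lm_present,
        # Second half equals the empty half: the password is at most 7 characters long.
        "lm_short": lm_present and lm[16:] == EMPTY_LM_HALF,
        # NT hash of the empty string: the account has no password at all.
        "nt_empty": nt == EMPTY_NT,
    }


def audit_pwdump(text):
    """Audit every line of a pwdump file; lines that do not parse are skipped."""
    return [r for r in (audit_account(l) for l in text.splitlines()) if r is not None]


# Constructed sample: the post's Jdoe line plus a placeholder account whose LM field is the
# empty value, as it appears once NoLMHash is in effect and the password has been changed.
SAMPLE = """Jdoe:1011:286DEEC5993E2238AAD3B435B51404EE:17BEDF99EA84D0FF321967A7367DCC20:::
svc_backup:1105:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
"""

if __name__ == "__main__":
    for r in audit_pwdump(SAMPLE):
        flags = [k for k in ("lm_stored", "lm_short", "nt_empty") if r[k]]
        print(f"{r['user']} (RID {r['rid']}): {', '.join(flags) or 'ok'}")
```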