WinPassword Online Documentation.
[ WinPassword Home Page ] [ PasswordTools ] [ Win 9x ]
(c) LastBit Corp.
WinPassword home page: http://LastBit.com/winpsw
WinPassword (formerly known as NT Password) is an application for NT / 2000 / XP / 2003 / Vista / 2008 / Windows 7 system administrators for finding breaches in system security. It tries to recover plain-text passwords by analyzing user password hashes. If it is possible to recover a password within reasonable time, the password should be considered insecure. Windows Password can also be used to recover lost passwords of particular users. Please note that this program is for advanced users and system administrators with good understanding of the NT security model
We have done all we could to make WinPassword as fast as it could possibly run. All critical fragments of the code are written in Assembler and optimized to the maximum. It utilizes all features of modern processors, such as SSE2 instructions, hyperthreading, multicore and multiprocessor; that allows getting the most from a PS's computing power and reach the maximum operating speed possible.
GPU assisted password recovery. WinPassword allows utilizing the computing power of modern GPUs and reach the fantastic speeds of a billion and more passwords per second!
WinPassword allows searching for passwords to a great number of logins simultaneously. WinPassword is designed in a way that the search speed very little relies on the number of logins. WinPassword has been tested and works perfectly even on very large tasks (up to 32,000 logins)
WinPassword uses both the traditional recovery methods (Brute Force Attack, Dictionary Search) and the new Smart Rainbow Table Recovery (based on Rainbow tables) technique that allows recovering long and complex passwords quickly.
OctoPASS distributed password recovery. WinPassword is compatible with OctoPASS Distributed Password Recovery. You can utilize the power of all available computers to find the longest and most complex passwords. OctoPASS allows creating very large networks, up to thousands (and even tens of thousands) of computers working simultaneously.
Cloud Password Recovery. If you do not have a sufficient amount of your own computing power, you can rent additional computing power to recover long and complex NT hashes ( more information ).
WinPassword allows modifying registry files and resetting the password to a known one.
Quick Technical Overview
Windows does not store user's password; it stores the hash instead. Due to historical reasons, Windows keeps two different types of hashes at the same time: NT hash and LANMAN hash. NT hash is the standard MD4 algorithm appied to user password. Using Unicode allows handling passwords in different languages. It makes difference between uppercase and lowercase letters. LANMAN hash is based upon the DES encryption algorithm. There are two specific features that strongly weaken the security of LANMAN hashes. First, they do not make difference between uppercase and lowercase letters; second - and most important - the password is limited by 14 characters; moreover, those 14 characters are split into two 7-character halves, which are encrypted independently from one another. This allows finding passwords for both parts individually and simultaneously. Besides, neither NT hash, nor LANMAN hash uses salt, and that allows cracking many passwords at once, belonging to different users (even on different computers), and with all that the search speed very little depends on their quantity. Windows could be configured in a way that LANMAN hashes would be disabled - that significantly improves the cryptographic strength and hardens the recovery of passwords. WinPassword supports the recovery with both known LANMAN hash and with just NT hash. In the standard case, when the both types of hashes are available, WinPassword uses the LANMAN hash to find the password and then additionally uses the NT hash to clarify which letters in the password are uppercase, and which ones are lowercase.
Operating speed and time necessary for finding passwords
Password search speed depends on many factors; first of all, on the CPU type and clock. RAM size affects search efficiency insignificantly. The speed can be raised significantly when utilizing GPU. The search speed on a computer with an Intel Core Quad CPU is approximately 26 millions of passwords per second for LANMAN hashes abd 35 millions per second for NT hashes. When using the GPU Nvidia GTX 295, the search speed for NT hashes reaches a billion (!) of passwords per second. When using Smart Rainbow Tables, the typical time for finding a password to a LANMAN hash is several minutes, regardless to the length and complexity of the password. More detailed information on the speed and time is available here.
The application's main window displays the user list; each item on the list consists of login (user name), password (if found), LANMAN hash, NT hash and optional remark. Normally both LANMAN and NT hashes are present, but it is also possible to have only a LANMAN or NT hash available. WinPassword saves all this information (along with current recovery state) in a task file (.WinPsw file type). Use the standard File | Save or File | Save As menu command to save the task file. If the recovery process is started, current recovery state, as well as found passwords, are stored in the task file too. You can open the task file later and resume the password recovery.
An icon to the left of a login name denotes:
|The password is 7 characters or less|
|The password is more than 7 characters|
|First 7 characters of the password found*|
|Second 7 characters of the password found*|
|Password has NT hash only|
|The password is not set (empty password)|
|Password found successfully|
* Remember that Windows security system breaks the password in two 7-character parts and encrypts each part individually. This allows finding passwords for both parts individually and simultaneously. Therefore, it may happen that one part of the password is decrypted, while the other one isn't. In this case, the known part of the password will be displayed, and question marks will be displayed instead of the unknown one.
First of all, you need to obtain the password hashes. Unfortunately there is no straightforward way to do this. The following methods are available:
Dump the passwords from the memory (administrator privileges are required). This function dubs the well known PWDUMP program and is completely similar to it.
Import the password hashes from the output file of a third-party program. The file to be imported must be in the PWDUMP format.
Import the password hashes from the Windows registry files (SAM and SYSTEM ). During the operation, Windows locks these files; therefore, you will not be able to read data from the files being used by the running copy of Windows. To gain access to them, you need to load another copy of Windows; that may be another copy of Windows installed on a different partition of the same hard drive, other operating system (supporting the NTFS file system and capable of reading these files) or Windows, loaded from a CD/DVD or USB disk (for example, BART PE).
Enter the information manually (Edit | Insert New Item menu command). Use this methods if the password hashes are known.
Note that you can import multiple files into a single project. A single WinPassword project can contain a lot of hashes and recover all them simultaneously.
You can save and then Open a saved WinPassword task (.WinPsw files). This lets you pause the password search process and then resume it.
Once you have got the password hashes to be recovered, use the Audit | Start Recovery menu command to start the recovery process. WinPassword supports three recovery approaches:
Smart Rainbow Table Recovery. Smart Rainbow Table Recovery is based upon special precomputed recovery tables. They allow breaking long and complex password quite quickly.
Cloud Password Recovery
We recommend you to read our article Password Recovery Using Universal Recovery Methods that describes how to use Brute-Force Attack and Dictionary Search. Note that a dictionary is required for the Dictionary Attack. We did not include any dictionaries into the package. If you need one, you can download various dictionaries from http://LastBit.com/dict.asp (free of charge).
Autosave is now available. Windows Password will automatically save the project every ten minutes when autosave is enable. Thus, you can pause the recovery process and then resume it later. WinPassword utilizes all resources
Smart Rainbow Tables
Smart Rainbow Table Recovery is a technique that allows recovering long and complex passwords quickly by using special precomputed tables (so-called Rainbow tables). Currently, Smart Rainbow Tables are available for the recovery of LANMAN hashes only. The support for NT hashes is coming up in the next version. With Smart Rainbow Tables, you can recover arbitrary password within a few minutes. Find more information here.
Cloud Password Recovery
You can rent additional computing power to recover long and complex passwords. Cloud Password Recovery is for NT hashes only. If a LANMAN hash is available, you can recover the password within a reasonable time span using the regular recovery methods or Smart Rainbow Tables. Find more information on the Cloud Password Recovery service here.
Reset Login Password
You can use WinPassword to reset a password and replace it with a known one. Find more information here.
GPU-accelerated Password Recovery
You can utilize the computing power of modern GPUs to significantly raise the operating speed. Depending on the GPU, the speed can raise by tens of times. The current version of the software supports GPU Accelerated Password Recovery only for NT hashes. Find more information here.
Distributed Password Recovery
Distributed Password Recovery allows using multiple computers for speeding up the recovery process. That is especially current for NT hashes. We have implemented the support for distributed password recovery for LANMAN hashes too; however, please keep in mind that with Smart Rainbow Tables within just a few minutes you can recover literally any password by its LANMAN hash, utilizing the resources of just a single computer.
Distributed Password Recovery for LANMAN hashes
You can utilize multiple (up to 8) computers as follows.
You need to purchase the required number of WinPassword Pro licenses (the Standard version does not support distributed password recovery) and install it on each of the computers.
Then prepare the task file and copy it to each of the computers.
On each of the computers, launch WinPassword and then open the task file.
Make sure to have specified identical password recovery parameters on each computer. In the field "Number of computers", enter the total number of computers (same on each computer), and in the field "This computer index" on the first computer enter 1, on the second one - 2, and so on - enumerate all the computers.
Start the password recovery, and each computer will compute its portion of the task. The required password can be found on any computer.
Distributed Password Recovery for NT hashes
Distributed password recovery for NT hashes can be done with OctoPASS. OctoPASS allows creating very large networks (thousands and even tens of thousands of computers. Further information on OctoPASS is available here.
You can merge two or more WinPassword projects into a single project by using the File | Merge menu command.
Import and Export
You can import and export data in the PWDUMP file format (plain text format, one login per line, columns separated by colon).
You can add a comment to each item by using the Edit | Edit Remark menu command (or by just double clicking on the item you want to edit).
You can use the Audit | Report menu command to generate the report.
Find Same Passwords
The Audit | Find Same Passwords menu command allows finding users with identical passwords. This feature is useful for large projects
During the password search, you can lower the performance priority. That would lead to a certain decrease in the operating speed for WinPassword; however, the other applications would run faster. WinPassword utilizes the most of the computing power available in a computer; therefore, other applications may lack it. Use this function if you want WinPassword to run in the background and not interfere with other tasks.
Auto-refresh vs. manual refresh
By default Auto Refresh is on; when searching for a password, WinPassword refreshes the list in the main window. If a project is too large (contains thousands and tens of thousands of passwords), new passwords are found frequently, and Auto Refresh could slow down and make the use of the application inconvenient. In this case, we recommend you to disable Auto-refresh ( View | Auto Refresh menu command) and refresh the list manually with the View | Refresh Now menu command.
Use the Audit |Setup menu command to adjust program settings.
Pro and Standard versions
There are two different WinPassword editions available: Standard and Pro. Please refer to the table below to find out the difference.
|Maximum number of logins in a single task file||Smart Rainbow Table Recovery||Reset Password to a Known One||Distributed Password Recovery (LANMAN hashes)||Distributed Password Recovery (NT hashes)||GPU Accelerated Password Recovery|
|Standard Version||5 (i.e. you cannot recover more than 5 passwords at once)||NO||NO||NO||YES*||NO|
|Pro Version||32,000 (technical limit)||YES||YES||YES||YES*||YES|
* - OctoPASS is required for distributed password recovery of NT hashes. This is a standalone product and must be licensed separately. Please refer to this web page for further information.
Demo version limitation:
The unregistered DEMO versions display only the first two characters of the found password.
To order the fully-functional version, please visit http://LastBit.com/register.asp