Elcomsoft System Recovery


System: Windows

License: Commercial

Application: Password/System Recovery

Homepage: http://elcomsoft.com/esr.html


Quickstart: Suppose you discover that the administrator passwords for your workstation, or even your server, have been changed by a malicious attacker. What options do you have to regain control of the system? One option is to reformat the system and reload everything from backups; another is to use Elcomsoft System Recovery Pro (ESR) to recover and reset the administrator or other user account passwords stored in the SAM or Active Directory (AD) database.

Now let's see how this is done using System Recovery Pro from Elcomsoft.

Restart the system and boot from the ESR CD or USB flash drive. Once the CD or USB flash drive has booted, it lets the user choose whether to recover passwords from the Microsoft Windows SAM or AD database, restore a backed-up registry file or Active Directory database, or edit the user information in the SAM database.



Let's first look at recovering a password from the SAM database. The user has to select the directory where the database is located; in most default installations this is c:\windows, and ESR then locates the SAM and SYSTEM files. Next the user sees the accounts that are available, and once ESR has obtained the passwords and password hashes it displays them as shown in Figure 1. ESR was able to recover all of the alphanumeric passwords and most of the strong passwords that were tried. Even when it cannot recover a password, it can display and dump the hashes obtained from the SAM database so that they can be recovered with a separate application. One of the most useful features of this application is that, whether or not the password is recovered, the user can change the password stored in the SAM database using ESR, as long as the new password satisfies the local machine's password security policy. ESR also allows account privilege escalation and the ability to disable or lock out any account. See Figure 2 for some of the options that can be set using ESR. The last feature available for the SAM database is the SAM database editor, which offers many configurable options for any of the available accounts.

One of the last features available in ESR is the ability to recover and edit passwords for AD. The procedure for recovering these passwords is exactly the same as for SAM passwords. The only difference is that the user needs to find and select the directory that contains the ntds.dit file and the SYSTEM file; as with the SAM database, on a default installation these files are in the c:\windows directory.

When using Elcomsoft System Recovery, the default options are normally all that is required to retake control of the system. ESR, according to its website, works on any Windows-based system. Personally, I had the opportunity to test it on Vista, XP, and Server 2003 and found that it worked flawlessly on all of these systems.

Disadvantages. The only real disadvantage is that you must have physical access to the system in order to recover it. This is not always practical when the network is administered from a distant location.

by Michael Clough, Gordux Development