Domain Cached Password on Encrypted Disk?

[jackman19258]

So, to answer some simple questions: Yes, I am trying to hack a Windows XP laptop that is on a domain. No this isn't a request for help. Yes this is a request for helpful information and possible links to articles for me to learn.

Here's the situation: My friend gave me a laptop to crack the password of. I thought, simple: ERD Commander 2k5. Oh wait, this has a password before the bios. Well, let's just remove that. (Tinkered with it, removed the bios password). Ok, lets move on.

Turned it back on, made it to a Windows XP boot screen and then a user name, password, and domain are requested. I thought, ok, maybe ERD commander can change the standard administrator password for the local machine. I booted it up, and it told me there was no partition to login to. Uh-oh... maybe it's an encrypted disk? Or maybe the partition is bad? But wait, that can't be since I have a fully working login screen right here...

Several domains to login to. Can't change the password or view the contents on any secondary computer, (tried adding it as an external, it asks me if I want to format. Tried data recovery while in that mode, and it picked up nothing). Now, this is where I get stuck. There must be a way around this aside from endless guessing. But how? It seems like a pretty locked up computer, and this is the first one I really can't get around the password with. I have all tools and utilities available to me, and I will spend personal cash to get the right tools if necessary.

One other thought I had, but I could just be an idiot not thinking right as of now, but could it be possible the said encryption is at the beginning of the LBA and all I need to do is wipe that out near the boot sector to gain access? Also, what other methods or programs would you recommend? And yes, this is in networking because I believe that it has to do with an AD scheme and cracking a cached password from a previous login may be of assistance.

[jackman19258]

Ok, brain flash! What if I created my own domain with server 2k3 with the same domain name as the computer and create a fake separate account in which to login with that has admin privileges?

[Rijnzael]

Sounds like you need to talk to an MCSE. I very seriously doubt the target machine would ever connect to an unauthenticated domain controller, as machines on a domain have certificates which they are able to use to authenticate domain controllers.
If the disk is encrypted, then you'll definitely have a tough time accessing any passwords in general.

[jackman19258]

Hmm... indeed.

I broke down and tried it. Yeah, no luck. Apparently its encrypted by Pointsec. They seem pretty tough, however I noticed a few things they forgot to protect such as the "Windows did not start correctly" boot options... lol. (The advanced windows option is locked, so all you can do after pressing F8 at startup is click "start windows normally)

Good stuff... Hmm... I'll keep poking around but if I don't find anything tonight, I suppose I'll just format it and call it a loss... =P

[jv_amarnath]

else you could boot into the pc using some other os whish is in a usb drive..
then mount the file " c:/windows/system32/config/sam..
now using samspade software or rainbow colours u can decrypt is
voila!!! there u have the passwod!!!

[Rijnzael]

else you could boot into the pc using some other os whish is in a usb drive..
then mount the file " c:/windows/system32/config/sam..
now using samspade software or rainbow colours u can decrypt is
voila!!! there u have the passwod!!!

Active Directory passwords are stored in the registry, not the SAM file. You also completely missed the fact that the drive is encrypted in the first place.