For more info and a list of supported computer models visit here:
BIOS Password Recovery Service

Enter Challenge Hash and click “Pay Now”:

* EFS certificates
* MSN Messenger credentials
* Internet Explorer form passwords
* Outlook passwords
* Google Talk credentials
* Google Chrome form passwords
* Wireless network keys (WEP key and WPA-PMK)
* Skype credentials

Of course you need to know the user’s current password, you can recover it from the SAM.
Download Here
You can also read an excellent article on the undocumented process of recovering DPAPI passwords here

1 LM vs. NTLM
2 Syskey
3 Cracking Windows Passwords
   3.1 Extracting the hashes from the Windows SAM
      3.1.1 Using BackTrack Tools
         3.1.1.1 Using bkhive and samdump v1.1.1 (BT2 and BT3)
         3.1.1.2 Using samdump2 v2.0.1 (BT4)
         3.1.1.3 Cached Credentials
      3.1.2 Using Windows Tools
         3.1.2.1 Using fgdump
         3.1.2.2 Using gsecdump
         3.1.2.3 Using pwdump7
         3.1.2.4 Cached Credentials
   3.2 Extracting the hashes from the Windows SAM remotely
      3.2.1 Using BackTrack Tools
         3.2.1.1 ettercap
      3.2.2 Using Windows Tools
         3.2.2.1 Using fgdump
   3.3 Cracking Windows Passwords
      3.3.1 Using BackTrack Tools
         3.3.1.1 John the Ripper BT3 and BT4
            3.3.1.1.1 Cracking the LM hash
            3.3.1.1.2 Cracking the NTLM hash
            3.3.1.1.3 Cracking the NTLM using the cracked LM hash
            3.3.1.1.4 Cracking cached credentials
         3.3.1.2 John the Ripper - current
            3.3.1.2.1 Get and Compile
            3.3.1.2.2 Cracking the LM hash
            3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
            3.3.1.2.4 Cracking the NTLM hash
            3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
            3.3.1.2.6 Cracking cached credentials
         3.3.1.3 Using MDCrack
            3.3.1.3.1 Cracking the LM hash
            3.3.1.3.2 Cracking the NTLM hash
            3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
         3.3.1.4 Using Ophcrack
            3.3.1.4.1 Cracking the LM hash
            3.3.1.4.2 Cracking the NTLM hash
            3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
      3.3.2 Using Windows Tools
         3.3.2.1 John the Ripper
            3.3.2.1.1 Cracking the LM hash
            3.3.2.1.2 Cracking the NTLM hash
            3.3.2.1.3 Cracking the NTLM hash using the cracked LM hash
            3.3.2.1.4 Cracking cached credentials
         3.3.2.2 Using MDCrack
            3.3.2.2.1 Cracking the LM hash
            3.3.2.2.2 Cracking the NTLM hash
            3.3.2.2.3 Cracking the NTLM hash using the cracked LM hash
         3.3.2.3 Using Ophcrack
            3.3.2.3.1 Cracking the LM hash
            3.3.2.3.2 Cracking the NTLM hash
            3.3.2.3.3 Cracking the NTLM hash using the cracked LM hash
         3.3.2.4 Using Cain and Abel
      3.3.3 Using a Live CD
         3.3.3.1 Ophcrack
4. Changing Windows Passwords
   4.1 Changing Local User Passwords
      4.1.1 Using BackTrack Tools
         4.1.1.1 chntpw
      4.1.2 Using a Live CD
         4.1.2.1 chntpw
         4.1.2.2 System Rescue CD
   4.2 Changing Active Directory Passwords
5 plain-text.info
6 Cracking Novell NetWare Passwords
7 Cracking Linux/Unix Passwords
8 Cracking networking equipment passwords
   8.1 Using BackTrack tools
      8.1.1 Using Hydra
      8.1.2 Using Xhydra
      8.1.3 Using Medusa
      8.1.4 Using John the Ripper to crack a Cisco hash
   8.2 Using Windows tools
      8.2.1 Using Brutus
9 Cracking Applications
   9.1 Cracking Oracle 11g (sha1)
   9.2 Cracking Oracle passwords over the wire
   9.3 Cracking Office passwords
   9.4 Cracking tar passwords
   9.5 Cracking zip passwords
   9.6 Cracking pdf passwords
10 Wordlists aka Dictionary attack
   10.1 Using John the Ripper to generate a wordlist
   10.2 Configuring John the Ripper to use a wordlist
   10.3 Using crunch to generate a wordlist
   10.4 Generate a wordlist from a textfile or website
   10.5 Using premade wordlists
   10.6 Other wordlist generators
   10.7 Manipulating your wordlist
11 Rainbow Tables
   11.1 What are they?
   11.2 Generating your own
      11.2.1 rcrack - obsolete but works
      11.2.2 rcracki
      11.2.3 rcracki - boinc client
      11.2.4 Generating a rainbow table
   11.3 WEP cracking
   11.4 WPA-PSK
      11.4.1 airolib
      11.4.2 pyrit
12 Distributed Password cracking
   12.1 john
   12.2 medussa (not a typo this is not medusa)
13 using a GPU
   13.1 cuda - nvidia
   13.2 stream - ati

Cracking_Passwords_Guide.pdf

HomeGroup makes it easy to share pictures, music, documents, videos, and printers with other people on your home network. You would have had to created a homegroup first before you will have a password to use to join other computer to your homegroup.

1. Open the Control Panel (all items view), and click on the Network and Sharing Center icon.
2. Click on the Choose homegroup and sharing options link.
3. Click on the View or print homegroup password link.
4. Write down this password down, or click on Print this page to print the passoword. When done, close this window.

NOTE: The password is case sensitive, so it will need to be typed exactly as it appears here when used to join a computer to the homegroup.

This week a friend brought me the new ipod nano which her son locked and she couldnt figure out the password. It’s a real simple fix. Connect the ipod to your computer. makes sure hidden files and folders option is set and browse to “\iPod_Control\Device\_locked” Change the file name from _locked to _unlocked. Save. disconnect. Reset your ipod by holding down the menu and center button. At this point your ipod will be unlocked but you won’t be able to set a new password without first entering the old one(which you don’t know). To set a new password, go back into _unlocked and erase all of the characters in the file and save again. Reset once more. You can now set a new password if you choose.

Did your IBM ThinkPad Supervisor password? This involves a bit more than just removing the backup battery, the supervisor (SVP) password is stored in a chip called ATMEL 24RF08. It can not be reset by disconnecting the BIOS battery or shorting any jumper. SoDoItYourself has an article detailing the retrieval of password data from an EEPROM. Although IBM claims their TP BIOS passwords are impossible to break, there is a easy and cheap way to fix this. The stuff you need cost about 5 $ at your closest radio shack type of store, you will also you need a spare PC with a serial port. Once you have done all the soldering you will also needs these 2 programs to help you dump the password
http://www.allservice.ro/forum/viewtopic.php?t=61 –programmer
http://www.allservice.ro/forum/viewtopic.php?t=56 –IBMpass Lite
http://h1.ripway.com/hdst/dl/ alternative dl site

via: sodoityourself.com/

This article will show you how you can gain full administrator access to a Cisco router, bypassing all security passwords. The password recovery process, however, can be rendered useless if the administrator has previously configured the router not to allow this process to take place. In this case, the router will warn the user and, if he proceeds, all configuration will be erased, so there will be nothing to recover!

Example Scenario

Consider we have a Cisco router (2610 for our example – this procedure is the same for all routers) and we are unable to access it due to a lost password. Console and VTY (telnet) sessions ask for a password which we do not have:

Even if we were able to successfully log into the router, but couldn’t provide the router with the correct ‘enable’ password, we would still need to perform a password recovery procedure.

To initiate the password recovery procedure, connect the rollover cable to the console port, then power the router off and back on. As soon as you receive a prompt showing the boot process, hit Ctrl-Break:

You’ll immediately see the ‘rommon’ prompt, indicating we are in ‘rom monitor’ mode. This is a mini-IOS that allows you to perform very specific tasks in order to recover your router.

Now, to skip our password-protected configuration, we instruct the router to by-pass the configuration located in NVRAM during bootup, and reset the router:

The router will now reset and start its normal bootup process, however, the current configuration will be ignored. When the bootup is complete, you will be prompted to ‘enter the initial configuration dialog’, answer ‘no’:

Next step is to enter ‘Privileged Mode’ and load the router’s configuration from nvram. Then reset the ‘enable’ or ’secret’ password. To be sure, we’re showing how to reset both, but we’ll only need to use the ’secret’ password. In addition, we are going to reset the console port’s password:

If you use the ‘login local’ command you’ll need to reset the user account of the password you have lost (in our example, it’s ‘admin’).

Lastly, we need to change the ‘configuration register’ so the router will load the newly modified configuration next time it reboots, save our settings and reboot the router:

The router will now reload and use the new configuration that contains the newly set passwords.

When the router reboots, log in and check your configuration. If you find any interfaces in the ’shutdown’ state, you’ll need to use the ‘no shutdown’ command to bring them back up. Again, don’t forget to save your configuration!

Article Summary

We’ve shown you how to recover lost passwords and gain control of a Cisco router. Of course there are mechanisms, which can be enabled, that will not allow you to perform the password recovery procedure. In this case, any attempt to recover the passwords or configuration will result in the erasure of the device’s configuration!

Via: firewall.cx

Method 1. Printer Dongle Method:

Works with Portege, Satellite, Satellite Pro, Tecra and Libretto Laptops of the following model numbers :

100(1xx) 200(2xx) 300(3xx) 400(4xx) 500(5xx) 600(6xx) 700(7xx)
1000(1xxx) 2000(2xxx) 3000(3xxx) 4000(4xxx) 7000(7xxx) 8000(8xxx)
(A15-S 127) (1415-S 173) SERIES & Some DVD Models
The “xxx” above means that each x can be any number, i.e. 1xx could be 101, 103, 111, 112 etc.

* First cut a plug from an old DB25 printer cable, and open the casing of the plug. This is how the pins look:

* Now connect:
o Pin 1 to Pin 5 and to Pin 10 ( go from 1 to 5 and from 5 to 10)
o Pin 2 to 11
o Pin 3 to 17
o Pin 4 to 12
o Pin 6 to 16
o Pin 7 to 13
o Pin 8 to 14
o Pin 9 to 15
o Pin 18 to 25

It should look something like this:

Plug it in and bootup

METHOD 2. Shorting a jumper:

In order to clear a BIOS of Compal manufactured units you need to use the NO POWER method, units manufactured by Inventec need to be to be POWERED ON to rest the BIOS.

To reset Compal units:

1. Turn off the POWER
2. Remove the battery and power cord
3. Peel back any black mylar (if any) covering the jumper
4. Using a flat screwdriver, short the jumper by connecting the two jumper points
5. Reset the computer and verify the BIOS has been reset, if not then repeat steps

Inventec units can skip steps 1 and 2

METHOD 3. Challenge/Response Code:

The challenge/response code method consists of matching a Challenge code ( power the machine up,press ctrl,then tab,then ctrl, then enter) generated on your machine and matching a Response code generated by Toshiba and calling a Toshiba Tech Support Agent.

Satellite p100 and pro p100 : with laptop off,remove wifi card and short pads marked jp8 for 10 secs

satellite l10,l20,l30 and pro l20 : with laptop of short pads marked jp1 for 15 secs (l20 short pads marked g1)

satellite m100 and tecra a6 : with laptop off ,remove memory and insulation under memory and short pads marked clr1 for 15 secs

(satellite 17** series,1100,1110,1130, 1200, 1900, 2430, 3000 P20,P30, P33, A30, A70, A80, M40X, M50,M60, M70, M100)as above

tecra a3,s2,a5,a6 : pads are by memory modules and will be labeled J1, J2, J5, J7, J9 or clr1

satellite a100,tecra m7 : remove keyboard and short pads marked c88 while turning laptop on, remove short as soon as Toshiba logo appears

Satellite A100 (PSAA2A-02C01N) : Remove Memory Cover from base of machine
Release & remove right side Memory Module,Lift black plastic insulation
Locate & short PAD500 Pin 1 & 2 together,Power on machine while still shorting Pin 1 & 2
As soon as the TOSHIBA logo appears, remove short

TECRA A4 & Satellite M40

Open modem & Wi-Fi card cover,Remove mini PCI Wi-Fi card
Lift up black plastic,Locate & short C738 Pads 1 & 2 together
Power on machine while still shorting Pads 1 & 2
As soon as the TOSHIBA logo appears, remove short

tecra s1 : TECRA S1

Open palm rest cover,Remove mini PCI Wi-Fi card
Lift up black plastic,Locate & short C5071 Pin 1 & 2 together
Power on machine while still shorting Pin 1 & 2
As soon as the TOSHIBA logo appears, remove short

NOTE SOMETIMES THESE WILL TAKE A COUPLE OF TIMES TO WORK,BUT THEY WILL WORK.

Tools Needed :

MDD

pyCrypto

Volatility 1.3 Beta

Volatility Plugin from Moyix

ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.

After downloading MDD from the Mantech site you need to run the program at the command line.

MDD Command Line Usage:

mdd -o OUTPUTFILENAME

Step by Step Example :

First of all, run MDD to dump the memory of the machine. The output file , would be an image of the physical memory, and MDD is often used to only dump the memory.

C:\Documents and Settings\Administrator\Desktop\MDD>mdd_1.3.exe -o dump.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w’

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c’ for details.

-> Dumping 511.48 MB of physical memory to file ‘dump.dd’.

130938 map operations succeeded (1.00)

0 map operations failed

took 32 seconds to write

MD5 is: 78924418adaf67d22a6687dcc6ff4e23

C:\Documents and Settings\Administrator\Desktop\MDD>

Next, we will need to analyze the “memory image” – dump.dd .

For this, we will be using Using Volatility (1.3_Beta), Volatility Plugin from Moyix, and a Windows Hash/Password Finder (SamInside) to identify the passwords.

1. First of all, most of these scripts are written in python, and as such, you would need to download and install a python interpreter (Active Python ).

2. Download Volatility (1.3_Beta) , extract it to a folder.

3. Download Volatility Plugin from Moyix, extract it, and copy its content into the Volatility folder, overwriting your existing forensics, memory_objects, and memory_plugins folders.

4. Download pyCrypto and install it.

5. Copy the dump.dd file (output file of MDD) into the Volatility folder.

6. Run hivescan from volatility to get the hive offsets. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta> python volatility hivescan -f dump.dd

Offset (hex)

45147992 0×2b0e758

45393752 0×2b4a758

49832984 0×2f86418

56797016 0×362a758

58091352 0×3766758

64191328 0×3d37b60

145440776 0×8ab4008

146819936 0×8c04b60

147082080 0×8c44b60

197245792 0xbc1bb60

215368912 0xcd644d0

228964464 0xda5b870

244838408 0xe97f008

271077384 0×10285008

271171592 0×1029c008

361696096 0×158f0b60

373147760 0×163dc870

401433808 0×17ed64d0

425734152 0×19603008

435642376 0×19f76008

452021088 0×1af14b60

489651040 0×1d2f7b60

506391392 0×1e2eeb60

509397104 0×1e5cc870

526976208 0×1f6904d0

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

7. Next, Run hivelist from volatility with the first hivescan offset, from previous output. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>python volatility hivelist -f dump.dd -o 0×2b0e758

Address Name

0xe1cda008 \Documents and Settings\Administrator\Local Settings\Application Da

ta\Microsoft\Windows\UsrClass.dat

0xe1cc4008 \Documents and Settings\Administrator\NTUSER.DAT

0xe1afeb60 \Documents and Settings\LocalService\Local Settings\Application Dat

a\Microsoft\Windows\UsrClass.dat

0xe1b4c008 \Documents and Settings\LocalService\NTUSER.DAT

0xe1b13870 \Documents and Settings\NetworkService\Local Settings\Application D

ata\Microsoft\Windows\UsrClass.dat

0xe1b004d0 \Documents and Settings\NetworkService\NTUSER.DAT

0xe1609b60 \WINDOWS\system32\config\software

0xe160bb60 \WINDOWS\system32\config\default

0xe1741b60 \WINDOWS\system32\config\SAM

0xe1607008 \WINDOWS\system32\config\SECURITY

0xe142e418 [no name]

0xe1036758 \WINDOWS\system32\config\system

0xe1022758 [no name]

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

8. Now that we have the address locations, Pay attention to SAM & SYSTEM addresses. Find Password Hash using this command : python volatility hashdump -f dump.dd -y System Hive Offset -s SAM Hive Offset.

python volatility hashdump -f dump.dd -y 0xe1036758 -s 0xe1741b60

Extracted SAM :

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::

SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::

john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::

Now you can just open this as a pwdump file in SamInside and crack it !

Source: Warlock

Here’s a .pdf by Fastback68 which appears to to compiled from qasimtoep’s old website explaining how to reset a Dell BIOS password using a paperclip.The laptop that was used in this demonstration is a Model 630 type PPX.

There are a lot of people who have a dell or similar laptop that they are not able to use because of a special password chip that can’t be cleared by resetting the CMOS using software or by removing the battery. The chip that Dell uses is called a 24C02 chip. Dell will not give any help to these people without verifying that they are the original and registered owners of these laptops. Their justification is that it is part of their security / anti-theft program, and keeps people from stealing their laptops or accessing their data.

Included in the .zip file with the .pdf are instructions that show you step by step instructions on how to reset the chip  by using a paperclip and how to remove a laptop bios battery for Dell computers that support the resetting of passwords using that method (Latitude L400 is used)

Programs to create a bootable thumbdrive,CD or floppy to remove the Dell Service Tag Number from the bios.

Also as an added bonus a simple vbs script that shows you your Dell Service Tag Number while in Windows

on error resume next
strComputer=InputBox ("Enter the computer name of the server you'd like to query for Service Tag")
Set objWMIservice = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
set colitems = objWMIservice.ExecQuery("Select * from Win32_BIOS",,48)
For each objitem in colitems
Wscript.echo "Dell Service Tag: " & objitem.serialnumber
Next


also this site has a good tutorial http://www.weeklygripe.co.uk/a709.asp