I have a system admin who really shouldn't call himself a system admin. He thinks he knows a lot and one day he challenged me to change his domain account password. Just to give him a preview, I changed his machines's (local) administrator password with the help of the following tutorial. I also changed a domain account's password- without the admin password - but this tutorial doesn't cover that. This tutorial does not teach you to hack, but it just helps people who have either forgotten or lost their administrator password.
Note: You would need to burn a disc in order to complete this simplified process. If you can't burn a disc, then read the
section on creating floppy images.
Please print the following before proceeding:
1. Download this file: cd050303.zip (approx. 3 MB)
2. Unzip and burn the image on to a blank CD. CD should have 3.03 MB of data after the burning process.
3. Leave the CD in the CD-ROM and reboot your computer from the CD-ROM (varies from computer to computer, but most probably it will boot from a CD-ROM, otherwise go to BIOS settings and make the appropriate changes)
4. When your system reboots from the CD-ROM, you will see some stuff loading and messages scroll by real fast- meaning you have succesfully loaded the CD
5. You will see the following msg on your screen:
===================================================
. Step ONE: Select disk where the Windows installation is
===================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot
Please select partition by number or
a = show all partitions,
d = automatically load new disk drivers
m = manually load
new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]
- If you have only one partition on HDD, select [1]
- If not, then choose the correct partition with the Windows Installation (i.e. where the Windows/WinNT directory resides)
6. Upon entering the correct partition, you will see the following msg:
===================================================
. Step TWO: Select PATH and registry files
===================================================
What is the path to the registry directory? (relative to windows disk)[windows/system32/config] :
- Press enter if the red line is correct.
- Otherwise, mention the path for the registry directory (i.e.: winnt35/system32/config - for Windows NT 3.51; winnt/system32/config - for Windows NT 4 and Windows 2000; windows/system32/config - for Windows XP/2003 and often Windows 2000 upgraded from Windows 98 or earlier.
7. After pressing enter you will see the followin' msg:
-r-------- 1 0 0 262144 Jan 12 18:01 SAM
-r-------- 1 0 0 262144 Jan 12 18:01 SECURITY
-r-------- 1 0 0 262144 Jan 12 18:01 default
-r-------- 1 0 0 8912896 Jan 12 18:01 software
-r-------- 1 0 0 2359296 Jan 12 18:01 system
dr-x------ 1 0 0 4096 Sep 8 11:37 systemprofile
-r-------- 1 0 0 262144 Sep 8 11:53 userdiff
Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :
- Select option [1] and press enter.
8. Now you shall see the following data on screen:
Loaded hives: <sam> <system> <security>
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> 1- Go for option [1] again to reset the password.
9. Now the user account information would be displayed infront of your screen.
===== chntpw Edit User Info & Passwords ====
RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
Select: ! - quit, . - list users, 0x - User with RID (hex)or
simply enter the username to change: [Administrator]
- Here you can either press enter to select the administrator account, or enter the username of the account that you want to reset the password of.
10. You will see the account info now of the user you selected in the previous step.
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
Account bits: 0x0210 =
[ ] Disabled [ ] Homedir req. [ ] Passwd not req.
[ ] Temp. duplicate [X] Normal account [ ] NMS account
[ ] Domain trust ac [ ] Wks trust act. [ ] Srv trust act
[X] Pwd don't expir [ ] Auto lockout [ ] (unknown 0x08)
[ ] (unknown 0x10) [ ] (unknown 0x20) [ ] (unknown 0x40)
Failed login count: 0, while max tries is: 0
Total login count: 3
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
- This is pretty straightforward, but DO NOT set a new password. Just blank the password by entering * and then change the password after logging in normally. Setting a new password might corrupt your account!
Please read the original author's website for more info or FAQs. I have just tried to simplfy the procedure here. If you have any questions or need help, I am always here. :)
Source: Link
Simplified: by ME :)
![[G3]-Technews](http://img157.echo.cx/img157/8606/g3technews5le.png)
Important:
To Read MOST UPDATED News Items browse to HOME page.
5 Comments:
SD ... Thanks for contributing this post.
Well the first level of security is "Physical Security" ... if this is bypassed ... no matter how tough the protection, that could be bypassed.
Lesson of the story ... First Step to security ... Keep the PC in a physically secure environemnt.
By
G3nu1n3, at 6/06/2005 08:29:00 PM
well said by g3, now if the anti ms crowd comes flamming here saying huh this is how secure your windows is then you should let them know that in linux you dont need any 3rd party tool etc, you dont need to burn any cd etc to achieve the similar but total access to every thing on the fs etc
By
digitalsurgeon, at 6/06/2005 08:53:00 PM
I already did the above and cracked the local as well as the domain admin password using the above on a (secure) network 2 years ago. While I used social engineering to the trick for me, what did you use to get the domain admin password? Would really love to know.
By
alias, at 6/07/2005 12:27:00 AM
There are alot of softwares you can use to do that. Also Linux Live CDs now can boot a machine and give you open Access to the System resources and then you can do what want to do.
I work for a University and we constantly break passwords on user machines due to people create very complex passwords and then forget them. on a local machine one can use something like ERD Commander and for live CD you can use something like Knoppix.
By
Rubeel, at 9/09/2005 08:02:00 AM
there's a very nice knoppix based linux LiveCD distribution called STD (Security Tools Distribuition). which you can use to reset the local windows passwd.
the domain password can't be changed unless you have access to the domain controller; how'd you manage that?
By
Anonymous, at 10/16/2005 01:49:00 AM
Post a Comment
<< Home