Thursday, December 3, 2009

Another example where physical access always gets you in (using chntpw)

chntpw is a small Linux utility that (re)sets the password of any valid local account on a Windows NT, 2000 or XP machine (I have not tried it on Vista or 7). You do not need to know the old password to set a new one. The tool works by modifying the encrypted password data in the registry's SAM hive. It handles SYSKEY-protected SAMs and includes an option to turn SYSKEY off.

The target Windows machine must be offline, meaning the installed OS is not running: chntpw edits the hive files directly, and Windows keeps them locked while it is booted. You need a bootable Linux distribution (CD or bootable USB) with the chntpw package installed.

  1. Mount the NTFS partition read/write, not read-only (chntpw has to write the hives back, so a read-only mount is useless). If Windows was hibernated rather than shut down, ntfs-3g refuses a read/write mount; shut the machine down cleanly and try again.
    # mount -t ntfs-3g /dev/sda1 /mnt/disk1
    or
    # ntfsmount /dev/sda1 /mnt/disk1 -o default_permissions
  2. Change to the directory holding the SAM hive, typically \windows\system32\config. The Linux mount is case-sensitive, so check the exact spelling with ls (WINDOWS vs Windows, Config vs config, SAM vs sam).
    # cd /mnt/disk1/WINDOWS/System32/Config
  3. Back up the SAM, security and system hives.
    # cp SAM SAM.bak && cp security security.bak && cp system system.bak
  4. Run chntpw in interactive mode with the SAM, security and system hives as arguments.
    # chntpw -i SAM security system
  5. You are presented with an interactive screen where you can list the local users and change or blank their passwords.
    NOTE: Changing a user's password here is known to be less reliable than blanking it. Blank the password where possible, log in to Windows, and set a new password there. Enter "*" at the new-password prompt to blank it.
  6. Save your changes before you exit: answer y when chntpw asks whether to write the hive files, otherwise nothing is changed on disk.
  7. Reboot the machine and log in to Windows to confirm the reset worked (it most likely did).
For more chntpw options (you probably won't need any), type:
# chntpw -h
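The seven steps above as one guarded script. This is an added example and not code from the original post or from chntpw itself; it assumes /dev/sda1 is the Windows partition, /mnt/disk1 is a free mount point, and ntfs-3g and chntpw are present on the live system. It goes a little beyond the steps by locating the hive directory and hive files case-insensitively (ntfs-3g mounts are case-sensitive while Windows is not) and by probing that the mount is actually writable before touching anything.

```shell
#!/bin/sh
# Added example, not from the original post: the offline reset procedure as a
# guarded script. Assumed (not stated on the page): /dev/sda1 is the Windows
# partition, /mnt/disk1 is a free mount point, ntfs-3g and chntpw are installed.
set -eu

# Windows filesystems are case-insensitive but an ntfs-3g mount is not, so the hive
# directory may be WINDOWS/System32/Config on one install and Windows/system32/config
# on another. Locate it case-insensitively instead of hard-coding the path.
config_dir() {
    find "$1" -mindepth 3 -maxdepth 3 -type d -ipath '*/windows/system32/config' | head -n 1
}

# Same for the hives themselves: SAM vs sam, SECURITY vs security, SYSTEM vs system.
find_hive() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -iname "$2" | head -n 1
}

# chntpw has to write the hives back, so the mount must be read/write. Probe with a
# scratch file rather than trusting the mount options.
assert_writable() {
    probe="$1/.rw-probe.$$"
    if touch "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Copy SAM, SECURITY and SYSTEM to a timestamped directory beside config; print its path.
backup_hives() {
    dir="$1"
    stamp="${2:-$(date +%Y%m%d%H%M%S)}"
    bak="$dir/../config.bak.$stamp"
    mkdir -p "$bak"
    for h in sam security system; do
        f="$(find_hive "$dir" "$h")"
        [ -n "$f" ] || { echo "hive not found: $h" >&2; return 1; }
        cp -p "$f" "$bak/"
    done
    echo "$bak"
}

main() {
    dev="$1"
    mnt="$2"
    mkdir -p "$mnt"
    # Read/write, never -o ro. ntfs-3g refuses rw if Windows was hibernated rather
    # than shut down; power the machine off cleanly in that case and retry.
    mount -t ntfs-3g -o rw "$dev" "$mnt"
    cfg="$(config_dir "$mnt")"
    [ -n "$cfg" ] || { echo "no windows/system32/config under $mnt" >&2; exit 1; }
    assert_writable "$cfg" || { echo "$mnt is not writable, remount read/write" >&2; exit 1; }
    bak="$(backup_hives "$cfg")"
    echo "hives backed up to $bak"
    sam="$(find_hive "$cfg" sam)"
    sec="$(find_hive "$cfg" security)"
    sys="$(find_hive "$cfg" system)"
    chntpw -l "$sam"                      # list the local accounts first
    # Interactive mode: pick a user, enter * to blank the password, and answer y to
    # "Write hive files?" so the change is actually saved.
    chntpw -i "$sam" "$sec" "$sys"
    umount "$mnt"                         # flush to disk before rebooting into Windows
}

# Run only when given DEVICE and MOUNTPOINT; with no arguments the file just defines
# the functions above (so they can be sourced or tested without touching a disk).
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Run it from the live system as root, e.g. `sh reset.sh /dev/sda1 /mnt/disk1`. The backup directory it prints is what you copy back over the hives if the reset leaves Windows unbootable.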

# chntpw help and usage

chntpw version 0.99.3 040818, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username to change, Administrator is default
 -l          list all users in SAM file
 -i          Interactive. List users (as -l) then ask for username to change
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor),
 -t          Trace. Show hexdump of structs/segments. (deprecated debug function)
 -v          Be a little more verbose (for debuging)
 -L          Write names of changed files to /tmp/changed
 -N          No allocation mode. Only (old style) same length overwrites possible
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
NOTE: This program is somewhat hackish! You are on your own!

