forensics – chntpw windows password reset

Backtrack 5 R1

/pentest/passwords/chntpw

1. Find a PC with a Windows OS installed on it.
2. Boot BackTrack from a USB stick and locate the Windows SAM file at WINDOWS/system32/config/SAM
3. Change to the chntpw folder
root@bt:~# cd /pentest/passwords/chntpw
root@bt:/pentest/passwords/chntpw#

4. Options

root@bt:/pentest/passwords/chntpw# ./chntpw
chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
chntpw: change password of a user in a NT/2k/XP/2k3/Vista/Win7 SAM file,
or invoke registry editor. Should handle both 32 and 64 bit windows
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] […]

-h          This message
-u <user>   Username to change, Administrator is default
-l          list all users in SAM file
-i          Interactive. List users (as -l) then ask for username to change
-e          Registry editor. Now with full write support!
-d          Enter buffer debugger instead (hex editor),
-t          Trace. Show hexdump of structs/segments. (deprecated debug function)
-v          Be a little more verbose (for debuging)
-L          Write names of changed files to /tmp/changed
-N          No allocation mode. Only (old style) same length overwrites possible

See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!

5. List the usernames (not required to change the password, but useful to see)

root@bt:/pentest/passwords/chntpw# ./chntpw -l /media/0468B080ab53212345/WINDOWS/system32/config/SAM
chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
Hive </media/0468B080ab53212345/WINDOWS/system32/config/SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 236/18896 blocks/bytes, unused: 6/1424 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |

6. Clear the Administrator password. Once this is done, log back into Windows by leaving the password blank and pressing Enter.

root@bt:/pentest/passwords/chntpw# ./chntpw /media/0468B080ab53212345/WINDOWS/system32/config/SAM

chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
Hive </media/0468B080ab53212345/WINDOWS/system32/config/SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 236/18896 blocks/bytes, unused: 6/1424 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |

---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : -1 -> Not Set (not installed, good!)
SAM      Account\F             : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)

***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = -1, Unknown-mode

SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!

RID     : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 1 members)

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 116

- - - - User Edit Menu:
1 - Clear (blank) user password
2 – Edit (set new) user password (careful with this on XP or Vista)
3 – Promote user (make user an administrator)
(4 – Unlock and enable user account) [seems unlocked already]
q – Quit editing user, back to user select
Select: [q] > 1
Password cleared!

Hives that have changed:
#  Name
0  </media/0468B080ab53212345/WINDOWS/system32/config/SAM>
Write hive files? (y/n) [n] : y
0  </media/0468B080ab53212345/WINDOWS/system32/config/SAM> - OK
root@bt:/pentest/passwords/chntpw#

7. Restart the PC and log in as
username = Administrator
pass = (leave blank)
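As an added example (not from the original post and not part of chntpw itself), the Python below parses the user table that step 5 prints and decodes the "Account bits" value shown in step 6 into the SAM account-control flags, then lists the findings a forensic reviewer would record from such a listing: a lockout threshold of 0, a minimum password length of 0, and administrator accounts that are enabled. The listing embedded in it is constructed to match the session above; the bit-to-name map follows the layout of chntpw's own Account bits grid and the standard SAM ACB_* flag values (0x0210 on the page is Normal account plus Pwd don't expire). Function names and the short policy keys are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the policy block and user table that chntpw -l prints,
# laid out exactly as in the session above (not captured from a real machine).
SAMPLE_LISTING = """\
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
"""

# SAM account-control bits (the ACB_* flags), named as chntpw labels them in its
# "Account bits" grid. 0x0210 on the page = Normal account + Pwd don't expire.
ACCOUNT_BITS: Dict[int, str] = {
    0x0001: "Disabled",
    0x0002: "Homedir req.",
    0x0004: "Passwd not req.",
    0x0008: "Temp. duplicate",
    0x0010: "Normal account",
    0x0020: "NMS account",
    0x0040: "Domain trust ac",
    0x0080: "Wks trust act.",
    0x0100: "Srv trust act",
    0x0200: "Pwd don't expir",
    0x0400: "Auto lockout",
}


@dataclass
class SamUser:
    rid: int
    username: str
    is_admin: bool
    disabled_or_locked: bool


# A data row has four cells; the first must be a hex RID, which skips the header row.
ROW_RE = re.compile(r"^\|\s*([0-9a-fA-F]+)\s*\|(.*?)\|(.*?)\|(.*?)\|\s*$")
POLICY_RE = re.compile(
    r"^(Failed logins before lockout is|Minimum password length|Password history count)\s*:\s*(\d+)"
)


def parse_policy(text: str) -> Dict[str, int]:
    """Return the three 'SAM policy limits' values keyed by a short name (names are mine)."""
    keys = {
        "Failed logins before lockout is": "lockout_threshold",
        "Minimum password length": "min_password_length",
        "Password history count": "password_history",
    }
    policy: Dict[str, int] = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policy[keys[m.group(1)]] = int(m.group(2))
    return policy


def parse_user_table(text: str) -> List[SamUser]:
    """Parse the '| RID | Username | Admin? | Lock? |' table into SamUser records."""
    users: List[SamUser] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rid_hex, name, admin, lock = m.groups()
        users.append(SamUser(
            rid=int(rid_hex, 16),
            username=name.strip(),
            is_admin=admin.strip().upper() == "ADMIN",
            disabled_or_locked=lock.strip() != "",   # chntpw prints "dis/lock" here
        ))
    return users


def decode_account_bits(value: int) -> List[str]:
    """Expand an 'Account bits' value such as 0x0210 into its flag names."""
    names = [name for bit, name in ACCOUNT_BITS.items() if value & bit]
    leftover = value & ~sum(ACCOUNT_BITS)   # bits chntpw itself labels "unknown"
    if leftover:
        names.append("unknown 0x%04x" % leftover)
    return names


def triage(text: str) -> List[str]:
    """Findings a reviewer would note from a listing: weak policy and live admin accounts."""
    findings: List[str] = []
    policy = parse_policy(text)
    if policy.get("lockout_threshold", 0) == 0:
        findings.append("no account lockout threshold")
    if policy.get("min_password_length", 0) == 0:
        findings.append("minimum password length is 0 (blank passwords allowed)")
    for u in parse_user_table(text):
        if u.is_admin and not u.disabled_or_locked:
            findings.append("enabled administrator: %s (RID %d)" % (u.username, u.rid))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING):
        print(finding)
    print(decode_account_bits(0x0210))
```

Run it directly to see the findings for the sample listing, or feed it saved `chntpw -l` output when documenting the state of a hive before anything is written back. Worth recording alongside those findings: clearing a password with menu option 1 also invalidates whatever Windows protected with that password (the account's DPAPI master keys, and with them EFS-encrypted files and saved credentials), so the account state before the change is the only record of what was lost.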
