Backtrack 5 R1
/pentest/passwords/chntpw
1. Find a PC with Windows installed. chntpw works offline against the registry hives, so you need access to the disk, not a Windows logon.
2. Boot BackTrack from a USB stick, mount the Windows partition read-write (chntpw has to write the hive back), and locate the SAM file at WINDOWS/system32/config/SAM on the mounted volume (in the transcript below it is mounted under /media/0468B080ab53212345).
3. Change to the chntpw folder.
root@bt:~# cd /pentest/passwords/chntpw
root@bt:/pentest/passwords/chntpw#
4. Options (run chntpw with no arguments to print them)
root@bt:/pentest/passwords/chntpw# ./chntpw
chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
chntpw: change password of a user in a NT/2k/XP/2k3/Vista/Win7 SAM file,
or invoke registry editor. Should handle both 32 and 64 bit windows
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u <user> Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!
5. List the usernames in the SAM (not required to change a password, but useful to see which accounts exist and which are admin or locked).
root@bt:/pentest/passwords/chntpw# ./chntpw -l /media/0468B080ab53212345/WINDOWS/system32/config/SAM
chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
Hive </media/0468B080ab53212345/WINDOWS/system32/config/SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 236/18896 blocks/bytes, unused: 6/1424 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
6. Clear (blank) the Administrator password. Administrator is chntpw's default; use -u <user> for another account. chntpw warns below that it cannot disable SYSKEY because only the SAM hive was given; blanking the password still works without it (the hash is removed rather than rewritten), but pass the SYSTEM hive as the second argument, per the usage line in step 4, if you want the SYSKEY check to load it. Note that blanking the password makes that account's EFS-encrypted files and DPAPI-protected secrets (saved credentials) unrecoverable, because their keys are derived from the old password. Once the hive is written, log back into Windows with a blank password.
root@bt:/pentest/passwords/chntpw# ./chntpw /media/0468B080ab53212345/WINDOWS/system32/config/SAM
chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
Hive </media/0468B080ab53212345/WINDOWS/system32/config/SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 236/18896 blocks/bytes, unused: 6/1424 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = -1, Unknown-mode
SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 1 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 116
- - - - User Edit Menu:
1 – Clear (blank) user password
2 – Edit (set new) user password (careful with this on XP or Vista)
3 – Promote user (make user an administrator)
(4 – Unlock and enable user account) [seems unlocked already]
q – Quit editing user, back to user select
Select: [q] > 1
Password cleared!
Hives that have changed:
# Name
0 </media/0468B080ab53212345/WINDOWS/system32/config/SAM>
Write hive files? (y/n) [n] : y
0 </media/0468B080ab53212345/WINDOWS/system32/config/SAM> - OK
root@bt:/pentest/passwords/chntpw#
7. Restart the PC and log in as:
username = Administrator
pass = (leave blank)
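The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that mounts the Windows volume, finds the SAM and SYSTEM hives regardless of directory case, parses the table that chntpw -l prints (step 5) and blanks a chosen user's password non-interactively by feeding chntpw the same menu answers the transcript shows (1, q, y). The function names, the use of blkid and ntfs-3g, the default chntpw path and the embedded sample listing are assumptions of this example, not from the page.

```shell
#!/bin/sh
# Added example, not part of the original post: the BackTrack chntpw
# procedure wrapped in shell functions so it can be run in one go.
# Assumptions (hypothetical, not from the page): blkid, ntfs-3g and GNU
# find are available, and chntpw lives at $CHNTPW (default: BackTrack path).

CHNTPW=${CHNTPW:-/pentest/passwords/chntpw/chntpw}

# Mount the first NTFS partition read-write at $1 (chntpw must write the hive).
mount_windows() {
    dev=$(blkid -t TYPE=ntfs -o device | head -n 1)
    [ -n "$dev" ] || { echo "no NTFS partition found" >&2; return 1; }
    mkdir -p "$1" && mount -t ntfs-3g -o rw "$dev" "$1"
}

# Find a registry hive ($2 = SAM or SYSTEM) under mount point $1, matching
# directory names case-insensitively (WINDOWS/system32 vs Windows/System32).
find_hive() {
    find "$1" -maxdepth 4 -type f -ipath "*/system32/config/$2" 2>/dev/null | head -n 1
}

# Turn the user table printed by "chntpw -l" (step 5) into one line per
# account: "<rid> <username> admin=yes|no lock=yes|no".
parse_users() {
    awk -F'|' '
        /^[|] *[0-9a-f][0-9a-f][0-9a-f][0-9a-f] *[|]/ {
            rid = $2; name = $3; adm = $4; lock = $5
            gsub(/^ +| +$/, "", rid); gsub(/^ +| +$/, "", name)
            gsub(/ /, "", adm);        gsub(/ /, "", lock)
            printf "%s %s admin=%s lock=%s\n", rid, name, (adm == "" ? "no" : "yes"), (lock == "" ? "no" : "yes")
        }'
}

# Constructed sample of the step-5 table, used to exercise parse_users offline.
SAMPLE_LISTING=$(cat <<'EOF'
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
EOF
)

# List accounts on the volume mounted at $1.
list_users() {
    "$CHNTPW" -l "$(find_hive "$1" SAM)" | parse_users
}

# Blank the password of user $2 (default Administrator, chntpw's own default)
# on the volume mounted at $1. Answers the edit menu non-interactively:
# 1 = clear password, q = leave the user menu, y = write the hive.
# The SYSTEM hive is passed as well so chntpw's SYSKEY check (step 6) can
# load it; blanking works without it, as the transcript above shows.
clear_password() {
    sam=$(find_hive "$1" SAM); system=$(find_hive "$1" SYSTEM)
    [ -n "$sam" ] || { echo "SAM hive not found under $1" >&2; return 1; }
    printf '1\nq\ny\n' | "$CHNTPW" -u "${2:-Administrator}" "$sam" $system
}

# Usage: sh reset.sh /media/0468B080ab53212345 [username]
if [ $# -ge 1 ]; then
    list_users "$1" && clear_password "$1" "$2"
fi
```

Run it with the mount point as the first argument after mount_windows (or a manual mount) has put the Windows volume in place; with no arguments it only defines the functions, so parse_users can be tried on SAMPLE_LISTING first. The SYSTEM hive variable is deliberately left unquoted so that a missing hive simply drops the argument; mount points containing spaces would need a different approach.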