Obtaining the administrator password
Author: Dr.T
Friday, 20 September 2002, 14:31 GMT

By: Niklas Bivald / The_deViL (Email: ) Contact me if you want anything. Please note that I am no expert of any kind. I simply like the knowledge.

(!) Note: I take no responsibility for what you might do, and I don't claim that this information is correct. (!)
Obtaining the administrator password in Windows NT/2k/XP. There are plenty of ways of doing this; I will describe some different ones. Remember, this is for educational purposes only. I am no expert in this, and I don't claim to be either, but this guide might help other people learn.

(!) Note: Back up everything before you begin. Chances are you might destroy your computer. You have been warned. Okay? (!!) Note: I am on Win 2k. This article is written based on my knowledge.

Introduction

This article describes how to get hold of the administrator password on Windows NT/2k/XP. It is a rather simple article on password security. As stated above, I am on Windows 2000; I haven't tested these methods myself on NT or XP.

The SAM File

The SAM file is (one of the locations) where the passwords (encrypted, of course) are stored. You can't just go to the directory and copy it; it is slightly more complicated than that.

(!) Note: On Win 2k or newer it (most likely) _will_ be SYSKEY encrypted, which means your favorite cracker won't break it. But there are other ways to get the non-SYSKEY-encrypted password hashes; check the section named Pwdump(2).

Directories where the SAM is stored:

1. (The active SAM file) <windows folder (winnt or windows)>\system32\config\
2. (The "repair" SAM file, used when creating a rescue/repair disc, I believe) <windows folder>\repair\

The file is named SAM or SAM._ or similar.

(!) Note: The second SAM is the one most likely to be removed, since it is only there for the repair/rescue disc. (!!) Note: The SAM file(s) are hidden; if you go through Windows Explorer you probably won't see them.

If you can see them, try to simply copy them. Since you are probably a regular user (otherwise you should go to the section "Pwdump"), you cannot copy (and probably cannot even see) the file. But that's okay.

So how do we get hold of the SAM file? You are going to need a boot disc (or boot CD). The boot disc for Windows 98 works great with some minor changes. If your computer is using NTFS (it probably is), you need a program called NTFSDOS; search Google for it.

Step-by-step:
1. Make a boot disc (I actually used a Windows 98 boot disc, made with a program called win98se-bootfloppy.exe).
2. Copy the file NTFSDOS.exe to it. If you used the Win 98SE boot disc there is no space, so remove fdisk.exe since we don't need it.
3. Boot up the computer (you might need to change the boot order in the BIOS).
4. When you are in DOS, if the computer is using NTFS (not FAT32), run NTFSDOS.exe and it will say something similar to: NTFS partition mounted to X: (where X is the letter for the drive).
5. Go to the partition where your Windows installation is. If your partition is X:, simply type: x:
6. Go to your windows\system32\config directory and copy the SAM._ file (it might not have that exact name). To list the files, type 'dir' or 'dir /p' (without the quotes). The syntax for copying a file to A: (you might need to insert a blank disc) is: copy filename a:
7. Open the SAM file in your favorite cracker, such as L0phtCrack.

Success (!?).

Pwdump(2)

Pwdump, or more exactly Pwdump2, is a great program. You see, the SAM file is SYSKEY encrypted, but Pwdump2 (written by Todd Sabin) pulls the password hash(es) out of OS memory, where they are not SYSKEY encrypted. By using Pwdump2 you can get a non-SYSKEY-encrypted password file and then use your favorite cracker. But Pwdump2 requires admin rights to run.

Pwdump2 is best run from a command prompt (must be running as admin).

Step-by-step (if you have administrator rights on the computer):
1. Download Pwdump2 (hint: www.google.com).
2. Start > Run > cmd. Go to the directory where you have pwdump2.exe and run the command: pwdump2 > password.txt
3. Simply import password.txt (it contains the password hashes) into your favorite password cracker (in L0phtCrack that is Import > Import from PWDUMP file).

If you haven't got administrator rights: first of all, download Pwdump2.zip (hint: www.google.com) and unpack it.

We must have a command prompt running as localhost (Admin).
One way of doing this is replacing logon.scr with cmd.exe: simply rename logon.scr to logonbak.scr and copy cmd.exe to logon.scr.
Then reboot your computer, and when the login (or press-Ctrl-Alt-Del) screen comes up, simply wait. It will take a while, anywhere between 5 and 25 minutes. Then Windows tries to run the default
logon screen saver (logon.scr) and instead runs the renamed cmd.exe as localhost (Admin).

Then simply go to the directory where pwdump2 is and type: pwdump2 > password.txt. This extracts the non-SYSKEY-encrypted hashes from OS memory and saves them in password.txt. Then simply import password.txt (it contains the password hashes) into your favorite password cracker (in L0phtCrack that is Import > Import from PWDUMP file).

Success (!?).
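The screen-saver swap above leaves two things an administrator can check for: logon.scr is no longer a GUI screen saver but a console program (cmd.exe is linked with the console subsystem), and a renamed copy of the original is left behind. The following audit script is an added example, not part of the original article; the PE headers it builds for its self-test are constructed samples, and the paths it checks (logon.scr, cmd.exe, logonbak.scr) are the ones the walkthrough names.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 2, 3  # .scr screen savers are GUI, cmd.exe is console

def pe_subsystem(path: Path):
    """Return the Subsystem field of a PE optional header, or None if the file is not a PE."""
    data = path.read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe_off + 4 + 20  # skip the "PE\0\0" signature and the 20-byte COFF file header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 70:
        return None
    return struct.unpack_from("<H", data, opt + 68)[0]  # Subsystem is at +68 for PE32 and PE32+

def audit_logon_scr(system32: Path) -> list:
    """Flag the swap described above: a console binary, or a clone of cmd.exe, sitting as logon.scr."""
    scr, cmd = system32 / "logon.scr", system32 / "cmd.exe"
    if not scr.is_file():
        return ["logon.scr is missing"]
    findings, sub = [], pe_subsystem(scr)
    if sub != IMAGE_SUBSYSTEM_WINDOWS_GUI:
        findings.append(f"logon.scr has PE subsystem {sub}, expected GUI (2)")
    if cmd.is_file() and hashlib.sha256(scr.read_bytes()).digest() == hashlib.sha256(cmd.read_bytes()).digest():
        findings.append("logon.scr is byte-identical to cmd.exe")
    for leftover in sorted(system32.glob("logon*.scr")):  # the walkthrough leaves logonbak.scr behind
        if leftover.name.lower() != "logon.scr":
            findings.append(f"renamed screen saver left behind: {leftover.name}")
    return findings

def build_minimal_pe(subsystem: int) -> bytes:
    """Constructed sample: just enough MZ/PE header for pe_subsystem(); not a runnable binary."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt = bytearray(72); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

def demo(swapped: bool) -> list:
    """Constructed sample system32: clean, or with logon.scr swapped for a copy of cmd.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp)
        (system32 / "cmd.exe").write_bytes(build_minimal_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI))
        (system32 / "logon.scr").write_bytes(build_minimal_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI))
        if swapped:  # the walkthrough: rename the original, copy cmd.exe in its place
            (system32 / "logon.scr").rename(system32 / "logonbak.scr")
            (system32 / "logon.scr").write_bytes((system32 / "cmd.exe").read_bytes())
        return audit_logon_scr(system32)
```

On a real machine, point audit_logon_scr() at the system32 directory; demo() only exercises the checks against the constructed sample.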

Resetting the administrator password

There are different ways of doing this. You can use software called Windows XP/2000/NT Key. The plus with this program is that you can later reset it back to its original settings. URL: http://www.lostpassword.com/ Another way is to use a different Windows boot loader. More information about this can be found on various sites on the net. I can't say I have enough knowledge to write an article about this. Maybe later.

Conclusion

Hopefully you learned something from this article. That was why I wrote it: for you to read it and learn just a bit more about Windows security, or the lack of it.

Written by: Niklas Bivald
Nickname: The_deViL

Email:
Icq: 35611580

Contact me if you want anything. Please note that I am no expert of any kind. I simply like knowledge.

Copyright © 2000 - 2005 eBCVG IT Security Affiliates