
[OS Password] Offline NT Password Crack


Forgot your NT admin password?

Reinstall? Oh no... But not any more...


  • This is a utility to (re)set the password of any user that has a valid (local) account on your NT system.
  • You do not need to know the old password to set a new one.
  • It works offline, that is, you have to shut down your computer and boot off a floppy disk or CD.
  • Will detect and offer to unlock locked or disabled user accounts!
  • It is also an almost fully functional registry editor!

NT stores its user information, including crypted versions of the passwords, in a file called 'sam', usually found in \winnt\system32\config. This file is a part of the registry, in a binary format previously undocumented, and not easily accessible. But thanks to a German(?) named B.D, I've now made a program that understands the registry.

THIS SOFTWARE COMES WITH NO WARRANTY WHATSOEVER. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE CAUSED BY THE (MIS)USE OF THIS SOFTWARE!
It's VERY ALPHA yet, and relies heavily on undocumented structures and methods. You have been warned!

No problem.. It's right here, and free!



Offline NT Password & Registry Editor, Bootdisk / CD


I've put together a single floppy or CD which contains things needed to edit the passwords on most systems.

The bootdisk should support most of the more usual disk controllers. You most likely have to select "d" to auto-load the drivers, it should then detect PCI based hardware. For ISA hardware, you have to load manually. Both PS/2 and USB keyboard supported.

Tested on: NT 3.51, NT 4 (all versions and SPs), Windows 2000 (all versions & SPs), Windows XP (all versions, also SP2), Windows Server 2003 (all SPs), Windows Vista 32 and 64 bit.

DANGER WILL ROBINSON!
If used on users that have EFS encrypted files, and the system is XP or Vista, all encrypted files for that user will be UNREADABLE and cannot be recovered unless you remember the old password again.
If you don't know whether you have encrypted files or not, you most likely don't have them (except maybe on corporate systems).

Please see the Frequently Asked Questions and the version history below before emailing questions to me. Thanks!

Also take a look at Grenier's DOS port

How to fix it if you lost your admin password for your ActiveDirectory. Thanks to John Simpson.

Other ways to recover lost password etc at MCSE World


How to use?

Yes, long text. Please read it all and the FAQ before mailing me questions

If you have the CD, all drivers are included. If you use the floppy, and you need the SCSI-drivers set, either prepare a floppy with the scsi-drivers .zip file unzipped (in \scsi), or put a selection of the drivers you need in the \scsi folder on the main floppy, there should be enough space for maybe a couple of drivers. In the latter case you don't need to carry around and swap floppies.

Overview

  1. Disk select, tell which disk contains the Windows system. Optionally you will have to load drivers.
  2. PATH select, where on the disk is the system?
  3. File select, which parts of registry to load, based on what you want to do.
  4. Password reset or other registry edit.
  5. Write back to disk (you will be asked)

DON'T PANIC!! - Most questions can usually be answered with the default answer which is given in [brackets]. Just press enter/return to accept the default answer.

1. DISK SELECT

Which disk contains your Windows system?

=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/sda: 2147 MB, 2147483648 bytes
NT partitions found:
 1 :   /dev/sda1    2043MB  Boot

Please select partition by number or
a = show all partitions, d = automatically load new disk drivers
m = manually load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1] 
  • For most machines only one disk and partition is listed, if so, just go with selection 1 (default)
  • Otherwise select the partition
  • Note: When booting from a USB drive, the USB drive itself may often show up as number 1 instead of the machine's built-in drives.
  • If no disks or not all disks are shown, you may need to load disk drivers, for SCSI-controllers (or some IDE-raid controllers). Select d to go to the driver select menu for auto-probe (based on what's found on the PCI bus)
  • If auto-probe won't work, you may have to load something manually, select m to do that (like the old system)

2. HOW TO MANUALLY LOAD DRIVERS

Try auto-probe (d) first, only do this if you have to manually try to load some or all drivers.

Select: [1] m
==== DISK DRIVER / SCSI DRIVER select ====
You may now insert or swap to the SCSI-drivers floppy
Press enter when done: 
Found 1 floppy drives
Found only one floppy, using it..
Selected floppy #0
Mounting it..
Floppy selection done..
SCSI-drivers found on floppy:

1 BusLogic.o.gz
2 aic7xxx.o.gz
3 sym53c8xx.o.gz
[ ... ]

SCSI driver selection:
  a - autoprobe for the driver (try all)
  s - swap driver floppy
  q - do not load more drivers
  or enter the number of the desired driver

SCSI driver select: [q] 
  • Select a for auto-probe, it will try to load all drivers, and stop when one loads properly. Some drivers may need more driver modules, so you may have to redo the auto-probe several times.
  • Or if you know what you want, just enter its number or name.
SCSI driver select: [q] a
[ BusLogic.o.gz ]
Using /tmp/scsi/BusLogic.o
PCI: Found IRQ 11 for device 00:10.0

[.... lots of driver / card info ...]

scsi0: *** BusLogic BT-958 Initialized Successfully ***
scsi0 : BusLogic BT-958
  Vendor: FooInc   Model: MegaDiskFoo  Rev: 1.0 
  Type:   Direct-Access                      ANSI SCSI revision: 02

[ ... ]

Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
SCSI device sda: 8388608 512-byte hdwr sectors (4295 MB)
Partition check:
 /dev/scsi/host0/bus0/target0/lun0: p1
Driver BusLogic.o.gz loaded and initialized.

  • You may then quit the selection with q or try for more drivers.
  • When you quit, you will get back to the disk select (see above) and hopefully see more disks.

3. PATH AND FILE SELECT

Where's the Windows system located?

On the selected partition/disk, the main files for Windows can theoretically be anywhere, and we must find the registry files to be able to edit them. There are however some usual places:

  • winnt35/system32/config - Windows NT 3.51
  • winnt/system32/config - Windows NT 4 and Windows 2000
  • windows/system32/config - Windows XP/2003 and often Windows 2000 upgraded from Windows 98 or earlier.

These usual paths will be checked, and if found, they will be suggested as the default.

Selected 1
Mounting on /dev/ide/host0/bus0/target0/lun0/part1
NTFS volume version 3.1.
Filesystem is: NTFS

=========================================================
. Step TWO: Select PATH and registry files
=========================================================
What is the path to the registry directory? (relative to windows disk)
[windows/system32/config] : 
-r--------    1 0        0          262144 Jan 12 18:01 SAM
-r--------    1 0        0          262144 Jan 12 18:01 SECURITY
-r--------    1 0        0          262144 Jan 12 18:01 default
-r--------    1 0        0         8912896 Jan 12 18:01 software
-r--------    1 0        0         2359296 Jan 12 18:01 system
dr-x------    1 0        0            4096 Sep  8 11:37 systemprofile
-r--------    1 0        0          262144 Sep  8 11:53 userdiff

Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] : 
  • If the directory is correct, something like the above will be listed (it may vary a bit..)
  • You may then choose some canned answers based on what you want to do.
  • Password reset is the default, and most used.
  • Option 2, RecoveryConsole is for setting 2 parameters that the Windows 2000 and newer RecoveryConsole (boot from CD, select Recovery and console mode) uses. One of the parameters allows RecoveryConsole to be run without it prompting for the admin password. If you do not know what RecoveryConsole is, don't bother. Or go search the net..
  • Or if you want to do manual edit of registry, select your hives to load. Enter all names on one line with space between.

We select 1 to edit passwords..

4. PASSWORD RESET

Everything is set and ready, let's roll!

=========================================================
. Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.2 040105, (c) Petter N Hagen

[.. some file info here ..]

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <sam> <system> <security>

  1 - Edit user data and passwords
  2 - Syskey status & change
  3 - RecoveryConsole settings
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> 1

===== chntpw Edit User Info & Passwords ====

RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03eb, Username: <pnh>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] 

Here you can enter the username you want to reset the password for. NOTE: It is case-sensitive, write it exactly as listed (without the < and > of course)

Or if the name uses some characters that cannot be displayed, enter its ID number (RID) in hex, like this: 0x1f4 would select Administrator.

We select the default, which is administrator.

RID     : 0500 [01f4]
Username: Administrator
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 3

* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *

Some information is displayed. Also, if the account is locked, you will be asked if you wish to unlock it (not shown here)
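As an added audit helper (not code from chntpw or its author), the following Python parses the user listing shown above and decodes the "Account bits" word in the order of the 3x5 grid; the flag values, the condition behind the "*disabled or locked*" marker and what an unlock clears are assumptions stated in the comments, not taken from the page.

```python
import re

# Added audit helper (not code from chntpw or its author). Parses the user
# listing chntpw prints and decodes the "Account bits" word using the bit
# order of the 3x5 grid shown above. Assumption: bit i of the word is the
# i-th label in that grid (these are the SAM USER_ACCOUNT_CONTROL flags).
ACB_LABELS = [
    "Disabled", "Homedir req.", "Passwd not req.",
    "Temp. duplicate", "Normal account", "NMS account",
    "Domain trust ac", "Wks trust act.", "Srv trust act",
    "Pwd don't expir", "Auto lockout", "(unknown 0x08)",
    "(unknown 0x10)", "(unknown 0x20)", "(unknown 0x40)",
]
ACB_BIT = {label: 1 << i for i, label in enumerate(ACB_LABELS)}
LOCK_MASK = ACB_BIT["Disabled"] | ACB_BIT["Auto lockout"]

# "RID: 01f4, Username: <Administrator>" with an optional lock marker
USER_LINE = re.compile(
    r"RID:\s*([0-9a-fA-F]+),\s*Username:\s*<([^>]*)>(,\s*\*disabled or locked\*)?")

def parse_user_list(text: str) -> list[dict]:
    """Return one dict per listed user: rid (int), name, flagged (bool).
    chntpw prints RIDs in hex, so 01f4 is decimal 500, the built-in Administrator."""
    return [{"rid": int(m.group(1), 16), "name": m.group(2), "flagged": m.group(3) is not None}
            for m in USER_LINE.finditer(text)]

def parse_account_bits(line: str) -> int:
    """Extract the hex word from a line such as 'Account bits: 0x0210 ='."""
    return int(re.search(r"Account bits:\s*0x([0-9a-fA-F]+)", line).group(1), 16)

def decode_acb(bits: int) -> list[str]:
    """Labels of all set bits, in the grid's display order."""
    return [label for i, label in enumerate(ACB_LABELS) if bits & (1 << i)]

def is_locked_or_disabled(bits: int) -> bool:
    """Assumed condition behind '*disabled or locked*': Disabled or Auto lockout set."""
    return bool(bits & LOCK_MASK)

def unlock(bits: int) -> int:
    """What an unlock amounts to at the bit level (assumption): clear those two bits only."""
    return bits & ~LOCK_MASK

# Sample input taken from the listing shown on this page
SAMPLE_LIST = """\
RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
"""
```

Running decode_acb(parse_account_bits("Account bits: 0x0210 =")) on the Administrator entry above gives exactly the two [X] fields of the grid, Normal account and Pwd don't expir.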

We go for the blank password option (*) WHICH IS HIGHLY RECOMMENDED over setting a new one.

Please enter new password: *
Blanking password!

Do you really wish to change it? (y/n) [n] y
Changed!


Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !

! brings us back to the main menu here.

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <sam> <system> <security>

  1 - Edit user data and passwords
  2 - Syskey status & change
  3 - RecoveryConsole settings
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> q

5. WRITING OUT THE CHANGES

Everything has been done, time to commit the changes.

Hives that have changed:
 #  Name
 0  <sam>  - OK

=========================================================
. Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y

THIS IS YOUR LAST CHANCE! If you answer y here there will be a write to disk!

Writing  sam

***** EDIT COMPLETE *****

You can try again if it somehow failed, or you selected wrong
New run? [n] : n

That was all.

Please answer n here and then reboot, CTRL-ALT-DEL. Remember to remove the floppy or CD.

What can go wrong?

Lots of things can go wrong, but most faults won't damage your system.

The most critical moment is when writing back the registry files to NTFS.

The most common problem is that the computer was not cleanly shut down, and the disk won't be written back correctly (it says: read only filesystem). If so, boot into Windows Safe Mode (F8 before the Windows logo appears) and shut down from the login window.

Also, see the FAQ for help with other common problems.

For people who know Linux: you may do things manually if the scripts fail, you have shells on tty1-tty4 (ALT F1 - ALT F4).

Download

Note: Some links may be offsite.

  • cd070409.zip (~3MB) - Bootable CD image. (md5sum: ffb92d9ffafaa6ed06e9b98fc14f707d )

    Bootable USB drive may be made from the files on the CD. See readme.txt on the CD.

    Last floppy release (it is old). WARNING: WILL CORRUPT WINDOWS VISTA!

  • bd050303.zip (~1.1MB) - Bootdisk image, date 050303 (md5sum: 4c85bc15286e69f9fd347e07711636eb)
  • sc050303.zip (~1.4MB) - SCSI-drivers (050303) (only use newest drivers with newest bootdisk, this one works with bd050303) (md5sum: 745a1889b6580bc8f1bfb565e73666d3)

Previous versions may sometimes be found here (also my site)

NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.

How to make the CD

Unzipped, there should be an ISO image file (cd??????.iso). This can be burned to CD using whatever burner program you like, most support writing ISO-images. Often double-clicking on it in Explorer will pop up the program offering to write the image to CD. Once written, the CD should only contain some files like "initrd.gz", "vmlinuz" and some others. If it contains the image file "cd??????.iso" you didn't burn the image but instead added the file to a CD. I cannot help with this, please consult your CD-software manual or friends.

The CD will boot with most BIOSes, see your manual on how to set it to boot from CD. Some will auto-boot when a CD is in the drive, some others will show a boot-menu when you press ESC or F10/F12 when it probes the disks, some may need to have the boot order adjusted in setup.

How to make the floppy

The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block.

  • Unzip the bd zip file to a folder of your choice.
  • There should be 3 files: bdxxxxxx.bin (the floppy image) and rawrite2.exe (the image writing program), and install.bat which uses rawrite2 to write the .bin file to floppy.
  • Insert a floppy in drive A: NOTE: It will lose all previous data!
  • Run (doubleclick) install.bat and follow the on-screen instructions.
  • Thanks to Christopher Geoghegan for the install.bat file (some of it ripped from memtest86 however)

Or from unix:

dd if=bd??????.bin of=/dev/fd0 bs=18k

How to make and use the drivers floppy

NOTE: Not all files will fit on a floppy, so leave out what you think you do not need!

  • Format (or delete all contents) on a floppy
  • Unzip the drivers you think you may need to it
  • Files with names ending in .ko.gz should end up in a directory called scsi
  • Be sure to also include the files moddep.gz and pcitable.gz, they are the dependency list, and pci mappings.
  • To use, at the disk select menu, select 'd' to auto-load, and you will be asked to swap to the drivers floppy when needed.


Bootdisk credits and license

Most of the stuff on the bootdisk is either GPL, BSD or similar license, you can basically do whatever you want with all of it, the sourcecode and licenses can be found at their sites, I did not change/patch anything.

The "chntpw" program (password changer, registry editor) is licensed under GNU GPL v2. COPYING.txt

Stuff I used, big thanks: