Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

Home

Tutorials

Software

Linux Gaming

Exploiting Windows Weak Password Security Storage Methods

"Learn how to modify the SAM le within the Windows system conguration to remove/change passwords or promote users." --Note To Reader-Please do not use this information to obtain information illegally or do anything that would damage the trust others have put into you. This information is provided as a last-resort for cases such as users forgetting their passwords and needing a method to change their password without creating a new account.

This tutorial will demonstrate how to change or remove any Microsoft Windows password using nothing more than a LiveLinux CD and a small utility called "chntpw" (Change NT Password). Obviously, this utility was created to change Windows NT/2000 passwords, but as it turns out, it works for anything from Windows 95 to Windows 7 (according to other user testamonies). This tutorial will cover the removal of Windows 7 passwords. NOTE: This utility will not work on network logins. Those passwords are stored on the server they log into. This is intended for home PC's with local logins only. REQUIREMENTS: Live Linux CD (Ubuntu 10.04 is used in this tutorial) Internet Access (if utility is not already installed; hard-wired, DSL or faster recommended) Access to the computer with Windows on it "Boot From CD" option enabled in BIOS Name of the Account to remove/change password PERMISSION from computer owner!

How It Works:
Before we begin, let's look at how this utility works. Microsoft Windows stores all of its account information (we're specically interested in the username and password) in a le called the SAM le. If you've done any work in IT or computer security, you've probably heard of this le. It is located in the .../system32/cong/ folder, specically (in most PC's):

1 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

"C:\WINDOWS\system32\cong\SAM". Microsoft Windows locks this le when someone is logged in, so modifying it while logged in is pretty much impossible (though I'm sure there's utilities out there that hault the processes using it, it seems insecure and dangerous to do so). Also, the passwords stored in here are encrypted with a "one-way" encryption method (meaning you can't reverse the encryption process) so decrypting is improbable (but not impossible with brute-force/dictionary attack software like Ophcrack). This is why the utility "chntpw" cannot display the encrypted passwords, only over-writes them. It is much easier to encrypt a new password (or delete it for that matter), than to decrypt it (look up more information on high-security encryption such as PGP (Pretty Good Privacy) which uses large prime numbers as the secret keys, but resulting in an easy way to encrypt, but dicult to decrypt). Because we cannot make changes to the SAM le while logged in, a LiveLinux CD is the perfect solution to this problem. On that note, lets dive right in to step 1...

Step 1: Boot Into A LiveLinux CD

If you do not have a LiveLinux CD (or don't know how to create one), you can visit the tutorial how to make a LiveLinux CD. Some LiveLinux CD's have the utility "chntpw" (the utility we'll be using) already installed, a few would include: BackTrack (any version) KnoppixSTD - Security Tools Distribution SystemRescue CD This tutorial will be using Ubuntu 10.04, which has LiveCD capabilities. Once you have your LiveLinux CD, insert it into the CD tray and boot into it. Most computers will boot from the CD-ROM, but if it does not, you may need to make changes in the BIOS - changing the boot order to include the CD-ROM before the hard drive. The most common boot order is: 1 - Floppy, 2 - CD-ROM, 3 - Hard Drive (most BIOSes only allow three boot methods). If your BIOS is password protected, you can contact your system administrator, or try "tcbebe" as the password (this is the factory default password for any "AWARD! BIOS" chips - which are the most common BIOS chips out there). Wait for your LiveLinux CD to boot (select "live" mode if needed). If not set by default, get into the graphical mode (Ubuntu, BackTrack, and Knoppix:STD does by default). If it does not, you can start the graphical mode by typing "startx": [username@comp.local]$ startx

2 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

Step 2: Get "chntpw" Utility

Now that we are in Linux, let's see if we have the utility installed. If you know you do, you may skip this step. Open a terminal (usually in the "Start Menu" -> Accessories -orTools -> Terminal). In Ubuntu, it's the computer monitor with the ">_" text in it on the task bar (quick-launch button) at the top. To test if you have this utility, type the following: "chntpw -h" [username@comp.local]$ chntpw -h

If you have this utility installed, you will see a list of options. The "-h" option is the "help" for this utility, displaying all of our options. If you do not have it installed, you will see something like: -bash: chntpw: command not found

If you do not have it, you can rst check your distro's repositories to see if it's oered (most of the popular ones should, including Ubuntu). You can get to the repositories by going to "System -> Administration -> Synaptic Package Manager". In the little search box at the top, type "chntpw". When the package comes up, click on the box next to it and select "Mark for Install". Then click on "Apply" and when the next window appears, click on "Apply" again. This will download and install the package for you. You may now skip ahead to step 3. If you do not have the package listed in your repositories, you can download this .deb package for Debian-based systems (Knoppix/Ubuntu). Then open it with the installer.

Step 3: Mount Hard Drive With Write Permissions

Before we can make any changes, we need to mount the main hard drive with write permissions. Some LiveLinux CD's do this automatically (maybe SystemRescue?) but most do not. In Ubuntu, it does not automatically mount hard drives/separate partitions for us, but mounting them with read and write permissions is very simple. To do this, we simply click on "Places". In the drop down menu are 4 sections: Local Folders, System Drives, Network Drives, and Search/Recent Documents. The place we're interested in will be the second section down. If you only have one hard drive (with one partition) in the computer, there will be one logical option. It will most likely label it as the size of the partion followed by "Filesystem". Note in my

3 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

example below, the one hard drive I have is labeled "266 GB Filesystem":

You can determine which hard drive we want (if you have more than one option) by exploring it. Clicking on the hard drive will bring up the same results as if going to the "C:\" drive in Windows. As soon as you open it, you should see a few folders including the "WINDOWS" folder. If you do not see it, you probably have the wrong hard drive. Below is the contents of my example partition:

A few things to note about the above picture: on the side where it lists our drives/folders, notice the "Eject" arrow next to the

4 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

drive name. This shows us that it is mounted, and clicking on that arrow will unmount the drive (like ejecting it). The other thing to notice is the actual location that the drive is mounted on (displayed towards the top). In my example, this partition was mounted at: "/media/C86CA9E56CA9CF0E". Of course, yours will be dierent, but it is important to take note of this location - it may not be a bad idea to write it down, but there are shortcuts to this as long as you can remember the rst few letters.

Step 4: Making A Backup Of The Current SAM File (optional)

It's not a bad idea to make a backup of your SAM le. Doing this will ensure us of being able to x anything that might go wrong. Also, if you only want to remove/change a password temporarily, you can always restore the SAM le later. This will allow you to get into the account, do your business, and then restore the old SAM le which would restore the old password. Making a backup is as easy as "Copy -> Paste". Open the le browser (or click on the hard drive) and navigate to "Windows/System32/cong/". In this folder, nd the SAM le. It will contain no extension. Right-click on it and select "Copy". Now, because LiveLinux CD's run entirely in RAM, and the nature of RAM means it is cleared as soon as we lose power (reboot), anything we have that isn't written to the hard drive will be lost. So we need to copy this le into a seperate media (I suggest using a ash-drive). You can do anything though, like pasting the le into a seperate folder on the hard drive (not really recommended), upload it to a website or email it as an attatchment (REALLY not recommended). Later, once everything is nished and you're done doing what you need in Windows, you can (but don't have to) restore it by booting back into the LiveLinux CD and locating the old SAM le (in the place you kept it - i.e. ash-drive), copying it and pasting it back into the "Windows/System32/cong/" directory. If you do so, remember to select the option that over-writes the old le when prompted.

Step 5: Make Our Changes

Now that we have everything setup (chntpw and write permissions), we can begin. The "chntpw" utility is a text-based program, but it is still very easy to use. Open a terminal and change your directory to the hard drive that has the Windows folder in it. This is where we need that location - in my example, the location was "/media /C86CA9E56CA9CF0E": [username@comp.local]$ cd /media /C86CA9E56CA9CF0E

5 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

The short-cut to this would be typing the "cd /media/" and then typing the rst two or three characters after that, and then pressing the "tab" button. In Linux, pressing tab tells the system to search the directory you have typed so far, and nd the folder that starts with what ever we've typed so far, and auto-ll the rest. So if I typed "cd /media/C86" and pressed "tab", Linux will know what drive I'm talking about, and automatically ll in the rest: "cd /media/C86CA9E56CA9CF0E". Now type "ls" to see the list of directories in our location. You should see the "Windows" folder. If you see this folder, you know you're in the right hard drive. Now change your directory to "Windows/System32/cong/": [username@comp.local]$ cd Windows/System32/cong

And again, type "ls" to see what's in the directory. You should see a le named "SAM". This is what I saw:

Note that the "SAM" le is located pretty much in the middle of the terminal - right below the blue-ish "RegBack" directory. The rst thing we should do is run the "chntpw" utility with the "-l" option to view the list of users there are, and which ones have password protection/administrative rights. To do so, type the following: [username@comp.local]$ chntpw -l SAM

Note that we also have to tell it the name of the SAM le by typing "SAM" at the end of the command:

Already we're given a bunch of information just by analyzying

6 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

this le. For example: we can see that the minimum password length is "8" characters. We can also see that Windows has two built-in accounts for Help Support, and that these accounts are locked. You can also see which of the users have administrative rights, and which ones have password protection. Users who are administrators: Administrator David

And users with passwords: Administrator David HelpAssistant SUPPORT_388945a0

Here is a summary of the "Locked?" values: "dis/lock": either disabled or locked (locked meaning Windows can't blank it's password) "*BLANK*": doesn't require a password to log in empty eld: requires a password that was setup by an administrative user

NOTE: Most of the accounts that may be "locked" mean they require a password and/or are locked out. In the situation of the account "Guest", it is labeled as "dis/lock" because the "Guest" account is not enabled on that Windows. If I were to enable it, there would be a "*BLANK*" value instead. In this tutorial, we're gonna remove the password for the administrator, "Administrator". So we need to call the utility again, only instead of "-l" as the option, we're gonna tell it we want to modify a specic user. We do so by typing "-u" (for user) followed by the user name ("Administrator"), followed by the name of the SAM le (tip - pressing the "up-arrow" brings your last command, so you only have to edit it to look like the following): [username@comp.local]$ chntpw -u Administrator SAM

If you wish to edit a dierent user (probably will...) just type a dierent username than "Administrator". TIP: if we left the "-u username" out, the utility would automatically assume "Administrator" as the user to edit, but for demonstration purpooses, I'm including it in this tutorial. Here's a screenshot of our options once this command is executed:

7 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

We have 5 options: 1 - Clear user password 2 - Edit user password 3 - Promote user 4 - Unlock and enable user account q - Quit editing user, back to user select

The rst two are pretty simple to understand. Clearing the password simply removes the password from this account - so no password is required to login. Editing the password allows us to change the password of this account (I have heard that changing the password in XP and up can cause errors, so try this at your own risk). Note that to do any of these operations, you do NOT need to know the original password. Promoting a user simply makes them an administrator - meaning they can install anything, edit other user accounts, edit system information and such, etc... Unlocking an account means if the user account is locked - their les cannot be accessed by other users, even administrators, and their account is password protected. I've read threads where people accidentally lock themselves out, and can't get back in. If that's the case, this option will x that. Obviously, you can type "q" to quit the editor. Because I want to remove the password for my account, I typed "1" to "Clear user password". If you have successfully changed the permissions for the hard drive, you will see "Password cleared!" and show a list of "Hives" that have changed. It will then ask you if you want to "Write hive les? (y/n) [n] :", type "y" and press enter:

8 of 9

Monday 10 March 2014 06:18 PM

Windows Passwords: Security Hole

http://www3.nd.edu/~dpettifo/tutorials/chntpw.html

Step 6: Reboot
That's pretty much it! Now all you have to do is reboot your computer and you're done! You can reboot by typing: [username@comp.local]$ sudo reboot now

Or by going to the top-right menu (power button) and "Reboot" (or "Shutdown" if you'd prefer) - then clicking "Reboot" when prompted. If something didn't work out right, or you tried changing the password and it didn't take, you can always try this tutorial again, or if you made a backup of the SAM le, simply redo steps 1 and 3 (ommit 2) and put the old SAM le back in "Windows/System32/cong/". I certainly hope this tutorial will save many headaches and help out in the future!

9 of 9

Monday 10 March 2014 06:18 PM