Saturday, 16 July 2011

chntpw - the Offline NT password Editor !

As explained in Wikipedia, chntpw is a software utility for resetting or blanking local passwords used by Windows NT, 2000, XP, Vista, and 7. It does this by editing the SAM database where Windows stores password hashes.
I know many of you would be already knowing this or other methods e.g. utilman method.



Now first of all you need a BackTrack LiveCD or any other Security Distro with chnptw pre-installed or you can download it afterwards from BackTrack repository.

Steps to follow :
1. Boot your system using BackTrack LiveCD.

2. Mount your partition containing Windows.

root@bt:~# fdisk -l


   Device Boot      Start         End      Blocks           Id   System
/dev/sda1   *           1          10683    85811166      83  Linux
/dev/sda2           10684       14762    32764567+   83  Linux
/dev/sda3           14801       56885   338047762+    f  W95 Ext'd (LBA)
/dev/sda4           56886       60801    31455270       7  HPFS/NTFS
/dev/sda5           14802       32664   143484547+   7  HPFS/NTFS
/dev/sda6           32665       56885   194555151    83  Linux

root@bt:~# cd /media; mkdir dex
root@bt:~# mount -t ntfs /dev/sda3  /media/dex
      
Note - /dev/sda4 is partition containing Windows and /media/dex is the mount point.

3. Fire up chntpw.

Though it is pretty explanatory but here's an example as how to remove password from an Admin account which is locked.

root@bt:~# cd /pentest/passwords/chntpw/
root@bt:/pentest/passwords/chntpw#
root@bt:/pentest/passwords/chntpw# find /media/dex/ -iname sam
/media/dex/Windows/System32/config/RegBack/SAM
/media/dex/Windows/System32/config/SAM
^C
root@bt:/pentest/passwords/chntpw# ./chntpw -i /media/dex/Windows/System32/config/SAM

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </media/dex/Windows/System32/config/SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> 1
===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username -------------| Admin?   |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03e8 | Dexter                             | ADMIN  | dis/lock |
| 01f5 | Guest                               |                | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Administrator

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Administrator

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 4
Unlocked!              [note- this step is important as the Admin account was  locked]

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </media/dex/Windows/System32/config/SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> q


Hives that have changed:
 #  Name
 0  </media/dex/Windows/System32/config/SAM>
Write hive files? (y/n) [n] : y
0  </media/dexWindows/System32/config/SAM> - OK
root@bt:/pentest/passwords/chntpw#


It's done. Next time you login to your Windows with username Administrator and no password... :)

No comments:

Post a Comment