Resetting Windows passwords using a 4 MB bootable USB or CD
I had written an earlier tutorial on resetting Windows passwords from BackTrack with the chntpw utility. Now, instead of booting the whole of BackTrack, you can make a live CD or bootable USB stick that carries only chntpw. The image is about 4 MB, so you can keep it with you and build a fresh one in no time.
Secondly, there are no commands to remember: every prompt has a sensible default, so resetting a password is mostly a matter of pressing Enter.
This makes it the simplest way to get into any Windows machine through a local account, provided you have physical access and the disk is not encrypted. Note that chntpw does not recover (crack) the existing password; it blanks or replaces the password hash stored on disk, so the change is visible to the account's owner the next time they log in.
Overview of chntpw
- This is a utility to reset the password of any user that has a valid local account on your Windows system.
- Supports all Windows versions from NT 3.5 to Windows 7, including 64-bit editions and the Server versions (such as 2003 and 2008).
- You do not need to know the old password to set a new one.
- It works offline: you shut the computer down and boot from a CD or USB stick to do the password reset. The SAM hive must be readable, so a volume protected by full-disk encryption such as BitLocker has to be unlocked first.
- Only local accounts can be edited. Domain accounts live in Active Directory on the domain controller, not in the local SAM.
- It will detect locked-out or disabled user accounts and offer to unlock and enable them.
- Caveat: on Windows XP and later, resetting a local password this way makes any files that user encrypted with EFS unreadable, because the keys protecting them are derived from the old password. Blanking the password is the safer choice; the tool itself warns about setting a new password on XP or Vista.
- There is also a registry editor and other registry utilities that work under Linux/Unix and can be used for things other than password editing.
A little bit of theory
Windows stores its local user information, including the hashes of the users' passwords (the LM and NT hashes, not the passwords themselves), in a file called SAM, usually found in \windows\system32\config. This file is a registry hive in a binary format that was undocumented for a long time, and it cannot be edited while Windows is running because the kernel holds it open. Booted from another system, chntpw can parse the hive and edit the account records in place, which is all a reset needs: blanking the password means removing the stored hash, so the tool never has to decrypt or crack anything.
Download links
The boot CD and USB zip images are published on the project page, http://pogostick.net/~pnh/ntpasswd/ (the address shown in the tool's banner below).
How to make a bootable USB drive
1. Copy all the files inside the usbXXXXXX.zip (or on the CD) onto a USB drive, directly in the root of the drive, not inside any directory/folder.
2. It is OK if there are other files on the USB drive from before; they will not be removed.
3. Install the bootloader on the USB drive from a Windows command prompt (start the command line with "Run as administrator" if possible):
X:\syslinux.exe -ma X:
4. Replace X: with the drive letter the USB drive shows up as (DO NOT USE C:; that would overwrite the boot sector of your own system drive).
5. If it seems like nothing happened, it is usually done; syslinux prints nothing on success.
6. A file named ldlinux.sys may appear on the USB drive; that is normal and is the sign that the bootloader was written.
It should now in theory be bootable.
Instructions for making the bootable USB stick or CD are also given in the readme files shipped with the respective downloads.
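The six steps above, scripted with the checks the warnings call for. This is an added example, not part of the chntpw distribution: it wraps the same X:\syslinux.exe -ma X: command, refuses the C: drive, verifies the target is a removable drive (via the Windows GetDriveTypeW call, an assumption about the environment), copies every file in the zip to the root without subdirectories, and treats the appearance of ldlinux.sys as the success check. The zip path and drive letter are command-line arguments; it must be run from an elevated Windows prompt.

```python
"""Build the chntpw USB stick: flat copy of the zip, then syslinux -ma.

Added example (not chntpw's own code). Assumes syslinux.exe is one of the
files inside the zip and that we run on Windows with administrator rights.
"""
import ctypes
import os
import subprocess
import sys
import zipfile

DRIVE_REMOVABLE = 2  # GetDriveTypeW result for USB sticks


def normalize_drive(drive):
    """Turn 'e', 'E:' or 'E:\\' into 'E:' and refuse the system drive (step 4)."""
    letter = drive.strip().rstrip("\\/").rstrip(":").upper()
    if len(letter) != 1 or not letter.isalpha():
        raise ValueError(f"not a drive letter: {drive!r}")
    if letter == "C":
        raise ValueError("refusing to install a bootloader on C:")
    return letter + ":"


def is_removable(drive):
    """Windows-only check that the letter really belongs to a removable drive."""
    if sys.platform != "win32":
        raise RuntimeError("drive type check needs Windows")
    return ctypes.windll.kernel32.GetDriveTypeW(drive + "\\") == DRIVE_REMOVABLE


def copy_flat(zip_path, drive):
    """Step 1: every file in the zip lands in the drive root, no subdirectories."""
    written = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = os.path.basename(info.filename)
            with zf.open(info) as src, open(os.path.join(drive + "\\", name), "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written  # existing files on the stick are left alone (step 2)


def install_bootloader(drive):
    """Step 3: X:\\syslinux.exe -ma X:  (prints nothing on success, step 5)."""
    subprocess.run([os.path.join(drive + "\\", "syslinux.exe"), "-ma", drive], check=True)
    # Step 6: ldlinux.sys showing up is the sign the bootloader was written.
    return os.path.exists(os.path.join(drive + "\\", "ldlinux.sys"))


def make_bootable_usb(zip_path, drive):
    drive = normalize_drive(drive)
    if not is_removable(drive):
        raise RuntimeError(f"{drive} is not a removable drive")
    files = copy_flat(zip_path, drive)
    if "syslinux.exe" not in files:
        raise RuntimeError("zip did not contain syslinux.exe")
    if not install_bootloader(drive):
        raise RuntimeError("syslinux ran but ldlinux.sys is missing")
    return files


if __name__ == "__main__":
    # usage: python make_usb.py usbXXXXXX.zip E:
    print(make_bootable_usb(sys.argv[1], sys.argv[2]))
```

The drive-letter check is deliberately strict: syslinux -ma rewrites the MBR and marks the partition active, so pointing it at the wrong letter breaks that disk's boot, which is why the page shouts DO NOT USE C:.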
Working
Get the machine to boot from the CD or USB drive (change the boot order in the BIOS or use its one-time boot menu). The tool then walks through these steps, each with a default you can accept by pressing Enter:
- Load drivers (usually automatic, but you can select them manually)
- Disk select: tell it which disk contains the Windows system. Optionally you may have to load additional disk drivers here.
- Path select: where on the disk is the Windows installation (normally windows/system32/config)?
- File select: which parts of the registry (hives) to load, based on what you want to do.
- Password reset or other registry edit.
- Write back to disk (you will be asked to confirm).
Output
Once chntpw has booted, a complete session looks like this. Defaults are shown in brackets; the answers typed by the user follow the arrow (here: 1 to edit users, the username admin, 1 to blank the password, ! to go back, q to quit and y to write the changes):
***************************************************************************
* *
* Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD *
* *
* (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2 *
* *
* DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES! *
* THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE *
* CAUSED BY THE (MIS)USE OF THIS SOFTWARE *
* *
* More info at: http://pogostick.net/~pnh/ntpasswd/ *
* Email : pnh@pogostick.net *
* *
* CD build date: Sun Sep 23 14:15:35 CEST 2007 *
***************************************************************************
======== chntpw Main Interactive Menu ========
Loaded hives:
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] ->1
===== chntpw Edit User Info & Passwords ====
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  |          |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ec | grumf1                         |        |          |
| 03ed | grumf2                         |        |          |
| 03ee | grumf3                         |        |          |
| 01f5 | Guest                          |        | dis/lock |
| 03ea | jalla1                         | ADMIN  | *BLANK*  |
| 03eb | jalla2                         |        | *BLANK*  |
| 03e9 | petro                          | ADMIN  | *BLANK*  |
Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Administrator] admin
RID : 1000 [03e8]
Username: admin
fullname:
comment :
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 4 members)
Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |
Failed login count: 0, while max tries is: 0
Total login count: 3
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Administrator] !
======== chntpw Main Interactive Menu ========
Loaded hives:
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> q
Hives that have changed:
# Name
0 - OK
=========================================================
¤ Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y
Writing sam
***** EDIT COMPLETE *****
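What the "Clear (blank) user password" and "Unlock and enable user account" choices actually change on disk, as an added example that ties the theory section to the transcript above. This is not chntpw's code: it decodes the two values each user key in the SAM hive holds, F (fixed fields: RID, account-control bits, counters) and V (variable fields: username and the SYSKEY-encrypted hashes), using the offsets from chntpw's sam.h and the samdump2/creddump family (RID at 0x30 and account bits at 0x38 in F; name, LM and NT (offset, length) pairs at 0x0c, 0x9c and 0xa8 in V, relative to a 0xcc-byte header). Those offsets are stated from memory and should be checked against a real hive; the two records are constructed inline to mirror the admin and Administrator rows of the transcript, and the hash blobs are dummy bytes.

```python
"""Decode and edit the per-user SAM records that chntpw works on.

Added example, not code from chntpw. Offsets follow chntpw's sam.h /
creddump (an assumption from memory; verify on a real hive). The sample
records are constructed to match the transcript's 'admin' and 'Administrator'.
"""
import struct

# USER_ACCOUNT_CONTROL bits in the 16-bit ACB field of F, in the order of
# chntpw's "Account bits" table.
ACB_FLAGS = [
    (0x0001, "Disabled"), (0x0002, "Homedir req."), (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"), (0x0010, "Normal account"), (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"), (0x0080, "Wks trust act."), (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"), (0x0400, "Auto lockout"),
]
ACB_DISABLED, ACB_AUTOLOCK = 0x0001, 0x0400

# F: fixed-size record of 0x50 bytes.
F_SIZE, F_RID, F_ACB, F_FAILED = 0x50, 0x30, 0x38, 0x40  # logon count follows at 0x42
# V: 0xCC-byte header of (offset, length, unused) triplets, then the data.
V_HEADER = 0xCC
V_NAME, V_LM, V_NT = (0x0C, 0x10), (0x9C, 0xA0), (0xA8, 0xAC)  # (offset field, length field)


def parse_f(f):
    """RID, account-control bits and the two counters chntpw prints."""
    rid, = struct.unpack_from("<I", f, F_RID)
    acb, = struct.unpack_from("<H", f, F_ACB)
    failed, logins = struct.unpack_from("<HH", f, F_FAILED)
    return {"rid": rid, "acb": acb, "failed": failed, "logins": logins}


def acb_names(acb):
    return [name for bit, name in ACB_FLAGS if acb & bit]


def _v_field(v, spec):
    off, = struct.unpack_from("<I", v, spec[0])
    ln, = struct.unpack_from("<I", v, spec[1])
    return v[V_HEADER + off:V_HEADER + off + ln]


def parse_v(v):
    """Username plus the lengths of the stored (still SYSKEY-encrypted) hashes."""
    return {"username": _v_field(v, V_NAME).decode("utf-16-le"),
            "lm_len": len(_v_field(v, V_LM)), "nt_len": len(_v_field(v, V_NT))}


def lock_column(acb, nt_len):
    """The 'Lock?' column of chntpw's user list."""
    if acb & (ACB_DISABLED | ACB_AUTOLOCK):
        return "dis/lock"
    return "*BLANK*" if nt_len == 0 else ""


def unlock_and_enable(f):
    """Menu item 4: clear the disabled and auto-lockout bits in F."""
    out = bytearray(f)
    acb, = struct.unpack_from("<H", out, F_ACB)
    struct.pack_into("<H", out, F_ACB, acb & ~(ACB_DISABLED | ACB_AUTOLOCK))
    return bytes(out)


def clear_password(v):
    """Menu item 1: zero both hash lengths; a zero-length NT hash is a blank password."""
    out = bytearray(v)
    struct.pack_into("<I", out, V_LM[1], 0)
    struct.pack_into("<I", out, V_NT[1], 0)
    return bytes(out)


def build_f(rid, acb, failed=0, logins=0):
    """Constructed F record with only the decoded fields populated."""
    f = bytearray(F_SIZE)
    struct.pack_into("<I", f, F_RID, rid)
    struct.pack_into("<H", f, F_ACB, acb)
    struct.pack_into("<HH", f, F_FAILED, failed, logins)
    return bytes(f)


def build_v(username, lm_hash, nt_hash):
    """Constructed V record: header triplets pointing at the appended data."""
    header, data = bytearray(V_HEADER), bytearray()
    for spec, blob in ((V_NAME, username.encode("utf-16-le")), (V_LM, lm_hash), (V_NT, nt_hash)):
        struct.pack_into("<I", header, spec[0], len(data))
        struct.pack_into("<I", header, spec[1], len(blob))
        data += blob
    return bytes(header + data)


# Constructed 20-byte hash blob (4-byte header + 16 bytes of RC4 ciphertext on
# XP/Vista). Dummy bytes, not a real hash; chntpw never needs to decrypt it.
ENC_HASH = b"\x01\x00\x00\x00" + bytes(range(16))


def demo():
    """Replay the transcript: blank 'admin', then enable the disabled 'Administrator'."""
    admin_f, admin_v = build_f(0x3E8, 0x0214, logins=3), build_v("admin", ENC_HASH, ENC_HASH)
    adm_f, adm_v = build_f(0x1F4, 0x0211), build_v("Administrator", ENC_HASH, ENC_HASH)
    rows = []
    for f, v in ((admin_f, clear_password(admin_v)), (unlock_and_enable(adm_f), adm_v)):
        fi, vi = parse_f(f), parse_v(v)
        rows.append((f"{fi['rid']:04x}", vi["username"], lock_column(fi["acb"], vi["nt_len"])))
    return rows


if __name__ == "__main__":
    for rid, name, lock in demo():
        print(f"| {rid} | {name:<16} | {lock:<8} |")
```

Decoding 0x0214 gives exactly the three boxes ticked in the transcript (Passwd not req., Normal account, Pwd don't expir), and blanking leaves the encrypted hash bytes untouched in the hive while the length field says there is none, which is why the operation needs no SYSKEY and why the user list afterwards shows *BLANK*.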