Getting into Windows 2000 and XP with local access.
This is my first article, so if you have suggestions of any kind or questions, please let me know.
My email is: lepricaun2003@yahoo.com
<I'm not responsible for any of the info I give you here; it is for educational purposes only. What you do with it is your business, not mine!!>
I work at a computer repair centre; very often we get a system in from a customer who forgot to give us his password so we can test the system.
At first we called the customer every time to get the password, but I got so sick and tired of that that I began doing some research into removing passwords on my own.
<For all the tools I mention, I will give a download link or the tool's original site at the bottom of this article.>
I thought this info might interest a lot of other people, so here it is:
Ok, now for the passwords.
Windows 2000 and XP passwords (I think this also goes for NT and ME) are stored in the SAM file.
SAM stands for Security Account Manager.
This is the service that stores the passwords in the registry and in the SAM file. This is done using an LM hash (for compatibility with older versions of Windows) and an MD5 hash.
This file cannot be accessed while the OS is running.
As if that's not enough, Windows also uses syskey to encrypt the file, so that offline viewing (with a DOS boot disk) doesn't work. But there are still ways to get at them....
Let's start with getting administrator rights on a local machine.
If you have complete access to the system, there are several tools you can use to change the admin password, or any other password for that matter. Here are the tools:
Offline NT password & registry editor:
This is a Linux-based tool (the program for making a bootable disk is for Windows) that lets you change any password on a Windows system, although it is advised not to use it on NTFS partitions, as it can crash the system. You can even disable syskey with this program, so that all passwords are reset to blank.
And best of all, it's free! (with source)
CIA commander:
This tool only works on NTFS partitions, but it works great! You can even use it to copy data from one place to another. But it is not free.
Passware password recovery kit:
This is a complete kit that lets you recover almost any password (zip files, MS Office documents, saved passwords in IE, etc.), and of course it includes a tool to set the administrator password to '12345'. This can also be undone if you like, so no one will ever know you were there..
Also not free, but very, very good!
These are the tools I mostly use, and I haven't seen a system yet that I didn't get into (with local access, that is :P )
And now the registry: here the passwords are stored in HKEY_LOCAL_MACHINE\SAM.
This can only be accessed by administrators, but even then you have no way of seeing them without some kind of tool (unless you can make yourself 'SYSTEM', but that isn't necessary here).
Here the tool 'pwdump2' comes in handy; this will give you a complete dump of all the local password hashes on the system.
Another tool is 'lsadump2'. You know the screen where you have to enter your name and password when you want to connect to the internet using a modem?
Even if you don't save the password, Windows saves it for you in the registry, and it can be viewed with this tool. The default password (if there is one) will also be shown.
There is another version of this tool, 'pwdump3', which lets you do the same on a remote machine; you'll need the admin password for that machine for this tool too.
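Since the whole article turns on two settings (whether the weak LM hash is stored next to the NT hash, and which syskey mode protects the SAM) and on who can get at HKEY_LOCAL_MACHINE\SAM, here is an added read-only check an admin can run on their own repair bench to see where a machine stands. This is example code written for this edit, not part of the original article or of any of the tools it lists. It assumes PowerShell with the registry provider and an elevated session; the value names NoLMHash and SecureBoot under HKLM\SYSTEM\CurrentControlSet\Control\Lsa are the documented Windows ones, and the meaning of the SecureBoot values (1 = key kept locally, 2 = startup password, 3 = key on floppy) is stated here from memory of the syskey documentation, not from the article.

```powershell
# Added example (not from the original article): report how a machine stores
# its password hashes and who holds rights on the SAM registry key.

function Get-LsaPasswordStorageInfo {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath

    # NoLMHash = 1 stops Windows from keeping the LM hash next to the NT hash.
    # On XP/2003 it is a DWORD value; on Windows 2000 it was a subkey instead,
    # so both forms are checked.
    $noLmValue  = $lsa.NoLMHash
    $noLmSubkey = Test-Path (Join-Path $lsaPath 'NoLMHash')
    $lmDisabled = ($noLmValue -eq 1) -or $noLmSubkey

    # SecureBoot records the syskey mode (assumed mapping, see lead-in).
    # Mode 1 keeps the key on disk, which is the case offline boot tools undo.
    $syskeyMode = switch ($lsa.SecureBoot) {
        1       { 'key stored locally (default)' }
        2       { 'startup password required' }
        3       { 'key on floppy' }
        default { 'unknown / value not present' }
    }

    [pscustomobject]@{
        LMHashStorageDisabled = $lmDisabled
        SyskeyMode            = $syskeyMode
    }
}

function Get-SamKeyAccess {
    # Lists every identity with rights on HKLM\SAM. Expect SYSTEM and
    # Administrators; anything broader than that deserves a second look.
    try {
        $acl = Get-Acl -Path 'HKLM:\SAM'
        $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType
    }
    catch {
        Write-Warning "Could not read the ACL on HKLM\SAM: $($_.Exception.Message)"
    }
}

Get-LsaPasswordStorageInfo
Get-SamKeyAccess
```

Run it elevated; a non-admin session will usually get the warning from Get-SamKeyAccess, which is itself the point the article makes about the key being admin-only. A result of LMHashStorageDisabled = False means the older, weaker hash is still being written for every account and is the first thing to fix after the machine is handed back.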
And last but not least, the tool I mentioned before:
The Passware IE Key, which lets you get all the stored passwords (including sites) on the system.
This tool is also included in the Passware password recovery kit.
Now, I hope this is of some use to someone; I did my best writing it, that's for sure :)
If you like this tutorial (or if you don't), please let me know by voting for it..
Here are the links I promised:
Offline NT password & registry editor:
http://home.eunet.no/~pnordahl/ntpasswd/
CIA commander:
http://www.datapol-technologies.com/...ander/main.htm
Passware password recovery kit:
http://www.lostpassword.com/
pwdump2:
http://razor.bindview.com/tools/files/pwdump2.zip
pwdump3:
http://packetstormsecurity.org/Crackers/NT/pwdump3.zip
(This link should work, but the site is down at the moment)
lsadump2:
http://razor.bindview.com/tools/files/lsadump2.zip
By the way, pwdump2 & 3 and lsadump2 are free tools...
Enjoy the knowledge,
grtz
lepricaun