Introduction
I recently ran into the problem of losing all access to a computer in my possession. I would hope to say that I am not one of those many computer users who simply forgot their password; in this case it was a bit more complicated. I have a laptop that was previously part of a Windows 2003 domain. When I brought it home everything worked fine except that I could not access my XP machine's files from the laptop. The XP machine can access the laptop but not vice versa. This was a minor inconvenience, but I still wondered what the real problem was. I found several help sites that suggested disjoining the laptop from the domain and setting it to the same workgroup as the XP machine. Without giving it a second thought, the connection was cut and I ended up in a world of hurt. The primary account on the laptop that I used was a domain account that consequently got the ax. I had no idea what the Administrator password was, and the user account was gone and the account was locked. Very valuable information was on the laptop, so I gave a wince as the thought of reformatting went through my brain. The only thing to do was to get that password back.
As many Linux users know, the Windows file system is nothing special. Of course you may be limited by Windows in what you can do to the file system while Windows is running, such as deleting system files, deleting the paging file, or even clearing the Internet Explorer cache. (The IE cache is a whole other world of Microsoft stupidity which I will get into in a different article, but be sure to realize that clearing the cache from the IE settings will not clear the history.) If you mount the Windows file system under Linux, you will have full control over any file. It just so happens that there is a particular file that stores the passwords for the Windows NT family. NT in this case means NT/2000/XP; if you are having the same problems on a 9x machine, simply hit the Esc key. Somewhat similar to the Linux passwd file, the SAM database stores the hashes used to validate users. The passwords are not kept in plain text because they have to be kept somewhat safe. Instead, the password you type at the login screen is run through a one-way hash function, and the resulting hash is compared against the hash stored in the SAM database; if it matches, you are let in.
With this knowledge, what if you could boot from Linux and reset the password hash in the SAM database? Several tools, provided free of charge, will do this very thing. Note that resetting the password only sets a new password; you cannot get the original back, at least not directly. If you do this nasty trick to someone else, they will most likely figure it out, because the next time they log in their password will be different.
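To make the two points above concrete (the login screen compares hashes rather than passwords, and an offline reset replaces the stored hash so the old password stops working), here is a small Python model. It is an added example, not code from the tutorial or from chntpw: the in-memory "SAM" and the salted SHA-256 scheme are constructed for illustration, whereas the real SAM keeps a different, unsalted hash inside a binary registry hive.

```python
"""Toy model of hash-based login checking and of what an offline password reset changes."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory "SAM": username -> (salt, hash).  The real SAM stores an
# unsalted hash in a registry hive; salted SHA-256 is used here only to show the
# mechanism: store a one-way hash, recompute it at login, compare.
SamDb = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: you can recompute this from the password, but not the reverse."""
    return hashlib.sha256(salt + password.encode("utf-16-le")).digest()


def create_user(db: SamDb, user: str, password: str) -> None:
    salt = os.urandom(16)
    db[user] = (salt, hash_password(password, salt))


def verify_login(db: SamDb, user: str, password: str) -> bool:
    """What the login screen does: hash what was typed and compare to the stored hash."""
    entry = db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    # constant-time comparison so a wrong guess does not leak how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), stored)


def reset_password(db: SamDb, user: str, new_password: str) -> None:
    """An offline reset overwrites the stored hash; the old password is not recoverable from it."""
    create_user(db, user, new_password)


def build_demo_db() -> SamDb:
    db: SamDb = {}
    create_user(db, "Joe Bob", "correct horse")   # constructed sample account
    return db


def demo() -> Dict[str, bool]:
    """Run the scenario from the text: the owner's password works until the hash is replaced."""
    db = build_demo_db()
    before = verify_login(db, "Joe Bob", "correct horse")
    reset_password(db, "Joe Bob", "")   # models blanking the password
    return {
        "original_worked_before_reset": before,
        "original_works_after_reset": verify_login(db, "Joe Bob", "correct horse"),
        "blank_works_after_reset": verify_login(db, "Joe Bob", ""),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third result is why the owner notices: after the reset only the new (blank) password is accepted, and nothing in the stored hash tells anyone what the old one was.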
Additionally, I want to know what the password was. To do this I will copy the SAM database and all associated files onto my thumb drive for later analysis. I will make cracking the Windows password a separate tutorial.
Goal
Reset my Windows 2000 password on my laptop after it was
disjoined from a Windows domain. In addition I would like
to know what the password was.
Needed
Instructions
- Knoppix [http://www.knoppix.org/] is a distribution of Linux that can be run entirely off a CD or DVD. There is a second, unofficial Knoppix version called Knoppix-STD [http://www.knoppix-std.org/] used by many security professionals. Knoppix-STD comes pre-built with all of the commonly needed security tools, so you will not have to worry about rebuilding the kernel. Go to the Knoppix-STD site, find a mirror, and download the CD image.
- Once the .iso is downloaded, burn it to a CD.
- In the injured computer, attach the thumb drive (optional) and boot from the Knoppix-STD CD. If the CD does not boot, you may have to change the BIOS boot order to do so. After the boot is complete you are left with a black screen and the STD logo in the background.
- Right-click and choose XShells > Root Aterm. You are presented with the root Aterm shell.
- Type "cat /etc/fstab"
root@0[knoppix]# cat /etc/fstab
proc /proc proc defaults 0 0
pts /dev/pts devpts mode=0622 0 0
/dev/fd0 /mnt/auto/floppy auto user,noauto,exec,umask=000 0 0
/dev/cdrom /mnt/auto/cdrom auto user,noauto,exec,ro 0 0
# Added by KNOPPIX
/dev/sda1 /mnt/sda1 vfat noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sda2 /mnt/sda2 auto noauto,users,exec 0 0
# Added by KNOPPIX
/dev/hda1 /mnt/hda1 vfat noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/hda2 /mnt/hda2 ntfs noauto,users,exec,ro,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/hda3 /mnt/hda3 ext3 noauto,users,exec 0 0
# Added by KNOPPIX
/dev/hda5 none swap defaults 0 0
This lists all of the mountable devices that Knoppix detected during boot. Everything is in /dev/ and is named *d*N, where the first letter indicates the device type: "h" indicates an IDE hard drive and "s" some sort of extended or SCSI device; USB thumb drives fall into the latter category. This is a 2000 system and I know that it is formatted as NTFS. The only NTFS partition detected is /dev/hda2, as the ntfs entry in the listing shows. This makes sense because it is the second partition on the primary hard drive. If you have ever looked at the partitions for 2000 or XP you will remember that an 8MB FAT32 is always the first partition and the NTFS partition follows. Secondly, I also want to mount my thumb drive, so I locate it as /dev/sda1 (the vfat entry on the "s" device). I had to guess at this as there are two USB ports, but I hit it lucky the first time.
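Reading the fstab by eye works for one machine; the following Python is an added example (not part of the tutorial or of Knoppix) that does the same classification programmatically: it parses fstab entries, applies the "h" = IDE / "s" = SCSI-or-USB naming rule described above, and picks out the NTFS system volume and the likely thumb-drive partition. The sample fstab embedded in it is the listing from this page; the helper names are my own.

```python
"""Parse an fstab listing and pick out the partitions the tutorial cares about."""
import re
from typing import List, NamedTuple


class FstabEntry(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: List[str]


# Constructed sample: the fstab from the tutorial, one entry per line.
SAMPLE_FSTAB = """\
proc /proc proc defaults 0 0
pts /dev/pts devpts mode=0622 0 0
/dev/fd0 /mnt/auto/floppy auto user,noauto,exec,umask=000 0 0
/dev/cdrom /mnt/auto/cdrom auto user,noauto,exec,ro 0 0
# Added by KNOPPIX
/dev/sda1 /mnt/sda1 vfat noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/sda2 /mnt/sda2 auto noauto,users,exec 0 0
# Added by KNOPPIX
/dev/hda1 /mnt/hda1 vfat noauto,users,exec,umask=000,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/hda2 /mnt/hda2 ntfs noauto,users,exec,ro,uid=knoppix,gid=knoppix 0 0
# Added by KNOPPIX
/dev/hda3 /mnt/hda3 ext3 noauto,users,exec 0 0
# Added by KNOPPIX
/dev/hda5 none swap defaults 0 0
"""

# /dev/[hs]d<disk><partition>: the naming scheme explained in the text
_DEV_RE = re.compile(r"^/dev/(?P<bus>[hs])d(?P<disk>[a-z])(?P<part>\d+)$")


def parse_fstab(text: str) -> List[FstabEntry]:
    """Return the non-comment entries of an fstab as FstabEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: need at least device, mountpoint, type, options
        entries.append(FstabEntry(fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries


def describe_device(device: str) -> str:
    """Classify /dev/[hs]dXN as the text does: 'h' = IDE disk, 's' = SCSI/USB device."""
    m = _DEV_RE.match(device)
    if not m:
        return "not a disk partition"
    bus = "IDE hard drive" if m["bus"] == "h" else "SCSI/USB device"
    return f"{bus} {m['disk']}, partition {m['part']}"


def find_partitions(text: str, fstype: str) -> List[str]:
    """Devices whose fstab type matches fstype (e.g. 'ntfs' for the Windows system volume)."""
    return [e.device for e in parse_fstab(text) if e.fstype == fstype]


def removable_candidates(text: str) -> List[str]:
    """vfat partitions on 's'-type devices: the usual signature of a USB thumb drive."""
    out = []
    for e in parse_fstab(text):
        m = _DEV_RE.match(e.device)
        if m and m["bus"] == "s" and e.fstype == "vfat":
            out.append(e.device)
    return out


if __name__ == "__main__":
    for e in parse_fstab(SAMPLE_FSTAB):
        print(f"{e.device:12} {e.mountpoint:18} {e.fstype:6} {describe_device(e.device)}")
    print("NTFS partitions:", find_partitions(SAMPLE_FSTAB, "ntfs"))
    print("thumb-drive candidates:", removable_candidates(SAMPLE_FSTAB))
```

On the tutorial's listing this reports /dev/hda2 as the only NTFS partition and /dev/sda1 as the only thumb-drive candidate, which is exactly the pair mounted in the next step.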
- Type "mount -o rw /dev/hda2 /mnt/hda2" and then "mount -o rw /dev/sda1 /mnt/sda1"
root@0[knoppix]# mount -o rw /dev/hda2 /mnt/hda2
root@0[knoppix]# mount -o rw /dev/sda1 /mnt/sda1
This mounts each file system in its proper place. You will notice the devices are mounted under the same names, but in the /mnt/ directory.
- Make sure you have done this right. Type "cd /mnt/hda2/WINNT/system32/config" and then "ls -l"
root@0[knoppix]# cd /mnt/hda2/WINNT/system32/config
root@0[config]# ls -l
total 45591
-rw------- 1 root root   524288 Oct 19  2005 AppEvent.Evt
-rw------- 1 root root   167936 Oct 19  2005 DEFAULT
-rw------- 1 root root     1024 Oct 19  2005 DEFAULT.LOG
-rw------- 1 root root    81920 Jul 10  2003 DEFAULT.SAV
-rw------- 1 root root    32768 Oct 19  2005 SAM
-rw------- 1 root root     1024 Oct 19  2005 SAM.LOG
-rw------- 1 root root    40960 Oct 19  2005 SECURITY
-rw------- 1 root root     1024 Oct 19  2005 SECURITY.LOG
-rw------- 1 root root 34004992 Oct 19  2005 SOFTWARE
-rw------- 1 root root     1024 Oct 19  2005 SOFTWARE.LOG
-rw------- 1 root root   536576 Jul 10  2003 SOFTWARE.SAV
-rw------- 1 root root  4808704 Oct 19  2005 SYSTEM
-rw------- 1 root root  4808704 Oct 19  2005 SYSTEM.ALT
-rw------- 1 root root     1024 Jul 10  2003 SYSTEM.LOG
-rw------- 1 root root   352256 Jul 10  2003 SYSTEM.SAV
-rw------- 1 root root   655360 Oct 14 20:41 SecEvent.Evt
-rw------- 1 root root   524288 Oct 19  2005 SysEvent.Evt
-rw------- 1 root root        0 Jul 10  2003 TempKey.LOG
-rw------- 1 root root   139264 Jul 10  2003 USERDIFF
-rw------- 1 root root     1024 Jul 10  2003 USERDIFF.LOG
-rw------- 1 root root      344 Jun 22 21:02 netlogon.ftl
You are looking at the equivalent of c:\winnt\system32\config, which happens to be where the SAM database and the password hashes are stored.
- (optional) If you want to save the hashes for later analysis, copy them to the thumb drive. Type "cp /mnt/hda2/WINNT/system32/config/* /mnt/sda1", replacing the mounted devices as needed.
root@0[config]# cp /mnt/hda2/WINNT/system32/config/* /mnt/sda1
- Run the chntpw program. Type "chntpw"
root@0[config]# chntpw
chntpw version 0.99.1 030126, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username to change, Administrator is default
 -l          list all users in SAM file
 -i          Interactive. List users (as -l) then ask for username to change
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor),
 -t          Trace. Show hexdump of structs/segments. (deprecated debug function)
 -L          Write names of changed files to /tmp/changed
 -N          No allocation mode. Only (old style) same length overwrites possible
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
NOTE: This program is somewhat hackish! You are on your own
- Now let's check out the users registered on the system. Type "chntpw -l sam system security". This lists the Windows users and the status of the accounts. Notice the use of the SYSTEM and SECURITY files: this is because the SAM itself is very often encrypted (syskey) with a key held in the SYSTEM and SECURITY registry hives. The first time I attempted this I left off the system and security arguments and got a cryptic warning about not being sure whether the password was set. Sure enough, after booting back into Windows it didn't work. After adding the two arguments it worked perfectly. Also notice that some accounts are locked or disabled.
root@0[config]# chntpw -l sam system security
chntpw version 0.99.1 030126, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020
File size 32768 [8000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 314/25456 blocks/bytes, unused: 14/2992 blocks/bytes.
Hive's name (from header): <SYSTEM>
ROOT KEY at offset: 0x001020
File size 4808704 [496000] bytes, containing 1146 pages (+ 1 headerpage)
Used for data: 85912/4739768 blocks/bytes, unused: 10/28168 blocks/bytes.
Hive's name (from header): <emRoot\System32\Config\SECURITY>
ROOT KEY at offset: 0x001020
File size 40960 [a000] bytes, containing 9 pages (+ 1 headerpage)
Used for data: 615/32784 blocks/bytes, unused: 10/3792 blocks/bytes.
Hello, this is SAM!
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 03f0, Username: <ACTUser>, *disabled or locked*
RID: 01f4, Username: <Administrator>
RID: 03ec, Username: <ASPNET>, *disabled or locked*
RID: 03eb, Username: <Joe Bob>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03f1, Username: <SQLDebugger>, *disabled or locked*
Hives that have changed:
 #  Name
None!
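The listing above is easy to read by eye, but it also tells an auditor quite a lot: a lockout threshold of 0, a minimum password length of 0, no password history, and which accounts are actually enabled. The following Python is an added example (not part of the tutorial or of chntpw) that parses chntpw's -l output into account records and flags those weak settings. The embedded sample is the output shown above; the audit rules and the helper names are my own assumptions.

```python
"""Parse `chntpw -l` output into account records and audit the policy values it reports."""
import re
from typing import Dict, List, NamedTuple


class SamAccount(NamedTuple):
    rid: int                 # relative identifier, decoded from chntpw's hex
    username: str
    disabled_or_locked: bool


# Constructed sample: the account section of the tutorial's `chntpw -l sam system security` run.
SAMPLE_CHNTPW_LIST = """\
Hello, this is SAM!
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 03f0, Username: <ACTUser>, *disabled or locked*
RID: 01f4, Username: <Administrator>
RID: 03ec, Username: <ASPNET>, *disabled or locked*
RID: 03eb, Username: <Joe Bob>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03f1, Username: <SQLDebugger>, *disabled or locked*
Hives that have changed:
 #  Name
None!
"""

_USER_RE = re.compile(r"^RID:\s*(?P<rid>[0-9a-fA-F]+),\s*Username:\s*<(?P<name>[^>]*)>(?P<flag>.*)$")
_POLICY_RE = {
    "lockout_threshold": re.compile(r"^Failed logins before lockout is:\s*(\d+)"),
    "min_password_length": re.compile(r"^Minimum password length\s*:\s*(\d+)"),
    "password_history": re.compile(r"^Password history count\s*:\s*(\d+)"),
}


def parse_accounts(text: str) -> List[SamAccount]:
    """One SamAccount per 'RID: ..., Username: <...>' line, in listing order."""
    accounts = []
    for line in text.splitlines():
        m = _USER_RE.match(line.strip())
        if m:
            accounts.append(SamAccount(int(m["rid"], 16), m["name"],
                                       "disabled or locked" in m["flag"]))
    return accounts


def parse_policy(text: str) -> Dict[str, int]:
    """The three policy counters chntpw prints before the account list."""
    policy: Dict[str, int] = {}
    for line in text.splitlines():
        for key, rx in _POLICY_RE.items():
            m = rx.match(line.strip())
            if m:
                policy[key] = int(m.group(1))
    return policy


def audit(text: str) -> List[str]:
    """Findings a reviewer would raise about this SAM; the thresholds are illustrative assumptions."""
    findings = []
    policy = parse_policy(text)
    if policy.get("lockout_threshold", 0) == 0:
        findings.append("no account lockout: unlimited online password guesses")
    if policy.get("min_password_length", 0) == 0:
        findings.append("minimum password length is 0: blank passwords are allowed")
    if policy.get("password_history", 0) == 0:
        findings.append("no password history: old passwords can be reused")
    accounts = parse_accounts(text)
    if any(a.rid == 500 and not a.disabled_or_locked for a in accounts):
        findings.append("built-in Administrator (RID 500) is enabled")
    return findings


if __name__ == "__main__":
    for acct in parse_accounts(SAMPLE_CHNTPW_LIST):
        state = "disabled/locked" if acct.disabled_or_locked else "enabled"
        print(f"RID {acct.rid:5d}  {acct.username:16} {state}")
    for finding in audit(SAMPLE_CHNTPW_LIST):
        print("finding:", finding)
```

The RID is decoded from the hex chntpw prints, so 01f4 comes out as 500, the fixed RID of the built-in Administrator; that is what lets the audit recognise the account by identifier rather than by its (renamable) name.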
- Now let's do our damage. Simply exchange the -l for -u username; in this case it will be "chntpw -u "Joe Bob" sam system security" (quote the username, since it contains a space).
root@0[config]# chntpw -u "Joe Bob" sam system security
chntpw version 0.99.1 030126, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020
File size 32768 [8000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 314/25456 blocks/bytes, unused: 14/2992 blocks/bytes.
Hive's name (from header): <SYSTEM>
ROOT KEY at offset: 0x001020
File size 4808704 [496000] bytes, containing 1146 pages (+ 1 headerpage)
Used for data: 85912/4739768 blocks/bytes, unused: 10/28168 blocks/bytes.
Hive's name (from header): <emRoot\System32\Config\SECURITY>
ROOT KEY at offset: 0x001020
File size 40960 [a000] bytes, containing 9 pages (+ 1 headerpage)
Used for data: 615/32784 blocks/bytes, unused: 10/3792 blocks/bytes.
Hello, this is SAM!
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 03f0, Username: <ACTUser>, *disabled or locked*
RID: 01f4, Username: <Administrator>
RID: 03ec, Username: <ASPNET>, *disabled or locked*
RID: 03eb, Username: <Joe Bob>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03f1, Username: <SQLDebugger>, *disabled or locked*
---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : 1 -> key-in-registry
SAM      Account\F             : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: 1 -> key-in-registry
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = 1, key-in-registry-mode
SYSKEY is on! However, DO NOT DISABLE IT UNLESS YOU HAVE TO!
This program can change passwords even if syskey is on, however
if you have lost the key-floppy or passphrase you can turn it off,
but please read the docs first!!!
** IF YOU DON'T KNOW WHAT SYSKEY IS YOU PROBABLY DO NOT NEED TO SWITCH IT OFF
NOTE: On WINDOWS 2000 it will not be possible to turn it on again! (and other problems may also show..)
NOTE: Disabling syskey will invalidate ALL passwords, requiring them to be reset. You should at least reset the
administrator password using this program, then the rest ought to be done from NT.
Do you really wish to disable SYSKEY? (y/n) [n] n
RID     : 1010 [03f2]
Username: Joe Bob
fullname: Joe Bob
comment :
homedir :
Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |
Failed login count: 0, while max tries is: 0
Total login count: 3
Crypted NT pw: Hidden
Crypted LM pw: Hidden
MD4 hash     : Hidden
LANMAN hash  : Hidden
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
Blanking password!
Do you really wish to change it? (y/n) [n] y
Changed!
Hives that have changed:
 #  Name
 0  <sam>
Write hive files? (y/n) [n] : y
 0  <sam> - OK
The user's input is highlighted in the original transcript (the "n", "*", "y" and "y" answers to the prompts). You will notice that I decided to just blank the password, which seems to work the best. The actual password hashes are replaced with "Hidden" here; on your system you will see a hex string in each of those places instead.
- From the desktop, right-click > reboot. If everything went to plan, you will boot into Windows and simply hit the Enter key at the login screen to access the blanked account.
Conclusion
This handy little trick saved me a bunch of time and crying compared to reformatting. Even as I write this tutorial I have had a second computer placed in my care because the owner forgot the password. As always, use this knowledge responsibly. Knowledge is not power; how you use it is.