Appendix 2. Cracking the Windows administrator password with the Offline NT Password & Registry Editor from a boot floppy



Back to: The forgotten administrator password.


Below I describe the Offline NT Password & Registry Editor method for resetting the Windows administrator password.

To begin, you must create a Linux boot floppy or CD. Unpack the zip file and type install. You can do this as an ordinary user, because you are not installing Linux on NTFS but on an unprotected floppy. Here I create a boot floppy on drive A: (Enter target diskette drive: a:)

S:\BOOTDISK\BD050303> ####################################
 # #
 # Offline NT Password and Registry Editor Installation #
 # Version: bd050303 #
 # This installation creates a bootable floppy disk. #
 # #
 # Offline NT Password and Registry Editor must be booted #
 # from a floppy disk. #
 # #
 #########################################################
 .
RaWrite 2.0 - Write disk file to raw floppy diskette

Enter target diskette drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :

The DOS program RaWrite creates the Linux boot floppy under DOS, OS/2 and Windows.

Then shut down Windows and boot Linux from the floppy. Along the way Linux shows all kinds of messages that you can normally ignore. At the end you are presented with a choice:

Spawning shells on console 2 - 6 
mkdir: Cannot create directory `/floppy': File exists 
Initialization complete! 
 
************************************************************************* 
* Win/NT Registry Edit Utility Floppy / chntpw * 
* (c) 1997 - 2004 Petter N Hagen - pnordahl@eunet.no * 
* See file named "license" on floppy for licensing info and credits * 
* * 
* This utility will enable you to change or blank the password of * 
* any user (incl. administrator) on an Windows NT/2k/XP installation * 
* WITHOUT knowing the old password. * 
* Unlocking locked/disabled accounts also supported. * 
* * 
* It also has a registry editor, and there is now support for * 
* adding and deleting keys and values. * 
* * 
* Tested on: NT3.51 & NT4: Workstation, Server, PDC. * 
* Win2k Prof & Server to SP4. Cannot change AD. * 
* XP Home & Prof: up to SP2 * 
* Win 2003 Server (all?): Seems to work * 
* * 
* HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ... * 
************************************************************************* 
 
========================================================= 
There are several steps to go through: 
- Disk select with optional loading of disk drivers 
- PATH select, where are the Windows systems files stored 
- File-select, what parts of registry we need 
- Then finally the password change or registry edit itself 
- If changes were made, write them back to disk 
 
DON'T PANIC! Usually the defaults are OK, just press enter 
 all the way through the questions 
 
========================================================= 
þ Step ONE: Select disk where the Windows installation is 
========================================================= 
Disks: 
/dev/ide/host0/bus0/target0/lun0/disc /dev/ide/host0/bus0/target1/lun0/disc 
NT partitions found: 
 1 : /dev/ide/host0/bus0/target0/lun0/part1 4126MB Boot 
 2 : /dev/ide/host0/bus0/target1/lun0/part1 2043MB Boot
 
Please select partition by number or
a = show all partitions, d = automatically load new disk drivers
m = manually load new disk drivers 
l = relist NTFS/FAT partitions, q = quit 
Select: [1] 

I press Enter, because the Windows partition is on the first hard disk. The first hard disk is mounted (Mounting on /dev/ide/host0/bus0/target0/lun0/part1).

Selected 1 
Mounting on /dev/ide/host0/bus0/target0/lun0/part1 
NTFS volume version 3.1. 
Filesystem is: NTFS 
 
========================================================= 
þ Step TWO: Select PATH and registry files 
========================================================= 
What is the path to the registry directory? (relative to windows disk) 
[WINDOWS/system32/config] :

The default value shown between the [] brackets will usually do: Enter.

========================================================= 
þ Step TWO: Select PATH and registry files 
========================================================= 
What is the path to the registry directory? (relative to windows disk) 
[WINDOWS/system32/config] : 
-rw------- 1 0 0 262144 May 7 20:19 SAM 
-rw------- 1 0 0 262144 May 7 20:19 SECURITY 
-rw------- 1 0 0 524288 May 7 20:19 default 
-rw------- 1 0 0 10747904 May 7 20:19 software 
-rw------- 1 0 0 2621440 May 7 20:19 system 
drwx------ 1 0 0 4096 Nov 25 23:48 systemprofile 
-rw------- 1 0 0 262144 Nov 25 14:57 userdiff 
 
Select which part of registry to load, use predefined choices 
or list the files with space as delimiter 
1 - Password reset [sam system security] 
2 - RecoveryConsole parameters [software] 
q - quit - return to previous 
[1] :

Now I press Enter (that is, the default option [1]), since I want to change the passwords after all. The password file is now copied to the /tmp directory of the Linux RAM disk.

[1] :   
Selected files: sam system security  
Copying sam system security to /tmp  
   
========================================================= 
þ Step THREE: Password or registry edit  
========================================================= 
chntpw version 0.99.3 041205, (c) Petter N Hagen 
Hive's name (from header): <\SystemRoot\System32\Config\SAM> 
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf> 
Page at 0x7000 is not 'hbin', assuming file contains garbage at end 
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage) 
Used for data: 255/19864 blocks/bytes, unused: 9/4520 blocks/bytes. 
Hive's name (from header): <SYSTEM>  
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh> 
Page at 0x277000 is not 'hbin', assuming file contains garbage at end 
File size 2621440 [280000] bytes, containing 561 pages (+ 1 headerpage) 
Used for data: 45547/2521536 blocks/bytes, unused: 1213/40992 blocks/bytes. 
Hive's name (from header): <emRoot\System32\Config\SECURITY> 
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf> 
Page at 0xa000 is not 'hbin', assuming file contains garbage at end 
File size 262144 [40000] bytes, containing 9 pages (+ 1 headerpage) 
Used for data: 756/35024 blocks/bytes, unused: 12/1552 blocks/bytes. 
   
* SAM policy limits:  
Failed logins before lockout is: 0  
Minimum password length : 0  
Password history count : 0  
   
   
<>========<> chntpw Main Interactive Menu <>========<> 
   
Loaded hives: <sam> <system> <security>  
   
 1 - Edit user data and passwords  
 2 - Syskey status & change  
 3 - RecoveryConsole settings  
 - - -   
 9 - Registry editor, now with full write support! 
 q - Quit (you will be asked if there is something to save) 
What to do? [1]

I want to edit the user data and passwords, so I choose "1" or simply press Enter. A list appears.

What to do? [1] -> 1  
   
   
===== chntpw Edit User Info & Passwords ====  
   
RID: 01f4, Username: <Administrator>  
RID: 03f0, Username: <atke>, *disabled or locked* 
RID: 03ef, Username: <bouke>, *disabled or locked* 
RID: 03f1, Username: <feikje>  
RID: 01f5, Username: <Gast>, *disabled or locked* 
RID: 03e8, Username: <HelpAssistant>, *disabled or locked* 
RID: 03ee, Username: <onpersoonlijk>  
RID: 03ec, Username: <root>  
RID: 03ed, Username: <sjoerd>  
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked* 
   
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex) 
or simply enter the username to change: [Administrator] 

I choose to change the Administrator password by pressing Enter:

RID : 0500 [01f4]  
Username: Administrator  
fullname:   
comment : Ingebouwde account voor beheer van de computer of het domein 
homedir :   
   
Account bits: 0x0210 =  
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account | 
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | 
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | 
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | 
   
Failed login count: 0, while max tries is: 0  
Total login count: 10  
   
* = blank the password (This may work better than setting a new password!) 
Enter nothing to leave it unchanged  
Please enter new password:

I choose to blank it (*):

Please enter new password: *
Blanking password!
Do you really want to change it? (y/n)[n]

Choose y(es).

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex) 
or simply enter the username to change: [Administrator] 

Actually we are already done at this point (choose "!" to quit), but to show what the program can do we select the username "root".

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex) 
or simply enter the username to change: [Administrator] root 
RID : 1004 [03ec] 
Username: root 
fullname: 
comment : 
homedir : 
 
Account bits: 0x0214 = 
[ ] Disabled | [ ] Homedir req. | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account | 
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | 
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | 
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | 
 
Failed login count: 2, while max tries is: 0 
Total login count: 125 
Account is probably locked out! 
Do you wish me to reset the failed count, unset disabled and lockout, 
and set the "password never expires" option? (y/n) [n]y 

Choose yes (y):

Unlocked! 
 
* = blank the password (This may work better than setting a new password!) 
Enter nothing to leave it unchanged
Please enter new password: 

I choose no password for root with: *.

Please enter new password: *

Do you really wish to change it? (y/n) [n] y 
Changed! 
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex) 
or simply enter the username to change: [Administrator]

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex) 
or simply enter the username to change: [Administrator] q 
Cannot find value <\SAM\Domains\Account\Users\Names\q\@> 

Do not leave this menu with "q" or "quit" but with the exclamation mark "!". The "." lists the users, and besides that you can enter a user by name or by NT user ID. And don't complain now that the Linux boot floppy is very difficult: Microsoft took this ID/username method from Unix.
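The "Account bits" blocks that chntpw printed for Administrator (0x0210) and root (0x0214) above are the SAM account control flags, and an administrator reviewing such a listing mainly wants to know which accounts carry risky flags ("Passwd not req.", "Pwd don't expir") and which ones are disabled or locked. The following is an added example, not code from this page or from chntpw: it decodes an account bits value using the bit order chntpw displays (lowest bit first, matching the SAMR ACB_* flags), parses the user listing shown above, maps the well-known RIDs 500 and 501 to the built-in Administrator and Guest accounts, and reports the risky flags per account. The sample listing and the per-user bit values are constructed from this page's own output; the function and constant names are my own.

```python
import re

# ACB (account control bits) in the order chntpw prints them, lowest bit first.
# Bit values follow the SAMR ACB_* flags; the labels are chntpw's own display labels.
ACCOUNT_BITS = [
    (0x0001, "Disabled"),
    (0x0002, "Homedir req."),
    (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"),
    (0x0010, "Normal account"),
    (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"),
    (0x0080, "Wks trust act."),
    (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"),
    (0x0400, "Auto lockout"),
]

# Flags that deserve a second look during a local-account review (assumption: my own selection).
RISKY_BITS = {0x0004: "password not required", 0x0200: "password never expires"}

# Well-known relative identifiers on a standalone Windows installation (decimal).
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# One line of the "chntpw Edit User Info & Passwords" listing, e.g.
# "RID: 03f0, Username: <atke>, *disabled or locked*"
USER_LINE = re.compile(r"RID:\s*([0-9a-fA-F]+),\s*Username:\s*<([^>]*)>(.*)")


def decode_account_bits(value):
    """Return the chntpw flag labels that are set in an 'Account bits' value."""
    return [label for bit, label in ACCOUNT_BITS if value & bit]


def risky_flags(value):
    """Return human-readable descriptions of the risky flags set in `value`."""
    return [desc for bit, desc in RISKY_BITS.items() if value & bit]


def parse_user_listing(text):
    """Parse the chntpw user listing into one dict per account (RID as decimal)."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.search(line)
        if not m:
            continue  # banner, blank or prompt line
        rid = int(m.group(1), 16)  # chntpw prints the RID in hex
        users.append({
            "rid": rid,
            "username": m.group(2),
            "well_known": WELL_KNOWN_RIDS.get(rid),
            "disabled_or_locked": "*disabled or locked*" in m.group(3),
        })
    return users


def audit_accounts(listing, bits_by_user):
    """Pair each listed account with its account bits and return (user, finding) tuples."""
    findings = []
    for user in parse_user_listing(listing):
        bits = bits_by_user.get(user["username"])
        if bits is None:
            continue  # no "Account bits" block captured for this user
        for desc in risky_flags(bits):
            findings.append((user["username"], desc))
    return findings


# Constructed sample input: the user listing shown on this page.
SAMPLE_LISTING = """\
===== chntpw Edit User Info & Passwords ====

RID: 01f4, Username: <Administrator>
RID: 03f0, Username: <atke>, *disabled or locked*
RID: 03ef, Username: <bouke>, *disabled or locked*
RID: 03f1, Username: <feikje>
RID: 01f5, Username: <Gast>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03ee, Username: <onpersoonlijk>
RID: 03ec, Username: <root>
RID: 03ed, Username: <sjoerd>
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
"""

# Constructed sample: the two "Account bits" values shown on this page.
SAMPLE_BITS = {"Administrator": 0x0210, "root": 0x0214}

if __name__ == "__main__":
    for user in parse_user_listing(SAMPLE_LISTING):
        print(user)
    for username, finding in audit_accounts(SAMPLE_LISTING, SAMPLE_BITS):
        print(f"{username}: {finding}")
```

Run stand-alone, the script lists the ten accounts with their decimal RIDs and reports that Administrator has "password never expires" set, while root has both "password not required" and "password never expires", which is exactly what the 0x0214 block above shows with its checked "Passwd not req." box.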

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex) 
or simply enter the username to change: [Administrator] ! 
 
<>========<> chntpw Main Interactive Menu <>========<> 
 
Loaded hives: <sam> <system> <security> 
 
 1 - Edit user data and passwords 
 2 - Syskey status & change 
 3 - RecoveryConsole settings 
 - - - 
 9 - Registry editor, now with full write support! 
 q - Quit (you will be asked if there is something to save)

What to do? [1] -> 

And then a "q":

What to do? [1] -> q 
 
Hives that have changed: 
 # Name 
 0 <sam> - OK 
 
========================================================= 
þ Step FOUR: Writing back changes 
========================================================= 
About to write file(s) back! Do it? [n] : 

You are asked for confirmation once more: choose "y".

About to write file(s) back! Do it? [n] : y 
Writing sam 
NTFS-fs error (device hda1): ntfs_prepare_nonresident_write(): Writing beyond initialized size is not supported yet. Sorry. 
NTFS-fs error (device hda1): ntfs_prepare_nonresident_write(): Writing beyond initialized size is not supported yet. Sorry. 
cpnt: error while writing: Operation not supported 
 
NOTE: A disk fixup will now be done.. it may take some time 
 
Mounting volume... OK 
 
Processing of $MFT and $MFTMirr completed successfully. 
 
NTFS volume version is 3.1. 
 
Setting required flags on partition... OK 
 
Going to empty the journal ($LogFile)... OK 
 
NTFS partition /dev/ide/host0/bus0/target0/lun0/part1 was processed successfully. 
NOTE: Windows will run a diskcheck (chkdsk) on next boot. 
NOTE: this is to ensure disk intergity after the changes 
 
***** EDIT COMPLETE ***** 
 
You can try again if it somehow failed, or you selected wrong 
new run? [n]

Press Enter for no.

You can try again if it somehow failed, or you selected wrong 
New run? [n] : n 
========================================================= 
 
* end of scripts.. returning to the shell.. 
* Press CTRL-ALT-DEL to reboot now (remove floppy first) 
* or do whatever you want from the shell.. 
* However, if you mount something, remember to umount before reboot 
* You may also restart the script procedure with 'sh /scripts/main.sh' 
 
 
BusyBox v1.00 (2004.12.04-21:36+0000) Built-in shell (ash) 
Enter 'help' for a list of built-in commands. 
 
sh: can't access tty; job control turned off 

This is Linux-speak for: game over. Remove the floppy and reboot the computer with CTRL-ALT-DEL. You can now log in with F8 as the administrator (Administrator) without a password, and the Owner account (root in my case) has also lost its password. During startup Windows still runs a disk check and reboots, after which you can get back in as administrator without a password.

So what is the lesson? You can crack any Windows computer if you have physical access to it. Including the stolen Windows XP laptops of the Ministry of Justice. Only file encryption offers some relief against the Linux NTFS drivers, but you should not expect too much from the encryption built into Windows XP Professional. Microsoft's EFS method for encrypting documents on NTFS was cracked long ago.

Offline NT Password & Registry Editor
