Domain: eunet.no
Stories and comments across the archive that link to eunet.no.
Comments · 83
-
Re:How does this work?
Without encryption, it can be done with http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html/ which can be found on the ultimate boot CD as well. I've used it a few times to get into machines where users have forgotten their passwords. It will reset/eliminate the multi-attempt lockout. There's others out there as well that do the same thing.
-
Re:local... remote...
Sure, no problem.
NTPasswd
And, you don't even need a local account. Boot PC off CD and reset the administrator account password. The machine is yours. Or, if you only want the unencrypted data off the HD choose the LiveCD of your choice (like Ubuntu) and click on the hard drive. All files are there and you have full permissions. Replace any one you want. Of course, all of this can be done to a *nix machine too. Fact is, if you have physical access to the machine it's really only a matter of time before you have what you want.
For what it's worth, I've used these tools for data recovery and accessing machines that have been hosed. I've done NTPasswd on XP home/pro and the data recovery in Vista and Win 7.
-
Re:I cannot believe it...
Actually, it's much tougher with Vista than any Linux distro I've run into.
Well, this does Vista in a split second although encrypted files remain protected until you "remember" the old password.
I'm confused, did they take control of Windows 7 running in a VM or did they take control of the VM that runs in Windows 7 (the one that handles UAC)? I'm obviously not an expert in Windows' security model so I could be misunderstanding.
-
Nothing new.
With physical access to any standard desktop machine, you can easily get into Windows, Linux, or Mac OS. This comes in very handy with an IT environment where there is no central authentication server of sorts, or when people bring PCs to your computer shop with forgotten passwords. I'm not sure about Mac OS, but for Windows or Linux, if you don't want their password changed... just back up the file before you change it, then copy it back when you're done. Encrypted hard drives are a different ballpark though... never messed with those.
-
Re:on any Linux system you can:
Some (or many, or all?) distributions prompt for the root password on runlevel 1. To work around that, boot with an additional kernel argument: init=/bin/bash
If it's NT/2000/XP, there's always the NT password disk (one of my favorite Windows utilities): http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
-
Re:on any Linux system you can:
You can replace password hashes in windows too. Microsoft also provides tools in the Server 2003 Resource Kit to use in conjunction with Directory Service Restore Mode to reset the Domain Administrator password.
Unless he's encrypted a bunch of their data a decent admin should be able to recover from a "lost" password. Trusting the integrity of the data is another question.
-
Re:physical access == game over
-
Linux based Windows registry editor
I wonder if wine's regedit can load native Windows registry hives
You don't need to go through that hassle. Just grab and burn the "Offline NT Password and Registry Editor bootable linux ISO", burn it, boot it, then view and edit the registry: http://home.eunet.no/pnordahl/ntpasswd/
-
Offline NT password and registry editor?
I've had the following tool in my collection for a long time: http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
It's quite easy, boot up the computer from that disk and you can reset the passwords in a few minutes. Linux-based too for that matter.
FTFA:
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer. It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.
Apparently just some tools-on-a-disk. If it can bypass the encrypted file systems and other secure stuff, then there is a problem and the so-called "NSA-key" is not just myth (http://en.wikipedia.org/wiki/NSAKEY).
-
Re:"Attack trees" by Bruce Schneier
A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.
With a Windows-based network, the lack of salting of the domain password hashes means there is a much bigger vulnerability.
I performed a simulated attack against a Windows domain a few months ago. I started out with nothing other than physical access to a domain controller, and ended up with the domain password hashes which I was able to feed into OphCrack which cracked them offline without ever showing up in an auditing log. As long as you can get physical access to a domain controller, it's easy:
1 - Take the domain controller off of the network (not hard in environments with many distributed DCs, e.g. at remote locations with no on-site technical staff).
2 - Boot off a floppy or CD using the Offline NT Password & Registry Editor.
3 - Use the software to reset the "local" Administrator account's password (which is the Directory Services Restore Mode admin account on a DC).
4 - Boot the server in Directory Services Restore Mode and log on using the account you just reset the password of.
5 - Follow Sebastien Francois's instructions to create a Windows Service which will dump the domain account information at the next bootup.
6 - Reboot the server, letting it start up normally. Wait a few minutes for the service you just set up to do its job.
7 - Reboot the server back into Directory Services Restore Mode, and log on with the admin password from step 3.
8 - Copy the account/hash information file to a USB key or other portable device.
9 - Remove the service you added.
10 - Reboot the server, reconnect it to the network and let it power back up normally.
11 - Take your copy of the hashes home and run OphCrack against them. Depending on which set of rainbow tables you are using, you will get most or all passwords of less than 15 characters.
The only traces this attack leaves are the offline state (which can be blamed on a power outage), the reset DSRM admin password (which most people will just assume had been set to a nonstandard value by someone else when the server was built), and potentially the Security event log entries (which will roll off within a few hours to a few days depending on how many logon requests that particular DC handles).
-
Nice article!
Too bad they didn't mention tools in my favorites:
Knoppix
VirtualBox
MPlayer (the Hungarian one, not MS)
GParted
GRUB
NT Password Recovery Here
Cinelerra
FilmGimp
BitPim
NMap
RDesktop
VNC
And the best of all... Debian and Ubuntu
-
Re:As an IT Manager, only one significant problem..
It's no use. When you have full physical access to the computer, getting administrator access is just a matter of time. Try http://home.eunet.no/~pnordahl/ntpasswd/ for Windows machines, or any LiveCD for Linux ones (chroot and passwd can do miracles). No CD drive? Oh gee, boot it off USB. Password on BIOS? A bit of work with a screwdriver, take the battery out for a few minutes, and the BIOS is brand new. Only responsible solution is putting the laptops, once back in the company's net, in a separate - untrusted - subnet. Even better, make them boot as terminals (both solutions got mentioned earlier, I'd just like to point out the good ideas).
-
Cool, but a Linux Boot CD would be ALOT cheaper...
Petter Nordahl-Hagen's Offline NT Password & Registry Editor: http://home.eunet.no/~pnordahl/ntpasswd/
NOTE: Tested on: NT 3.51, NT 4 (all versions and SPs), Windows 2000 (all versions & SPs), Windows XP (all versions, also SP2), Windows Server 2003 (all SPs), Windows Vista 32 and 64 bit.
-
Re:So what is this thing?
So what is it? YAMIHDE [Yet Another Microsoft In-House Database Engine]?
Yes, and a fairly old one. The NT registry format was created at the same time as NTFS. Here are some pages about it. There are at least two versions of the format-- the newest one was introduced in XP. XP also made loading registry hives more efficient, and allows much larger hives to be created and loaded.
The Jets, the registry, NTFS, FoxPro (which they bought), and SQL Server are all the Microsoft multi-purpose binary database engines that I can think of. Jet Blue, the registry and NTFS are the only ones that the OS uses for itself today. I could have sworn that I read a few years ago that they were ditching the existing registry engine, and were going with a new engine for Longhorn/Vista.
There was something about Cairo being a directory, registry, filesystem, etc. (and everything else under the sun). This blogger remembers it too.
I know that some Microsoft teams have been using the registry less, e.g. IIS6 now uses a new XML database for config instead, but not all of MS's many developers are moving in the same direction. The registry is required very early in the boot process to determine which drivers are necessary to load to access the boot volume and filesystem. Unless that changes, there would be little reason to replace the entire registry as it is with something else.
-
A multitude of discs for a multitude of purposes..
I currently carry around with me:
Kororaa XGL live CD v0.3 and 0.2
There is nothing better than to show off the power of Linux to your friends and the non-believers. 0.3 is only ATI cards at the moment, while 0.2 supports both. People are usually impressed by this.
Backtrack 1.0
The best in security analysis live cd's.
Damn Small Linux
Good for older machines :)
Offline NT Password and Registry Editor
Always good to have when people forget their admin password or something on a windows machine...
Auditor Security collection from the backtrack people. I still have this around because it supports a bit more hardware than backtrack did
Knoppix
Good when you are at public terminals and are kinda paranoid...
I also carry around various install cd's for recent versions of linux.
-
Mix of Linux and Windows tools
Here's what I have in my CD case, in approximate order of how regularly use them...
Memtest86--because the RAM in the cheap PCs I come across sucks. Some of the other tool CDs have this one as well, I like to get the latest one regularly here. Good for stress testing, and even handy for figuring out things like whether the RAM is running correctly in dual-channel mode.
SystemRescueCD--I particularly like the partition editor and imaging utilities. Been weaning myself off Partition Magic/Drive Image even for Windows work with these two.
Ubuntu live CD and DVD. The CD works in more systems, the DVD version is a completely usable system with a lot of stuff in it. What most impresses me about the Ubuntu live disc is that I can download packages over the network and install them, even things that run as services, from the live environment. I actually got PostgreSQL installed and some database tests completed, all without a single Postgres file on the media.
Knoppix--Some days, your first choice in Linux live CDs just doesn't work on a random machine; that's why I still carry around this one as a backup.
Bart PE--A bit of a pain to build the first time, but very handy for fixing Windows machines.
Offline NT Password & Registry Editor--this one has been less useful lately, as I've been running into NTFS partitions it really doesn't want to write to. My fallback position is to use this to generate a new SAM file, then copy it over with a BartPE disc.
RedHat Enterprise 3 and 4 CDs. While not technically live CDs, you can do a lot with booting into this environment, and I deal with enough people running RedHat versions that they're worth carrying around. I still keep one of the older versions around so I have something running the 2.4 kernel to test against; occasionally I'll run into some old hardware that 2.6 pukes on, while 2.4 still works great.
-
Offline NT Password & Registry Editor
mandatory tool to have in your toolkit if you deal with Windows machines.
-
root on work PCs...
If you got root at your pc at work, I suggest creating an additional account for your "personal recreation"...
And if you don't have root at work, are running Windows, and there's no BIOS password and/or CD Boot is enabled, you can always make an NT Password Reset disk. No relation to the creator - just a happy customer. And, yes, I've always used the thing for white-hat purposes.
-b.
-
Re:Guess which tool isn't accessible
I believe this is that Linux tool (or a reasonable facsimile):
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
Found via the utilities list of the 911 Rescue CD web site.
Disclaimers: Haven't tried it, may contain spyware or viruses, scan before using, etc...
-
Re:Mr. Thurrott forgives Microsoft
As long as you don't encrypt files, you can use a bootdisk to reset a forgotten windows password pretty easily.
-
Re:Oh come on...
Oh, and by the way, I have a copy of O'Reilly's 'Knoppix Hacks' on my desk somewhere. I think there is a recipe in that book to remove or replace the administrator password of a Windows machine using Knoppix.
It gets even easier than that. Just grab this, put it on a floppy or CD-R, boot it, and follow the prompts. IIRC, the current version works with everything up to at least WinXP SP2. It'll unlock any account and clear the password; after that, you can boot normally and set whatever password you want.
-
Re:Store the OpenOffice config file on network dri
Just run the entire thing off of a thumb drive or live distribution that they can use anywhere they go that mounts your netdrive
;)
Are you nuts? Do you really think you're going to get a whole organization to run in that fashion? Do you think end users are going to keep up with thumb drives and live CDs?
More to the point, if the network security policy of the client organisation bans the use of "thumb" drives etc. you're stuffed. (As several of my client companies do. I often carry a hand-held computer with a serial cable and a terminal emulator because it's more reliable than floppies these days.)
A good reason for doing this is to ensure that any data entering/ leaving the network goes through "sheepdip" computers. Another good reason is to stop the cow-orkers from downloading stuff on the work's internet charges and taking it home. Plenty of good reasons for doing it - see "diskless workstation" in the Jargon File.
Where did I put that copy of Petter's NT electronic crowbar http://home.eunet.no/~pnordahl/ntpasswd/ ? Oh, it's in my briefcase where it should be.
-
Re:From the article
NTPASSWD is your friend...
-
Re:i'd put..
One tool I find extremely useful is the Linux Password Disk. It will boot a linux kernel and rewrite the Windows registry files to change the local Administrator password if it's forgotten.
The bootable CD image is here:
http://home.eunet.no/~pnordahl/ntpasswd/cd050303.zip
-
Re:BartsPE and Windows Server 2003 Evaluation vers
You use ClamAV with Captive-NTFS to clean viruses.
You use this nifty registry editing boot disk to fix the registry
And you use the linux NTFS tools and TestDisk to undelete/unformat/rebuild lost or damaged files and partitions. I use these all the time, they work REALLY well.
I carry around a copy of Damn Small Linux on my USB key, customized with the above tools and including an image of the registry editing floppy and endless other utilities. Not to mention, DSL Linux gives me full access to the Debian APT repository! It serves me very well, especially since it can boot entirely into RAM, so I can take my key out and boot an additional system.
-
Re:Cool, but why?
Offline NT Password & Registry Editor?
Runs under Linux - heck, they've got a Linux live-floppy with it on there...
-
Re:Tonight at 11:
I could also break into the system by using a boot floppy or CD.
I could then reset the domain servers's root password.
Or I could simply pull out the hard drive and take it home.
Controlling physical access is an important and often neglected part of computer security.
-
Is everyone forgetting the Win Hacker's Best Buddy
Of course I'm talking about the ever popular NT Offline Password Reset Utility ??? I mean who hasn't cracked a box with this? I used it all the time as a computer tech when people brought in their computers (verified they were theirs) and had to have fixed what little Johnny had done. Of course, little Johnny always thought he was a leet hacker on a Walmart special HP with a whopping 28.8kbs modem.... Whoo hooo.... ahhhhh memories. They usually found good porn though!
Death of the floppy indeed!
-
Re:doh
Now, rename your true admin account (via a group policy).
Okay, I really hate this advice. Renaming your administrator account gets you no additional security, only a false sense of one. If you want to secure that account, disable it. The Administrator user has a well-known SID, which makes it fairly trivial to convert back to a username. Getting locked out is not really much of a problem either because this offline password changer can re-enable and change the password of any user on the system. I have never seen a reputable source ever suggest renaming the root account on any UNIX platform, so I'm not sure why that advice is so popular on Windows. Personally, I like the method Ubuntu Linux has come up with for securing the administrative user -- root is disabled, and all administration should be done via sudo.
-
Re:Great, but with some caveats
In theory it should be possible to extract the right dialin information from the windows registry. NTFS, FAT and the registry file format are all implemented in open source enough to give it a try. You only need read-only access.
Anyway, the read-only root certs and browser sound like a really, really smart thing. It should stop phishing and zombie pc abuse without messing with someone's (possibly infected) windows installation. This security should more than make up for the inconvenience of having to type in one phone number and a username/password.
I hope they make sure every tcp port is closed though. There is no theoretical reason why a knoppix distro can't get worms/owned as fast as an average windows box.
-
Re:I just built my system--Lessons learned
Don't forget the Administrator password. I had to do a reinstall because I forgot it. Luckily, I hadn't transferred any info at the time.
You don't need to do it the hard way. Check out this guy's nt pw reset boot CD. There are probably others out there, but this one works - I recommend "blanking" the pw option as that seems to work most often.
-
No need to reinstall
Don't forget the Administrator password. I had to do a reinstall because I forgot it. Luckily, I hadn't transferred any info at the time.
Even if you forget the Administrator password, there's no need to reinstall. Use this Linux-based bootdisk.
Allows to reset the password for any user, enable disabled accounts, even do some basic registry editing -- everything that might be required to get back into the system.
And, unlike some commercial rip-offs, it's GPL'ed stuff.
-
Re:I just built my system--Lessons learned
>Don't forget the Administrator password. I had to do a reinstall because I forgot it. Luckily, I hadn't transferred any info at the time.
I've almost done this myself a few times, but I googled around and discovered Peter Nordahl's 'Offline NT Password & Registry Editor', which can just reset the Admin password and avert the problem of reformatting.
-
Re:I just built my system--Lessons learned
Don't forget the Administrator password. I had to do a reinstall because I forgot it. Luckily, I hadn't transferred any info at the time.
There's a Linux distribution for that.
-
Re:I just built my system--Lessons learned
You don't necessarily have to reinstall if you forget your Administrator password. Check out the following utility:
http://home.eunet.no/~pnordahl/ntpasswd/
-
That depends on how angry your IT dept is.
Depending on the reaction you'll get, you can always reset the admin password on your box to a new one of your choosing, and install away... Whether or not this is a good idea in your situation is left to your judgement.
A useful utility to accomplish this can be found here:
http://home.eunet.no/~pnordahl/ntpasswd/
While it's kinda overkill in this case, I think I'd trust it over a newly released exploit. Hope that helps a bit.
-
Re:If the required dongle is a note under your kb.
oops,
forgot the link here
-
Re:Duh! Award Nominee
-
Re:And then...
~ only those with Administrator rights can modify that portion of the registry.
And getting Admin is a trivial exercise. Okay, you might also need some cheap hardware and a universal case-opening device
-
Digital breaking and entering
Easy enough on recent Macs; boot to target mode, and the Mac's an external FW drive. (NB: this can be disabled by owner.)
Much Unix/Windows stuff gives way to a Knoppix-type boot CD-- about the easiest "parallel installation" possible.
My standard computer B&E tools:
Knoppix Linux-on-CD distro
Two USB/FW drive enclosures with cables (a SCSI enclosure, and USB/SCSI adapter for it, are in my advanced kit).
One 1GB ATA Hard drive, with DOS and a general Clear-CMOS utility. (SCSI version is in my advanced kit.)
Offline NT Password editor floppy.
DOS/Clear-CMOS boot floppy.
One "friggin huge" hard drive for putting retrieved data onto. (The first 5GB is a HFS partition with Mac OSX.3, followed by a 32GB FAT32 partition, with the remaining couple hundred GB also formatted FAT32.)
Screwdriver (Philips/Standard reversible combo)
The advanced kit also includes dual boot Windows/Linux and OS X/Debian laptops; a USB/FW DVD drive; Windows, Mac OS 9&X, Linux, and Solaris-x86 install disks; crossover ethernet and serial cables; a Torx driver set; lockpicks, bolt cutters, a mini-sledge, and a 1-liter flask for the liquid helium-- which needs to be filled shortly before using. (Haven't needed that yet, though.)
Various combinations of these will retrieve from almost anything... but be wary of RAID arrays and encrypted (eg: Windows EFS) folders; inexpert attempts may make the data unretrievable.
-
my utilities
Thanks! Here's my list. The stuff I carry is usually for cases where I can't access the network or hardware. If the machine sees the network, I've got it made.
I mentioned these two, but here are details.
chntpw, reset NT/2k/XP passwords with the full bootable floppy version.
Bart's network boot disk built into a 2.88 meg image allows a huge load of network drivers, and with a copy of ghost I don't ever have to mess with building boot floppies for ghost again. I also included basic DOS utilities for manipulating the HDD and testing.
Bootable CDs with floppy images can be useful, and Bart provides a handy utility for building them. Put a disk image of chntpw on a bootable CD with other goodies per instructions at Bart's site.
I also carry Knoppix or perhaps a nice Bootable Business Card with lots of network drivers. With read-only NTFS access and networking, I've stripped data off of drives I couldn't even access for a fresh NT/2k install. Pour it across the network, and you're a hero. Also good for a slow clone with dd, or an emergency Remote Desktop Client. If you pick a livecd with a nice recent version of kparted, you can resize live NTFS partitions (I used SystemRescueCD). I've needed to do this more often than I'd have expected. Knoppix's NTFS tools were less useful at the time.
I'm looking forward to using the Captive NTFS drivers, but that seems less necessary with one more set of tools from Bart's site, the bootable XP/2000 pre-execution environment in BartPE. These allow full access to NTFS, as well as providing an environment you can run Adaware and other Windows tools from. One of these made my day last week. It's dog slow to boot, but running Adaware or other utils (chkdsk, AV, undelete), from NOT the boot drive is great.
-
Re:Knoppix... as seen on The Broken
If it had chntpw integrated, it really would be good!
-
Re:Was it easy? Why was it not major?
chntpasswd + windows PE = Done & Done.
:-)
-
Re:Tips...
Better than local admin exploits is the NT password editor. Assuming you have physical access, no box is secure.
-
Re:hahaha!
Admin access is much easier than that. No box to which you have physical access is secure. The offline NT/2K/XP password editor is a good example.
-
Re:ERD Commander
If you just need to unlock accounts (if, say, you forgot Administrator's password), try this. There are bootable ISOs and floppy disk images.
It's not the most intuitive thing to use, but it is pretty easy if you follow the command prompts. It could probably be extended to include more tools like KNOPPIX.
Actually, something with that, KNOPPIX, and MemTest86 would be really nice and alleviate the need for 3 CDs for performing diagnostic tests on wonky PCs.
-
Re:ESCD (?) as a rescue platform
How about Offline NT Password & Registry Editor - saved my life more than once.
http://home.eunet.no/~pnordahl/ntpasswd/
-
We had a demo of this years ago
It was on an Excel spreadsheet, but the utility worked on Word too.
The basic principle of securing documents is logical access controls (e.g. passwords) == poor; encryption == good.
Same applies to your hard disk. If it's not encrypted, I can either change your admin password or just stick the hard drive in one of my machines.
-
Resetting/deleting WinXP admin pass takes seconds
I downloaded onto floppy disc the program here and had reset the admin password on my Win XP box within seconds. Never seen anything so simple in my life. Though others recommend LC4 which also works.
Phillip.
-
Physical access == root access
Here's how a 6th grader would gain root access to a laptop.
For Windows NT:
Tools/devices needed: 3.5" USB floppy drive and a 3.5" disk
Software: NT Password Boot Disk
1. Download floppy image of NT Password Boot disk, write to a floppy
2. Boot from floppy
3. Change the local administrator's password
4. Log in as Administrator and add yourself to the local Administrators group
For MacOS X:
1. Power on
2. Hold Apple+S during the startup chord
3. Release keys after text screen appears; wait for the shell prompt
4. WARNING: YOU ARE SUPERUSER !!
Armed with a google search and some free time, all sorts of things can be done. The most important criterion is that they have physical control of the box.