Chntpw

I did a search for this and didnt find it anywhere, and It took me a while to figure our where the SAM file even was and - well, it all seemed slightly confusing. Anyways a friend of mine got a laptop for christmas that came with Vista on it. She was simply personalizing her machine and changed the admin password, but somehow immediately forgot it. So, she called me.

I figured if she executed the "restore to an earlier date" function she can log in using the old password again. (she didn't turn the machine off since the passwd change)

And well, that worked. But I wondered about machines that were rebooted. People have asked me that question in the past and I never had experience with anything like this.

I was playing around with BT3 and found in the /pentest/password/ directory chntpw and ran it. The output told me you can list passwords if you had access to the SAM file!

Quote:

---

1. mkdir /mnt/sam && mount /dev/<windows partition> /mnt/sam && cd /mnt/sam && ls.

2. You should see your windows files from the windows partitions. I was using Windows XP. then cd into /WINDOWS/system32/config and list whats there. In Windows XP it was "SAM"

3. cp SAM /pentest/password/chntpw/ && cd /pentest/password/chntpw && ./chntpw -l SAM

---

You should see something like this:
http://www.zombie.el.cx/images/SAM-chntpw.png

Mine was left blank because this box is just used for pentesting purposes. But if you run chntpw --help You can see all the great stuff you can do with that application:

Quote:

---

trevelyn@celeritas:/mnt/usb/chntpw$ ./chntpw --help
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
./chntpw: invalid option -- -
chntpw: change password of a user in a NT/2k/XP/2k3/Vista SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u <user> Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!

---

Hope this does good, Im sure I will reference it a few times more. If you get a chance to use this on a Vista machine please let me know where the SAM file was. :)

Quote:

---

Originally Posted by trevelyn

If you get a chance to use this on a Vista machine please let me know where the SAM file was. :)

---

Nice tutorial easy to follow I will have a closer look at it again later today and try to replicate it on my network.



Here is a link to irongeek's website irongeek
which has lots of info about vista and the SAM file
hope that helps out

I have tried that command surprisely works on Vista as i was able to clean my pwd but not workin with XP, no idea but so far thk for share the info with this tutorial, appreciated :)

It works on Xp Pro but not in home....

ive been using a new utility form a Live Vista CD, since i am a technician i need Administrator access a lot for safe mode and well, usually they give me their passwords but never remember their admin password. The utility blanks the password for me with a few mouse clicks. I'm not sure what its called, when i get the name i'll repost, but you should maybe google if your interested, it works perfectly and quickly each time.