Saturday, December 27, 2008

Resetting a Windows password with chntpw

There's a seminar tomorrow
where I'm supposed to talk about portable software or Wireshark

So I dug out my old 4GB USB flash disk
I'm thinking of giving the presentation from the flash drive
and figured I'd add a few more features to it

A while ago I noticed a package
that changes Windows administrator account passwords offline
but it's used from a Live CD or floppy
I didn't really like that and never spent time on it
so today I spent a little time looking at it
and installed it on my OpenSuSE flash disk while I was at it

The package's official site
chntpw
http://home.eunet.no/pnordahl/ntpasswd/

I first went to rpmfind.net
but all the RPMs there are for Fedora
so I figured I'd just download the source code and play with it

Download the source code (assuming it is saved to /root/Desktop)
http://home.eunet.no/pnordahl/ntpasswd/chntpw-source-080526.zip

#cd /root/Desktop
#unzip chntpw-source-080526.zip
#cd /root/Desktop/chntpw-080526
Compile
#make

︿︿
Done, simple as that

Let's start the experiment
suse-usb:~ # fdisk -l

Disk /dev/sda: 4108 MB, 4108320768 bytes
255 heads, 63 sectors/track, 499 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x04030201

Device Boot Start End Blocks Id System
/dev/sda1 1 53 425691 82 Linux swap / Solaris
/dev/sda2 * 54 499 3582495 83 Linux

Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x1fb51fb4

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 9807 78774696 7 HPFS/NTFS
/dev/sdb2 9808 60801 409609305 7 HPFS/NTFS

I can see my Windows drive is /dev/sdb1

Create the mount point
#mkdir /mnt/usb

Mount it
#mount -t ntfs-3g /dev/sdb1 /mnt/usb/

Use chntpw -l to list the accounts in the system
Normally the SAM database is in WINDOWS/system32/config

# /root/Desktop/chntpw-080526/chntpw -l /mnt/usb/WINDOWS/system32/config/SAM

chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen

Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 295/21536 blocks/bytes, unused: 10/2848 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |

I see Max has ADMIN rights but has a password set
root is a regular user with a blank password

Remove Max's password

#/root/Desktop/chntpw-080526/chntpw -u Max /mnt/usb/WINDOWS/system32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 295/21536 blocks/bytes, unused: 10/2848 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |

---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)

***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = -1, Unknown-mode

SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!


RID : 1004 [03ec]
Username: Max
fullname: Max
comment :
homedir :

User is member of 3 groups:
00000221 = Users (which has 5 members)
00000220 = Administrators (which has 3 members)
0000022b = Remote Desktop Users (which has 1 members)

Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is: 0
Total login count: 48

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 1    (it asks what to do; enter 1 to clear the password)

Next
Password cleared!

Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y    (it asks whether to write the hive; enter y to write it)

Use chntpw -l SAM to check whether Max's password has actually been cleared
#/root/Desktop/chntpw-080526/chntpw -l /mnt/usb/WINDOWS/system32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 295/21536 blocks/bytes, unused: 10/2848 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | *BLANK* |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |
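As an added example (not part of the original post and not part of chntpw), here is a small Python audit helper that parses the user table `chntpw -l` prints, reports which enabled accounts can log on without a password, and shows which passwords were blanked between two snapshots of a hive. The sample table is constructed from the listing above, before and after Max's password was cleared.

```python
import re
from dataclasses import dataclass

# Constructed sample: the user table as printed by `chntpw -l` in the post,
# before and after Max's password was cleared (column padding trimmed).
BEFORE = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |
"""
AFTER = BEFORE.replace("| 03ec | Max | ADMIN | |", "| 03ec | Max | ADMIN | *BLANK* |")

# One data row: | RID (hex) | Username | ADMIN or empty | *BLANK* / dis/lock / empty |
ROW = re.compile(r"^\|\s*([0-9a-f]{4,8})\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")

@dataclass(frozen=True)
class Account:
    rid: int
    name: str
    admin: bool
    blank_password: bool
    disabled_or_locked: bool

def parse_user_table(text: str) -> list[Account]:
    """Parse the `chntpw -l` user table; the header and non-table lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rid, name, admin, lock = m.groups()
        accounts.append(Account(int(rid, 16), name, admin == "ADMIN",
                                "*BLANK*" in lock, "dis/lock" in lock))
    return accounts

def no_password_logons(accounts: list[Account]) -> list[str]:
    """Enabled accounts that log on with no password; admins among them are critical."""
    return sorted(a.name for a in accounts if a.blank_password and not a.disabled_or_locked)

def cleared_since(before: list[Account], after: list[Account]) -> list[str]:
    """Accounts whose password went from set to blank between two hive snapshots,
    which is exactly the trace an offline edit like the one in this post leaves."""
    had_password = {a.rid for a in before if not a.blank_password}
    return sorted(a.name for a in after if a.blank_password and a.rid in had_password)
```

Running `chntpw -l` against a backup copy of the hive before and after any offline edit, and feeding both outputs to `cleared_since`, gives a quick record of what changed.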


Okay~~
enjoy it
