I was going to talk about portable ("green") software or Wireshark,
so I pulled out my old 4GB USB flash disk again,
thinking I would use the USB stick for the presentation
and that it should have a few more features.
A while ago I noticed a package
that changes Windows administrator account passwords offline,
but it works from a Live CD or floppy,
which I didn't really like, and I hadn't spent any time on it.
So today I spent a little time looking at it
and installed it on my OpenSuSE flash disk while I was at it.
The package's official site:
chntpw
http://home.eunet.no/pnordahl/ntpasswd/
I first went to rpmfind.net,
but it only had Fedora RPMs,
so I figured I would just download the source code and play with it.
Download the source code (assuming it is downloaded to /root/Desktop):
http://home.eunet.no/pnordahl/ntpasswd/chntpw-source-080526.zip
# cd /root/Desktop
# unzip chntpw-source-080526.zip
# cd /root/Desktop/chntpw-080526
Compile:
# make
︿︿
That simple, done.
Let's start the experiment.
suse-usb:~ # fdisk -l
Disk /dev/sda: 4108 MB, 4108320768 bytes
255 heads, 63 sectors/track, 499 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x04030201
Device Boot Start End Blocks Id System
/dev/sda1 1 53 425691 82 Linux swap / Solaris
/dev/sda2 * 54 499 3582495 83 Linux
Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x1fb51fb4
Device Boot Start End Blocks Id System
/dev/sdb1 * 1 9807 78774696 7 HPFS/NTFS
/dev/sdb2 9808 60801 409609305 7 HPFS/NTFS
I can see that my Windows drive is /dev/sdb1.
Create a mount point:
# mkdir /mnt/usb
Mount it:
# mount -t ntfs-3g /dev/sdb1 /mnt/usb/
Use chntpw -l to list the accounts in the system.
Normally the SAM database is under WINDOWS/system32/config.
# /root/Desktop/chntpw-080526/chntpw -l /mnt/usb/WINDOWS/system32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 295/21536 blocks/bytes, unused: 10/2848 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |
Max has ADMIN rights but has a password set;
root is a normal user with a blank password.
Remove Max's password:
# /root/Desktop/chntpw-080526/chntpw -u Max /mnt/usb/WINDOWS/system32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 295/21536 blocks/bytes, unused: 10/2848 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |
---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = -1, Unknown-mode
SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!
RID : 1004 [03ec]
Username: Max
fullname: Max
comment :
homedir :
User is member of 3 groups:
00000221 = Users (which has 5 members)
00000220 = Administrators (which has 3 members)
0000022b = Remote Desktop Users (which has 1 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 48
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 1    (it asks what to do; enter 1 to clear the password)
Next:
Password cleared!
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y    (it asks whether to write; enter y to write the hive)
Use chntpw -l SAM to check whether Max's password has been cleared:
# /root/Desktop/chntpw-080526/chntpw -l /mnt/usb/WINDOWS/system32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 295/21536 blocks/bytes, unused: 10/2848 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | *BLANK* |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |
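As an added example (not code from this post or from the chntpw project), here is a small Python audit script that parses the user table `chntpw -l` prints, flags enabled administrator accounts that have a blank password (the situation the listing shows for ines, and the one the edit above creates for Max), and diffs two listings of the same hive so a change like the one above is reported by account name. The sample tables are constructed from the listings in this post; the function and variable names are my own.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# One data row of the user table printed by `chntpw -l SAM`, e.g.
#   | 03ec | Max | ADMIN | *BLANK* |
# Cells may be empty. The header row has "RID -" in the first cell and
# does not match the 4-hex-digit RID pattern, so it is skipped naturally.
ROW_RE = re.compile(
    r"^\|\s*([0-9a-fA-F]{4})\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$"
)


class Account(NamedTuple):
    rid: int                  # relative identifier, decoded from the hex column
    username: str
    is_admin: bool            # "ADMIN" in the Admin? column
    blank_password: bool      # "*BLANK*" in the Lock? column
    disabled_or_locked: bool  # "dis/lock" in the Lock? column


def parse_chntpw_listing(text: str) -> Dict[str, Account]:
    """Parse the user table of chntpw -l output into {username: Account}."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner, hive statistics, policy limits, table header
        rid_hex, name, admin, lock = m.groups()
        accounts[name] = Account(
            rid=int(rid_hex, 16),
            username=name,
            is_admin=(admin == "ADMIN"),
            blank_password=("*BLANK*" in lock),
            disabled_or_locked=("dis/lock" in lock),
        )
    return accounts


def audit(accounts: Dict[str, Account]) -> List[Account]:
    """Return enabled administrator accounts that have no password at all."""
    return [
        a for a in accounts.values()
        if a.is_admin and a.blank_password and not a.disabled_or_locked
    ]


def diff_listings(before: Dict[str, Account],
                  after: Dict[str, Account]) -> List[Tuple[str, str]]:
    """Describe what changed between two listings of the same SAM hive."""
    changes: List[Tuple[str, str]] = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            changes.append((name, "account added"))
            continue
        if old.blank_password != new.blank_password:
            changes.append((name, "password blanked" if new.blank_password
                            else "password set"))
        if old.is_admin != new.is_admin:
            changes.append((name, "promoted to admin" if new.is_admin
                            else "demoted from admin"))
        if old.disabled_or_locked != new.disabled_or_locked:
            changes.append((name, "disabled/locked" if new.disabled_or_locked
                            else "enabled/unlocked"))
    for name in before:
        if name not in after:
            changes.append((name, "account removed"))
    return changes


# Constructed sample input: the user tables from the listings in the post,
# before and after the password of "Max" was cleared.
BEFORE_LISTING = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03e8 | HelpAssistant | | dis/lock |
| 03f2 | ines | ADMIN | *BLANK* |
| 03ec | Max | ADMIN | |
| 03f8 | root | | *BLANK* |
| 03ea | SUPPORT_388945a0 | | dis/lock |
| 03f6 | __vmware_user__ | | |
"""

AFTER_LISTING = BEFORE_LISTING.replace("| 03ec | Max | ADMIN | |",
                                       "| 03ec | Max | ADMIN | *BLANK* |")

if __name__ == "__main__":
    before = parse_chntpw_listing(BEFORE_LISTING)
    after = parse_chntpw_listing(AFTER_LISTING)
    for a in audit(after):
        print(f"WARNING: admin '{a.username}' (RID {a.rid}) has a blank password")
    for name, what in diff_listings(before, after):
        print(f"CHANGED: {name}: {what}")
```

Feed it saved `chntpw -l` output from a baseline and from a later listing: an enabled administrator with *BLANK* is a finding on its own, and a "password blanked" or "promoted to admin" entry on a machine nobody was supposed to touch is a sign the hive was edited offline, which leaves no event in the Windows security log.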
Okay~~
enjoy it