Sunday, August 14, 2011

Hack Windows passwords using the Linux application chntpw


I hate naive people…
First and foremost of all, please don’t mix a Hacker with a Cracker. A Hacker is someone that has “technical adeptness and a delight in solving problems and overcoming limits” (http://insideinformationdaily.info/gold-2012.htm), while a Cracker is the proper word for someone that uses security penetration techniques in order to gain access to something. If you dare to mix the two, Linux fanatics will lose their minds and eat your soul!… Ok maybe not, but you will have a whole community on your head going “HOW DARE YOU!!!!”. Trust me, I’ve got it hard…
You don’t tell a Linux user he can’t do something… never! Ever! You will piss him off and he’ll do whatever it takes just to prove you wrong, if it’s worth the trouble (at least that’s how big my ego is, feel free to disagree). I’m especially talking to you, Windows users; you usually tend to be a lot more naive than the rest.
A friend of mine dared me to crack his Administrator account, so I did, in 30 seconds, and this is how I did it:
You need a Live Linux (CD, DVD, USB, Diskette, who cares) and the application chntpw
Note: It works for Windows XP, Vista and 7. I’ve tested it on Windows 7.
A bit of theory: Windows stores its local user accounts in the C:\windows\system32\config\SAM file. If you want to change ANYTHING related to the user accounts, you do it in this file, but it is of course encrypted. Not a problem! While we can’t read the file and see what password is already assigned to a user, we can sure as hell overwrite it.
Now you need a version of Linux that has chntpw, for example BackTrack. Otherwise you can install it; most Debian-based distros have it in their repositories. Of course if you’re running your Linux from a LiveCD or DVD, installing it is not really an option, so you need a Linux that already has it… stick with BackTrack ;)
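The SAM file is an ordinary Windows registry hive, and its first 512 bytes (the REGF base block) carry a signature, two sequence numbers, a last-written FILETIME, the hive name and an XOR checksum. The following is an added example (mine, not the post author’s) that parses those fields so someone triaging a machine can see whether the hive was left in an inconsistent state or had its header altered; the 512-byte sample it builds is constructed for the demonstration and is not a real SAM.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_SIG = b"regf"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since here
SAMPLE_FT = 129577536000000000  # constructed timestamp: 2011-08-14T00:00:00Z

def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs in bytes 0..507, with the two reserved edge results Windows uses."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        xor ^= dword
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return 1 if xor == 0 else xor

def parse_hive_header(block: bytes) -> dict:
    """Triage fields of a hive base block, plus a list of inconsistencies: bad signature,
    checksum mismatch (header bytes altered) or differing primary/secondary sequence
    numbers (the hive was not cleanly written out)."""
    if len(block) < 512:
        raise ValueError("base block must be at least 512 bytes")
    sig, seq1, seq2, ft, major, minor = struct.unpack_from("<4sIIQII", block, 0)
    name = block[48:112].decode("utf-16-le").rstrip("\x00")  # 64-byte UTF-16LE hive name
    stored = struct.unpack_from("<I", block, 508)[0]
    issues = []
    if sig != REGF_SIG:
        issues.append("bad signature")
    if stored != regf_checksum(block):
        issues.append("checksum mismatch")
    if seq1 != seq2:
        issues.append("sequence numbers differ")
    return {"name": name, "version": f"{major}.{minor}", "sequence": (seq1, seq2),
            "last_written": FILETIME_EPOCH + timedelta(microseconds=ft // 10), "issues": issues}

def build_sample_header(seq1: int, seq2: int, ft: int, name: str = "SAM") -> bytes:
    """Constructed 512-byte base block (not a real SAM) with a correct checksum.
    Fields after the timestamp: major 1, minor 5, type 0 (primary), format 1,
    root cell offset, hbin data size, clustering factor."""
    hdr = bytearray(512)
    struct.pack_into("<4sIIQIIIIIII", hdr, 0, REGF_SIG, seq1, seq2, ft, 1, 5, 0, 1, 0x20, 0x1000, 1)
    hdr[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    print(parse_hive_header(build_sample_header(7, 7, SAMPLE_FT)))  # issues: []
    print(parse_hive_header(build_sample_header(8, 7, SAMPLE_FT)))  # sequence numbers differ
```

Pointing `parse_hive_header` at the first 512 bytes of a real hive (read in binary mode from the mounted drive) gives the same report for the file itself.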
Without further ado, I present to you: Step by step instructions on how to crack the Administrator password…

Blanking out the Administrator password

1. Boot from Live Linux (CD/DVD/USB)
2. If not already mounted, mount your Windows drive. Here is an example of how to mount your Windows drive, presuming it is on the first partition of your hard drive:
  1. su
  2. mkdir /mnt/windows
  3. mount /dev/sda1 /mnt/windows
  4. cd /mnt/windows
3. Now we need to navigate to the SAM file, so presuming that Windows is installed in its default location, you just:
  1. cd /mnt/windows/Windows/System32/config/
3.1 OPTIONAL STEP: Some Linux distros (like BackTrack 5) don’t have the command chntpw added as an alias, so I had to do the following in order to get it to work properly; you might not need to do this on other distros:
  1. alias chntpw='/pentest/passwords/chntpw/./chntpw'
Proper explanation: this creates an alias to the chntpw executable so you can use the application without having to type its full executable path.
Simplified explanation: it lets you use the chntpw command from any folder on the system.
4. Do this!
  1. chntpw SAM
This command enables you to edit the Administrator account.
5. Let’s say we just want to change the Administrator password to NOTHING. Press 1, Enter, Y, Enter aaand that’s it. Complicated I know…

Changing a user’s password

Warning! This method is not very stable and can backfire (in my experience, it doesn’t write the new password properly). A safer bet is to change the password to nothing and then set a new password from User Accounts Control in Windows.
It’s the exact same procedure, only that at step 4, instead of the above command, you use this:
  1. chntpw -u user_name SAM
Remember that Linux is case-sensitive so make sure to write the username in the same exact case.
And at step 5 press 2, Enter, type in new password, Enter, y, Enter, DONE!
And that my children is how you can play a really mean prank on your girlfriend (provided you have one) making her think she forgot her own password.
