Recover Windows Password Part 1

Written by David Noel-Davies
There are various offline attacks. Do you have auditing turned on so that you can detect when a server has been turned off? Being turned off is what makes it vulnerable to offline attacks. If you are not already aware of it: without physical security there can be no security. If you have a resource which needs to be protected, the single most important protection is to restrict physical access.

Easiest: Linux boot disks

There are Linux boot disks that carry DOS and NTFS filesystem drivers, together with software that will read the registry and rewrite the password hashes for any account, including the Administrator's. It is as simple as:
This process requires physical access to the console and an available floppy drive. The following site provides the downloadable boot disk image, the image-to-disk utility, source code, and supporting documentation: Offline NT password utility. This version can disable syskey protection. They do note that turning off syskey under Windows 2000 damages the SAM and is not to be attempted except as a last resort before reinstallation. Watch for updates. See Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System for Microsoft's perspective. I have seen the Linux boot disks fail primarily on SCSI-based boxes, when the boot disk did not have the proper SCSI driver or when some problem was detected in the SCSI setup. I have also seen PCs where the Linux boot disk works but the SAM seems to be invisible to Linux (although it is in its standard location, and later access with NTFSDOS allows it to be copied). What would raise barriers to these types of tools?
It is not practical in most environments to apply high security to workstations. But one or more of the less intrusive barriers would increase the time needed to break in and would increase the probability that the hacker is exposed. That would also increase the probability of management accepting the use of these tools by legitimate support personnel trying to solve a difficult problem. Some of the Linux boot disk utility variants leave a footprint: the password is changed. Some include backup/restore features for the SAM. With this feature, one could boot a Windows NT PC, back up the SAM data, overwrite the password, reboot, log in using the compromised account and do mischief, including sending inappropriate email or deleting bits and pieces here and there (darn those unreliable PCs), then restore the SAM and the owner's password. Since the attack was offline, unless shutdowns are monitored the episode is essentially invisible. The automated nature of these tools makes this available to putzes, baby hackers, and the guy or gal in the office next door. It took me 5 minutes with a very simple search to find the utilities and procedures documented on this page. The security-by-ignorance barrier is incredibly low. The level of expertise needed to take advantage of physical access does vary. These baby tools for NT should make one seriously consider how to improve server and workstation security. Server physical security is generally good except for departmentally distributed servers. Workstation security is a nonentity in all but the most paranoid shops. These tools should give one pause, and prompt action to protect your officers' PCs, and other PCs holding highly sensitive data, from hackers.

Sunbelt released NTAccess, which can replace the administrator password of a Windows NT system, a Windows 2000 system with or without Active Directory, or XP. It can bypass syskey protection.
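As an added example (not from the article or from any tool it names), here is a small Python check that does the shutdown monitoring the article asks about: it scans exported System and Security event records for a boot (event 6005, event log service started) that no user-initiated shutdown (event 1074) preceded, and notes any interactive console logon (event 4624, logon type 2) that follows soon after. The record format and the sample entries are constructed for the example.

```python
# Added example, not part of the original article: flag reboots that were
# not preceded by a user-initiated shutdown, the footprint an offline
# boot-disk password reset leaves in the Windows event log.
# Event IDs used: 1074 = user/process initiated shutdown or restart (System log),
# 6005 = event log service started, i.e. a boot (System log),
# 4624 = successful logon, LogonType 2 = interactive console logon (Security log).
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event id, detail), chronological.
SAMPLE_EVENTS = [
    ("2001-03-05 17:58:10", 1074, "shutdown initiated by jdoe"),
    ("2001-03-05 17:58:30", 6006, "event log stopped"),
    ("2001-03-06 08:01:05", 6005, "event log started"),
    ("2001-03-06 08:02:40", 4624, "user=jdoe type=2"),
    # Overnight: no 1074 at all, then a boot and an Administrator console logon.
    ("2001-03-06 22:14:02", 6005, "event log started"),
    ("2001-03-06 22:15:11", 4624, "user=Administrator type=2"),
]


def find_unexpected_reboots(events, window=timedelta(minutes=30)):
    """Return one finding per boot (6005) with no 1074 since the previous boot.

    Each finding lists interactive logons within `window` after the boot; a
    console logon right after an unexplained power cycle raises the priority.
    """
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, d)
              for ts, eid, d in events]
    findings = []
    clean_shutdown_seen = False
    for i, (ts, eid, _detail) in enumerate(parsed):
        if eid == 1074:
            clean_shutdown_seen = True      # the OS was asked to shut down
        elif eid == 6005:
            if not clean_shutdown_seen:
                logons = [d for t, e, d in parsed[i + 1:]
                          if e == 4624 and "type=2" in d and t - ts <= window]
                findings.append({
                    "boot": ts,
                    "console_logons_after": logons,
                    "priority": "high" if logons else "medium",
                })
            clean_shutdown_seen = False     # start the next boot cycle
    return findings


if __name__ == "__main__":
    for f in find_unexpected_reboots(SAMPLE_EVENTS):
        print(f"{f['priority']}: boot at {f['boot']} without a clean shutdown;"
              f" console logons after: {f['console_logons_after']}")
```

A machine its owner had already shut down cleanly leaves no such gap, so this check complements physical access control rather than replacing it.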
NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or a CD-ROM (XP only). This is useful if you have forgotten the administrator password and cannot access the Windows XP/2000/NT system. AccessData are in the business of password recovery and sell toolkits which can reset the administrator password under Netware and NT, as well as for office and personal application products such as Word and Quicken. They provide technical support should things go awry. Given the consequences of problems, tech support can be worth every penny. They also have a set of free utilities. The Passware Kit also offers a fairly extensive password recovery suite, covering NT and many applications, fairly inexpensively. They have recently announced a version of their product to reset the Administrator password, the secure boot password or the key disk if lost: a Windows 2000 password product with the following features:
Winternals offer NTLockSmith to reset lost NT passwords. It only works in conjunction with NT Recover, which is designed to recover data from damaged NT boxes. It sounds much like the Linux solution but uses NT Recover to get to the registry of the target NT box. I suggest you take a close look at their admin tools. Their product is Windows 2000 compatible.

Dieter Spaar's NTAccess uses boot disks to access the NT / Windows 2000 system and change the administrator password. It can turn off Syskey protection at the cost of losing all passwords except the Administrator account's, which it resets. My guess is that they achieve this by deleting the LSA SecureBoot value and replacing the Administrator's password hash. They are not breaking the encryption; they are just turning it off. See my Syskey tip for more information.

Many sites document a rather complex method of resetting the administrator's password. The method takes advantage of the fact that certain system services, such as the spooler, operate under the security context of the local system. By changing the file name of the spooler to that of another executable, it is possible to launch an application with the privilege to change passwords. There are several versions. They work. They are complex. They have the advantage that they do not appeal to hackers: they take too long, with too much danger of exposure. This technique has the disadvantage that there must be enough disk space to install another copy of NT. This method is documented here, here, here, and in many other locations.

Some take a much more direct approach. This is actually a method to escalate a user's account to admin level. If you have another account on the box, even though it is not admin, let's say an account manager or backup account, you can log onto the system, rename spoolss.exe to spoolssbak.exe, rename usrmgr.exe to spoolss.exe, and reboot. When you log on after the reboot, User Manager will be running in the foreground as localsystem. This gives you the ability to reset the admin password to whatever you want, or to create a new admin account, for example. You need to log off and back on as administrator to get the renamed files back under their proper names.