Thursday, February 25, 2010

Reset and Change Windows NT/2000 Administrator or User Password with chntpw in Linux

Windows NT, Windows 2000 and Windows XP users who have forgotten the administrator account password has many ways to hack, crack, recover or reset the administrator password. Another way to break into a Windows PC which locks with forgotten or unknown password is to use chntpw, a Linux based program to change and reset the password of a Windows administrator account.

Chntpw is a program designed to overwrite and set Windows NT or Windows 2000 SAM password of any user that has a valid (local) account by modifying the encrypted password in the registry’s SAM file. User of chntpw does not need to know the old password to set a new password. Actually, chntpw is now available in the form of bootdisk or LiveCD which includes necessary stuff to access NTFS partitions and scripts to glue the whole thing together.

Chntpw works on NT system which is offline (turned off), and can only be used on local machine and cannot be used on a remote machine. However, chntpw can be installed on a Linux system such as Ubuntu, and then used to recover by resetting Windows user account password by mounting the Windows drive, connected via physical IDE/SATA/SCSI interface or USB portable disk.

Chntpw can be installed using aptitude for user using Debian based system,

It is pretty easy to use and can be found and installed using aptitude if your using debian based system, or can be downloaded and installed in Ubuntu with a simple “sudo apt-get install chntpw” command. Chntpw is likely to be contained in other distributions package manager too, or the source code can be downloaded from http://home.eunet.no/~pnordahl/ntpasswd/editor.html.

Chntpw Usage Guide

1. Mount the Windows NTFS, FAT or FAT32 partition to the Linux system, allowing read and write access support.
2. Locate the SAM file for Windows 2000, Windows NT or Windows XP, which is normally located at the either \Windows\System32\config or \Winnt\System32\config folder. Change directory to inside the folder, there are a number of files such as SAM, SYSTEM and SECURITY.

Inside the folder, issue the following command to automatically change the administrator password:

chntpw SAM

Issue the following command (replace USERNAME with actual user name on the computer) to change the password for a normal restricted user account:

chntpw -u USERNAME SAM

Tip: To list all the users in the SAM file, use the chntpw -l SAM command.
3. Chntpw will display some information on screen, and then prompt for new password to reset the existing password. Enter a new password for the administrator or user account.

Tip: To reset the password to blank (no) password, enter * (asterisk).
4. Unmount the drive, and then restart the Windows computer. The password for the administrator or user account reseted should be changed accordingly.

There are other options for chntpw, which can be displayed with the following command:

chntpw -h

# chntpw help and usage

chntpw version 0.99.3 040818, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
NOTE: This program is somewhat hackish! You are on your own!

No comments: