
Windows 2k & 2003 Password Reset

This is my first howto/tutorial, so if there are any suggestions of any kind or questions, please let me know.
My email is: mvogels [at] white-scorpion [dot] nl
<I'm not responsible for any of the info I give you here; it is for educational purposes only. What you do with it is your business, not mine!!>

<For all the tools I've mentioned I will give the link to download them, or the original site of that tool, at the bottom of this article.>
I thought this info might interest a lot of other people, so here it is:

OK, now for the passwords.

The Windows 2000 and XP passwords are stored in the SAM file.

SAM stands for Security Account Manager.

This is the service which stores the passwords in the registry and in the SAM file. This is done by using an LM-hash (for compatibility with older versions of Windows) and an MD5-hash.
This file can not be accessed when the OS is running.
If that's not all, Windows also uses syskey to encrypt the file, so that offline viewing (with a DOS bootdisk) doesn't work. But there still are ways to get them....

Let's start with getting administrator rights on a local machine.

If you have complete access to the system, then there are several tools you can use to change the admin password, or any other for that matter. Here are the tools:

Offline NT password & registry editor:

This is a Linux based tool (the program for making a bootable disk is for Windows) and allows you to change any password on a Windows system, although it is advised not to use it on NTFS partitions, for it can crash the system. But you can even disable syskey with this proggie so that all passwords are reset to blank.
And best of all, it's free! (with source)

CIA commander:

This tool only works on NTFS partitions, but it works great! You can even use it to copy data from one place to another. But it is not free.

Passware password recovery kit:

This is a complete kit which allows you to get almost every password for anything you want (zip files, MS Office documents, saved passwords in IE, etc.) and of course a tool in it to set the administrator password to '12345'. This can also be undone if you like, so no one will ever know you were there..
Also not free, but very very good!

These are the tools I mostly use, and I haven't seen a system yet where I didn't get in (with local access, that is).

And now the registry: here the passwords are stored in HKEY_LOCAL_MACHINE\SAM.
This can only be accessed by administrators, but even then you don't have the possibility of seeing them without using some kind of tool (unless you can make yourself 'system', but that isn't necessary here).
Here the tool 'pwdump2' comes in handy; this will give you a complete dump of all the local passwords on the system.

Another tool is 'lsadump2'. You know the screen where you have to put in your name and password if you want to connect to the internet using a modem?
Even if you don't save the password, it will be saved for you in the registry by Windows and can be viewed with this tool. Also the default password (if there is any) will be shown.

There is another version of this tool, 'pwdump3', which allows you to do the same on a remote machine; you'll need the admin password for that machine too for this tool.

And last but not least the tool i mentioned before:

The passware IE key, which allows you to get all the stored passwords (including sites) on the system.
This tool can be found too in the Passware password recovery kit.

Now, I hope that this is of any use to anyone; I did my best writing it, that's for sure.
If you like this tutorial (or if you don't) please let me know by voting for it..

Here are the links I promised:

Offline NT password & registry editor:
http://home.eunet.no/~pnordahl/ntpasswd/

CIA commander:
http://www.datapol-technologies.com/en/Products/Business/CIACommander/main.htm

Passware password recovery kit:
http://www.lostpassword.com/

pwdump2:
http://razor.bindview.com/tools/files/pwdump2.zip

pwdump3:
http://packetstormsecurity.org/Crackers/NT/pwdump3.zip
(this link should work, but the site is down at the moment)

lsadump2:
http://razor.bindview.com/tools/files/lsadump2.zip

btw, pwdump 2 & 3 and lsadump2 are free tools...

hope this helps

grtz

lepricaun
_________________
Errors, Vulnerabilities & Exploits explained
The Syringe - My Latest Project.

I'm not a complete idiot, some parts are missing.

Last edited by White Scorpion on Sat Mar 17, 2007 11:20 pm; edited 1 time in total

mel Posted: Fri Jun 25, 2004 1:15 pm Post subject:
Is there any simple procedure like renaming SAM to recover a lost password on a Win 2k domain controller??????

Deep Viewer Posted: Fri Jun 25, 2004 4:17 pm Post subject:
Locksmith Utility -->> http://www.winternals.com/products/repairandrecovery/locksmith.asp
_________________
Imagination is more important than knowledge.
Albert Einstein


MattA Posted: Fri Jun 25, 2004 4:36 pm Post subject:


Amazingly, Mel, I wrote documentation earlier today on how to reset the administrative password on a DC in the Act
here http://www.security-forums.com/forum/viewtopic.php?t=16217
_________________
All across the Internet, routers whisper paths they learn to their peers,directing ideas,business transactions and messa
holding my breath for fear of killing it with a twitch.

ThePsyko Posted: Fri Jun 25, 2004 5:29 pm Post subject:
mel wrote:
is there any simple procedure like renaming SAM to recover a lost password on a Win 2k domain controller?

Renaming the SAM won't allow you to recover any passwords, but it is possible to create an administrative account and access the

Here's the tutorial I wrote a while back:

Creating an Administrative Account without being an Administrator


Next time you're faced with an NT or 2k system that you need to log on to
with an administrative account and nobody knows the passwords, do the
following 12 steps to create a new account while preserving the existing
account profiles.

1) boot to a windows boot disk

2) if the C drive is NTFS use ntfsdos to mount it

3) maneuver to c:\winnt\system32\config

4) rename the SAM. file to anything you want

5) reboot and login as 'administrator' and a blank password

At this point you have administrative access, but any changes you make to
the profiles will not be saved to the proper SAM file and will be lost.
All other changes (configurations, installations, etc) made at this point
will be saved.

6) open notepad

7) type '@echo off
net user newuser mypass /ADD
net localgroup /ADD administrators newuser'

8) save as c:\useradd.bat

9) open a command prompt and type
at <enter a time 10 minutes or so into the future> "c:\useradd.bat"

10) reboot to your floppy

11) delete the c:\winnt\system32\config\SAM. file and rename the old one
back to SAM.

12) reboot and wait 10-15 minutes for the batch file to execute. The batch file will execute with system privileges and create the '

You can then log on with your newuser account with local administrative rights and can reset the original administrator account, cl

Unfortunately, the only way to defend against something like this in the wild is to ensure you have proper auditing and hope whom
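ThePsyko's closing point is that auditing is the only real defence. As an added example, not code from ThePsyko or anyone else in this thread, the Python script below shows the audit a defender would run over a Security-log export to catch the trace the 12 steps leave behind: a local account created and then added to Administrators with NT AUTHORITY\SYSTEM as the subject, because the batch file is launched by the at scheduler and therefore runs as SYSTEM. The pipe-separated export format, the hostnames, account names and timestamps are all constructed for the example; the event IDs are the real ones (624 and 636 on Windows 2000/2003, 4720 and 4732 on later versions).

```python
"""Audit a Security-log export for a SYSTEM-created local administrator.

Added example, not the thread's code. The export format below is a
constructed, pipe-separated simplification of the Windows Security log:
    time|event id|subject (who did it)|target account|group
Event IDs are real: 624/4720 = user account created,
636/4732 = member added to a security-enabled local group.
Hostnames, account names and timestamps are made up.
"""
from datetime import datetime, timedelta

# Constructed sample export (not real log data).
SAMPLE_LOG = [
    "2004-06-25 08:00:12|624|CORP\\helpdesk|CORP\\jdoe|",
    "2004-06-25 08:00:40|636|CORP\\helpdesk|CORP\\jdoe|Remote Desktop Users",
    "2004-06-25 20:15:03|624|NT AUTHORITY\\SYSTEM|WS01\\newuser|",
    "2004-06-25 20:15:04|636|NT AUTHORITY\\SYSTEM|WS01\\newuser|Administrators",
    "2004-06-26 09:30:00|4732|CORP\\admin1|CORP\\jdoe|Administrators",
    "2004-06-26 10:00:00|4732|NT AUTHORITY\\SYSTEM|WS02\\svc_backup|Administrators",
]

ACCOUNT_CREATED = {"624", "4720"}
LOCAL_GROUP_MEMBER_ADDED = {"636", "4732"}
SYSTEM_SUBJECTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


def parse_line(line):
    """Split one export line into a dict with a parsed timestamp."""
    ts, event_id, subject, target, group = line.split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "id": event_id,
        "subject": subject,
        "target": target,
        "group": group,
    }


def find_suspicious_admin_additions(lines, window=timedelta(minutes=15)):
    """Return alerts for accounts added to Administrators under SYSTEM's identity.

    high:   the same account was also created by SYSTEM within `window`,
            which is exactly what a scheduled batch file leaves behind.
    medium: added to Administrators by SYSTEM, but no matching creation
            event was seen (older export, or creation outside the window).
    Additions made by an interactive admin are treated as normal change control.
    """
    created_by_system = {}  # target account -> creation time
    alerts = []
    for ev in map(parse_line, lines):
        if ev["id"] in ACCOUNT_CREATED and ev["subject"] in SYSTEM_SUBJECTS:
            created_by_system[ev["target"]] = ev["time"]
        elif ev["id"] in LOCAL_GROUP_MEMBER_ADDED and ev["group"].lower() == "administrators":
            if ev["subject"] not in SYSTEM_SUBJECTS:
                continue
            created = created_by_system.get(ev["target"])
            if created is not None and ev["time"] - created <= window:
                severity = "high"
            else:
                severity = "medium"
            alerts.append({"account": ev["target"], "severity": severity, "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_admin_additions(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['account']} added to Administrators "
              f"by SYSTEM at {a['time']}")
```

Run as-is it flags WS01\newuser as high (created and promoted by SYSTEM one second apart) and WS02\svc_backup as medium, while jdoe's promotion by a named administrator is ignored. To use it on a real export, produce the same five fields per line; the only thing the check depends on is that both events carry SYSTEM as the subject, which is the one detail this procedure cannot hide.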

piccolo_21 Posted: Fri Jun 25, 2004 5:53 pm Post subject:
That is all useful info. You can also use LC4 once you get the SAM to see the passes it has stored, or the simplest way is to get th
wonders when my users forget the pass.
_________________
A wise man asked question, a fool is afraid of knowledge>>>>

White Scorpion Posted: Sat Jun 26, 2004 11:27 am Post subject:
There is one other way to reset the password on a DC pretty easily; this is also by using a tool from the Passware recovery kit, but this ti

It is pretty expensive, but for a company it might come in handy.

Here is the link to order it; it's the one at the top.

RoboGeek Posted: Wed Jan 24, 2007 8:05 pm Post subject:


There are now several new tools out there to assist you in recovering/changing passwords:

http://www.loginrecovery.com/

Quote:
Login Recovery is a service to reveal user names and recover passwords for Windows NT, 2000, XP
computer, your passwords can be recovered


http://ebcd.pcministry.com/

Quote:
change password of any user, including administrator of Windows NT/2000/XP OS. You do not need
http://trinityhome.org/Home/index.php?wpid=1&front_id=12

Quote:
Here's a sum-up of some of the most important features, new and old:
-easily reset windows passwords
-4 different virusscan products integrated in a single uniform commandline with online update capa
-full ntfs write support thanks to ntfs-3g (all other drivers included as well)
-clone NTFS filesystems over the network
-wide range of hardware support (kernel 2.6.19.1 and recent kudzu hwdata)
-easy script to find all local filesystems

http://www.ubcd4win.com/contents.htm

Quote:
(re)set the passwords of any user that has a valid local account, create a new local user with admin
on your NT system

_________________
ASCII stupid question, get a stupid ANSI!

Business Network Solutions


Battousai Posted: Mon Jan 29, 2007 7:14 pm Post subject:


If the world really knew how easy is to break into windows I wonder what would happen?!?!

By the way, anyone know if the same tools will work with Vista?
_________________
If water is hydrogen and oxygen why doesn’t it burn?

majo323 Posted: Wed Jan 31, 2007 11:28 pm Post subject:
I use software named ERD Commander 2003; it works well.
_________________
Ask Google first


loraandbush Posted:
Best way to reset the password is format the system


capi Posted: Mon May 12, 2008 5:26 pm Post subject:


loraandbush wrote:
Best way to reset the password is format the system

Uh, no.
_________________
main(_){for(_=')';_;_+=~!&_["]["]){char l;write(!_!=_,(l=_["mI}., m0:0,$6/\3,\
$6/m/&\"10*\177c,$6\17cm\4c/&\"10\12"]^unix["CC me on *nix"],&l),_==_);}}

Israel G. Lugo


ThePsyko Posted: Tue May 13, 2008 12:04 am Post subject:


loraandbush wrote:
Best way to reset the password is format the system

??? actually that is the WORST way, since you lose everything you were after.


moondoggie Posted: Tue May 13, 2008 6:10 am Post subject:


It seems like ever since the invention of WinXP there is a huge class of people who think reformat is the solution to just about

"i lost my password"
reformat

"my computer is slow"
reformat

"my clock is five minutes off"
reformat