How to Remove a Windows Password with a Linux Live CD
Written by Alex Long
Published 6 months ago; last edited 6 months ago

Back when I was a Windows user, I know I wasn't the only one who experienced password loss—that moment when you just can't remember your password. It happens to the best of us. So, how can we get back into the system without paying a local geek or Geek Squad to do it? First, we have to look at how Windows stores its passwords.

Windows keeps user passwords in the SAM file, not as plaintext but in hashed form (as LM and NTLM hashes). Because a hash function is one-way, this gives the stored passwords some measure of protection. The hashes can still be brute-forced, however. The procedure in this post does not try to recover the password at all: it edits the SAM offline so that the stored hash is cleared or replaced.

Some time ago there was an exploit that let you delete the SAM file and log into any account without a password. That is fixed: Windows no longer allows access to the SAM file while it is running. Booting a different operating system sidesteps that protection entirely, which is why the only real defence against an offline edit like this one is full-disk encryption (BitLocker) combined with a firmware password that blocks booting from removable media. For this Null Byte, we are going to use a Linux Live CD to remove a Windows password with the chntpw tool.

Requirements

  • BackTrack 5 on a DVD, or a Linux install with chntpw
  • A password on a Windows installation

Step 1 Boot From BackTrack

Indented lines are terminal commands to type.

  1. Put the disc in your computer.
  2. Press the key that enters the BIOS setup.
  3. Move CD/DVD to the top of the boot order.
  4. Exit the setup and save your settings.
  5. When you get to the console, log in with user root and password toor.
  6. Boot into the KDE desktop environment:
        startx
  7. Open a terminal.

Step 2 Mount Drive & Change Windows Password

Now we have to mount the Windows drive partition to modify the password, or remove it completely.

  1. First, we have to mount the hard drive partition that the Windows installation is located on (replace /dev/sda1 with the partition that actually holds Windows if yours differs).
        mount /dev/sda1 /mnt/
  2. Change to the directory that the SAM file is in so that we can prepare to modify its contents.
        cd /mnt/Windows/System32/config
  3. List the users on the computer contained in the SAM file.
        chntpw -l SAM
  4. Change a specific user account's password.
        chntpw -u USERNAME SAM
  5. Now, let's unmount the drive and boot into Windows to use the updated or cleared password.
        umount /dev/sda1
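Step 2 silently assumes the partition is plain NTFS. As an added example (not part of the original post or of chntpw), this shell snippet reads the OEM ID from a volume's boot sector so you can tell an editable NTFS volume from a BitLocker-protected one, which is exactly the case in which the procedure above fails; the function names and the sample sector images are constructed for illustration.

```shell
#!/bin/sh
# Classify a volume by the OEM ID stored at bytes 3..10 of its boot sector.
# A plain NTFS volume carries "NTFS    " and can be mounted and edited with
# chntpw as in Step 2; a BitLocker-protected volume carries "-FVE-FS-" and
# presents no readable SAM file to an offline tool, so the procedure above
# cannot touch it. Function names here are chosen for this example.

volume_oem_id() {
    # $1 = block device or image file; print the 8-byte OEM ID
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null
}

classify_volume() {
    case "$(volume_oem_id "$1")" in
        'NTFS    ') echo "ntfs-plain" ;;   # mountable, SAM reachable
        '-FVE-FS-') echo "bitlocker" ;;    # encrypted, no offline edit possible
        *)          echo "unknown" ;;
    esac
}

# Constructed sample boot sectors (not taken from any real disk): a 3-byte
# jump stub, the OEM ID, then zero padding to a full 512-byte sector.
make_sample() {
    # $1 = output file, $2 = 8-character OEM ID
    {
        printf '\353\122\220'
        printf '%s' "$2"
        dd if=/dev/zero bs=1 count=501 2>/dev/null
    } > "$1"
}

SAMPLE_DIR="${TMPDIR:-/tmp}"
make_sample "$SAMPLE_DIR/ntfs.img"  'NTFS    '
make_sample "$SAMPLE_DIR/bitlk.img" '-FVE-FS-'
make_sample "$SAMPLE_DIR/fat.img"   'MSDOS5.0'

classify_volume "$SAMPLE_DIR/ntfs.img"    # → ntfs-plain
classify_volume "$SAMPLE_DIR/bitlk.img"   # → bitlocker
classify_volume "$SAMPLE_DIR/fat.img"     # → unknown
```

Run it against a real device as `classify_volume /dev/sda1` before Step 2; a "bitlocker" result means the mount step will not expose a SAM file, whatever tool you use.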

If you have any questions regarding today's post, feel free to join us on IRC. Also, follow me on Twitter for the latest Null Byte updates.
