Back when I was a Windows user, I know I'm not the only one who has experienced password loss—that moment where you just can't remember your password. Sometimes it happens to the best of us. So, how can we get into the system without paying a local geek or geeksquad to do it? First, we have to look into how Windows stores their passwords.
When Windows saves your user passwords, it stores them in a SAM file. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords. However, this can still be bruteforced.
Some time ago there was an exploit that allowed you to delete the SAM file and log into any account without a password. This is fixed, since Windows no longer allows access to the SAM file while Windows is running. For this Null Byte, we are going to use a Linux Live CD to remove a Windows password using the chntpw tool.
- BackTrack 5 on a DVD, or a Linux install with chntpw
- A password on a Windows installation
Step 1 Boot From BackTrack
Text in bold is a terminal command.
- Put the disc in your computer.
- Hit the the setup button.
- Change CD/DVD to be first on the boot order.
- Exit the setup and save your settings.
- When you get to the console, boot with; user:root paswword:toor.
- Boot into the KDE desktop environment:
- Open a terminal.
Step 2 Mount Drive & Change Windows Password
Now we have to mount the Windows drive partition to modify the password, or remove it completely.
- First, wehave to mount the hard drive partition that the Windows installtion is located on..
mount /dev/sda1 /mnt/
- Change to the directory that the SAM file is in so that we can prepare to modify its contents.
- List the users on the computer contained in the SAM file.
chntpw -l SAM
- Change a specific user account password.
chntpw -u USERNAME SAM
- Now, lets unmount the drive and boot from Windows to use the updated or cleared password.