Duke4.net Forums: Retrieve Password in Windows Without Administrative Privileges

Retrieve Password in Windows Without Administrative Privileges

Spirrwell

#1

This is something that's been bugging me for a while because I've run into situations where I need to be the administrator, but I've lost the password. I know about programs like Offline NT which is a LiveCD that you can boot into to remove or replace a password or ophcrack to even retrieve said password using administrative privileges or a LiveCD. Assume I don't have administrative privileges from Windows XP or the capability to boot from CD without a bios password or a CD drive. From everywhere I've read it's been said that it can't be done. I've finally thought of a way how to, but I want some confirmation. Even on the most limited of computers I can at least gain access to the main drive or "Local Disk (C:)" for most people. My question is, couldn't I simply copy the Windows directory to a flash drive or something and run a program to retrieve\remove the password on another computer that I have access to the aforementioned privileges? Somewhere in there is where the security accounts manager (SAM) is located, so I figured that something like this could be done.

It's been fun over the past few years trying to figure it out and exciting to know that I could actually be close. So long story short, can it be done?

Hendricks266

#2

Could it be possible to move the hard drive to a different computer where you have CD boot capabilities, then nuke the admin password from there?

This page makes reference to a tool named "PWDump" that you can use to extract the hashes. I don't recall Win XP being very strict at all about programs and admin rights. Have you tried that?

If not, I think it would be possible to copy %WinDir%\system32\config\SAM to a flash drive and open it from another computer in RegWorkshop.

Kathy

#3

Spirrwell, on 12 September 2012 - 04:52 PM, said:

Somewhere in there is where the security accounts manager (SAM) is located, so I figured that something like this could be done.

It's been fun over the past few years trying to figure it out and exciting to know that I could actually be close. So long story short, can it be done?

No.

Hendricks266, on 12 September 2012 - 06:12 PM, said:

I don't recall Win XP being very strict at all about programs and admin rights.

You recall wrong.

Quote

If not, I think it would be possible to copy %WinDir%\system32\config\SAM to a flash drive

No, it wouldn't be.

And even if you could copy SAM to another drive you would still need to retrieve the password, which might not be possible depending on the method used. And AFAIK all these LiveCD programs simply change the hash/password, not retrieve it.

Master Fibbles

#4

In Windows XP (Home, i think, but maybe also Pro) you could boot into Safe Mode and log in as Admin (since it had no password by default on default setups).

I have seen and tried to use live CDs that would go into the hash to find passwords. I can't remember if they worked or which ones I used (or for which OS, for that matter). I'm pretty sure I never tried with Windows 7.

Kathy

#5

Mr.Flibble, on 12 September 2012 - 07:42 PM, said:

In Windows XP (Home, i think, but maybe also Pro) you could boot into Safe Mode and log in as Admin (since it had no password by default on default setups).

If admin has no password then why even boot into Safe Mode?

Spirrwell

#6

Burnett, on 12 September 2012 - 07:25 PM, said:

No, it wouldn't be.

And even if you could copy SAM to another drive you would still need to retrieve the password, which might not be possible depending on the method used. And AFAIK all these LiveCD programs simply change the hash/password, not retrieve it.

Ophcrack can retrieve passwords. I might be able to try this out today. Windows XP does have crappy security, though, even one that's attached to a Windows Server. I can make a less restricted user from a very restricted user by using a batch file that uses the "net user [NAME] /add" command. In some cases the "net" command can even add administrators, but not on an updated Windows XP with decent security. Well, I'm going to get ready to test this, and I'll see how it goes.

Kathy

#7

Spirrwell, on 13 September 2012 - 02:42 AM, said:

Ophcrack can retrieve passwords. I might be able to try this out today.

SAM file is locked by the system. Without administrative privileges you won't do shit.
(by administrative privileges I mean user who's a member of administrators/power users group)

Quote

Windows XP does have crappy security, though, even one that's attached to a Windows Server.

Care to provide some examples? Especially related to an aforementioned topic.

Quote

I can make a less restricted user from a very restricted user by using a batch file that uses the "net user [NAME] /add" command.

Yeah, right.

Master Fibbles

#8

Burnett, on 12 September 2012 - 08:19 PM, said:

If admin has no password then why even boot into Safe Mode?

When you install Windows XP (at least as far as I remember), you create a user who is part of the admin group but the user "Administrator" is left without a password. If you wanted to hack into a computer, you would boot into Safe Mode and login as the administrator (which has no password).
http://www.windowspa...n-safe-mode.htm
http://www.wikihow.c...trator-Password

Outside of safe mode I think the auto login stuff supersedes (also, if you are trying to get into a computer and don't have the password of the user...)

Kathy

#9

Mr.Flibble, on 13 September 2012 - 05:56 AM, said:

Outside of safe mode I think the auto login stuff supersedes (also, if you are trying to get into a computer and don't have the password of the user...)

"If you want to bypass the automatic logon to log on as a different user, hold down the SHIFT key after you log off or after Windows XP restarts."
http://support.microsoft.com/kb/315231

Spirrwell

#10

Burnett, on 13 September 2012 - 03:25 AM, said:

SAM file is locked by the system. Without administrative privileges you won't do shit.
(by administrative privileges I mean user who's a member of administrators/power users group)


Care to provide some examples? Especially related to an aforementioned topic.


Yeah, right.

Alright here's my example, at school I've managed to get around the fact that they block all executable files from being launched because if you run the program directly on the desktop it will work. Every time you log out the desktop gets cleaned and reverts back to the programs that are installed on the computer that the student can use. My theory on that is that the desktop must be located on the C:\ drive or the main drive, but students only have access to their own shared drive if they were to literally go to "My Computer" they cannot access the C:\ drive. Even if you type it in the address bar, it cannot be accessed period.

What I found using a portable version of Google Chrome, I was downloading images I needed for a project, they went to the Downloads directory located on the main drive. I was able to view the directory, press up, and get on Local Disk (C:). Afterwards I've discovered that net user command which DOES in fact work by using a batch file, as when you are a restricted user you have no access to the command prompt. Although you could "start command.com" from a batch file and have some kind of DOS prompt. I cannot create an administrator from a batch file, but I was able to create a user on the local machine, login, and have direct access to the C:\ drive, command prompt, and whatnot. I was actually given permission to use that Google Chrome technique to remove some idiotic browser addon someone put on the computer as their technical people take quite some time to get there (as in days, weeks), and they had a limited amount of computers. The addon in question was interfering with the ability to browse properly.

Anyway, back to the topic, I couldn't copy the directory, it's not possible, so yes you were right. I've been working on figuring it out for years, and all I've managed to do is remove and/or change the administrator password with a LiveCD in the past. I've considered the possibility of an external hard drive with Linux installed on it and using it, but I would assume that it would still boot to the main drive if I couldn't manually select for it to boot from the external. I've got to find a way, this is just so damn fun to me for some reason.

This post has been edited by Spirrwell: 13 September 2012 - 04:07 PM


Hendricks266

#11

How patched are the Windows installations? I recall reading a technique to log in as the SYSTEM user but the last time I tried it several years ago it was already patched.

Kathy

#12

Spirrwell, on 13 September 2012 - 04:05 PM, said:

Alright here's my example

What's that? Your school's security settings weren't up to notch and you blame it on Windows XP?

Hendricks266

#13

Spirrwell, on 13 September 2012 - 04:05 PM, said:

I've been working on figuring it out for years, and all I've managed to do is remove and/or change the administrator password with a LiveCD in the past.

Wait... you can run a live CD?

http://www.pogostick...d/bootdisk.html

Use this live CD. Using it, you can elevate a user to the admin position. Or, just boot Linux and copy SAM off.

Spirrwell, on 12 September 2012 - 04:52 PM, said:

Assume I don't have administrative privileges from Windows XP or the capability to boot from CD without a bios password or a CD drive.

Hmm...

Spirrwell

#14

Hendricks266, on 13 September 2012 - 06:09 PM, said:

How patched are the Windows installations? I recall reading a technique to log in as the SYSTEM user but the last time I tried it several years ago it was already patched.

As far as I know they are regular up to date Windows XP Professional installations bound to a Windows Server 2003. You remove access to the domain, you're just looking at a regular Windows XP.

Burnett, on 13 September 2012 - 06:21 PM, said:

What's that? Your school's security settings weren't up to notch and you blame it on Windows XP?

I'm pretty sure their security settings are as up to date as they can be with what they have to work with, XP and Server 2003, I've done the executable trick for years at different schools, only last year did I discover what I could actually do with it. I suppose it would be better to say that Windows XP is more vulnerable to things than Windows 7 may be. I managed to dump their wireless password from one of their laptops pretty easily.

Well, I'm heading onward to my research.

This post has been edited by Spirrwell: 13 September 2012 - 07:04 PM


Spirrwell

#15

Hendricks266, on 13 September 2012 - 06:56 PM, said:

Wait... you can run a live CD?

Sorry for double post, I was busy replying before you did. I used to be able to use a LiveCD, they changed the boot order and the computers have BIOS passwords on them, which I've tried to use backdoor passwords, but they didn't work, and the computer beeps each time you enter in the wrong password...

Kathy

#16

Spirrwell, on 13 September 2012 - 07:04 PM, said:

I'm pretty sure their security settings are as up to date as they can be with what they have to work with

I said it was shitty, not if it was up to date or not.

"Net user blah /add" just shouldn't work. Period. And it doesn't work from a real restricted account(member of "Users" or "Guests" group).

Hendricks266

#17

Google says you may be able to find a copy of the SAM file stored in %systemroot% if the NT Repair Disk Utility (rdisk) has been run and the administrator has not removed the backed up SAM file.

See if you can use any of the pwdump* utils from this page (scroll down and ignore the costly one at the top): http://passwords.ope...xp-2003-vista-7

Would this work? http://www.governmen...e-in-5-minutes/

Kathy

#18

Hendricks266, on 13 September 2012 - 08:12 PM, said:

Google says you may be able to find a copy of the SAM file stored in %systemroot% if the NT Repair Disk Utility (rdisk) has been run and the administrator has not removed the backed up SAM file.

Isn't this utility too old to be used now?

Quote

See if you can use any of the pwdump* utils from this page (scroll down and ignore the costly one at the top): http://passwords.ope...xp-2003-vista-7

I doubt any program would be able to dump anything without elevating privileges first. I assume these programs exist because it is not that trivial task to dump passwords even from an administrative account, but they won't work under user/guest account.

Quote


Not while running the OS. "Go to your school (because chances are, this is what most people are using this for) and put the floppy in the drive. Restart the computer."

Kathy

#19

Tried OphCrack, by the way. Could not convert NTLM hash to password.

Spirrwell

#20

Burnett, on 13 September 2012 - 07:21 PM, said:

I said it was shitty, not if it was up to date or not.

"Net user blah /add" just shouldn't work. Period. And it doesn't work from a real restricted account(member of "Users" or "Guests" group).

Well of course it's shitty, it's Windows XP, I can do the same thing by running Windows XP in VirtualBox.

Kathy

#21

Spirrwell, on 14 September 2012 - 02:27 AM, said:

Well of course it's shitty, it's Windows XP,

Admins who can't set it up properly are shitty. While of course there are vulnerabilities your batch file with "net user" command isn't the one and won't work.

Quote

I can do the same thing by running Windows XP in VirtualBox.

You can't do that under user who's a member of Users group. Unless of course you changed default behavior of Users group, but that's another question entirely.

This post has been edited by Burnett: 14 September 2012 - 02:45 AM


Spirrwell

#22

Burnett, on 14 September 2012 - 02:43 AM, said:

Admins who can't set it up properly are shitty. While of course there are vulnerabilities your batch file with "net user" command isn't the one and won't work.


You can't do that under user who's a member of Users group. Unless of course you changed default behavior of Users group, but that's another question entirely.

Listen, I'm not here to argue, I've done what I've done and I'm trying to figure out what I can do, although I'm a bit baffled that I got into an argument about XP security when just a month or so ago I was trying to defend Windows XP and people were nailing me to a cross about it being much less secure and not as up to date as Windows 7 was. I just need to figure out how to do what I can do without administrative privileges and the ability to choose to boot from a CD. It doesn't seem possible, but there's got to be a way.

Kathy

#23

Spirrwell, on 14 September 2012 - 10:27 AM, said:

Listen, I'm not here to argue, I've done what I've done and I'm trying to figure out what I can do, although I'm a bit baffled that I got into an argument about XP security when just a month or so ago I was trying to defend Windows XP and people were nailing me to a cross about it being much less secure and not as up to date as Windows 7 was.

Are you talking about that topic? "Nailing to a cross"? That's rich. You were asking about WinXP_x64 which is a strange beast in its own way. And while WinXP is inferior to Win7 it doesn't mean it is that bad that some really stupid cmd nonsense would nullify its security.

Quote

I just need to figure out how to do what I can do without administrative privileges and the ability to choose to boot from a CD. It doesn't seem possible, but there's got to be a way.

You need to elevate your privileges to do anything with a SAM file. So unless you find vulnerabilities which would give you a chance for elevation you're not going anywhere. Just like this conversation.

Spirrwell

#24

Burnett, on 14 September 2012 - 12:44 PM, said:

Are you talking about that topic? "Nailing to a cross"? That's rich.

Would you prefer I used the expression that it was like using a bazooka to kill a fly? Or that what I asked was a loaded question, everywhere I could've gone I would get shot and killed? I just picked one and went with it, and I will find a way to get that damn password. Current possibility is network booting, that's the first thing that launches. I'm not quite sure how it works, but I'll learn. I will find a way.

Kathy

#25

Spirrwell, on 14 September 2012 - 01:13 PM, said:

I just picked one and went with it, and I will find a way to get that damn password.

Put a gun to admin's head then because even with SAM you might not get the password.

Spirrwell

#26

Burnett, on 14 September 2012 - 03:52 PM, said:

Put a gun to admin's head then because even with SAM you might not get the password.

Uh, hell no. A keylogger of some kind would be just fine.

Kathy

#27

Are there keyloggers that could be run from within a restricted user account? If there are, good thing there is also UAC since Vista.

Anyway, do you want to "hack" a specific computer or just want to know if it's possible theoretically in a good administered domain? Because on a specific computer/domain there might be quite a few easy exploitable vulnerabilities because of IT's mistakes. While in a good administered domain it could be pretty much impossible to do anything unless you want to manually bruteforce for an eternity. Especially when you don't show deep knowledge and understanding about how the OS works and where to try searching for possible vulnerabilities in the system. But even deep knowledge might not help if network/domain environment has good administration and great security supervision.

Tea Monster

#28

Putting all technical aspects aside on this, depending on where you are, you could get into a LOT of trouble (police, fines, expulsion) if you are caught hacking school computers.

Security is relative. At one place I worked, typing \\(PC-NAME)\C$ got you into any desktop on the floor.

Kathy

#29

Tea Monster, on 16 September 2012 - 03:37 PM, said:

Security is relative. At one place I worked, typing \\(PC-NAME)\C$ got you into any desktop on the floor.

You mean without additional authentication? Wow...

Tea Monster

#30

Yep. Though, if I tell you that 3 people were sacked there for playing WoW on their workstations, it might give you a better idea of the culture there ;)

I shouldn't complain though. They did let me install Blender and let me do Duke models between calls (and yes, I did ask).

This post has been edited by Tea Monster: 17 September 2012 - 02:22 AM

