Chntpw

From ChekMate Security Group

This little program provides a way to view information and change user passwords in a Windows NT/2000 user database file. Old passwords need not be known, since they are overwritten. In addition, it contains a simple registry editor (same-size data writes) and a hex editor which enables you to fiddle around with bits and bytes in the file as you wish.

If you want GNU/Linux bootdisks for offline password recovery, you can add this utility to custom image disks or use those provided at the tool's homepage.

Homepage: http://home.eunet.no/~pnordahl/ntpasswd/


The Offline NT Password Editor

(c) 1997-2004 Petter Nordahl-Hagen

See COPYING for copyright & credits. See INSTALL for compile/installation instructions.

Where to get more info:


http://home.eunet.no/~pnordahl/ntpasswd/

At that site there's a floppy and a bootable CD that use chntpw to access the NT/2k/XP system they are booted on, to edit passwords etc. The instructions below are for the standalone program itself, not the floppy.

What does it do?


This little program will enable you to view some information and change user passwords in a Windows NT SAM user database file. You do not need to know the old passwords. However, you need to get at the file some way or another yourself. In addition, it contains a simple registry editor with full write support, and a hex editor which enables you to fiddle around with bits & bytes in the file as you wish.

Why?


I often forget passwords. Especially on test installations (that I just _must_ have some stuff out of half a year later..). On most Unix-based boxes you just boot the thingy off some kind of rescue boot media (CD/floppy etc.) and simply edit the password file. On Windows NT, however, as far as I know, there is no way except reinstalling the user database, losing all users except admin. (OK, some companies let you pay lotsa $$$$$ for some rescue service..)

How?


Currently, this thing only runs under Linux, but it may just happen to compile on other platforms, too. (There are DOS versions available; look for links on my webpage.) So, to set a new admin password on your NT installation you either:

  1) Take the hard drive and mount it on a Linux box, or
  2) Use a Linux bootdisk or CD; one is available at: http://home.eunet.no/~pnordahl/ntpasswd/

i.e. you do it offline, with the NT system down.

Usage:


chntpw version 0.99.2 040105, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username to change, Administrator is default
 -l          list all users in SAM file
 -i          Interactive. List users (as -l) then ask for username to change
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor),
 -t          Trace. Show hexdump of structs/segments. (deprecated debug function)
 -v          Be a little more verbose (for debuging)
 -L          Write names of changed files to /tmp/changed
 -N          No allocation mode. Only (old style) same length overwrites possible

Normal usage is:

> chntpw sam system security

 - open registry hives 'sam' and 'system' and change the administrator account.
 Versions dated Feb 1999 and later also support finding the admin account
 even if the name has been changed or localized (different language
 versions of NT use different admin names).

The -u option: Specifies user to change:

> chntpw -u jabbathehutt mysam

 - Prompts for a password for 'jabbathehutt', if found (otherwise does nothing)
 

Or you may give the RID number in hex:

> chntpw -u 0x1f4 mysam

 - Will edit administrator.

Names do not support multibyte (Unicode) characters, as used in some Russian and Asian locales. Give the RID in hex to edit users with such names. It must start with 0x, e.g. 0x2fa.

The -l option:

 Will list all users in the sam-file.
 

The -i option:

 Go into the interactive menu system.
 

The -d option:

 This will load the file, and then immediately enter the
 buffer debugger.
 This is a simple hex editor with only a few commands;
 enter ? at the . prompt to see a short command overview.
 'q' exits without saving, 's' exits and saves.

The -e option:

 Will enter the registry editor.
 You can navigate the registry like a filesystem at the command-line prompt:
 See regedit.txt file for more info.

The -t option:

 This is a debug function (extended -l) to show how it traces the chain
 of structs in the file. This also includes a raw interpretation
 of the different registry structures + a hex dump.

The -L option:

 Drops the filenames of the changed hives in /tmp/changed
 Used by the floppy scripts.
 

The -N option:

 Will fall back to the old edit mode, disabling block allocations
 and supporting only same-size overwrites. Used to ensure safety
 during the testing period.

How does it work:


A struct, the V value of a key in the NT registry, became somewhat documented through the pwdump utility included in the Unix Samba distribution. This struct contains some info on a user of the NT machine, along with two encrypted versions of the password associated with the account.

One password is the NT console login password, the other the LANMAN network share password (which essentially is the first one in uppercase only, and no Unicode).

This is how NT encrypts the passwords:

The logon cleartext password a user enters is:

  1. Converted to unicode
  2. A MD4 hash is made out of the unicode string
  3. Then the hash is encrypted with DES, using the RID (lower part of the SID, the user ID) as the encryption key. This is the so-called "obfuscation" step, so it's not obvious on a hex dump of the file that two or more users have the same password.
  4. The result of stage 3 (16 bytes) is put into the V struct.

For the LANMAN password:

  1. Uppercased (and illegal characters probably removed), 14 bytes max; if shorter, the remaining bytes are zeroed.
  2. A known (constant) string is DES-encrypted using the first 7 characters of the password as the key. Another constant is encrypted using the last 7 chars as the key. The results of these two encryptions are simply appended, resulting in a 16-byte string.
  3. The same obfuscation DES stage as 3 above.
  4. 16 bytes result put into the V struct.

Since the number of possible combinations in the LANMAN password is relatively low compared to the other one, and it's easy to see whether it's shorter than 8 chars or not, it's used first in brute-force crackers.

This program, however, doesn't care at all what the old one is; it just overwrites it with the new one.
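As an added illustration of the two schemes just described (example code written for this page, not part of chntpw, pwdump or Samba), the block below carries out the steps that need no DES: steps 1-2 of the NT scheme (UTF-16LE, then MD4; MD4 is implemented in pure Python because hashlib's md4 is often disabled on OpenSSL 3 builds), step 1 of the LANMAN scheme, the 7-to-8-byte DES key setup that LANMAN step 2 feeds each half into, and the "easy to see if it's shorter than 8 chars" check. The DES calls themselves (LANMAN step 2 and the RID obfuscation step 3 of both schemes) are left out since the standard library has no DES. The function names and sample passwords are my own; LM_EMPTY_HALF is the well-known DES output for an all-zero key half, and the odd-parity key layout is the standard DES convention.

```python
import struct

MASK32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3 builds."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)          # message length in bits, little-endian

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each round is 16 steps; rotating (a, b, c, d) after every step reproduces
        # the A/D/C/B register order written out in the RFC.
        for i in range(16):                                        # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                        # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT scheme steps 1-2: UTF-16LE encode, then MD4. 16 bytes, before the RID obfuscation."""
    return _md4(password.encode("utf-16-le"))


def lm_halves(password: str) -> tuple:
    """LANMAN step 1: uppercase, at most 14 bytes, zero padded, split into two 7-byte halves.
    Non-ASCII characters become '?' here; Windows' own character filtering is not reproduced."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_7(k7: bytes) -> bytes:
    """Spread a 7-byte half over the 8-byte DES key layout: 7 key bits per byte plus an
    odd-parity bit in the low position. This is the key setup for each DES in LANMAN step 2."""
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1   # force an odd popcount per byte
        out.append((seven << 1) | parity)
    return bytes(out)


# Well-known DES output of the LANMAN constant under an all-zero 7-byte key, i.e. the half
# produced when the password has no 8th character. A LANMAN hash ending in it therefore
# betrays a password shorter than 8 chars, which is the property the text points out.
LM_EMPTY_HALF = bytes.fromhex("aad3b435b51404ee")


def lm_password_under_8_chars(lm_hash: bytes) -> bool:
    """Check a raw (pre-obfuscation) 16-byte LANMAN hash for the empty second half."""
    return len(lm_hash) == 16 and lm_hash[8:] == LM_EMPTY_HALF


if __name__ == "__main__":
    # Constructed sample inputs, just to show the pieces in action.
    print("NT hash of 'password':", nt_hash("password").hex())
    print("LANMAN halves of 'secret':", lm_halves("secret"))
    print("DES key for an all-zero half:", des_key_from_7(b"\x00" * 7).hex())
```

Running it prints the 16-byte NT hash for the sample password and shows that a six-character password leaves the second LANMAN half entirely zero, which is why its DES output is always the same constant and why an auditor can tell short passwords apart from a dump without cracking anything.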

Ok. So, how do we find and identify the V struct? Yeah.. that was the hard part.. The file's structure is not documented (as far as I know..)

But, with help from an unnamed German, and a lot of testing and guesswork from myself, it's now possible to follow the actual registry tree. (see source code for struct-defines and comments on the registry structure)

The usernames are listed in:

\SAM\Domains\Account\Users\Names\
[2d18] \SAM\Domains\Account\Users\Names> l
ls of node at offset 0x2d1c
Node has 4 subkeys and 1 values
nk-offset      name
0x003290 - <Administrator>
0x003630 - <Guest>
0x001c88 - <luser>
0x003428 - <pnh>

Each name is a subkey, with one nameless value containing the RID.

[2d18] \SAM\Domains\Account\Users\Names> cd pnh

[3428] \SAM\Domains\Account\Users\Names\pnh> l
ls of node at offset 0x342c
Node has 0 subkeys and 1 values
vk-offs    size    type           name
0x003688     0  (unknown)        <> INLINE:  val (in type field?): 1000 (0x3e8)

To get the userinfo (V struct), access

\SAM\Domains\Account\Users\<RID>\V
[2c90] \SAM\Domains\Account\Users> l
ls of node at offset 0x2c94
Node has 5 subkeys and 1 values
nk-offset      name
0x003320 - <000001F4>
0x0036b8 - <000001F5>
0x003550 - <000003E8>
0x001d00 - <000003E9>
0x002d18 - <Names> 

[2c90] \SAM\Domains\Account\Users> cd 000003E8

[3550] \SAM\Domains\Account\Users\000003E8> l
ls of node at offset 0x3554
Node has 0 subkeys and 2 values
vk-offs    size    type           name
0x0035a8    80  REG_BINARY       <F>
0x003228   508  REG_BINARY       <V>

For more technical info, look it up in the source code.


Frequently Asked Questions


The changes do not take effect. I get errors like "read-only filesystem" and such.

  • The current version does not like to write to the NTFS filesystem if Windows was not shut down cleanly.
  • Shut down Windows from the login page, or from the start menu.
  • If you cannot do that, try this:
         1. Run through a change (which won't be saved); it will trigger a chkdsk on the next Windows boot.
         2. Let chkdsk run until it is done; it will reboot automatically.
         3. When chkdsk reboots the machine, do not boot back into Windows! Boot the floppy/CD instead.
         4. Then try a new change; it should hopefully now have a clean disk to work on.
  • Earlier versions do not have this quirk! (at least not all the time)
  • Next versions may have some fix or warning about this.


Why can't I access my encrypted (EFS) files after resetting the password?

  • Because in XP (and possibly in later service packs of Win2k) the password itself is used to encrypt the keys needed for EFS.
  • Sorry, there is no way to recover the files once the password has been reset.


The .bin-file inside the .zip won't fit on a floppy.

  • You didn't read the bottom of the bootdisk download page
  • Click on the install.bat after extracting the .zip file, and follow the on screen prompts.


The keyboard does not work! I can't answer the questions!!

  • Sorry, this is at the moment a known problem with the 040116 version.
  • Reported mostly on some laptops.
  • The 040818-version may work better? or not?
  • There may be an older version on some of the mirrors.
  • Or look here for some older pre-releases; the newest of them may work. Some of the older ones may be dangerous.


When loading the floppy it stops with "boot failed."

  • Bad floppy. Or bad bootloader (some versions are known to give up easily).
  • Use another floppy or a new version of the ldlinux.sys file (go allthewebbing for it, for instance, or grab one from a Linux distro's bootdisks. I did.)
  • Or get the CD image from the download page.


I have the CD in my CD drive, but it starts on the hard drive.

  • Check your BIOS manual on how to boot from CD, or if the CD-ROM is on a SCSI card, check the card's manual.
  • For those of you without manuals: Try hitting ESC or F10 or F12 for bootmenu right after the RAM-count.
  • Or enter BIOS setup and change the boot order. Either you can figure that one out from the menus, or you really need the manual.
  • I don't remember when BIOS-folks started implementing the CD boot (El Torito) standard, but it was around 1995? Older computers won't CD boot.
  • But BIOS-programmers never actually READ the bloody standard, so you may have a buggy one that only boots some CDs.
  • If it boots (first banner page), the same problems as for the floppy may show, please read on..


The floppy stuff crashes with "VFS: Unable to mount root.." and panic etc.

  • There are several ways of getting the size of the memory out of the BIOS at boot.
  • It probably selected the wrong one, and 16MB is a bit too little.
  • Strangely, this most often happens on big brand machines, like Compaq and DELL.
  • At boot, hold down LEFT SHIFT key until "Boot: " prompt appears.
  • Then enter:
         o floppy mem=128M 
  • but substitute with how much memory you have (or a bit less to be safe)
  • If this doesn't help, there is probably not support for your motherboard, CPU or BIOS.


It cannot find any NT disks or partitions.

  • Some controllers require more than one driver. Try repeating the autoprobe first.
  • It's either caused by unsupported controller or filesystem driver problems.
  • See next questions..
  • Please don't ask about inclusion of new drivers. I'm often short on time, get lots of mail, and it's difficult to put in things I cannot test.
  • If you really insist on asking for new drivers, you must at least provide me with correct info on controller card or chip brandname, type, model etc, and a link to website(s) with drivers for linux. If there also are docs for using it on linux, I need that, too. However, as I get a lot of mail, I cannot guarantee an answer or that your needed driver will be included.
  • There are however several other things to try:
         o Try to build Grenier's DOS floppies
         o Move harddisk to another machine as secondary, then try Grenier's chntpw.exe
         o Install a new NT/2k/XP in another dir than \winnt etc., then log in with the new install to access the old one's SAM file.
           Either rename it (will leave admin with a blank password) or use chntpw.exe on it.


How to load a 3rd party driver

  • You need the binary driver for 2.6.x kernels (2.6.7 on the bootdisk right now, but a lot of 2.6-series drivers may load OK. Or not. Try!)
  • It's the .ko file you need from the driver set. If there are lots of files in the driver archive you got, look in the readmes there to find out what's the correct module file to load.
  • Put that in the "scsi" directory on the bootfloppy (delete what's there if the disk is full)
  • Or add it to the existing drivers on the scsi-floppy.
  • Try to load it from the driver select, see bootdisk doc for this.
  • A driver will usually list the disks it finds, and also some other information if it loads correctly.
  • The load of 3rd party drivers is now forced (insmod -f), that is, there is no (or little) version check by the loader, so if the loader manages to load it in, it will try to run. And probably crash if it has some special requirements that are not present in this version.


I get some errors about extending / expanding from the FS driver when writing back!

  • This is from NTFS driver. It will only write over the exact same size. No expand, no delete, no new files, no rename etc.
  • Actually I don't try to write past the end of the existing file, but sometimes it complains anyway. Maybe some internal stuff in the filesystem.
  • Usually the file is actually written OK, so relax.
  • There is nothing to do about this. Quit bugging my mailbox with it.
  • If it does not get written, I still cannot help. Sorry.


It seems to change the password, but NT won't agree.

  • The NTFS code wasn't that great after all (probably didn't write things properly)
  • My code wasn't that great after all. (it didn't change or changed in the wrong place. The V struct is still marked "here be dragons..")
  • Try blanking the password instead (entering * at the prompt), this may straighten things out. In fact, reports indicate: BLANKING RECOMMENDED!
  • If it still won't work, see the previous solution.
  • Blanking will probably be the only option beginning from some release in 2004.


I'm told that the account is locked, even if I know it is not.

  • Ok, then the code to identify lockout is not good enough. Sorry for that.
  • Just ignore, don't change the lockout it asks for.
  • Really nice if you can tell me more about what happened.


I'm not told that the account is locked out, even Windows says it is. How can I reset it?

  • Oops, probably more to the lockout stuff than I know about.
  • You probably can't reset it in the current release.
  • Unless you'd like to play with the registry editor yourself and figure it out. I cannot give lessons in registry edit.


I tried it on Win2k PDC (Active Directory), and it didn't change the password.

  • ActiveDirectory (AD) is a completely different database.
  • There is no support for directly changing passwords in AD.
  • To clear things up: The Active Directory SERVER itself is not directly supported, but workstations (w2kprof) and servers (w2k server) that are just MEMBERS of the domain can have their LOCAL passwords changed by the utility.
  • But..
  • John Simpson has made instructions on how to reset that pesky lost administrator password in AD.
  • Many thanks goes to John for this!
  • And I may as well in a future release make a frontend for the screensaver trick he uses, so it will be even easier.


What is the 'Can't access tty...' error message when I quit the floppy/cd procedure?

  • It's from the shell, and has nothing whatsoever to do with the password edit.
  • My scripts don't allocate the terminal correctly.
  • Only thing it means is that ctrl-c to break etc won't work on console 1. Should work on console 2-4 (ALT-F2 and so on)
  • Please don't ask about this in mail AGAIN!


My language uses characters in the usernames that are not readable with the floppy, and I cannot enter/search for them, thus not edit.

  • There is no support for the full unicode character set. Perhaps never will.
  • Select user with the RID (user ID) instead.
  • At the username prompt, enter the RID in hex, just as it is listed in the user listing. 0xfa0 for instance.


What about support? and I just paid $$ for it on eBay!

  • Yes, some people sell it on eBay.
  • Most of them didn't bother to ask me, but I haven't cared too much about it, at least not yet.
  • If the price is reasonably low (for media, shipping etc), they offer some kind of help and support if customers need it, that's good, and no problem for me.
  • Please do not blame me if eBay sellers can't deliver or it doesn't work, or you feel ripped off. Leave feedback on eBay instead.
  • I DO NOT ENDORSE ANY SPECIFIC SELLER ON eBAY!
  • I give my tool away for free here, because I do not have the time for real support.
  • Usually I go through my mail 1 or 2 times a week, and I usually end up replying about 40-50% of it.
  • What I answer depends on my mood that day, what the problems are, and how they are presented.
  • Mails with questions for which an answer can be found here in the FAQ or on the other webpages will not be answered.
  • Questions for drivers will almost never be answered. They take too much time to figure out. Sorry.
  • And.. I understand English, Norwegian, Swedish and Danish. And if I really try, a little bit French, German and Icelandic, but don't count on it.
  • My answers are either in English or Norwegian. (as appropriate :-)
  • Thank you all for a lot of positive feedback or small tips for improvement, I appreciate it :-) even if I often don't reply to you. :-(


Can I donate money?

  • Yes. But it is not required, the program is free to use anyway, and the current economic situation isn't that good, I understand that.
  • Consider donating to a charity!
  • Or if you really want to give me something (which will probably be used to buy stuff off eBay since cashing out is rather expensive)
  • My paypal ID is the same as my mailaddress. pnordahl@eunet.no
  • Or click here
  • You decide how much. It is of course completely voluntary.
  • I have got quite a lot of donations! Thanks folks! (however, not many have told me they have donated to a charity. shame...)
  • Thanks!