1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158
|
The Offline NT Password Editor
(c) 1997-2004 Petter Nordahl-Hagen
See COPYING for copyright & credits.
See INSTALL for compile/installation instructions.
Revision history
(chntpw utility only, see website for info on bootdisk revisions)
* v 0.99.2 040105
- Added RecoveryConsole parameter change
- Try to guess type of hive loaded (sam, system, security etc), this
is used by the user edit, syskey edit, RecoveryConsole edit
to look up into the right hive.
- Do not confirm save if the change-tracking option is set (-L)
(assume wrapper does it..)
- Hid the hash-stuff during password reset. I got all kinds of
confusing questions about it (most often: can I find the original
pw? Answer: NO if win2k or higher)
Option -v turns this on again for debugging.
- Also reduced some other debug output, -t and/or -v turns on again
most of it.
- Fixed some bugs:
- check of return value from open()
- corrected prototype defs for some calls into OpenSSL,
this fixes some compilation errors people have reported.
Thanks to Alexander Poquet for that.
- Probably _added_ more bugs :-} but they are yet unknown :)
* v 0.99.1 030126
- Fixed bug in ntreg, seems some files has garbage instead of zero
pages at end. Now stops enumerating on first non 'hbin' page.
Thanks to Jim Andersen for giving me a hive file that showed this.
- Reports strongly indicates that blanking a password
(* at the prompt) works more often than changing passwords.
Changed some wording regarding this.
* v 0.99.0 030112
- There is now full registry edit support with expansion of value
size and add / delete of keys and values!
See regedit.txt for more info on registry editing
See source for details on data block allocation etc in registry.
- Changed interactive mode (-i) a bit, now features menues.
- Syskeystatus/change not shown unless selected from menu.
- New option: -N to set it in old-edit mode, ie only exact
overwrites. This is for safety in testing etc.
* v 0.98.6 021213
- Added parsing of users F and SAMs F value, which stores account type bits
and lockout information. Ability to reset it if locked.
- As usual, see source (especially sam.h for details) on this.
* v 0.98.5 021208
- Added ability to enter RID (in hex) instead of username by
starting the entry with 0x. Works interactive and on commandline.
This will enable edit of users that has names which actually
use unicode, like some russian and asian systems.
- Only entering * for password will blank password by setting
hash lengths to zero. Seems to be working ok in 2k and XP.
This may also clear up an earlier failed change.
One bug/drawback: Seems to leak about 30-50 bytes in the V struct.
- Fixed bug in handling of blank LANMAN-pass.
* v 0.98.4 011022
- Fixed input buffer overflow that made it impossible to enter
usernames at 16 chars (the \n would flow over into the password
prompt thus not changing it)
- New option -L that will write the names of changed hives to
/tmp/changed. Mainly for use in my bootfloppy scripts.
* v 0.98.3 010808
- Blank password detection rewritten. The NT or LANMAN hash seems
to actually be missing from the sam entry if password is blank.
This will now be detected, and if only LANMAN is present, it
will be convertet to NT password.
- Some minor changes in text & prompts.
* v 0.98.2 010107
- Changed to use OpenSSL for MD4 & DES encryption instead of
the old libraries. Only change of build process from source
is to point the Makefile to wherever your OpenSSL libraries & includes are.
- Minor changes in wording of Syskey warnings.
- No functional changes.
- Known bugs: Hive statistics often wrong (but the numbers are not used
later, so it's not critical)
* v 0.98.1 000607
- Discovered that when a key has lots of subkeys (typically about
300 or more?) its hashtable is split and accessed through an
indirect ('ri') table, almost as some filesystems do with
datablock lists on large files. This caused an error "Not 'nk' node"
and sometimes a crash in earlier versions. In SAM this happens in
\SAM\Domains\Account\Users when the number of users are large
(which often is the case on domain controllers).
See source code for technical details on this. (WinReg.txt not updated)
* v 0.98 000401
- Disabling syskey on Win2000 corrupts the SAM somehow, makes it
unable to reenable + leaves it in a partial mode 1 syskey.
Also corrupts the Domain Trust password, making it impossible
to join og leave a domain.
Delete HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC (the trust key,
may need to change ACLs to get to it) to leave the domain and make it
possible to rejoin.
- Added support for changing passwords without disabling or
changing syskey, simply by inserting old type password hash
into the sam. It gets converted to syskey-hash on next boot.
Why I didn't discover this before is beyond me.
- A few smaller bugfixes.
* v 0.98 000215
- Can now write, too, but only existing values, & same datalength.
- Internals rewritten, registry manipulation functions
now in separate "library".
- Added ability to check for and disable syskey. (see syskey.txt
& sourcecode for details)
- "Command line"-type registry-editor improved a bit.
- Possible to load and edit several hives at once
- Several minor changes.
- Since a lot has been rewritten, there's probably more bugs.
* v 0.90 990307
Major updates:
- Full registry parse/read/viever. Can follow the tree like a filesystem.
No write-support yet.
- 3.51 & 4.0 support. Seems to be working on NT5 betas, too.
- 100% sure to find usernames/passwords.
- Support for localized admin-names (will automatically find it)
- Several minor bugs from earlier versions fixed.
- Sorry, but still no syskey support. (but since full registry
read capabilities exsist, it's now easier to make it)
* PRE-1 970611
- Got reports on "Netlogon service not started"
(and then it was impossible to logon)
if attempt to change blank password into something else.
This was because if the password is set blank (from NT), the NT-logon
hash (md4) is not stored in SAM at all (the LANmanager hash seems to be
there..) However, chntpw didn't know about this, and happily(?) wrote away
and corrupted the SAM file, causing Netlogon to fail.
This version will flag accounts with blank passwords, and refuse to change it.
- The -i (interactive) option now loops. Will ask for a new name repeatedly,
until '!' is entered. This enables you to change multiple passwords in
one run.
- No support for syskey, yet.
* PRE-1 970528:
- First public release
|