File: README.txt

Package: chntpw 0.99.2-2 (Debian sarge, non-free)

The Offline NT Password Editor

(c) 1997-2004 Petter Nordahl-Hagen

See COPYING for copyright & credits.
See INSTALL for compile/installation instructions.

Where to get more info:
-----------------------

http://home.eunet.no/~pnordahl/ntpasswd/

At that site there's a floppy and a bootable CD that use chntpw to
access the NT/2k/XP system they are booted on, to edit passwords etc.
The instructions below are for the standalone program itself, not the floppy.

What does it do?
----------------

This little program will enable you to view some information and
change user passwords in a Windows NT SAM user database file.
You do not need to know the old passwords.
However, you need to get at the file some way or another yourself.
In addition it contains a simple registry editor with full write support,
and a hex editor which lets you
fiddle around with bits & bytes in the file as you wish.

Why?
----

I often forget passwords. Especially on test installations (that
I just _must_ have some stuff out of half a year later..)
On most unix-based boxes you just boot the thingy off some kind
of rescue bootmedia (cd/floppy etc), and simply edit the
password file.
On Windows NT however, as far as I know, there is no way except reinstalling
the userdatabase, losing all users except admin.
(ok, some companies let you pay lotsa $$$$$ for some rescue service..)

How?
----

Currently, this thing only runs under Linux, but it may just happen
to compile on other platforms, too.
(there are DOS versions available; look for links on my webpage)
So, to set a new admin password on your NT installation you either:
1) Take the hard drive and mount it on a Linux box, or
2) Use a Linux boot disk or CD
   (one is available at: http://home.eunet.no/~pnordahl/ntpasswd/)
i.e. you do it offline, with the NT system down.

Usage:
------
  chntpw version 0.99.2 040105, (c) Petter N Hagen
  chntpw: change password of a user in a NT SAM file, or invoke registry editor.
  chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
   -h          This message
   -u <user>   Username to change, Administrator is default
   -l          list all users in SAM file
   -i          Interactive. List users (as -l) then ask for username to change
   -e          Registry editor. Now with full write support!
   -d          Enter buffer debugger instead (hex editor),
   -t          Trace. Show hexdump of structs/segments. (deprecated debug function)
   -v          Be a little more verbose (for debuging)
   -L          Write names of changed files to /tmp/changed
   -N          No allocation mode. Only (old style) same length overwrites possible

Normal usage is:

> chntpw sam system security
  - open the registry hives 'sam' and 'system' and change the administrator account.
  Versions dated Feb 1999 and later will also find the admin account
  even if the name has been changed or localized (different language
  versions of NT use different admin names).

The -u option:
Specifies the user to change:

> chntpw -u jabbathehutt mysam
  - Prompt for a password for 'jabbathehutt', if found (otherwise do nothing)

Or you may give the RID number in hex:
> chntpw -u 0x1f4 mysam
  - Will edit administrator.

Names with multibyte (Unicode) characters, as used in some Russian and
Asian locales, are not supported. Give the RID in hex to edit users
with such names. It must start with 0x. Ex: 0x2fa

The -l option:
  Will list all users in the sam-file.
  
The -i option:
  Go into the interactive menu system.
  
The -d option:
  This will load the file, and then immediately enter the
  buffer debugger.
  This is a simple hex editor with only a few commands;
  enter ? at the . prompt to see a short command overview.
  'q' exits without saving, 's' saves and exits.

The -e option:
  Will enter the registry editor.
  You can navigate the registry like a filesystem at the command-line prompt:
  See regedit.txt file for more info.

The -t option:
  This is a debug function (extended -l) to show how it traces the chain
  of structs in the file. This also includes a raw interpretation
  of the different registry structures + a hex dump.

The -L option:
  Drops the filenames of the changed hives in /tmp/changed
  Used by the floppy scripts.
  
The -N option:
  Will fall back to the old edit mode, disable the block allocations
  and only support overwrite-same-size. Used to ensure safety
  during the testing period.

How does it work:
-----------------

A struct, called the V value of a key in the NT registry,
was at some point partially documented by the pwdump utility
included in the Unix Samba distribution.
This struct contains some info on a user of the NT machine,
along with 2 encrypted versions of the password associated
with the account.

One password is the NT console login password,
the other the LANMAN network share password
(which is essentially the first one uppercased,
 and without Unicode).

This is how NT encrypts the passwords:

The logon cleartext password a user enters is:
1) Converted to Unicode
2) An MD4 hash is made of the Unicode string
3) Then the hash is encrypted with DES, using the RID (lower
   part of the SID, the user id) as the crypt key.
   This is the so-called "obfuscation" step, so
   it's not obvious on a hex dump of the file
   that two or more users have the same password.
4) The result of stage 3 (16 bytes) is put into the V struct.

For the LANMAN password:
1) Uppercased (and illegal characters probably removed),
   14 bytes max; if shorter, the remaining bytes are zeroed.
2) A known (constant) string is DES-encrypted
   using the first 7 characters of the password as the key.
   The same constant is encrypted again using the last 7 chars
   as the key.
   The results of these two encryptions are simply appended,
   resulting in a 16 byte string.
3) The same obfuscation DES stage as step 3 above.
4) The 16 byte result is put into the V struct.

Since the number of possible combinations in the LANMAN
password is relatively low compared to the NT one,
and it's easy to see whether it's shorter than 8 chars or not,
brute-force crackers try it first.
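The NT steps 1-2 and the LANMAN step 1 above, as an added worked example. This is my code, not chntpw's or Samba's: it carries its own MD4 (so it runs without OpenSSL's legacy MD4 provider), computes the NT hash of a password, does the LANMAN preprocessing (uppercase, pad to 14 bytes, split into two 7-byte DES key halves), and implements the "shorter than 8 chars" observation as an audit check on a 16-byte LANMAN hash. The constant LM_EMPTY_HALF is the well-known DES result for an all-zero 7-byte key half, stated from memory rather than from this README; the DES encryptions themselves and the RID obfuscation step are not implemented, so the check applies to hashes after step 3 has been undone (pwdump-style output). The ASCII encoding of the LANMAN password is an assumption (real NT used the OEM code page).

```python
"""Added example, not part of chntpw: NT hash and LANMAN password layout."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); returns the 16-byte digest."""
    msg = bytearray(data) + b"\x80"          # pad: 0x80, zeros, 64-bit bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (boolean function, round constant, shift amounts, message word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = (-i) % 4                          # register updated this step
                b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
                s[a] = _rotl((s[a] + func(s[b], s[c], s[d]) + words[k] + const) & MASK32,
                             shifts[i % 4])
        state = [(x + y) & MASK32 for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT steps 1-2: encode as UTF-16LE ('unicode'), then MD4. Hex string out."""
    return md4(password.encode("utf-16-le")).hex()


def lm_key_halves(password: str) -> tuple:
    """LANMAN step 1: uppercase, cut/zero-pad to 14 bytes, split into the
    two 7-byte DES key halves. ASCII encoding is an assumption of this example."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


# Well-known value (from memory, not this README): DES of the fixed LANMAN
# plaintext under a key half that is all zeros, i.e. what an empty half yields.
LM_EMPTY_HALF = bytes.fromhex("aad3b435b51404ee")


def describe_lm_hash(lm_hash: bytes) -> str:
    """Audit check on a de-obfuscated 16-byte LANMAN hash: because each
    half is encrypted independently, a zero-padded second half is visible
    without knowing the password at all."""
    if len(lm_hash) != 16:
        raise ValueError("LANMAN hash must be 16 bytes")
    first, second = lm_hash[:8], lm_hash[8:]
    if first == LM_EMPTY_HALF and second == LM_EMPTY_HALF:
        return "empty password or LM hash not stored"
    if second == LM_EMPTY_HALF:
        return "password is at most 7 characters long"
    return "password is 8 to 14 characters long"


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("LANMAN key halves of 'Secret':", lm_key_halves("Secret"))
    print(describe_lm_hash(LM_EMPTY_HALF * 2))
```

The second-half check is the cheap test the paragraph above refers to: an auditor scanning a dump can flag every account whose LANMAN second half equals LM_EMPTY_HALF without any cracking, which is one reason LM hash storage is turned off on hardened systems.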

This program, however, doesn't care at all what the old
one is; it just overwrites it with the new one.

Ok. So, how do we find and identify the V struct?
Yeah.. that was the hard part.. The file's structure
is not documented (as far as I know..)

But, with help from an unnamed German, and a lot of testing
and guesswork from myself, it's now possible to follow
the actual registry tree. (see source code for struct-defines
and comments on the registry structure)

The usernames are listed in:
\SAM\Domains\Account\Users\Names\

[2d18] \SAM\Domains\Account\Users\Names> l
ls of node at offset 0x2d1c
Node has 4 subkeys and 1 values
nk-offset      name
0x003290 - <Administrator>
0x003630 - <Guest>
0x001c88 - <luser>
0x003428 - <pnh>

Each name is a subkey, with one nameless value containing
the RID.

[2d18] \SAM\Domains\Account\Users\Names> cd pnh

[3428] \SAM\Domains\Account\Users\Names\pnh> l
ls of node at offset 0x342c
Node has 0 subkeys and 1 values
vk-offs    size    type           name
0x003688     0  (unknown)        <> INLINE:  val (in type field?): 1000 (0x3e8)

To get the userinfo (V struct), access
\SAM\Domains\Account\Users\<RID>\V

[2c90] \SAM\Domains\Account\Users> l
ls of node at offset 0x2c94
Node has 5 subkeys and 1 values
nk-offset      name
0x003320 - <000001F4>
0x0036b8 - <000001F5>
0x003550 - <000003E8>
0x001d00 - <000003E9>
0x002d18 - <Names>

[2c90] \SAM\Domains\Account\Users> cd 000003E8

[3550] \SAM\Domains\Account\Users\000003E8> l
ls of node at offset 0x3554
Node has 0 subkeys and 2 values
vk-offs    size    type           name
0x0035a8    80  REG_BINARY       <F>
0x003228   508  REG_BINARY       <V>
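Resolving a -u argument through the two listings above, as an added example (my code, not chntpw's): it parses the `l` output of the Names key into name -> nk offset, pulls the RID out of the inline value under Names\<user>, and builds the Users\<RID>\V path, or does nothing when the name is not in Names. The listing text is constructed from the README's own output; the regular expressions are assumptions about that output format, not chntpw's parser.

```python
"""Added example, not part of chntpw: from Names listing to the V struct path."""
import re

# Constructed from the README's `l` output above.
NAMES_LISTING = """\
ls of node at offset 0x2d1c
Node has 4 subkeys and 1 values
nk-offset      name
0x003290 - <Administrator>
0x003630 - <Guest>
0x001c88 - <luser>
0x003428 - <pnh>
"""
PNH_VALUE_LINE = "0x003688     0  (unknown)        <> INLINE:  val (in type field?): 1000 (0x3e8)"

# Assumed formats of the two listing line kinds shown above.
NK_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+-\s+<([^>]*)>$")
INLINE_RID = re.compile(r"INLINE:.*?:\s+(\d+)\s+\(0x([0-9a-fA-F]+)\)")


def parse_subkeys(listing: str) -> dict:
    """Map subkey name -> nk offset from an `l` listing."""
    subkeys = {}
    for line in listing.splitlines():
        m = NK_LINE.match(line.strip())
        if m:
            subkeys[m.group(2)] = int(m.group(1), 16)
    return subkeys


def parse_inline_rid(value_line: str) -> int:
    """RID from the inline (type-field) value under Names\\<user>.
    The listing prints it in decimal and hex; require the two to agree."""
    m = INLINE_RID.search(value_line)
    if not m:
        raise ValueError("no inline RID on that line")
    dec, hx = int(m.group(1)), int(m.group(2), 16)
    if dec != hx:
        raise ValueError("decimal and hex RID disagree: %d vs %d" % (dec, hx))
    return dec


def parse_user_arg(arg: str) -> tuple:
    """-u takes a username, or a RID in hex that must start with 0x."""
    if arg[:2].lower() == "0x":
        return "rid", int(arg[2:], 16)
    return "name", arg


def v_struct_path(rid: int) -> str:
    """Users subkeys are the RID as 8 uppercase hex digits; V hangs below."""
    return r"\SAM\Domains\Account\Users\%08X\V" % rid


def locate_user(arg: str, names_listing: str, value_line_for) -> str:
    """Resolve -u as the README describes: a hex RID goes straight to
    Users\\<RID>\\V; a name goes via Names\\<name>, whose inline value
    (fetched by value_line_for(name)) holds the RID. Unknown name -> None."""
    kind, value = parse_user_arg(arg)
    if kind == "rid":
        return v_struct_path(value)
    if value not in parse_subkeys(names_listing):
        return None                      # "otherwise do nothing"
    return v_struct_path(parse_inline_rid(value_line_for(value)))


if __name__ == "__main__":
    lookup = lambda name: PNH_VALUE_LINE   # only pnh's value line is constructed here
    print(locate_user("pnh", NAMES_LISTING, lookup))
    print(locate_user("0x1f4", NAMES_LISTING, lookup))
    print(locate_user("jabbathehutt", NAMES_LISTING, lookup))
```

Note that the Users listing carries the RIDs as key names (000003E8 for pnh), which is why a hex RID given to -u bypasses Names entirely, including for users whose names the tool cannot display.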

For more technical info, look it up in the source code.