
Local Attack

by draggie



How to break into Windows 2000 or NT cleanly, covering your tracks completely.

written on: 14.08.2003 by draggie for Astalavista

Please be patient with my English ;)

DISCLAIMER

This text is for educational purposes only, and the author is not responsible for any damage of any kind inflicted after reading this guide.

1 Why did you write it?!

Well, I have seen a lot of guides that show how to delete the SAM file and be happy for a while. I will show how to FIND the password, not how to change or delete it. When you have the unchanged administrator password you can usually log in remotely to other computers in the domain. Then I will show how to cover your tracks. This is not a strict step-by-step guide; you will have to read a little on the web pages mentioned.

2 A little bit of theory

As we all know, passwords in Win2k are hidden in the SAM file (x:\winnt\system32\config). What not everyone knows is that this file is:

in Windows 2000, always encrypted with a 128-bit key called SYSKEY

in Windows NT, protected by SYSKEY from Service Pack 3 onwards

It is impossible to crack SYSKEY, but you can bypass it. What for? To get administrator rights, dump the hashes without SYSKEY encryption using DLL injection, and crack them. Then you overwrite the modified SAM with the old one. You will say this makes no sense: you are getting an administrator account in order to get the hashes for the administrator account?! No. We will use a FALSE administrator account, for example guest, to get the TRUE administrator password. Then we will cover our tracks.

Everything will be left unchanged and we will have the administrator password. One more thing: the administrator can protect SYSKEY with a password (one more...), but you can bypass that too. I know this is unclear for now, so let's start!

3 What we will need

Physical access to one computer in the domain; usually the administrator password on a single computer is common to the whole domain.

any other account with or without password

about 4 floppy disks

chntpw and the SCSI driver disk from http://home.eunet.no/~pnordahl/ntpasswd/

pwdump2 from http://razor.bindview.com

LC4 from @stake, later L0phtCrack

and NTFSDOS Pro, from KaZaA or eMule for example

Metallica - St. Anger in the background :)

Is that all? Yes, I think so.

4 Preparations

We have to prepare our floppies. First, using rawrite2 we create two floppies: one with chntpw and one with the SCSI drivers. Why rawrite? Because we have to write a Linux floppy image, that's why. How? Read Petter Nordahl-Hagen's site.

The second thing is to make a bootable diskette with NTFSDOS Pro (there will be two: one bootable, the second with the program). Here we go.

5 Part one

We boot the victim computer from the NTFSDOS Pro disk and, if necessary, mount the NTFS partition. If the partition is FAT32 we do not have to, of course. Then we find the SAM file (usually x:\winnt\system32\config\SAM) and copy it to a diskette. This is the BACKUP. Very important.

Now we put in the chntpw diskette. We have to find the RESET button and press it. :)

The Linux offline password and registry editor is loading...

Usually you just have to accept the default prompts shown in [] by pressing Enter... Use the SCSI drivers when necessary.

If the administrator has set an additional SYSKEY password (this is rare), meaning that you have to enter a SYSKEY password or insert a diskette before the logon panel appears, we have to bypass it. To see how this works you can run syskey.exe on your own Windows 2000. Bypassing SYSKEY is also Petter's merit. Hats off!

We have to set (using the offline registry editor in chntpw) HKLM\System\CurrentControlSet\Control\Lsa\SecureBoot to 1, but you had better check this on Petter Nordahl-Hagen's pages. For Windows 2000 there could be one more thing, so... READ!

But when SYSKEY is not protected by a password or a diskette we..., well, this is the most difficult part. We do not want to change the administrator password but to PROMOTE an account with a known password, for example guest. We have to type the RID for guest (it will be shown), then, and this is the MOST IMPORTANT part, as the new password we type @. I do not know if this is in the documentation, but Petter Nordahl-Hagen answered my mail and told me that @ promotes the user, and it really does! You will get a message that guest was promoted and now belongs to the Administrators group!

We exit the application, saving changes, and remove the diskette. RESET, and we log on to our account without a password. We are administrators now! Sometimes we first have to blank our password and then set it to @. We needed administrator access to run pwdump2. Now we run it and copy the hashes to a file. Clever DLL injection. Save the file to a diskette! Now we have to clear the logs in Control Panel and the event log :) You know how to do it. RESET or restart the system, and once more boot from the NTFSDOS Pro floppy. We overwrite the modified SAM with the old one (the BACKUP).

Phew. The first part is done. Be proud of yourself and do not forget to take the floppies!

6 Part two

We go home and install LC4. Then we choose Import from PWDUMP file and select our file (saved from pwdump2). Choose dictionary and brute force and leave it for the night. Morning will welcome you with the administrator password. Enjoy!
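The overnight LC4 crack succeeds mainly because of the LM hashes that pwdump2 writes next to the NT hashes. As an added example, not from the original text or from any of the tools it names, here is a small Python audit a defender can run over a pwdump-format export of their own SAM: it reports which accounts still store an LM hash, which have a blank password, and which LM hashes reveal a password of seven characters or fewer. The sample lines are constructed, not real dumps.

```python
import re
from dataclasses import dataclass, field

# Well-known constants: LM and NT hashes of the empty string.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line format: username:RID:LM-hash:NT-hash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

# Constructed sample export (hash values are made up, not from a real SAM).
SAMPLE_PWDUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1001:1122334455667788aad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
"""


@dataclass
class Finding:
    user: str
    rid: int
    issues: list = field(default_factory=list)


def audit_pwdump(text: str) -> list:
    """Parse pwdump-format lines; return one Finding per account with a weakness."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PWDUMP_RE.match(line)
        if not m:
            findings.append(Finding(f"<line {lineno}>", -1, ["malformed pwdump line"]))
            continue
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        issues = []
        if nt == EMPTY_NT:
            issues.append("blank password")
        if lm != EMPTY_LM:  # LM storage not disabled: brute force is cheap
            issues.append("LM hash stored (crackable by brute force)")
            if lm[16:] == EMPTY_LM_HALF:  # second DES half empty: <= 7 chars
                issues.append("password is 7 characters or fewer")
        if issues:
            findings.append(Finding(user, rid, issues))
    return findings


if __name__ == "__main__":
    for f in audit_pwdump(SAMPLE_PWDUMP):
        print(f"{f.user} (RID {f.rid}): {'; '.join(f.issues)}")
```

The mitigation the audit points at is disabling LM hash storage (the NoLMHash policy) and enforcing passwords longer than 14 characters, which leaves LC4 only the far slower NT hash to work on.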

7 Yippee!

Once again - what happened?

We used NTFSDOS Pro to mount the NTFS partition. We made a backup of the SAM. Sometimes we had to turn off the SYSKEY password protection with the registry editor in chntpw. We promoted an account to administrator rights in order to run pwdump2. pwdump2 dumped the password hashes from the SAM without any encryption. Then we replaced the new SAM with the backup. We used LC4 to crack the password. Done.

Special thanks to:

Petter Nordahl-Hagen

Many people who created such wonderful programs.

If you have any questions, read the "How to use it" instructions on the programs' authors' pages twice, or buy the Hacking Exposed book (it is ALMOST the same, not exactly).

For people from my country

Greetings to my compatriots! A native of Toruń.
