Password Bypassing and Clearing

by Metalx1000

It doesn't take much to sit down at a computer and bypass pretty much any security that may be set up for the local accounts.

There are a variety of Linux distributions available, on the Internet, in Live CD format.  You can pop one of these CDs into pretty much any computer that will boot from removable media and have full control of whatever is on its disks.

All modern distributions of Linux can read and write a long list of file systems, including NTFS.  Booting Linux also sidesteps the permissions on those files: NTFS access control lists are enforced by the running Windows kernel, so with Windows not running you can read folders on a Windows machine that you wouldn't have access to even as administrator of the Windows OS.

The problem arises when you need more than just file access on the computer.  What if you have to make changes to the registry, or run an application that is installed on the computer already?  It's times like these that we may need to bypass the login screen of an OS.

Getting someone's password can be a difficult thing to accomplish.  There are programs out there, such as Ophcrack, that will try to crack a user's password.

They work not on the password itself, which is never stored, but on the hash of it kept in the file where passwords are stored.  In the Windows OS, this is the SAM file.  A plain dictionary attack hashes each word in a list and compares the result against the stored hash; Ophcrack instead looks the LM and NT hashes up in precomputed rainbow tables, which is faster but has the same limit.

The SAM file can be found under: C:\WINDOWS\SYSTEM32\CONFIG\SAM

Windows holds the hive open and locked while it runs, so you read it from the Live CD.  The hashes inside are further encrypted with the boot key kept in the SYSTEM hive in the same folder (the SYSKEY), so a cracker needs both files; this is why Ophcrack asks for the whole config folder rather than the SAM alone.

The main problem with programs like Ophcrack is the same problem you have when trying to perform any dictionary attack.  If the password you're trying to crack isn't in the dictionary list (or the rainbow table's keyspace) you have, you won't ever crack it.

As an alternative, you can change or clear a user's password.  I used to use a bootable CD called ERD Commander by Winternals.  ERD Commander is like a Windows version of a Linux Live CD.  It would boot and ask where Windows was installed and then I could edit the registry or use a program called Locksmith that allows you to change a user's password.  ERD Commander had a few other features too, but these were the only ones I really ever used.

The thing that drove me crazy about ERD Commander was that it was, like Windows itself, very slow.  You could wait five minutes for it to load sometimes.  So, once chntpw came along I stopped using ERD Commander.  chntpw is a Linux utility to reset a Windows user's password.  It also has the ability to edit the registry on a Windows computer.

So you could use a Linux Live CD once again to boot the machine.

Most distros have chntpw installed or in the repositories.  Mount the Windows partition read-write, navigate to the folder where the SAM file is located, and type: chntpw -l SAM (Linux treats the mounted NTFS volume as case-sensitive, so give the file name exactly as it appears in the directory listing, which for the hive files is all capitals).

This will give you a list of all the local Windows users for the system, with their RIDs and whether each account is an administrator or locked out.  Now you can type chntpw -u username SAM to edit a user's account (replace username with the user's name).

From this point on you can just follow the on-screen menu.  You will have the options to blank their password, change it, promote the account to administrator, or unlock and enable it.  It is suggested that you blank their password rather than change it.  Changing the password doesn't always work (chntpw's own menu warns about this on XP and Vista).  But, if you blank their password you can always set a new password once you have logged into their account on the Windows side.  Quit the menu, and when chntpw asks whether you want to write the hive files back, answer yes.  Nothing is changed on disk until you do.

Promoting an account makes it a local administrator (newer chntpw versions can also add an account to or remove it from a group).  chntpw is a faster alternative to ERD Commander.  It also gives you the ability to clear/blank the password on Vista systems, whereas ERD Commander does not work on Vista systems.
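The chntpw steps above, put into a script.  This is an added example, not from the article: it assumes the Windows partition is already mounted read-write (with ntfs-3g, say) at the mount point you pass in, that chntpw is on the Live CD, and that the hive file names are whatever case the listing shows, which is why it searches for them case-insensitively instead of hard-coding SAM.  The chntpw menu answers ("1", "q", "y") are the ones described above.

```shell
#!/bin/sh
# Added example (not part of the original article): find the SAM hive on a
# mounted Windows partition and drive chntpw to list users or blank a password.
# Assumes: partition mounted read-write at the given mount point, chntpw
# installed, and the shell running as root on the Live CD.

# Print the path of hive $2 (SAM, SYSTEM, ...) under mount point $1.
# ntfs-3g mounts are case-sensitive to Linux, so "WINDOWS" and "Windows" are
# different names; -ipath matches the whole path case-insensitively.
# WINNT is checked too, for Windows 2000-era installs.
find_hive() {
    mnt=${1%/}; hive=$2            # strip a trailing slash so paths match
    for windir in windows winnt; do
        path=$(find "$mnt" -maxdepth 4 -type f \
                    -ipath "$mnt/$windir/system32/config/$hive" 2>/dev/null | head -n 1)
        if [ -n "$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# List the local accounts in the SAM (the article's "chntpw -l sam").
list_users() {
    sam=$(find_hive "$1" SAM) || { echo "no SAM hive under $1" >&2; return 1; }
    chntpw -l "$sam"
}

# Blank the password of user $2 on the Windows install mounted at $1.
# chntpw's per-user menu is answered from stdin:
#   1 = clear (blank) the password, q = quit the menu, y = write hive files.
# Blanking rather than setting a new password is the safe choice the article
# recommends; the new hash can be set from inside Windows afterwards.
blank_password() {
    mnt=$1; user=$2
    sam=$(find_hive "$mnt" SAM) || { echo "no SAM hive under $mnt" >&2; return 1; }
    [ -w "$sam" ] || { echo "$sam is not writable; remount read-write" >&2; return 1; }
    printf '1\nq\ny\n' | chntpw -u "$user" "$sam"
}

# Usage: sh reset.sh /media/disk username
if [ $# -eq 2 ]; then
    blank_password "$1" "$2"
fi
```

Run it as root from the Live CD with the mount point and the account name; run list_users first if you are not sure of the exact user name, since chntpw matches it as stored in the SAM.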

The big stumbling block with both of these options is that they change or clear a user's password.  So, the next time that user tries to login, they won't be able to since their password has been changed.  You won't be able to change their password back since you don't know their password (if you did, you would have no need for either of these programs).  Worse, on Windows a reset password also loses whatever was protected with the old one: EFS-encrypted files and saved credentials (DPAPI) become unreadable, because their keys are derived from the user's password.

We have another option in a very small bootable ISO image called Kon-Boot.

Kon-Boot can be downloaded in a very small ZIP file.  It's about 8.7 kB zipped up.  Once downloaded, unzip the ISO file and burn it to a CD using your favorite CD burning program.

When you put this CD in a computer and boot from it, you will first see a boot screen that has a big logo that says, "Kryptos Logic" with a scrolling banner below it.  I sat at this screen for a while before I realized I had to press the "anykey."  I pressed "Enter" and the system continued to boot.  It will seem like the system is booting normally and you will end up at the login screen you are used to.

There is one difference at this point: You don't need a password to login.  Just choose a user and hit Enter.  You are now logged in as that user.

When you are done doing whatever it is that you need to do, just restart the computer without the CD in the drive.  The system is back to normal with the original passwords: Kon-Boot never touches the disk; it patches the Windows kernel's password check in memory as the system boots, so the patch is gone after a reboot.  According to the Kon-Boot website, Kon-Boot has been tested on Windows XP, Vista, Windows 7, Windows Server 2003, and Windows Server 2008.  It's also worth mentioning that there is a version of Kon-Boot for Linux systems.

Another way to get through the login screen on a Linux system is with chroot.  Part of coreutils on every distribution, chroot changes what a process sees as the root directory.  Boot a Live CD, become root (chroot requires it), and mount the hard drive partition that contains the Linux OS that you want access to (if /usr or /etc live on separate partitions, mount those underneath it too).

If the partition is mounted to /media/disk, then open a terminal screen and run: chroot /media/disk

Now, anything you do in that terminal will act as though it is running on the system you have chroot'ed to.

At this point, you can use the passwd command to change a user's password much like we did with chntpw for Windows.  The command would be typed like this: passwd username

Replace username with the name of the user you would like to change.  Type the new password and confirm it by typing it a second time.  passwd writes the new hash into the mounted system's /etc/shadow, so the change is there when you reboot into it.
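The chroot procedure above as a script, with the checks you want before touching /etc/shadow.  This is an added example, not the article's own: it assumes the target root is already mounted read-write at the mount point you pass, that you are root on the Live CD, and it uses chpasswd (which reads "user:password" from stdin) in place of the interactive passwd so it can be scripted.  The helper names (user_exists, shadow_hash, account_locked, reset_linux_password) are mine, not standard tools.

```shell
#!/bin/sh
# Added example (not part of the original article): reset a local account's
# password on a Linux install mounted under a Live CD, non-interactively.
# Assumes: target root mounted read-write at the given mount point, this
# shell running as root, and chpasswd present inside the target (it lives in
# /usr/sbin, so a separate /usr partition must be mounted too).

# Succeed if user $2 has an entry in the target's /etc/passwd under $1.
user_exists() {
    grep -q "^$2:" "$1/etc/passwd" 2>/dev/null
}

# Print the hash field of user $2 from the target's /etc/shadow under $1
# (empty if there is no entry).
shadow_hash() {
    grep "^$2:" "$1/etc/shadow" 2>/dev/null | cut -d: -f2
}

# Succeed if the account is locked: a hash beginning with '!' or '*' can
# never match a password.  Setting a new password with chpasswd replaces
# the field, which is also how a locked account gets unlocked.
account_locked() {
    case "$(shadow_hash "$1" "$2")" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Succeed if $1 looks like a root we can chroot into for this job:
# /etc/shadow must exist and chpasswd must be reachable inside it.
root_looks_sane() {
    [ -f "$1/etc/shadow" ] &&
        { [ -x "$1/usr/sbin/chpasswd" ] || [ -x "$1/sbin/chpasswd" ]; }
}

# Set the password of user $2 to $3 inside the chroot at $1.
# This is the scriptable form of "chroot /media/disk" followed by
# "passwd username".  Returns 2 if the user is unknown, 3 if the mounted
# root is incomplete, otherwise chpasswd's exit status.
reset_linux_password() {
    mnt=${1%/}; user=$2; newpass=$3
    if ! user_exists "$mnt" "$user"; then
        echo "no user '$user' in $mnt/etc/passwd" >&2
        return 2
    fi
    if ! root_looks_sane "$mnt"; then
        echo "$mnt lacks /etc/shadow or chpasswd (separate /usr not mounted?)" >&2
        return 3
    fi
    printf '%s:%s\n' "$user" "$newpass" | chroot "$mnt" chpasswd
}

# Usage: sh reset-linux.sh /media/disk username newpassword
if [ $# -eq 3 ]; then
    reset_linux_password "$1" "$2" "$3"
fi
```

chpasswd picks the hashing method from the target's own login.defs/PAM configuration, so the new entry in /etc/shadow uses the same algorithm the installed system expects; check shadow_hash before and after if you want to see the replacement.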

We've looked at a number of different ways to bypass the local security on most systems.  The question arises, "How do we protect ourselves from these types of attacks?"  One way is to set a BIOS password and lock the boot order so the machine won't boot from a CD or USB stick.  This is a good deterrent, but there are ways around that, too: the password can be cleared with the motherboard's CMOS jumper or by pulling the battery, and the drive can simply be moved to another machine.

I believe that encrypting your hard drive is the best policy.  This will stop all the attacks I have listed above.  Although I'm not familiar with the process on a Windows install, some Linux operating systems such as Debian give you the option during the install process to encrypt the hard drive.

This is a simple way to protect your data.  Things such as cold boot attacks are still possible, but less common than the other attacks.  A cold boot attack also needs the machine to be running, or only just powered off, with the encrypted volume unlocked, so that the key is still sitting in RAM; a machine that has been shut down for a while has nothing in memory to recover.

If you do encrypt your hard drive, be sure to remember your password or you're screwed.

Thanks to Canola for all your help.
