Windows 2000 Password Recovering by ~Creepy~Nodque~


This little guide will show you how to find the password of the admin!


Disclaimer: This tutorial is strictly "Need To Know" to better improve the standards of security for today's world. I take absolutely NO RESPONSIBILITY for what you do with the information I provide.


Copyright: Don't duplicate, don't edit and don't take credit for what you didn't do. If you would like to host it on your server please give me full credit and include a link with my e-mail.



Contents:

1. Theory
2. What you will need
3. Things to do before the "real" job
4. Let's get the party started
5. I am in-I am God



1. Theory


Everybody knows that the passwords in Win2k are hidden in the famous SAM file -> c:\winnt\system32\config in Windows 2000

It's encrypted with the SYSKEY (a 128-bit key) and we will bypass the key! So, we are going to bypass SYSKEY, dump the hashes WITHOUT the encryption using DLL injection and...crack them! Then we will overwrite the modified SAM file with the old one! But we will use a FALSE admin account for this job (like a guest account or something like that)! So after about one day you will be the god of the system...the admin! Seems difficult? But it really is NOT!


2. What you will need

Physical access to one PC and an account (guest or any other you can use)

4 or more floppies

chntpw and SCSI drivers

pwdump2 or pwdump3

LC4 (@stake); later versions are called L0phtCrack (loftcrack)

And the good old NTFSdos pro (you will find it somewhere ;])






3. Things to do before the "real" job


The first floppy: Is used for our chntpw (use rawrite2)

The second one: Is used for the SCSI drivers (also use rawrite2)

The 3rd and the 4th: Make bootable floppies with NTFSdos pro (one is bootable, the other one holds the program)





4. Let's get the party started!


Boot the PC with NTFSdos!

Find the SAM file (c:\winnt\system32\config\SAM) and copy (BACKUP) the file to the floppy!


Reboot the system and put the chntpw floppy into the drive! Usually you will only have to press enter (use the SCSI drivers when you have to)!

Then set HKLM\System\CurrentControlSet\Control\Lsa\SecureBoot to 1 !

So...well, we don't want to change the admin password, we want to promote another account -> like guest or test or.....

We have to enter the RID for guest and type @ as the new password (it HAS TO BE @ )....nobody knows why but we have to do this....

You will see that the account guest belongs to the admin group!!!

Now exit, reboot and log in to the guest account without any password!

The easy part......

Now run pwdump2 (you can only do this if you are an admin)

Copy the hashes to a floppy and carry it home!

But first we have to edit the LOG file (if you don't know how, and you are in the system with our guest account, you will be fucked...sorry guy),
then start NTFSdos again and overwrite the new, modified SAM file with the old one from the floppy!

Hey! Nearly finished!

Now go home and install LC4 !


Then choose the SAM file (pwdump2 output) from the floppy and...GUESS...crack it (dictionary and brute force seem to be the best)!

This will take you about 4 hours -> it depends on your system speed and the password!

Maybe you are lucky and after 10 seconds the password will appear on your screen.
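An added example (editor's code, not part of the original tutorial): a small auditor for a pwdump2-style dump, which is assumed to use the user:RID:LM-hash:NT-hash::: line format. It flags the accounts the cracking step above would get to first, i.e. stored LM hashes, blank passwords and the built-in RID 500/501 accounts, so an admin can see what to fix; the sample dump is constructed.

```python
"""Audit a pwdump2-style dump (user:RID:LM-hash:NT-hash:::) for the
exposures the procedure above relies on: LM hashes that LC4 cracks
quickly, blank passwords, and the built-in accounts.
Editor's example; the sample dump below is constructed, not real hashes."""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in pwdump2 format (hash values are placeholders).
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed dump line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit(text):
    """Return {user: [findings]} for every account that has at least one risk."""
    report = {}
    for user, rid, lm, nt in parse_pwdump(text):
        findings = []
        if lm != EMPTY_LM:
            findings.append("LM hash stored")  # the hash the hours-long cracking targets
        if nt == EMPTY_NT:
            findings.append("blank password")
        if rid == 500:
            findings.append("built-in Administrator (RID 500)")
        if rid == 501:
            findings.append("built-in Guest (RID 501)")
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(findings)}")
```

Accounts without a stored LM hash leave only the NT hash to crack, which is far slower than the LM halves, so disabling LM hash storage and keeping Guest disabled removes most of what this procedure depends on.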


5. I am in-I am God


Remember: I am God, you are not.   ;)




(c) by CreepyNodque

- mrd.at.tc