Tuesday, September 29, 2009

Forgot that Windows password?

There are many ways to retrieve a lost Windows password. I just wanted to share this for those who might run into some problems that I have seen.

You might run into a situation where you need to reset the local administrator password on a Windows box, so you reboot into something like NT PASSWORD. Now comes the problem: you boot into it and it doesn't want to mount your drives, or doesn't seem to find the SAM file. I did notice this happens more often when the system has been shut down improperly. To fix that issue, just reboot into safe mode, which will normally let you shut down properly; you might have to do this more than once. If that still doesn't work, have no fear:

Boot into Backtrack. After you've booted up, check your mounts with the mount command. If you see your Windows system partition, you're set; if not, try to mount it with the following:

ntfs-3g /dev/sda2 /mnt/sda2 -o force

That should mount your drive; the command assumes your Windows partition is sda2. If it is not, substitute your device here. If you don't know which it is, check your logs and dmesg to see what it might be. The -o force option tells ntfs-3g to mount a volume that was not cleanly unmounted, which is exactly the improper-shutdown case above.

After it is mounted cd into the /pentest/password/chntpw directory.

Run the following:

chntpw -l /mnt/sda2/WINDOWS/system32/config/SAM

This should list the users that exist in the SAM file on the local system.

To change the password do the following:

chntpw -u Administrator /mnt/sda2/WINDOWS/system32/config/SAM

*Note: If your username happens to contain a space put it in quotes*

This will present you with some options as to what to change. Choose to blank out the password. You can also set it, but I have found this way to be the easiest. You can set it to what you want once you get the box back up.

After you modify the password, write your changes. Windows may ask you to run a disk check after you reboot. Skip this on the first boot, change your password after it comes back up, then you can reboot and let it do what it wants.
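As an added example (not the post's own commands), a small POSIX shell pre-flight for the steps above: it locates the hive directory case-insensitively, backs up SAM, SYSTEM and SECURITY before chntpw writes anything, and then runs the same chntpw -l listing. The mount point, backup directory and function names are assumptions, and the partition is taken as already mounted.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight for the chntpw steps:
# locate the registry hive directory under an already-mounted Windows partition
# (mount point in $1, e.g. /mnt/sda2), back up the hives before chntpw writes
# to them, then list the SAM users.  Usage: preflight /mnt/sda2 /root/hive-backup

# Print the system32/config directory below a mount point. The match is
# case-insensitive because ntfs-3g shows names as stored on disk ("WINDOWS"
# on XP, "Windows" on Vista/7) and chntpw must be given the exact path.
find_config_dir() {
    find "$1" -mindepth 3 -maxdepth 3 -type d -ipath '*/system32/config' \
        2>/dev/null | head -n 1
}

# Print the path of the SAM hive below a mount point, or nothing if absent.
find_sam() {
    cfg=$(find_config_dir "$1")
    [ -n "$cfg" ] || return 0
    find "$cfg" -maxdepth 1 -type f -iname sam | head -n 1
}

# Copy the hives chntpw can touch (SAM, SYSTEM, SECURITY) from config dir $1
# into a timestamped directory under $2 and print it. A bad write is undone
# by copying the files back before the machine is rebooted into Windows.
backup_hives() {
    cfg="$1"; dest="$2"
    [ -d "$cfg" ] || { echo "not a directory: $cfg" >&2; return 1; }
    out="$dest/hives-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$out" || return 1
    for name in sam system security; do
        find "$cfg" -maxdepth 1 -type f -iname "$name" -exec cp -p {} "$out/" \;
    done
    n=$(ls "$out" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no hives found in $cfg" >&2; return 1; }
    echo "$out"
}

# Whole pre-flight: find, back up, then list users (chntpw -l as in the post).
preflight() {
    sam=$(find_sam "$1")
    [ -n "$sam" ] || { echo "no SAM under $1; is it mounted?" >&2; return 1; }
    out=$(backup_hives "$(dirname "$sam")" "$2") || return 1
    echo "hives backed up to $out"
    if command -v chntpw >/dev/null 2>&1; then
        chntpw -l "$sam"
    else
        echo "chntpw not found on PATH; run: chntpw -l $sam"
    fi
}
```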

This isn't an exact step-by-step guide. It assumes that you have Linux experience and some familiarity with password reset procedures. I just wanted to share this because I have seen admins feel like they are out of luck after NT Password does not work. Have no fear! You do have another option.

Monday, September 14, 2009

WEP Y?

Wow! It is truly amazing just how many people still use WEP. I'm not going to go on a huge rant about this, but if you are using it, STOP! People often say, "well, it's better than nothing." I say not really, because it gives you a false sense of security. Others say, "but I don't have anything anyone would want." I say there are millions of identities stolen from home computers. Most wireless access points support WPA; use it. If yours has WPA2, that is even better. In the "it's better than nothing" category, I would put WPA, with WPA2 being the best at this time for home use.

With that in mind, I thought I would show how easy it is to crack WEP with a few simple commands and the right, freely available tools.

*Disclaimer: Please remember not to use this for nefarious purposes. This is informational only. Do it on your own access point as a proof of concept or make sure it is in your rules of engagement for a penetration test for a client.*

I will not be held liable for any misuse of this information!

Cracking WEP

1. Download the tools:

Backtrack 4

2. Boot into the Disk

3. Find a good target by running the following command:

airodump-ng wlan0 (just run airodump-ng by itself to find your interface name; mine happens to be wlan0)

4. Write down the BSSID, ESSID, and channel of the AP with the strongest signal (this one is normally near the top of the list)

5. Lock onto the target with the following command in a new terminal window:

airodump-ng -w wep -c 11 --bssid 00:00:00:00:00:00 wlan0 (here WEP is the encryption type; -c is the channel, 11 in this example, but enter the value you saved in step 4; the BSSID will not be all zeros either, so enter the BSSID you wrote down in step 4 in the same format as the zeros)

6. Attempt association to the AP with the following command in another terminal window:

aireplay-ng -1 0 -a 00:00:00:00:00:00 wlan0 (again, the BSSID should not be zeros but the value you have from step 4)

7. Hopefully your card supports packet re-injection. This basically means that when it finds some interesting traffic it recognizes, it will replay that packet back into the network, making this process much faster. Do this step by typing the following in yet another terminal window:

aireplay-ng -3 -b 00:00:00:00:00:00 wlan0 (remember, not zeros but the BSSID from step 4)

8. Once you see the "data" column get to somewhere between 20K and 30K you should be good to go. Do an ls -la to find the file name that was created; it is the file with the .cap extension.

9. Armed with that information, run the following command to crack the WEP key:

aircrack-ng filename (remember, it should look like wep02.cap or something else with the .cap extension)

This final step is the quickest. Depending on whether your wireless card supports packet re-injection, it could take a while to capture the traffic needed to crack WEP. If your card is fully supported with re-injection, this will probably take no more than 15 minutes on average. You can run the crack command at random intervals during the capture to see if you have it yet, though I recommend just waiting until you get 20-30K data packets. I haven't seen it really work with less than that. Not saying it doesn't, I just haven't seen it.

So there you have it. Scary huh? It is. Please remember not to use this for nefarious purposes. This is informational only. Do it on your own access point as a proof of concept or make sure it is in your rules of engagement for a penetration test for a client. I didn't give you this so you can go cracking your neighbor's wireless connection :)
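To check the "stop using WEP" advice against an access point you actually administer, here is an added example (not from the post) that audits a hostapd.conf, the config file of the Linux hostapd AP daemon: it reports whether the file is set for WEP, WPA or WPA2 and fails anything short of WPA2 with CCMP. hostapd itself is not mentioned in the post; the function names and the two sample configs are constructed here.

```shell
# Added example, not from the original post: audit a hostapd.conf (the Linux
# AP daemon, assumed to be an AP you control) and report whether it is set
# for WEP, WPA, WPA2 or nothing, so the "stop using WEP" advice can be checked.
# Print the last value of key $2 in config $1 (hostapd uses key=value lines).
cfg_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }
# Print the mode: open, wep, wpa, wpa2, wpa+wpa2 or unknown. hostapd runs WEP
# when wpa is unset or 0 and some wep_keyN is configured.
ap_mode() {
    wpa=$(cfg_get "$1" wpa)
    wep=$(grep -c '^[[:space:]]*wep_key[0-9]=' "$1" || true)
    case "${wpa:-0}" in
        0) if [ "$wep" -gt 0 ]; then echo wep; else echo open; fi ;;
        1) echo wpa ;;
        2) echo wpa2 ;;
        3) echo wpa+wpa2 ;;
        *) echo unknown ;;
    esac
}
# Print one FAIL line per problem and return 1; return 0 only for WPA2-only
# with CCMP (AES) and a passphrase hostapd accepts (8 to 63 characters).
# Assumes wpa_passphrase is used rather than a raw 64-hex wpa_psk.
ap_audit() {
    rc=0
    mode=$(ap_mode "$1")
    [ "$mode" = wpa2 ] || { echo "FAIL: mode is $mode, want wpa2"; rc=1; }
    case "$(cfg_get "$1" rsn_pairwise)" in
        *TKIP*) echo "FAIL: rsn_pairwise allows TKIP"; rc=1 ;;
        *CCMP*) ;;
        *) echo "FAIL: rsn_pairwise should be CCMP"; rc=1 ;;
    esac
    case "$mode" in
        wpa*) pass=$(cfg_get "$1" wpa_passphrase)
              if [ ${#pass} -lt 8 ] || [ ${#pass} -gt 63 ]; then
                  echo "FAIL: wpa_passphrase must be 8 to 63 characters"; rc=1
              fi ;;
    esac
    return $rc
}
# Constructed samples: the weak WEP setting beside the corrected WPA2 one.
demo() {
    d=$(mktemp -d)
    printf 'ssid=home\nwep_default_key=0\nwep_key0=123456789A\n' > "$d/weak.conf"
    printf 'ssid=home\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n' > "$d/fixed.conf"
    echo 'wpa_passphrase=correct horse battery staple' >> "$d/fixed.conf"
    for f in weak fixed; do
        echo "$f: $(ap_mode "$d/$f.conf")"; ap_audit "$d/$f.conf" && echo "$f: OK"
    done
    rm -rf "$d"
}
demo
```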