Windows local user password reset

Hi all, just a quick update.

I’m sure we are all familiar with the Windows NT Password offline editor (if not: http://home.eunet.no/pnordahl/ntpasswd/ ).
It provides a bootable environment based on chntpw to change or blank any 2000/XP/2003/Vista local user's password, very useful for lost accounts.
However, while playing around I wondered how easy it would be to take a copy of the user's original hash first, so it can be put back in place after you have reset the password. That lets you cover your tracks, and not having to hassle users into setting a new password is always a good thing.

It turns out Windows performs no integrity check on the ‘SAM’ (Security Account Manager) registry hive file: as long as the SYSTEM hive, which holds the boot key used to encrypt the hashes inside SAM, is unchanged, an older copy of the SAM file dropped back in place is loaded as-is. So;

  • Boot into some form of Linux with NTFS-3G (NTFS read/write support) and copy SYSDRIVE:/Windows/System32/Config/SAM to SAM.Bak.
  • Go ahead with your chntpw-based password reset. You may as well use the raw chntpw tool since you are already in Linux, but there is nothing wrong with shutting down and booting the NTPWRS bootable CD instead, since SAM.Bak was saved on the Windows drive itself.
  • Reset the password of the user of your choice and do whatever needs to be done…
  • When finished, boot back into Linux with NTFS R/W support and move SAM.Bak back over SAM, overwriting the modified ‘SAM’ file.

That's it: passwords for all users are back to what they were.
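The whole procedure wrapped up as a small POSIX shell script, as an added example that is not part of the original post or of the chntpw/NTPWRS tools. The device (/dev/sda2), mountpoint (/mnt/win) and hive path are assumptions; Windows 2000 keeps its hives under WINNT\system32\config, and NTFS-3G paths are case-sensitive, so match the on-disk case (normally a lowercase “config”). The one thing added beyond the steps above is a SHA-256 digest of the backup, so the restore refuses to proceed if SAM.Bak was damaged and confirms the hive put back is byte-identical to the original.

```shell
#!/bin/sh
# Added example (not from the original post): back up and later restore the
# SAM hive around an offline chntpw reset, from a Linux live environment with
# NTFS-3G. Device, mountpoint and hive path are assumptions; adjust for the
# target (Windows 2000 uses WINNT\system32\config).
set -eu

# Relative path of the hive inside the mounted Windows volume. NTFS-3G path
# lookups are case-sensitive, so this must match the on-disk case.
SAM_REL="Windows/System32/config/SAM"

# digest FILE: SHA-256 of a file, used to prove the restored hive is intact.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# mount_windows DEVICE MOUNTPOINT: read/write NTFS-3G mount. ntfs-3g refuses
# a hibernated volume, which is what you want: never edit a hive belonging to
# a Windows instance that was not shut down cleanly.
mount_windows() {
    mkdir -p "$2"
    ntfs-3g "$1" "$2"
}

# backup_sam MOUNTPOINT: copy SAM to SAM.Bak (cp -p keeps mode and timestamps,
# so the file moved back later carries the original SAM's times) and record
# its digest next to it for restore_sam to verify.
backup_sam() {
    sam="$1/$SAM_REL"
    [ -f "$sam" ] || { echo "no SAM hive at $sam" >&2; return 1; }
    cp -p "$sam" "$sam.Bak"
    digest "$sam.Bak" > "$sam.Bak.sha256"
    [ "$(digest "$sam")" = "$(cat "$sam.Bak.sha256")" ]
}

# reset_password MOUNTPOINT USER: the chntpw step; it prompts interactively
# for what to do with the account (blank the password, etc.).
reset_password() {
    chntpw -u "$2" "$1/$SAM_REL"
}

# restore_sam MOUNTPOINT: check SAM.Bak still matches the recorded digest,
# move it over the modified SAM, remove the digest file so nothing is left
# behind on the drive, flush to disk and confirm the result byte-for-byte.
restore_sam() {
    sam="$1/$SAM_REL"
    expected=$(cat "$sam.Bak.sha256")
    [ "$(digest "$sam.Bak")" = "$expected" ] || {
        echo "SAM.Bak digest mismatch; refusing to restore" >&2; return 1; }
    mv -f "$sam.Bak" "$sam"
    rm -f "$sam.Bak.sha256"
    sync
    [ "$(digest "$sam")" = "$expected" ]
}

# Typical session (assumed device and mountpoint):
#   mount_windows /dev/sda2 /mnt/win && backup_sam /mnt/win
#   reset_password /mnt/win Administrator   # then umount, reboot into Windows
#   mount_windows /dev/sda2 /mnt/win && restore_sam /mnt/win && umount /mnt/win
```

Using mv rather than a second copy keeps the backup's (i.e. the original SAM's) modification time on the restored file, and removing the digest file means the only trace of the swap is the directory's own timestamp. If restore_sam reports a digest mismatch, do not overwrite SAM with the damaged backup; leave the reset hive in place and deal with the account through Windows instead.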

This isn’t anything new, or actually that exciting, but it’s something not really mentioned around the NTPWRS/chntpw pages and I thought it could be useful to know that it works 🙂

Right, onto the real point of my messing around: I want to be able to do the same for Active Directory.
So far it looks like I have hit a dead end trying to access the AD DB itself while the system is live; user passwords are stored in a ‘UnicodePWD’ class inside the user's object, which is a ‘write only’ field. I have a few more ideas on how to get this, and then putting the hash back whenever required is very easy indeed 🙂

More later.

//Matt