1. Boot from the Backtrack CD (don't forget to set the BIOS to boot from CD) until you are inside BT,
then mount the Windows drive so that it is readable from the BT we know and love.
Mount the Windows drive in BT:
root@chevssites:~# mount -t ntfs-3g /dev/sda1 /mnt/sda1
root@chevssites:~# ls -l /mnt/sda1
drwxrwxrwx 1 root root 36864 2009-11-12 10:03 WINDOWS
Don't forget that the mount point /mnt/sda1 must already have been created in BT beforehand. Here /mnt/sda1 is where the default Windows drive shows up in BT, in other words drive C:\ in Windows, the "window" that belongs to Mr. Bill Gates.
2. Next, run the chntpw program first and get to know the options it offers, so that we understand what we are doing instead of blindly following someone else's tutorial, and can be more creative...
root@chevssites:~# chntpw
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
chntpw: change password of a user in a NT/2k/XP/2k3/Vista SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u <user> Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!
Once that is understood, let's move on to the next step.
3. Enter the options as listed above. First, let me briefly explain them:
[systemfile] – the file where the SAM is encrypted
[otherreghive] – does not need to be filled in, because we already know the username whose password we are going to reset.
-u – the username; here I use the username "vinblackcabul"
Note: REMEMBER! Do not get the upper and lower case letters wrong when typing it, because it is case sensitive!
OK, now enter the command.
root@chevssites:~# chntpw /mnt/sda1/WINDOWS/system32/config/SAM /mnt/sda1/WINDOWS/system32/config/system /mnt/sda1/WINDOWS/system32/config/SECURITY -u vinblackcabul
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 242/19128 blocks/bytes, unused: 9/5256 blocks/bytes.
Hive name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c
Page at 0x5a5000 is not 'hbin', assuming file contains garbage at end
File size 6029312 [5c0000] bytes, containing 1374 pages (+ 1 headerpage)
Used for data: 112963/5842920 blocks/bytes, unused: 2691/27736 blocks/bytes.
Hive name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0xc000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 11 pages (+ 1 headerpage)
Used for data: 903/41408 blocks/bytes, unused: 4/3296 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
| 03ec | juliaperes | | |
| 03eb | vinblackcabul | ADMIN | |
| 03ea | SUPPORT_388945a0 | | dis/lock |
---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : 1 -> key-in-registry
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: 1 -> key-in-registry
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = 1, key-in-registry-mode
SYSKEY is on! However, DO NOT DISABLE IT UNLESS YOU HAVE TO!
This program can change passwords even if syskey is on, however
if you have lost the key-floppy or passphrase you can turn it off,
but please read the docs first!!!
** IF YOU DON'T KNOW WHAT SYSKEY IS YOU DO NOT NEED TO SWITCH IT OFF!**
NOTE: On WINDOWS 2000 it will not be possible
to turn it on again! (and other problems may also show..)
NOTE: Disabling syskey will invalidate ALL
passwords, requiring them to be reset. You should at least reset the
administrator password using this program, then the rest ought to be
done from NT.
Do you really wish to disable SYSKEY? (y/n) [n] n
So the syskey has been found, and we arrive at the yes-or-no prompt...
Choose no; do not choose yes, because with yes all the passwords get disabled and that becomes a big problem, although not as big as the ANGGODO case, =))
4. After answering no, the username that exists on my computer appears...
RID : 1003 [03eb]
Username: toke
fullname: tokebelang
comment :
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 2 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 440
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 2
Now we arrive at the User Edit Menu above.
Choose whatever your heart tells you, or follow its hints...
This time I do not choose option 1, which resets the password to blank; instead I edit it by entering a new password with option 2.
New Password: kolormiyabi
Password changed!
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y
0 - OK
And there, our work is done. Hereby, having considered..., waited and decided.., that:
username: toke has had its password changed to "kolormiyabi"
Good luck trying it out!
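The user table printed in step 3 can also be read without changing anything, to audit which local accounts hold administrator rights and can still log on. The script below is an added example, not part of the original tutorial or of chntpw; it parses the table format shown above, the sample rows are constructed from that listing, and the function names sample_listing and active_admins are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit the user table that chntpw prints for a SAM hive.
# The sample rows are constructed from the listing shown in step 3.

sample_listing() {
cat <<'EOF'
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f5 | Guest | | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
| 03ec | juliaperes | | |
| 03eb | vinblackcabul | ADMIN | |
| 03ea | SUPPORT_388945a0 | | dis/lock |
EOF
}

# Reads a chntpw user table on stdin and prints "rid_decimal:username:kind"
# for every account that is an administrator and is not disabled/locked.
active_admins() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Portable hex-to-decimal conversion (no gawk strtonum needed).
    function hex2dec(h,   i, n, d) {
      n = 0; h = tolower(h)
      for (i = 1; i <= length(h); i++) {
        d = index("0123456789abcdef", substr(h, i, 1)) - 1
        n = n * 16 + d
      }
      return n
    }
    {
      rid = trim($2)
      if (rid !~ /^[0-9a-fA-F]+$/) next   # skip the header and non-table lines
      if (trim($4) != "ADMIN") next       # keep administrators only
      if (trim($5) != "") next            # dis/lock is set: account cannot log on
      dec = hex2dec(rid)
      # RID 500 is the built-in Administrator; RIDs from 1000 up are
      # allocated to accounts created on the machine.
      kind = (dec == 500) ? "builtin" : (dec >= 1000 ? "created" : "wellknown")
      printf "%d:%s:%s\n", dec, trim($3), kind
    }'
}

sample_listing | active_admins
```

Against a mounted hive the same function takes the real listing on stdin: chntpw -l /mnt/sda1/WINDOWS/system32/config/SAM | active_admins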