Common Recovery and Removal Questions

From NST Wiki

How Do I Clear A Windows XP User Password?

The Network Security Toolkit distribution contains the necessary tools to allow one to reset a forgotten user password on a Windows XP drive. This is done via the chntpw utility. The process involves the following:

  • Mounting the Windows drive. This is typically the first partition on an IDE or SATA hard disk (it will be /dev/sda1 on 99% of the Windows XP systems you come across).
  • Locating the Security Accounts Manager (SAM) file (typically found under the WINDOWS/system32/config directory on a Windows XP box).
  • Running the chntpw command on the SAM file.
  • Finally, it's important to unmount (umount) the Windows drive to make sure all data written to the SAM file is flushed to disk.

Warning: We have not encountered a problem using the chntpw utility. However, as it involves writing to a Windows NTFS partition, it makes Paul nervous each time he uses it (and he's pretty sure that he's had to re-install Windows at least once after using this utility). If the Windows box is important, you should back up any data PRIOR to using this command.

First, let's mount the Windows XP disk and list what users are on the system.

[root@probe ~]# mkdir /mnt/winxp
[root@probe ~]# mount /dev/sda1 /mnt/winxp
[root@probe ~]# ls /mnt/winxp/WINDOWS/system32/config
AppEvent.Evt  SAM           SECURITY.LOG  SysEvent.Evt   system.sav
default       SAM.LOG       software      system         TempKey.LOG
default.LOG   SecEvent.Evt  software.LOG  system.LOG     userdiff
default.sav   SECURITY      software.sav  systemprofile  userdiff.LOG
[root@probe ~]# chntpw -l /mnt/winxp/WINDOWS/system32/config/SAM
chntpw version 0.99.3 040818, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 270/21264 blocks/bytes, unused: 7/3120 blocks/bytes. 

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
RID: 01f4, Username: <Administrator>, *disabled or locked*
RID: 03ed, Username: <erik>, *BLANK password*
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03ec, Username: <megan>
RID: 03eb, Username: <pkb>
RID: 03ee, Username: <scott>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*

Hives that have changed:
 #  Name
None!
[root@probe ~]# 

Now that we've identified the users on the system, let's clear the password for scott:

[root@probe ~]# chntpw -u scott /mnt/winxp/WINDOWS/system32/config/SAM
chntpw version 0.99.3 040818, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 270/21264 blocks/bytes, unused: 7/3120 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
RID: 01f4, Username: <Administrator>, *disabled or locked*
RID: 03ed, Username: <erik>, *BLANK password*
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03ec, Username: <megan>
RID: 03eb, Username: <pkb>
RID: 03ee, Username: <scott>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*

---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : -1 -> Not Set (not installed, good!)
SAM      Account\F             : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
RID     : 1006 [03ee]
Username: scott
fullname: 
comment : 
homedir : 

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 3, while max tries is: 0
Total  login count: 19
Account is probably locked out!
Do you wish me to reset the failed count, unset disabled and lockout,
and set the "password never expires" option? (y/n) [n]y


* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
Blanking password!

Do you really wish to change it? (y/n) [n] y
Changed!


Hives that have changed:
 #  Name
 0  </mnt/winxp/WINDOWS/system32/config/SAM>
Write hive files? (y/n) [n] : y
writeHive: write of /mnt/winxp/WINDOWS/system32/config/SAM failed: Success. 

[root@probe ~]# umount /mnt/winxp
[root@probe ~]# 

Warning: We aren't sure why the "failed" message occurs at the end of the output.

The example above was run on a 32-bit Windows XP system. If the system you are working with is not running Windows XP, the SAM file may be in a different directory; you can use the find command to locate it. Here is an example of locating the SAM file on a 32-bit Windows 7 machine:

[root@cayenne ~]# mkdir /mnt/win
[root@cayenne ~]# mount /dev/sda1 /mnt/win
[root@cayenne ~]# find /mnt/win/Windows -name SAM
/mnt/win/Windows/System32/config/RegBack/SAM
/mnt/win/Windows/System32/config/SAM
[root@cayenne ~]# umount /mnt/win
[root@cayenne ~]#
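The two steps above (locate the hive, then list accounts read-only) can be wrapped in a small script that copes with the case differences between XP (WINDOWS/system32) and Windows 7 (Windows/System32, plus the RegBack copy). This is an added example, not code from the NST wiki or from the chntpw project; the function names are this example's own, and it assumes the volume has already been mounted, ideally read-only, at the path given as the argument.

```shell
# Added example, not from the NST wiki page: find the SAM hive(s) under a
# mounted Windows volume whatever the directory-name case (WINDOWS/system32
# on XP, Windows/System32 plus a RegBack copy on Windows 7) and run chntpw's
# read-only listing on each. Function names are this example's own.

# Print every file named SAM (case-insensitive) inside a registry config
# directory below the mount point, one path per line, sorted.
find_sam_hives() {
    root="$1"
    # -iname wants the exact name SAM, so a decoy such as Users/x/SAM.txt is
    # not matched; -ipath restricts hits to .../config/... directories.
    find "$root" -type f -iname SAM -ipath '*/config/*' | sort
}

# Run chntpw -l (list only, nothing is written) against each hive found.
list_offline_accounts() {
    root="$1"
    if ! command -v chntpw >/dev/null 2>&1; then
        echo "chntpw is not installed" >&2
        return 2
    fi
    find_sam_hives "$root" | while read -r hive; do
        echo "== $hive"
        chntpw -l "$hive"
    done
}

# Usage: mount the volume read-only first so that listing cannot alter it,
# then pass the mount point:
#   mount -o ro /dev/sda1 /mnt/win && sh list_sam.sh /mnt/win
if [ $# -eq 1 ]; then
    list_offline_accounts "$1"
fi
```

Mounting with -o ro for the listing step is the safest way to inventory accounts on a disk you are examining; only remount read-write for the actual chntpw -u edit, and umount afterwards as the page says.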

How Do I Erase A Partition or Entire Disk?

Maybe this topic shouldn't be under the area of recovery, as it's more of an anti-recovery issue. However, if you are getting ready to discard or give away an old hard disk, it's a good idea to clear its contents. There are several ways in which you can do this:

  • You can use the wipe or scrub command line utility to thoroughly erase the data on the hard disk. However, this takes a VERY long time.
  • You can cat from /dev/zero to the hard disk or partition which you want to erase. This is a very quick way to erase the contents of the disk. However, there are those that believe that if one had the right equipment, it might be possible to recover data from a "zeroed" disk by looking at "lingering" magnetic charges left on the media.
  • You can cat from /dev/urandom to the hard disk or partition which you want to erase. This takes significantly longer than using /dev/zero.

Whichever method you choose, remember to allow plenty of time, as even the quickest method may take a minute or more per GB of disk. Also, external hard disks tend to take significantly longer to clear than internal hard disks. If you are able to remove an external hard disk from its enclosure and mount it internally in a system, you may speed up the process significantly.

The following examples demonstrate how one might erase the entire contents of the hard disk mapped to /dev/sda.

Warning: DO NOT run any of the commands shown below if you have any important data left on your hard drive. These commands clear everything (including your partition tables).

The following provides some examples of erasing a very old 16 MB (notice MB, not GB) SD flash card which appears to the system as disk /dev/sdb. The time command was used to show how long each method took; while it's not a good measurement of the times to expect on your system (this SD card was not the fastest), it does give an idea of the relative time difference between the methods.

Information about /dev/sdb:

[root@cayenne ~]# fdisk -l /dev/sdb

Disk /dev/sdb: 16 MB, 16056320 bytes
2 heads, 32 sectors/track, 490 cylinders
Units = cylinders of 64 * 512 = 32768 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         490       15651+   1  FAT12
[root@cayenne ~]# 

Using the wipe command:

[root@probe ~]# time (wipe /dev/sdb; sync)
Okay to WIPE 1 special file ? (Yes/No) Yes
Operation finished.                                                           
1 file wiped and 0 special files ignored in 0 directories, 0 symlinks removed but not followed, 0 errors occured.

real	14m1.267s
user	0m4.052s
sys	0m5.269s
[root@probe ~]# 

Using the scrub command:

[root@probe ~]# time (scrub /dev/sdb; sync)
scrub: using NNSA NAP-14.x patterns
scrub: please verify that device size below is correct!
scrub: scrubbing /dev/sdb 16056320 bytes (~15MB)
scrub: random  |................................................|
scrub: random  |................................................|
scrub: 0x00    |................................................|
scrub: verify  |................................................|

real	1m22.839s
user	0m1.564s
sys	0m0.413s
[root@probe ~]# 

Copying /dev/urandom to disk method:

[root@probe ~]# time (cat < /dev/urandom > /dev/sdb; sync)
cat: write error: No space left on device

real	0m33.885s
user	0m0.001s
sys	0m9.500s
[root@probe ~]#

Copying /dev/zero to disk method:

[root@probe ~]# time cat < /dev/zero > /dev/sdb
cat: write error: No space left on device

real	0m23.168s
user	0m0.001s
sys	0m0.154s
[root@probe ~]#
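Of the four methods above, only scrub performs a verify pass. The /dev/zero method is the quickest, but nothing confirms the write reached the whole device (note that cat stops with "No space left on device" rather than a success message). The script below is an added example, not from the NST wiki or any of the tools it mentions: it reads the device back and checks that every byte is 0x00. The function names are this example's own; it works on a regular image file as well as a Linux block device.

```shell
# Added example, not from the NST wiki page: after zeroing a disk with
# cat < /dev/zero > /dev/sdX, read the device back and confirm every byte is
# 0x00, the same kind of verify pass that scrub prints above. Works on a
# regular image file as well as a block device; function names are this
# example's own.

# Byte length of a block device (Linux) or a regular file.
device_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Return 0 if the whole device reads back as zeros; otherwise cmp reports the
# offset of the first non-zero byte and the function returns non-zero.
verify_zeroed() {
    dev="$1"
    size=$(device_size "$dev")
    # Stream exactly $size zero bytes and compare them byte-for-byte with the
    # device contents.
    head -c "$size" /dev/zero | cmp - "$dev"
}

# Usage: sh verify_zeroed.sh /dev/sdb   (or an image file) after the wipe.
if [ $# -eq 1 ]; then
    if verify_zeroed "$1"; then
        echo "$1: all $(device_size "$1") bytes are zero"
    else
        echo "$1: NOT fully zeroed" >&2
        exit 1
    fi
fi
```

Reading the whole device back takes about as long as a sequential read of the disk, which is still cheaper than a second write pass, and it catches the case where a write stopped early on an error.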