GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/pxesploit/regeditor/README.txt

The Offline NT Password Editor

(c) 1997-2010 Petter Nordahl-Hagen

This is free software, licensed under the following:

"ntreg" (the registry library) is licensed under the GNU Lesser General
Public License. See LGPL.txt.

"chntpw" (the password reset / registry editor frontend) is licensed
under the GNU General Public License, see GPL.txt.

"reged" (registry editor / export tool) is licensed
under the GNU General Public License, see GPL.txt.

See INSTALL.txt for compile/installation instructions.

Where to get more info:
-----------------------

http://pogostick.net/~pnh/ntpasswd/

That site also offers a floppy image and a bootable CD that use chntpw to
access the NT/2k/XP/Vista system they are booted on and edit passwords etc.
The instructions below are for the standalone program itself, not the floppy.

What does chntpw do?
--------------------

This little program lets you view some information about the accounts in,
and change user passwords in, a Windows NT SAM user database file.
You do not need to know the old passwords.
However, you need to get at the file some way or another yourself.
In addition it contains a simple registry editor with full write support,
and a hex editor which lets you fiddle around with bits & bytes in the
file as you wish.

Why?
----

I often forget passwords. Especially on test installations (that
I just _must_ have some stuff out of half a year later..)
On most unix-based boxes you just boot the thingy off some kind
of rescue boot media (cd/floppy etc) and simply edit the
password file.
On Windows NT however, as far as I know, there is no way except reinstalling
the user database, losing all users except admin.
(ok, some companies let you pay lotsa $$$$$ for some rescue service..)

How?
----

Currently, this thing only runs under Linux, but it may just happen
to compile on other platforms, too.
(there are DOS versions available, look for links on my webpage)
So, to set a new admin password on your NT installation you either:
1) Take the hard drive and mount it on a Linux box, or
2) Use a Linux boot disk or CD;
   one is available at: http://pogostick.net/~pnh/ntpasswd/
i.e. you do it offline, with the NT system down. The hives are locked and
in use while Windows runs, so editing them on a live system is not an option.

Usage:
------

This is usage of the "chntpw" program binary only.
For info on the bootdisk, see the web site.
Some of the output format has changed a little since the docs were
first written.

chntpw version 0.99.2 040105, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username to change, Administrator is default
 -l          list all users in SAM file
 -i          Interactive. List users (as -l) then ask for username to change
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor),
 -t          Trace. Show hexdump of structs/segments. (deprecated debug function)
 -v          Be a little more verbose (for debugging)
 -L          Write names of changed files to /tmp/changed
 -N          No allocation mode. Only (old style) same length overwrites possible

Normal usage is:

> chntpw sam system security
- open the registry hives 'sam', 'system' and 'security' and change the
  administrator account.
Versions dated February 1999 and later will also find the admin account
even if it has been renamed, or the name has been localized (different
language versions of NT use different admin names): the account is
located by its RID (500 = 0x1f4), not by its name.

The -u option:
Specifies the user to change:

> chntpw -u jabbathehutt mysam
- Prompt for a new password for 'jabbathehutt', if found (otherwise do nothing)

Or you may give the RID number in hex:
> chntpw -u 0x1f4 mysam
- Will edit administrator (RID 500).

Names do not support multibyte (unicode) characters like those used in
some Russian and Asian locales. Give the RID in hex to edit users
with such names. It must start with 0x. Ex: 0x2fa

The -l option:
Will list all users in the SAM file.

The -i option:
Go into the interactive menu system.

The -d option:
This will load the file, and then immediately enter the
buffer debugger.
This is a simple hex editor with only a few commands;
enter ? at the . prompt to see a short command overview.
'q' exits without saving, 's' exits and saves.

The -e option:
Will enter the registry editor.
You can navigate the registry like a filesystem at the command-line prompt.
See the regedit.txt file for more info.

The -t option:
This is a debug function (extended -l) to show how it traces the chain
of structs in the file. This also includes a raw interpretation
of the different registry structures + a hex dump.

The -L option:
Drops the filenames of the changed hives in /tmp/changed.
Used by the bootdisk scripts.

The -N option:
Will fall back to the old edit mode: disable block allocation
and only support same-size overwrites. Used to ensure safety
during the testing period.

How does it work:
-----------------

A struct, called the V value of a key in the NT registry,
was suddenly somewhat documented through the pwdump utility
included in the unix Samba distribution.
This struct contains some info on a user of the NT machine,
along with two hashed versions of the password associated
with the account.

One is the NT hash used for console logon,
the other the LANMAN hash used for network share access
(which is essentially derived from the same password in uppercase only,
and without unicode).

This is how NT stores the passwords:

The logon cleartext password a user enters is:
1) Converted to unicode (UTF-16LE)
2) An MD4 hash (16 bytes) is made of the unicode string
3) Then the hash is encrypted with DES, using the RID (the lower
   part of the SID, the user id) to derive the keys: each 8-byte half
   of the hash is DES-encrypted under its own 7-byte key built from
   the RID bytes.
   This is the so-called "obfuscation" step, so
   it's not obvious on a hex dump of the file
   that two or more users have the same password.
4) The result of stage 3 (16 bytes) is put into the V struct.

For the LANMAN password:
1) Uppercased (and converted to the OEM character set),
   14 bytes max; if shorter, the remaining bytes are zeroed.
2) A known (constant) string is DES-encrypted
   using the first 7 characters of the password as the key.
   The same constant is encrypted again using the last 7 chars
   as the key.
   The results of these two encryptions are simply appended,
   resulting in a 16-byte string.
3) The same obfuscation DES stage as 3 above.
4) The 16-byte result is put into the V struct.

Since the number of possible combinations in the LANMAN
password is relatively low compared to the other one (no case,
and each 7-character half can be attacked on its own),
and it's easy to see if it's shorter than 8 chars or not
(the second half is then the constant encrypted under the all-zero key,
AAD3B435B51404EE, identical for every such account),
it's used first in brute-force crackers.

This program, however, doesn't care at all what the old
hash is; it just overwrites it with the new one.
186
187
Ok. So, how do we find and identify the V struct?
188
Yeah.. that was the hard part.. The files structure
189
is not documented (as far as I know..)
190
191
But, with help from an unnamed German, and a lot of testing
192
and guesswork from myself, it's now possible to follow
193
the actual registry tree. (see source code for struct-defines
194
and comments on the registry structure)
195
196
The usernames are listed in:
197
\SAM\Domains\Account\Users\Names\
198
199
[2d18] \SAM\Domains\Account\Users\Names> l
200
ls of node at offset 0x2d1c
201
Node has 4 subkeys and 1 values
202
nk-offset name
203
0x003290 - <Administrator>
204
0x003630 - <Guest>
205
0x001c88 - <luser>
206
0x003428 - <pnh>
207
208
Each name is a subkey, with one namless value containing
209
the RID.
210
211
[2d18] \SAM\Domains\Account\Users\Names> cd pnh
212
213
[3428] \SAM\Domains\Account\Users\Names\pnh> l
214
ls of node at offset 0x342c
215
Node has 0 subkeys and 1 values
216
vk-offs size type name
217
0x003688 0 (unknown) <> INLINE: val (in type field?): 1000 (0x3e8)
218
219
To get the userinfo (V struct), access
220
\SAM\Domains\Account\Users\<RID>\V
221
222
[2c90] \SAM\Domains\Account\Users> l
223
ls of node at offset 0x2c94
224
Node has 5 subkeys and 1 values
225
nk-offset name
226
0x003320 - <000001F4>
227
0x0036b8 - <000001F5>
228
0x003550 - <000003E8>
229
0x001d00 - <000003E9>
230
0x002d18 - <Names>
231
232
[2c90] \SAM\Domains\Account\Users> cd 000003E8
233
234
[3550] \SAM\Domains\Account\Users\000003E8> l
235
ls of node at offset 0x3554
236
Node has 0 subkeys and 2 values
237
vk-offs size type name
238
0x0035a8 80 REG_BINARY <F>
239
0x003228 508 REG_BINARY <V>
240
241
For more techincal info, look it up in the source code.
242
243