
Administrator password lost? How to crack Windows NT!

Aug 10 '00

I admit it upfront: this article shows how to break into a Windows NT computer and, if you
are on the other side, gives some advice on how to protect your system better.

There are a number of scenarios where one needs the administrator's password:

(A) You are a legitimate user of the computer and need admin access, but the only person who
knows the password is on vacation. Silly, yeah.

(B) It's your computer at home; you installed Windows NT long ago and have used it as a
regular user since then. Now you cannot recall the password. This happened to me.

(C) You are not a legitimate user of the computer and want to do or access stuff that is not for
your eyes. Well, I cannot help it; such people will benefit from this article too.

First some introductory information. Windows NT - from now on NT - came out in the late
'80s and brought the file system NTFS (New Technology File System). NTFS is superior to
the file systems of MS-DOS, Win 95 and Win 98. Most relevant for this article is that you can
grant access rights, typically at directory level: certain folders may be accessible only to
certain users.
The administrator can access all folders, and running some programs requires admin
rights, which makes the admin account very important.

So there you are, in front of that NT box with an NTFS partition/hard disk, and you want that
admin password and don't know it. Here's my toolbox of dirty tricks:

1) The official way - I guess this is what Microsoft would answer:

"Reinstall Windows NT"

Takes a minimum of 30 minutes. Guaranteed to work, but you lose your settings; fully
restoring them would take days.
Also, if you are in situation (C), this is not an option: you can hardly hide a reinstallation of
the operating system.

2) A quickie for read access: NTFSDOS.EXE

This is a nice little tool that I have used since it came out in 1996. It's FREE and I love it! To use it,
you need an MS-DOS boot floppy. Go to a Win98 computer, which carries DOS 7.0 - this version
supports long file names. At the DOS prompt create a bootable floppy with
format a: /s
Get NTFSDOS.EXE from http://www.sysinternals.com and put the 40 kB EXE file on
the boot floppy.
Then have the NT computer boot from that floppy (you might need to change the BIOS to
make it boot from floppy instead of from the hard disk right away).
After booting, you'll be at the DOS prompt. Run the program NTFSDOS and it will mount all
NTFS partitions that it can find.
This is supposed to work even for the latest version, NTFS5. I have only NTFS4 on my
computers, so I cannot verify this.

You can now read any file and execute any console program, e.g. copy stuff over to your
floppy disk or to a network drive, but you have no write access. And of course you still won't
learn the admin password, which is stored encrypted.

Such a tool simply bypasses the security that the operating system enforces.

3) Read & write access with "NTFSDOS Pro" ($149) or better "ERD Commander" ($250 - $325)

Available at http://www.winternals.com/
Works basically like NTFSDOS as described in 2), but you get write access. ERD 'pro' can
replace the unknown admin password with a new one.

So here's a way to, well... get the desired admin access; it just costs $300 and the original
password is replaced.

4) L0phtcrack from http://www.l0pht.com/l0phtcrack/

Why pay when there are promising ways for free?


L0pht is a famous team of hackers and their tools have won many awards.
A nice quote from their site:

"That vulnerability is completely theoretical." -- Microsoft

L0pht, making the theoretical practical since 1992.

This tool works over the network and uses a combination of different attacks. Visit the site to
find out for yourself how powerful this cracking tool is.
My own password was a 12-letter combination of two German words, all lower case. It
was cracked. The final attack, a brute-force attack, was estimated to last at most 13 hours, but
the tool found the admin password after only 4 hours. This was on a Pentium III, 600 MHz,
by the way.

5) Dirty trick - slip the system a command prompt!

This one gives you full read/write access and admin access. It no longer works on Windows
2000.
So, you sit and stare at the login prompt for a while, and the screen saver will come up. Here
comes our attack: we replace the screensaver with a different program, one that will not ask for
a password.
Usually you can log in with a guest or regular user account. Do that, go to the
directory \Windows\System32 and replace the logon screensaver with the command
prompt:

cd \Windows\System32
ren logon.scr login.bak
copy cmd.exe logon.scr

To save time, you might want to change the time-out in the registry from 900 seconds to
something shorter, but that goes too far for an epinion (search under
\HKEY_USERS\DEFAULT).

Then reboot and just wait for the screensaver to come up. It will be the command prompt,
and you'll have access to the computer. Full access! You can run the User Manager, create a
new account and give it admin privileges, or just change the admin password...

Also don't forget to restore the original screen saver.

Advice for administrators who want to protect their computers:

* Put a password on your BIOS and disable booting from floppy or CD-ROM. This rules out
NTFSDOS and Co.

* Maybe even physically lock your computer so that the hard disk cannot be removed and put
into a different computer where the attacker can boot from floppy disk.

* Download L0phtCrack from www.l0pht.com and find out how good your password is. You
will be surprised.
Use strong passwords!
Use Microsoft's syskey tool (comes with Service Pack 6) and see the documentation at
http://support.microsoft.com/support/kb/articles/q143/4/75.asp
http://support.microsoft.com/support/kb/articles/q248/1/83.asp

* I don't know how to protect your machine against the last attack. It obviously only requires
a working regular account.
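As an added defensive check, not part of the original article: the screensaver swap from 5) leaves a recognisable trace on disk, namely a logon.scr that is byte-identical to cmd.exe, differs from the install-time copy, or sits next to a stray login.bak. The Python script below (my own code; function names are assumed, and constructed sample files in a temporary directory stand in for \Windows\System32) looks for exactly those traces, so an administrator can run it against a real System32 with a baseline hash recorded on a known-good machine.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_logon_scr(system32, baseline_digest):
    """Inspect the logon screensaver in a System32 directory.
    baseline_digest: SHA-256 of logon.scr recorded on a known-good system.
    Returns a list of findings; an empty list means nothing suspicious."""
    findings = []
    scr = os.path.join(system32, "logon.scr")
    cmd = os.path.join(system32, "cmd.exe")
    if not os.path.isfile(scr):
        return ["logon.scr is missing"]
    scr_digest = sha256_file(scr)
    if scr_digest != baseline_digest:
        findings.append("logon.scr differs from the known-good baseline")
    # 'copy cmd.exe logon.scr' yields identical bytes, hence an identical hash
    if os.path.isfile(cmd) and sha256_file(cmd) == scr_digest:
        findings.append("logon.scr is byte-identical to cmd.exe")
    # 'ren logon.scr login.bak' leaves the renamed original lying around
    if os.path.isfile(os.path.join(system32, "login.bak")):
        findings.append("stray login.bak present next to logon.scr")
    return findings

def demo():
    """Run the check on a constructed stand-in for System32: first clean,
    then after the swap from section 5). Returns (clean, tampered)."""
    with tempfile.TemporaryDirectory() as d:
        scr, cmd = os.path.join(d, "logon.scr"), os.path.join(d, "cmd.exe")
        with open(scr, "wb") as f:
            f.write(b"constructed genuine screensaver bytes")
        with open(cmd, "wb") as f:
            f.write(b"constructed command interpreter bytes")
        baseline = sha256_file(scr)                   # taken at install time
        clean = check_logon_scr(d, baseline)
        os.rename(scr, os.path.join(d, "login.bak"))  # ren logon.scr login.bak
        shutil.copyfile(cmd, scr)                     # copy cmd.exe logon.scr
        tampered = check_logon_scr(d, baseline)
    return clean, tampered
```

On a real machine, record the baseline hash once from a trusted install and run check_logon_scr against the live System32 directory at boot or from a scheduled job; any non-empty result is worth a look.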

Finally a note to Linux fans. Bypassing the OS with a boot floppy is a threat independent of
Windows. I bet there are or
