Puppy Linux Discussion Forum
A PET to crack XP passwords
Sit Heel Speak
Joined: 30 Mar 2006
Posts: 2595
Location: downwind

Posted: Sat 27 Aug 2011, 22:53    Post subject: A PET to crack XP passwords
Subject description: Offline Windows Password & Registry Editor, modified for Puppy

(created and used successfully in the Puppy Studio 3.3-vanilla version of Lucid Puppy 5.20; it should work in any Lucid Puppy with kernel 2.6.33.2 or newer, and maybe in other Puppies)

Hi y'all,

At a yard sale the other day, about 75 miles from home, I found a nice desktop computer at an irresistible price. But, when I took it to a nearby friend's house, after replacing a dead power supply fan and renewing the thermal compound on the CPU, I was confronted with the roadblock shown in the photo below, a demand for an XP password (the seller, the former owner's father, did not know the password and the former owner is now a missionary in Brazil, unavailable):



So, since I wanted to be able to dual-boot Puppy and XP, the challenge was to find a way to crack that password. The subject has been covered before on this forum at

http://www.murga-linux.com/puppy/viewtopic.php?p=145995
but this solution requires you to have the XP install CD, and at

http://www.murga-linux.com/puppy/viewtopic.php?t=24751
but this solution requires OphCrack, about which see below.

A little Google'ing found this website, which lists seven free XP password crackers available as ISO bootable-CD images.

First I tried OphCrack. OphCrack requires you to download one or more hash tables, from here. The smallest OphCrack hash table for XP is 380 MB in size, and that one alone did not succeed in cracking the password, and I did not care to download further, even larger hash tables. For a truly fiendish XP password it is possible for OphCrack to require up to 16 GB in downloaded hash files. Toooooo much. So...adios, OphCrack.

Second I tried Kon-Boot. Kon-Boot comes with a large set of drivers to cover every possible hard disk controller. But when I selected the driver for this computer's (sata-nv) controller, I was thrown into an endless loop. Eventually I managed to hack the Kon-Boot script to force the disk controller driver to load and get out of the loop, but then I received an error message to the effect that this driver's header is in an incorrect format. So, adios Kon-Boot.

Third I tried Offline Windows Password & Registry Editor. With a modest amount of editing of three of its scripts, I was able to get OWP&RE to do the job of deleting the passwords and resetting the "disabled/locked" flags on the two vital accounts, Administrator and the user whose name is shown in the above screen photo. Woo-hoo, success; I was at long last able to log onto XP, become Administrator, and create an account with a username more to my liking.

I have decided to share the fruits of my labors with the Puppy community. *Usual disclaimer warnings*:

1. It worked on mine but it may not work on yours; and, I *think* I packaged all the necessary files in this PET...

2. In making my edits I *assumed* that XP resides on an NTFS partition;

3. I *also assumed* that the NTFS partition with XP on it is already mounted. I accomplished this by simply using Puppy Universal Installer to install the Puppy I had onto sda1, and then I booted into that frugal install, and shut down and created a savefile, then I rebooted into the Puppy (which now automatically mounts the NTFS XP partition as /initrd/mnt/dev_save) and then ran the modified OWP&RE.

4. I do not know what will happen if you try it on a non-NTFS XP install.

5. I do not know what will happen if you try it on an NTFS partition on which a frugal install of Puppy does not reside (whether you mount the partition first or not).

6. OWP&RE *claims* to be able to work with Vista but I have not tried this.

I take no responsibility for anything bad that happens. What. So. Ever.

What's in this PET:

The PET package attached provides a new subdirectory, /scripts, which contains the OWP&RE scripts. I edited the three scripts disk.sh, path.sh, and write.sh to eliminate a silly "verify that this *really is* an NTFS partition" check, which requires a binary executable Puppy does not provide (ntfs-3g.probe), and to bring OWP&RE's disk-and-subdirectory naming conventions into accord with Puppy's. If you want to examine my edits, you can compare /scripts/disk.sh with disk.sh-original and search the three scripts disk.sh, path.sh and write.sh for comments including the string "by SHS".

This PET also adds into Puppy the following three files:

1. In /usr/bin:
-- cpnt (writes contents of memory to a file in an NTFS partition)
-- chntpw (utility for resetting or blanking local NT/XP/Vista passwords)

The above two executables are from SystemRescueCd version x86-1.6.3.

2. In /usr/lib:
-- libntfs-3g.so.80, a symlink to the library /usr/lib/libntfs.so.10.0.0. If your Puppy has a different version of libntfs.so.n.n.n then you must make the symlink point to that.

How to use this PET to overcome an unknown XP password:

1. Create a frugal install of Lucid Puppy 5.20 or newer on the XP partition, using Puppy Universal Installer (and Grub4DOS Bootloader Config if Grub is not already installed).

2. Reboot into this new Puppy install, shut down, create a savefile.

3. Reboot again into the new Puppy install. Install the attached PET.

NOTE: If the Windows subdirectory system32/config resides somewhere other than in /initrd/mnt/dev_save/WINDOWS then you will need to edit the "DSK=" lines in path.sh and write.sh; case matters. If the WINDOWS subdirectory shows as "windows" then you will need to edit the defroots= and defpath= lines in path.sh.

4. Open a console (rxvt or what-have-you) window and issue:

Code:
cd /scripts
./main.sh


...and then choose in accordance with what you see in this scroll-buffer capture of what I did next (I attempted to color my responses in purple and bold but the forum doesn't allow it):

Code:
# [b][color=purple]cd /scripts[/color][/b]
# [b][color=purple]./main.sh[/color][/b]

=========================================================
There are several steps to go through:
- Disk select with optional loading of disk drivers
- PATH select, where are the Windows systems files stored
- File-select, what parts of registry we need
- Then finally the password change or registry edit itself
- If changes were made, write them back to disk

DON'T PANIC! Usually the defaults are OK, just press enter
             all the way through the questions

=========================================================
¤ Step ONE: Select disk where the Windows installation is
=========================================================
/scripts/diskscan.sh: line 7: mdev: command not found

Disks:
Disk /dev/sda: 250.0 GB, 250059350016 bytes
Disk /dev/sdb: 2000.3 GB, 2000398934016 bytes

Candidate Windows partitions found:
 1 :            /dev/sda1  238472MB BOOT

Please select partition by number or
 q = quit
 d = automatically start disk drivers
 m = manually select disk drivers to load
 f = fetch additional drivers from floppy / usb
 a = show all partitions found
 l = show propbable Windows (NTFS) partitions only
Select: [1] [b][color=purple](NOTE: I simply pressed Enter here two times.  I found that simply pressing Enter once, or pressing 1 once, didn't work.  Dunno why.  But entering either the candidate Windows partition number or pressing Enter twice, works.) [/color][/b]

Please select partition by number or
 q = quit
 d = automatically start disk drivers
 m = manually select disk drivers to load
 f = fetch additional drivers from floppy / usb
 a = show all partitions found
 l = show propbable Windows (NTFS) partitions only
Select: [1]

Please select partition by number or
 q = quit
 d = automatically start disk drivers
 m = manually select disk drivers to load
 f = fetch additional drivers from floppy / usb
 a = show all partitions found
 l = show propbable Windows (NTFS) partitions only
Select: [1][b][color=purple]q[/color][/b]

=========================================================
¤ Step TWO: Select PATH and registry files
=========================================================
DEBUG path: WINDOWS found as WINDOWS
DEBUG path: system32 found as system32
DEBUG path: config found as config
DEBUG path: found correct case to be: WINDOWS/system32/config

What is the path to the registry directory? (relative to windows disk)
[WINDOWS/system32/config] :
DEBUG path: WINDOWS found as WINDOWS
DEBUG path: system32 found as system32
DEBUG path: config found as config
DEBUG path: found correct case to be: WINDOWS/system32/config

total 25208
-rwxrwxrwx 1 root root   262144 2011-08-28 07:56 default
-rwxrwxrwx 1 root root   262144 2011-08-28 07:56 SAM
-rwxrwxrwx 1 root root   262144 2011-08-28 07:56 SECURITY
-rwxrwxrwx 1 root root 17563648 2011-08-28 07:56 software
-rwxrwxrwx 1 root root  4718592 2011-08-28 07:56 system
drwxrwxrwx 1 root root     4096 2006-05-05 06:24 systemprofile
-rwxrwxrwx 1 root root   262144 2006-05-02 22:35 userdiff

Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] : [b][color=purple]1[/color][/b]
Selected files: sam system security
Copying sam system security to /tmp

=========================================================
¤ Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 242/19568 blocks/bytes, unused: 7/4816 blocks/bytes.

Hive <system> name (from header): <SYSTEM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
Page at 0x463000 is not 'hbin', assuming file contains garbage at end
File size 4718592 [480000] bytes, containing 1016 pages (+ 1 headerpage)
Used for data: 85881/4512688 blocks/bytes, unused: 1703/50512 blocks/bytes.

Hive <SECURITY> name (from header): <emRoot\System32\Config\SECURITY>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0xc000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 11 pages (+ 1 headerpage)
Used for data: 920/41808 blocks/bytes, unused: 6/2896 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0


<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM> <system> <SECURITY>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> [b][color=purple]1[/color][/b]


===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ec | ASPNET                         |        | dis/lock |
| 03eb | Gabe                           | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03ea | SUPPORT_388945a0               |        | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] [b][color=purple](I pressed Enter)[/color][/b]

RID     : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 43, while max tries is: 0
Total  login count: 0

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] >[b][color=purple]4[/color][/b]
Unlocked!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] [b][color=purple](NOTE: I pressed Enter)[/color][/b]

RID     : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 0

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] > [b][color=purple]1[/color][/b]
Password cleared!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] [b][color=purple]. (NOTE: I pressed period (.), Enter)[/color][/b]

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | *BLANK*  |
| 03ec | ASPNET                         |        | dis/lock |
| 03eb | Gabe                           | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03ea | SUPPORT_388945a0               |        | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] [b][color=purple]Gabe[/color][/b]

RID     : 1003 [03eb]
Username: Gabe
fullname: gaben
comment :
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 1, while max tries is: 0
Total  login count: 93

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > [b][color=purple]4[/color][/b]
Unlocked!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] [b][color=purple]Gabe[/color][/b]

RID     : 1003 [03eb]
Username: Gabe
fullname: gaben
comment :
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 93

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] > [b][color=purple]1[/color][/b]
Password cleared!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] [b][color=purple]. [/color][/b]

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | *BLANK*  |
| 03ec | ASPNET                         |        | dis/lock |
| 03eb | Gabe                           | ADMIN  | *BLANK*  |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03ea | SUPPORT_388945a0               |        | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] [b][color=purple]![/color][/b]


<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM> <system> <SECURITY>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] ->[b][color=purple]q[/color][/b]

Hives that have changed:
 #  Name
 0  <SAM> - OK

=========================================================
¤ Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : [b][color=purple]y[/color][/b]
cat: /tmp/fs: No such file or directory
cat: /tmp/disk: No such file or directory
Writing  SAM

***** EDIT COMPLETE *****

You can try again if it somehow failed, or you selected wrong
New run? [n] :[b][color=purple] n[/color][/b]
=========================================================

* end of scripts.. returning to the shell..
* Press CTRL-ALT-DEL to reboot now (remove floppy first)
* or do whatever you want from the shell..
* However, if you mount something, remember to umount before reboot
* You may also restart the script procedure with 'sh /scripts/main.sh'

#


Here is the successful end result:



Disclaimer: I am by no means an expert in the XP password cracking arena, so don't expect me to provide tech support. This is the result of much trial-and-error and what I consider to be a series of lucky guesses. If it doesn't work for you, try posting a detailed description of what you did, but *it's likely I won't help you*, as my time these days is very limited. Et cetera et cetera et cetera. However, maybe someone more versed in the subject will happen along.

I wish you the best of luck with it,

Now go forth and multiply those dual-booting XP+Puppy machines...

SHS
Attachment: XP_password_cracker_SHS-0.0.1.pet
Description: XP password cracker based on Offline Windows Password and Registry Editor
Filename: XP_password_cracker_SHS-0.0.1.pet
Filesize: 37.13 KB
Downloaded: 554 Time(s)

Last edited by Sit Heel Speak on Mon 29 Aug 2011, 10:51; edited 1 time in total
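The two places this recipe trips people up are the NOTE under step 3 (the registry directory must be found with the case it actually has on disk, which is what path.sh's "found correct case to be:" lines are doing) and the libntfs-3g.so.80 symlink under "What's in this PET". The POSIX sh script below is an added example written for this thread; it is not part of the PET, of OWP&RE, or of chntpw. It only checks that the pieces the post relies on are in place before main.sh is run: it resolves a Windows-style path component by component without regard to case, confirms the sam, system and security hives exist, and confirms the symlink points at a file that exists. The function names, the preflight.sh filename and the sample arguments are my own; the mount point /initrd/mnt/dev_save, the default registry path and the symlink name are taken from the post.

```shell
#!/bin/sh
# Preflight checks for the OWP&RE/chntpw workflow described in this thread.
# Added illustration; not part of the PET or of the original scripts.
# Assumptions (mine): the XP partition is already mounted (the thread uses
# /initrd/mnt/dev_save) and the PET's library symlink is named
# libntfs-3g.so.80, as the post states.

# lower: fold a string to lower case. Windows paths are case-insensitive;
# the same NTFS volume mounted under Linux is not.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# resolve_ci MOUNT REL: walk REL ('/'-separated, relative to MOUNT) one
# component at a time, matching each against the directory listing without
# regard to case. Prints the path with its real on-disk case; returns 1 if
# any component is missing. An exact-case entry wins over a case-folded one.
resolve_ci() {
    cur=$1
    rel=$2
    oldifs=$IFS; IFS=/; set -- $rel; IFS=$oldifs
    for want in "$@"; do
        [ -z "$want" ] && continue
        lwant=$(lower "$want")
        match=""
        for entry in "$cur"/*; do
            [ -e "$entry" ] || continue          # unmatched glob or empty dir
            name=${entry##*/}
            if [ "$(lower "$name")" = "$lwant" ]; then
                match=$name
                [ "$name" = "$want" ] && break
            fi
        done
        if [ -z "$match" ]; then
            printf 'component "%s" not found below %s\n' "$want" "$cur" >&2
            return 1
        fi
        cur=$cur/$match
    done
    printf '%s\n' "$cur"
}

# check_hives CONFIGDIR: confirm the three hives that chntpw's
# "Password reset" choice loads (sam system security) exist, whatever
# their on-disk case.
check_hives() {
    for h in sam system security; do
        resolve_ci "$1" "$h" >/dev/null || return 1
    done
    return 0
}

# check_libntfs_link LIBDIR: the PET's libntfs-3g.so.80 is a symlink to a
# versioned libntfs.so.N.N.N; verify the link exists and so does its target.
# Prints the resolved target on success.
check_libntfs_link() {
    libdir=${1:-/usr/lib}
    link=$libdir/libntfs-3g.so.80
    [ -L "$link" ] || { echo "$link is not a symlink" >&2; return 1; }
    target=$(readlink "$link")
    case $target in /*) ;; *) target=$libdir/$target ;; esac
    [ -e "$target" ] || { echo "$link points at missing $target" >&2; return 1; }
    printf '%s\n' "$target"
}

# Usage: sh preflight.sh /initrd/mnt/dev_save [WINDOWS/system32/config]
if [ $# -ge 1 ]; then
    cfg=$(resolve_ci "$1" "${2:-WINDOWS/system32/config}") || exit 1
    echo "registry directory: $cfg"
    check_hives "$cfg" && echo "sam/system/security present"
    check_libntfs_link /usr/lib
fi
```

If resolve_ci reports the directory as something other than WINDOWS/system32/config (for example windows/system32/config), that printed value is what the DSK=, defroots= and defpath= lines in path.sh and write.sh need to carry; if check_libntfs_link complains, the symlink has to be repointed at whichever libntfs.so.N.N.N the running Puppy actually ships.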
8-bit
Joined: 03 Apr 2007
Posts: 3357
Location: Oregon

Posted: Sun 28 Aug 2011, 05:28

It just so happens I have a Toshiba laptop with Win XP, a recovery partition, and an ext2 partition with Puppy.
So even though I know the Password for XP, I may try your offering with a little editing of the scripts.
I did save your complete instructions in a text file for reference also.

I will let you know how it goes.
And if I lose XP in the process on that 10 year old laptop, I will not feel bad as I have all the restore CDs and the darn thing most likely needs a restore to get some of its speed back.

With XP on the PC you got, all you have to do to make it move like a snail is to let MS do its updates to XP.
The more updates, the slower it runs.
aarf
Joined: 30 Aug 2007
Posts: 3620
Location: around the bend

Posted: Sun 28 Aug 2011, 06:43

last I was in brasil they had Internet there and as far as I know missionaries were not banned from using it. (is your new irresistibly priced laptop hot when you touch it? Laughing)

edit: sorry, desktop computer.


Last edited by aarf on Sun 28 Aug 2011, 07:45; edited 1 time in total
8-bit
Joined: 03 Apr 2007
Posts: 3357
Location: Oregon

Posted: Sun 28 Aug 2011, 06:54

In my case, the 900+ dollars I paid for mine back then when I needed a laptop and had a business, was worth it.
Now, it is not worth much at all.

And I have also on occasion purchased PCs and got them home to find the OS was password protected.

With a laptop though, if you, say, shine it and try reinstalling XP for instance, you may wipe out drivers that are specific to that laptop.
I have been that route and had one h*ll of a time tracking down the drivers I wiped out.