Stop Microsoft
All Things Microsoft => Microsoft Software => Topic started by: robzilla on 1 February 2002, 19:07
-
My brother had a couple (4) of disks that he could use so he could get into a cmd before his Win2k booted up. It let him do just about anything, and I was wondering if anyone knew where I could download the files of these, if anyone else knows anything about them. I would really appreciate it... Even though there probably is some loop-hole in 2k to do it anyways. ;)
If anyone knows ANYTHING please leave a reply...
-
This is the disk we use in Internet Security class for altering the SAM file... i.e. changing passwords.
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
-
quote:
Originally posted by dbl221:
This is the disk we use in Internet Security class for altering the SAM file... i.e. changing passwords.
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
Hey, that is one slick disk!! Thanks! I haven't actually run it from floppy yet as is intended, but I did mount the floppy disk image directly and copied the initrd.gz file out of it, then extracted/mounted initrd. Then I copied the "chntpwd" program out of it into my ~/bin directory so I could test it out directly without booting the floppy. Copied my /c/winnt/system32/sam file to /tmp and ran the "chntpwd" program on it and could manipulate it however I wanted (change passwords, navigate the registry, etc). I should have thought of this! And it's all done with Linux! I'll have to burn this onto floppy and stick it in my little bag 'o' tricks.
I guess the source code for chntpwd is out there somewhere, I'll have to check it out.
On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR. I posted that one in an earlier thread.
[ February 05, 2002: Message edited by: VoidMain ]
-
darkness
[ April 32, 2002: Message edited by: Master of Reality ]
[ May 02, 2002: Message edited by: Master of Reality ]
-
That question belongs in the FuckMicrosoft FAQ!
dd if=/path/to/floppy.img of=/dev/fd0
with perhaps some other options. info dd/man dd for more details.
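A write-and-verify version of that dd command, added here as an example and not code from the thread: a worn floppy or a short write fails silently, and you only find out when the machine refuses to boot, so read the disk back and compare it with the image. It assumes 512-byte sectors (SECTOR) and /dev/fd0 as the default device; the image path and device are arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: write a raw floppy image with dd,
# then read it back and compare byte for byte.
# Assumptions: 512-byte sectors (SECTOR) and /dev/fd0 as the default device.

SECTOR=512

# Number of sectors the image occupies, rounding a short last sector up.
image_sectors() {
    size=$(( $(wc -c < "$1") ))
    echo $(( (size + SECTOR - 1) / SECTOR ))
}

# Write the image to the device and flush the kernel's write cache.
write_image() {
    img="$1"; dev="${2:-/dev/fd0}"
    dd if="$img" of="$dev" bs="$SECTOR" 2>/dev/null || return 1
    sync
    echo "wrote $(image_sectors "$img") sectors to $dev"
}

# Read back exactly the image's length (a device is usually larger than the
# image written to it) and compare with the original.
verify_image() {
    img="$1"; dev="${2:-/dev/fd0}"
    size=$(( $(wc -c < "$img") ))
    n=$(image_sectors "$img")
    if dd if="$dev" bs="$SECTOR" count="$n" 2>/dev/null | head -c "$size" | cmp -s - "$img"; then
        echo "verify ok"
    else
        echo "verify FAILED: $dev differs from $img"
        return 1
    fi
}

# Usage: sh floppy.sh bootdisk.img [/dev/fd0]
if [ -n "$1" ]; then
    write_image "$1" "$2" && verify_image "$1" "$2"
fi
```

The image is a plain sector dump, which is why the earlier post could mount it directly and pull initrd.gz out of it without ever booting the floppy; the same is true of the copy you get back from the device if the verify step passes.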
-
quote:
Originally posted by VoidMain:
On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR. I posted that one in an earlier thread.
Isn't this quite a serious exploit of Windows 2000? Or am I missing something?
-
Why does my post just above look like a complete non sequitur?
-
I suspect because you were replying to the post directly before yours, which currently says "darkness" and which was edited on the day it was posted (possibly after you replied).
-
quote:
Originally posted by Nobber:
Why does my post just above look like a complete non sequitur?
Maybe you were on acid when you posted it?
-
quote:
Originally posted by Calum:
Isn't this quite a serious exploit of Windows 2000? Or am I missing something?
You're not missing anything, and it's a very serious security exploit. But Microsoft doesn't give a shit, nor do MCSE types apparently, hell MCSEs probably like it because they know they always have a back door if they forget their administrator password. And it's been there since the first release of NT 4. Probably works in XP as well but I'll never know unless someone tells me. What a joke.
-
Want to know even more? Get "Hacking Windows2000 Exposed", a great piece of reading worth a ton of how-tos.
-
quote:
On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR. I posted that one in an earlier thread.
What do you mean, logon using cmd.exe and logon.scr? I'm a bit of a noob at this...
[ May 02, 2002: Message edited by: robzilla ]
-
quote:
Originally posted by robzilla:
What do you mean, logon using cmd.exe and logon.scr? I'm a bit of a noob at this...
You know how on NT4 and NT2K when no one is logged on after 15 minutes the screen goes black and a "Press CTRL+ALT+DEL to logon" box bounces around the screen? Well, that is the default user's screen saver. Screen saver files have a *.SCR extension. Well, when the screen goes black after 15 minutes the system has really executed the "LOGON.SCR" screen saver that can be found in the C:\WINNT\SYSTEM32 directory. In that same directory you will also find CMD.EXE, which is the command shell for NT (command prompt). If you are logged on as a normal user (no Administrator access) you have the ability to make a backup copy of the LOGON.SCR file, then copy over LOGON.SCR with CMD.EXE: "copy cmd.exe logon.scr". Now if you log off and wait 15 minutes, guess what happens? Yep, a CMD prompt pops up with Administrator level authority. Now you can run any command you want as Administrator. Type "usrmgr" or "musrmgr" and change Administrator's password to anything you want. EXIT out of the CMD prompt and log in as Administrator. Bingo.... Copy the backup copy of LOGON.SCR back over the trojan version if you so choose, but then what's the point?
-
Useful for anybody to know, if they get physical access to an NT box... (like I may if I get this new job I applied for...)
-
quote:
Type "usrmgr" or "musrmgr" and change Administrator's password to anything you want.
How do I change the password like that?
-
You don't, you change your permissions so you can change the password after that ;)
-
quote:
Originally posted by VoidMain:
copy over LOGON.SCR with CMD.EXE "copy cmd.exe logon.scr".
Well, I tried to, and it asks "Are you sure you want to overwrite?" and I said yes. It then said "Access Denied, 0 files copied." I guess Storm Windows blocks that... got any other ways around this (changing admin and mgr passwords)???
-
There is another thread on these boards that discusses a Linux boot disk that allows you to change the Administrator password on NT and Win2K that is definitely easier. If you do have your machine set up securely (in that normal users can't copy over LOGON.SCR) then you will have to go through another step, which makes the process more time consuming.
If you have forgotten your Administrator password and want to use the LOGON.SCR/CMD.EXE trick and do not have permissions to copy over the LOGON.SCR as a normal user, you will have to get your Windows NT or 2K CD and do a minimal OS install to a directory other than where the original copy of Windows was installed (without formatting the drive). For instance, NT and 2K normally install to C:\WINNT. Install a new copy into C:\WINNT2. Log in to the new copy of Windows as Administrator, "copy C:\WINNT\SYSTEM32\CMD.EXE C:\WINNT\SYSTEM32\LOGON.SCR".
Reboot into the original install of the OS, wait 15 minutes, get the CMD prompt and run User Manager to reset the original Administrator's password, delete the second copy of NT/2K.
[ May 04, 2002: Message edited by: VoidMain ]
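An offline check for the LOGON.SCR/CMD.EXE trick described in the two posts above, added as an example (not code from the thread or from the ntpasswd disk): boot the same kind of Linux rescue disk, mount the NTFS volume read-only, and look for any screen saver in SYSTEM32 that is byte-for-byte a copy of an executable there, optionally also comparing logon.scr against a baseline hash taken from a known-good install. Two caveats worth knowing: the screen saver on the logon desktop runs under the LocalSystem account, which is why the prompt that appears has full privileges, and whether a normal user can overwrite LOGON.SCR at all depends on the NTFS ACL on SYSTEM32 (the "Access Denied" in the post above is that ACL doing its job). The check scans every .scr rather than only logon.scr because the logon desktop's screen saver is whatever HKEY_USERS\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE points at. The assumed parts are the shasum fallback for rescue environments without sha256sum and that the file names appear in lowercase on the mount.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline integrity check for a
# SYSTEM32 directory mounted read-only from a Linux boot disk: flags any .scr
# that is byte-for-byte a copy of an .exe in the same directory, and
# optionally compares logon.scr against a baseline SHA-256 recorded earlier.
# Assumptions: lowercase names on the mount; shasum fallback if no sha256sum.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_logon_scr SYSTEM32_DIR [BASELINE_SHA256_OF_LOGON_SCR]
# Prints one verdict per finding and returns 0 only when nothing is wrong.
check_logon_scr() {
    dir="$1"; baseline="$2"; rc=0
    [ -f "$dir/logon.scr" ] || { echo "MISSING: $dir/logon.scr"; return 2; }

    # Index the hash of every .exe so a renamed copy of any of them is caught,
    # not just cmd.exe.
    exe_hashes=""
    for exe in "$dir"/*.exe; do
        [ -f "$exe" ] || continue
        exe_hashes="$exe_hashes $(hash_file "$exe"):$(basename "$exe")"
    done

    # Any screen saver whose hash matches an executable is a trojaned one.
    for scr in "$dir"/*.scr; do
        [ -f "$scr" ] || continue
        h=$(hash_file "$scr")
        for entry in $exe_hashes; do
            case "$entry" in
                "$h":*) echo "TROJANED: $(basename "$scr") is a copy of ${entry#*:}"; rc=1 ;;
            esac
        done
    done

    # A replacement that is not one of the local executables is only caught
    # by a baseline hash from a known-good install.
    if [ -n "$baseline" ] && [ "$(hash_file "$dir/logon.scr")" != "$baseline" ]; then
        echo "MODIFIED: logon.scr does not match baseline $baseline"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: no screen saver in $dir matches an executable"
    return "$rc"
}

# Usage from the rescue boot, with the NT volume on the first partition:
#   mount -o ro /dev/hda1 /mnt && check_logon_scr /mnt/winnt/system32 "$KNOWN_GOOD_SHA256"
```

The hash comparison is the whole check: a screen saver that is really cmd.exe has cmd.exe's hash, whatever its name, and the baseline catches the variant where something other than a local executable was dropped in. Run it from the boot disk rather than from inside Windows so the result does not depend on the system you are inspecting.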
-
to hack it you just have to go to linuxiso.org
then, set the computer on fire
no one will eeeevvvveeeerrrr kkkknnnnoooowwwwwww
-
So will the boot disk work with this SECURE set up of the computer?
-
Yes it will, because when you boot from a different OS (even NT or Win2K) you bypass the security when accessing the original file system. Unless of course you are using the encrypted file system in Win2k (hopefully you don't, as you will have much bigger problems if your OS becomes unbootable for any reason. What are the chances of that ever happening??? :) ).
[ May 04, 2002: Message edited by: VoidMain ]
-
Very old thread... but perhaps this is why we (or at least used to a few months ago, before the change in the network section) always got people asking how to hack Windows and such. I don't think this type of thread is really good on this forum... but when did the change happen? Or was it one of those things that just happened and nobody noticed? Probably before my time.
-
To use this floppy requires physical access to the machine, and the BIOS to be set to allow boot from floppy. There is no difference between this and the use of Tom's rootboot disk to clear a forgotten linux root password.
And if you have this kind of access to the machine you could always reinstall windows on it which is another way to bypass the root/admin password.
[ July 09, 2003: Message edited by: M. O'Brien ]
-
So, obviously, physical access to any machine can be a great security risk. And can be easily prevented by disabling boot from CD or floppy and passwording the BIOS. Seems like something a good admin would do anyway.
-
quote:
Originally posted by Fett101:
So, obviously, physical access to any machine can be a great security risk. And can be easily prevented by disabling boot from CD or floppy and passwording the BIOS. Seems like something a good admin would do anyway.
Yes, physical access to any machine is a large security risk. There is an IT maxim that says there is NO way to truly secure a system that people have physical access to.
Locking out boots from anything but the primary hard disk and passwording the BIOS is a good idea (and is what I do for all my boxes, whether Windows or Linux is installed). However, it can't really secure the box, because anyone can override the bios password by opening the case and setting a BIOS clear jumper or yanking the battery for 5 minutes.
This is one of the reasons I lament the fact that the thin-client approach has died as a common desktop solution. That and the fact that it's so much easier to patch one beefcake server than dozens or hundreds of little independent machines.