Author Topic: Win2k Logon Hacks  (Read 1583 times)

robzilla

  • Newbie
  • *
  • Posts: 7
  • Kudos: 0
Win2k Logon Hacks
« on: 1 February 2002, 19:07 »
My brother had a couple (4) of disks that he could use so he could get into a cmd before his Win2k booted up. It let himdo just about anything, and I was wondering if anyone knew where I could download the files of these, if anyone else knows anything about them. I would really apreciate it...Even though there probably is some loop-hole in 2k to do it anyways.  ;)

If anyone knows ANYTHING please leave a reply...

dbl221

  • Member
  • **
  • Posts: 253
  • Kudos: 0
Win2k Logon Hacks
« Reply #1 on: 5 February 2002, 10:27 »
This is the disk we use in Internet Security class for altering the SAM file......ie changing passwords.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
dbl221***Comp-Sys walking wounded

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Win2k Logon Hacks
« Reply #2 on: 5 February 2002, 11:19 »
quote:
Originally posted by dbl221:
This is the disk we use in Internet Security class for altering the SAM file......ie changing passwords.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html



Hey, that is one slick disk!! Thanks! I haven't actually run it from floppy yet as is intended, but I did mount the floppy disk image directly and copied the initrd.gz file out if it, then extracted/mounted initrd.  Then I copied the "chntpwd" program out of it into my ~/bin directory so I could test it out directly without booting the floppy.  Copied my /c/winnt/system32/sam file to /tmp and ran the "chntpwd" program on it and could manipulate it however I wanted (change passwords, navigate the registry, etc).  I should have thought of this! And it's all done with Linux!  I'll have to burn this onto floppy and stick it in my little bag 'o' tricks.

I guess the source code for chntpwd is out there somewhere, I'll have to check it out.

On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR.  I posted that one in an earlier thread.

[ February 05, 2002: Message edited by: VoidMain ]

Someone please remove this account. Thanks...

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
Win2k Logon Hacks
« Reply #3 on: 2 May 2002, 02:36 »
darkness

[ April 32, 2002: Message edited by: Master of Reality ]

[ May 02, 2002: Message edited by: Master of Reality ]

Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

Nobber

  • Member
  • **
  • Posts: 89
  • Kudos: 55
Win2k Logon Hacks
« Reply #4 on: 2 May 2002, 03:16 »
That question belongs in the FuckMicrosoft FAQ!

dd if=/path/to/floppy.img of=/dev/fd0

with perhaps some other options. info dd/man dd for more details.
As sure as eggs is eggs.

Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Win2k Logon Hacks
« Reply #5 on: 2 May 2002, 14:02 »
quote:
Originally posted by VoidMain:

On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR.  I posted that one in an earlier thread.



isn't this quite a serious exploit of windows 2000? or am i missing something?
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

Nobber

  • Member
  • **
  • Posts: 89
  • Kudos: 55
Win2k Logon Hacks
« Reply #6 on: 2 May 2002, 18:06 »
Why does my post just above look like a complete non sequitur?
As sure as eggs is eggs.

Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Win2k Logon Hacks
« Reply #7 on: 2 May 2002, 19:01 »
i suspect because you were replying to the post directly before yours which currently says "darkness" and which was edited on the day it was posted (possibly after you replied.)
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
Win2k Logon Hacks
« Reply #8 on: 2 May 2002, 21:02 »
quote:
Originally posted by Nobber:
Why does my post just above look like a complete non sequitur?

maybe you were on acid when you posted it?
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Win2k Logon Hacks
« Reply #9 on: 3 May 2002, 05:10 »
quote:
Originally posted by Calum:


isn't this quite a serious exploit of windows 2000? or am i missing something?



You're not missing anything, and it's a very serious security exploit. But Microsoft doesn't give a shit, nor do MCSE types apparently, hell MCSEs probably like it because they know they always have a back door if they forget their administrator password. And it's been there since the first release of NT 4. Probably works in XP as well but I'll never know unless someone tells me. What a joke.
Someone please remove this account. Thanks...

morpheus

  • Newbie
  • *
  • Posts: 1
  • Kudos: 0
Win2k Logon Hacks
« Reply #10 on: 3 May 2002, 08:34 »
Want to now even more? Get "Hacking Windows2000 Exposed", great piece of reading worth a ton of how-tos.
Know thyself

robzilla

  • Newbie
  • *
  • Posts: 7
  • Kudos: 0
Win2k Logon Hacks
« Reply #11 on: 3 May 2002, 08:51 »
quote:
On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR. I posted that one in an earlier thread.
 


what do u mean logon using cmd.exe and logon.scr? im a bit of a noob at this...

[ May 02, 2002: Message edited by: robzilla ]


voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Win2k Logon Hacks
« Reply #12 on: 3 May 2002, 21:18 »
quote:
Originally posted by robzilla:


what do u mean logon using cmd.exe and logon.scr? im a bit of a noob at this...




You know how on NT4 and NT2K when no one is logged on after 15 minutes the screen goes black and a "Press CTRL+ALT+DEL to logon" box bounces around the screen?  Well that is the default users's screen saver. Screen saver files have a *.SCR extension. Well, when the screen goes black after 15 minutes the system has really executed the "LOGON.SCR" screen saver that can be found in the C:\WINNT\SYSTEM32 directory. In that same directory you will also find CMD.EXE which is the command shell for NT (command prompt).  If you are logged on as a normal user (no Administrator access) you have the ability to make a backup copy of the LOGON.SCR file, then copy over LOGON.SCR with CMD.EXE "copy cmd.exe logon.scr". Now if you log off and wait 15 minutes guess what happens?  Yep, a CMD prompt pops up with Administrator level authority. Now you can run any command you want as Administrator. Type "usrmgr" or "musrmgr" and change Administrator's password to anything you want. EXIT out of the CMD prompt and log in as Administrator. Bingo.... Copy the backup copy of LOGON.SCR back over the trojan version if you so choose, but then what's the point?
Someone please remove this account. Thanks...

Calum

  • Global Moderator
  • Member
  • ***
  • Posts: 7,812
  • Kudos: 1000
    • Calum Carlyle's music
Win2k Logon Hacks
« Reply #13 on: 3 May 2002, 13:49 »
useful for anybody to know, if they get physical access to an NT box... (like i may if i get this new job i applied for...)
visit these websites and make yourself happy forever:
It's my music! | My music on MySpace | Integrational Polytheism

Scorcher2005

  • Member
  • **
  • Posts: 38
  • Kudos: 0
Win2k Logon Hacks
« Reply #14 on: 3 May 2002, 16:39 »
quote:
Type "usrmgr" or "musrmgr" and change Administrator's password to anything you want.


how do i change the pw like that?