Win2k Logon Hacks

[robzilla]

My brother had a couple (4) of disks that he could use so he could get into a cmd before his Win2k booted up. It let himdo just about anything, and I was wondering if anyone knew where I could download the files of these, if anyone else knows anything about them. I would really apreciate it...Even though there probably is some loop-hole in 2k to do it anyways.  

If anyone knows ANYTHING please leave a reply...

[dbl221]

This is the disk we use in Internet Security class for altering the SAM file......ie changing passwords.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

[voidmain]

quote:Originally posted by dbl221:
This is the disk we use in Internet Security class for altering the SAM file......ie changing passwords.

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Hey, that is one slick disk!! Thanks! I haven't actually run it from floppy yet as is intended, but I did mount the floppy disk image directly and copied the initrd.gz file out if it, then extracted/mounted initrd.  Then I copied the "chntpwd" program out of it into my ~/bin directory so I could test it out directly without booting the floppy.  Copied my /c/winnt/system32/sam file to /tmp and ran the "chntpwd" program on it and could manipulate it however I wanted (change passwords, navigate the registry, etc).  I should have thought of this! And it's all done with Linux!  I'll have to burn this onto floppy and stick it in my little bag 'o' tricks.

I guess the source code for chntpwd is out there somewhere, I'll have to check it out.

On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR.  I posted that one in an earlier thread.

[ February 05, 2002: Message edited by: VoidMain ]

[Master of Reality]

darkness

[ April 32, 2002: Message edited by: Master of Reality ]

[ May 02, 2002: Message edited by: Master of Reality ]

[Nobber]

That question belongs in the FuckMicrosoft FAQ!

dd if=/path/to/floppy.img of=/dev/fd0

with perhaps some other options. info dd/man dd for more details.

[Calum]

quote:Originally posted by VoidMain:

On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR.  I posted that one in an earlier thread.

isn't this quite a serious exploit of windows 2000? or am i missing something?

[Nobber]

Why does my post just above look like a complete non sequitur?

[Calum]

i suspect because you were replying to the post directly before yours which currently says "darkness" and which was edited on the day it was posted (possibly after you replied.)

[Master of Reality]

quote:Originally posted by Nobber:
Why does my post just above look like a complete non sequitur?

maybe you were on acid when you posted it?

[voidmain]

quote:Originally posted by Calum:


isn't this quite a serious exploit of windows 2000? or am i missing something?

You're not missing anything, and it's a very serious security exploit. But Microsoft doesn't give a shit, nor do MCSE types apparently, hell MCSEs probably like it because they know they always have a back door if they forget their administrator password. And it's been there since the first release of NT 4. Probably works in XP as well but I'll never know unless someone tells me. What a joke.

[morpheus]

Want to now even more? Get "Hacking Windows2000 Exposed", great piece of reading worth a ton of how-tos.

[robzilla]

quote: On another note, if you need to recover your Administrator password and don't have this boot disk there is another way to do it if you know any normal user logon using CMD.EXE and LOGON.SCR. I posted that one in an earlier thread.
 

what do u mean logon using cmd.exe and logon.scr? im a bit of a noob at this...

[ May 02, 2002: Message edited by: robzilla ]

[voidmain]

quote:Originally posted by robzilla:


what do u mean logon using cmd.exe and logon.scr? im a bit of a noob at this...

You know how on NT4 and NT2K when no one is logged on after 15 minutes the screen goes black and a "Press CTRL+ALT+DEL to logon" box bounces around the screen?  Well that is the default users's screen saver. Screen saver files have a *.SCR extension. Well, when the screen goes black after 15 minutes the system has really executed the "LOGON.SCR" screen saver that can be found in the C:\WINNT\SYSTEM32 directory. In that same directory you will also find CMD.EXE which is the command shell for NT (command prompt).  If you are logged on as a normal user (no Administrator access) you have the ability to make a backup copy of the LOGON.SCR file, then copy over LOGON.SCR with CMD.EXE "copy cmd.exe logon.scr". Now if you log off and wait 15 minutes guess what happens?  Yep, a CMD prompt pops up with Administrator level authority. Now you can run any command you want as Administrator. Type "usrmgr" or "musrmgr" and change Administrator's password to anything you want. EXIT out of the CMD prompt and log in as Administrator. Bingo.... Copy the backup copy of LOGON.SCR back over the trojan version if you so choose, but then what's the point?

[Calum]

useful for anybody to know, if they get physical access to an NT box... (like i may if i get this new job i applied for...)

[Scorcher2005]

quote:Type "usrmgr" or "musrmgr" and change Administrator's password to anything you want.

how do i change the pw like that?