13

If you were provided a computer running Windows 2000 or newer and you have no passwords, what method do you use to gain access with administrator privileges so you can use the system?

HopelessN00b
spoulson
    If I were provided a computer running Windows 2000 or newer and I had no passwords for that machine, I would ask the guy who gave me the PC what the administrator password was. Isn't that what everyone would do? :) – Richard Holloway Jul 27 '10 at 15:45

10 Answers

16

ophcrack is a live CD that boots and brute-forces passwords on a Windows machine. http://ophcrack.sourceforge.net/

Don Dickinson
    The cool thing about ophcrack is that it's based on Rainbow Tables (http://en.wikipedia.org/wiki/Rainbow_table), which are terrific ! Here's a good article by Jeff Attwood : http://www.codinghorror.com/blog/archives/000949.html – paulgreg Apr 30 '09 at 12:09
  • +1 for ophcrack, usually takes ~ 5min (most of which is spent booting and loading the rainbow tables into memory) I've not had it fail to provide me with the Administrator password yet – Nathan May 20 '09 at 16:34
12

ntpasswd will give you off-line access to the registry and allow you to reset or blank passwords, including the Administrator.

Richard Slater
    this tool should be recommended for another bonus: it cannot reset the original password, so it cannot be used for illegal activities which include covering the tracks. – lImbus May 20 '09 at 14:36
  • @lImbus - Couldn't you just revert the registry keys to the previous values? You'll still never know what the original password was, but you'll still get in and most people will never figure out what happened. – Ryan Bair Jul 27 '10 at 16:02
  • Needed to access the local forgotten password on a Windows Server 2008 machine with 4 disk RAID and this worked first time to reset the local admin password. Ophcrack booted but couldn't access the RAID HD. – dodgy_coder Sep 23 '11 at 00:24
3

Try one of the tools at http://www.petri.co.il/forgot_administrator_password.htm

Rory Becker
1

Boot a linux live cd and use chntpw. I tend to use Fedora for the live cd.

Then:

yum install chntpw

Mount the windows partition:

mkdir /mnt/windows && mount /dev/<windows partition> /mnt/windows

Browse to the SAM database:

cd /mnt/windows/<Windows directory>/system32/config   # WINNT on Windows 2000, WINDOWS on XP, Windows on Vista and later; the mounted NTFS path is case-sensitive

To get a list of local users on the windows machine type:

chntpw -l SAM

Change a particular users password:

chntpw -u <username> SAM
Garry Harthill
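The same procedure as a script, added here as an example and not part of the answer above. It finds the SAM hive without hard-coding the system root's case (WINNT on Windows 2000, WINDOWS on XP, Windows on Vista and later; NTFS mounted from Linux is case-sensitive, which is the usual reason the cd step above fails), then drives chntpw non-interactively. It assumes GNU find, chntpw already installed on the live CD, ntfs-3g for a read-write mount, and placeholders for the device (/dev/sdXN), mount point (/mnt/windows) and account name.

```shell
#!/bin/sh
# Added example, not code from the original answer. Locates the SAM hive on an
# already-mounted Windows volume regardless of directory case, then blanks one
# local account with chntpw driven non-interactively.
# Assumptions: GNU find (-ipath/-iname), chntpw present on the live CD,
# ntfs-3g for a read-write mount. /dev/sdXN, /mnt/windows and the account
# name are placeholders.

# The system root is WINNT on Windows 2000, WINDOWS on XP and Windows on
# Vista and later, and an NTFS volume mounted from Linux is case-sensitive,
# so match the hive path case-insensitively instead of hard-coding it.
# Prints the full path of the SAM file, or returns 1 if none is found.
find_sam_hive() {
    root=$1
    cfg=$(find "$root" -maxdepth 3 -type d -ipath '*/system32/config' 2>/dev/null | head -n 1)
    [ -n "$cfg" ] || return 1
    sam=$(find "$cfg" -maxdepth 1 -type f -iname sam 2>/dev/null | head -n 1)
    [ -n "$sam" ] || return 1
    printf '%s\n' "$sam"
}

# List RIDs and usernames in the SAM so the target account is spelled exactly
# as Windows stores it (chntpw -u matches on the name).
list_users() {
    chntpw -l "$1"
}

# Blank the password rather than set a new one: chntpw's README advises
# blanking, which works on every Windows version, whereas writing a new hash
# has been unreliable since XP. Menu keys fed on stdin: 1 = clear (blank) the
# user password, q = quit editing the user, y = write the changed hive to disk.
blank_password() {
    sam=$1
    user=$2
    printf '1\nq\ny\n' | chntpw -u "$user" "$sam"
}

main() {
    dev=$1
    user=$2
    mkdir -p /mnt/windows
    mount -t ntfs-3g "$dev" /mnt/windows
    sam=$(find_sam_hive /mnt/windows) || { echo "no SAM hive found under /mnt/windows" >&2; exit 1; }
    echo "Using hive $sam"
    list_users "$sam"
    blank_password "$sam" "$user"
    umount /mnt/windows
}

# Usage (as root on the live CD): sh reset_local_password.sh /dev/sdXN Administrator
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Blanking is the same thing ntpasswd/chntpw does from its own boot disk; it leaves no way to learn the old password, and the registry is only written after the final y, so running the script without the account name (or dropping the y) lets you inspect the hive before committing anything.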
1

I haven't personally tried Kon-Boot disk yet but it was recommended to me by someone who has. Here's the description off of their site. I'd provide you with a link but apparently Noobs can't do that here. If you just google Kon-Boot you'll find it.

Kon-Boot for Windows enables logging in to any password-protected machine profile without any knowledge of the password. This tool changes the contents of the Windows kernel while booting; everything is done virtually, without any interference with physical system changes. So far the following systems were tested to work correctly with Kon-Boot (however, it's quite possible other versions of the listed Windows systems may be suitable as well):

Tested Windows versions:

  • Windows Server 2008 Standard SP2 (v.275)
  • Windows Vista Business SP0
  • Windows Vista Ultimate SP1
  • Windows Vista Ultimate SP0
  • Windows Server 2003 Enterprise
  • Windows XP
  • Windows XP SP1
  • Windows XP SP2
  • Windows XP SP3
  • Windows 7

user3222
0

If you don't want to change the password:

1. Get a program called Ophcrack (very large, 496 MB)

2. Download the live CD (ISO)

3. Burn the ISO to a CD using an ISO burner

4. The live CDs come with the free rainbow tables, so you might need to download other tables (cost money)

5. Boot up from the CD

6. Crack the SAM and System file

splattne
0

I used an EBCD boot CD a number of times with success on W2000 machines - you use it to overwrite the SAM entries for the administrator account rather than the usual brute force/dictionary approaches.

I've had no need to try it on newer versions of Windows, but I think I read somewhere that security had been tightened up to stop this approach from working.

Chris W
0

I'd use a boot CD that would let me clear the administrator password. Had to do that with a workstation at church. There are quite a few Live CDs out there for just that if you do a quick GIS.

K. Brian Kelley
0

Do you really need the password?

A possible alternative would be: Add a new disk. Reinstall the OS. Access data from the old disk.

(If you do need the password, I recommend ntpasswd)

Stewart
0

This works for XP, but I am not sure if it will work for Win2k: RockXP