Wednesday, 7 November 2012

Admin Password


The /active:yes approach doesn't work in safe mode either:

Code:
C:\Users\peter> net user Administrator /active:yes
System error 5 has occurred.

Access is denied.

In safe mode, too, I can only log on as a non-privileged user.

I finally managed it by using the Linux tool chntpw to turn the non-privileged account into an admin account:

Code:
root@sula:~# chntpw -l /mnt/Windows/System32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x10000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 262/54048 blocks/bytes, unused: 16/7168 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length     : 0
Password history count      : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  | dis/lock |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Gast                           |        | dis/lock |
| 03e9 | peter                          |        |          |
Changed with the chntpw command:

Code:
root@sula:~# chntpw -u peter /mnt/Windows/System32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x10000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 262/54048 blocks/bytes, unused: 16/7168 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length     : 0
Password history count      : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  | dis/lock |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Gast                           |        | dis/lock |
| 03e9 | peter                          |        |          |

---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot         : -1 -> Not Set (not installed, good!)
SAM   Account\F          : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!

RID  : 1001 [03e9]
Username: peter
fullname: peter
comment : 
homedir : 

User is member of 1 groups:
00000221 = Benutzer (which has 3 members)

Account bits: 0x0010 =
[ ] Disabled     | [ ] Homedir req. | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account  | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 11

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] > 3
NOTE: This function is still experimental, and in some cases it
   may result in stangeness when editing user/group in windows.
   Also, users (like Guest often is) may still be prevented
   from login via security/group policies which is not changed.
Do you still want to promote the user? (y/n) [n] y
User is member of 1 groups.
User was member of groups: 00000221 =Users, 
Deleting user memberships
Adding into only administrators:
Promotion DONE!

Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : y
 0  <SAM> - OK

The check looks good:

Code:
root@sula:~# chntpw -l /mnt/Windows/System32/config/SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x10000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 263/54064 blocks/bytes, unused: 18/7152 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length     : 0
Password history count      : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  | dis/lock |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Gast                           |        | dis/lock |
| 03e9 | peter                          | ADMIN  |          |
root@sula:~#
After booting I could log on normally as the non-privileged user, and a cmd.exe could then also be started as Administrator without an additional password prompt. In it I could then set the password with "net user admin xyz".
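The offline part of the procedure above, as an added example that is not code from the original post: a POSIX shell wrapper around chntpw that backs up the hive, feeds the menu answers from the session above to chntpw non-interactively, then re-lists the hive and parses the "Admin?" column to confirm the promotion actually took. chntpw shows ADMIN for a user who is a member of the built-in Administrators alias (RID 0x220), which is what "Adding into only administrators" did. The mount point /mnt, the answer sequence (valid for the chntpw 0.99.6 prompts shown in the post; later releases have a different user-edit menu), and the sample listing embedded for the self-check are assumptions. The final `net user admin <password>` from an elevated cmd.exe still happens inside Windows, as the post describes. The reason this works at all is that the SAM sits unencrypted on a volume that anyone with a boot medium can write to; full-volume encryption such as BitLocker, together with a firmware boot-order password, is what takes this offline edit off the table.

```shell
#!/bin/sh
# Added example, not code from the original post: wraps the offline chntpw
# promotion in a script with a hive backup, a scripted answer sequence and a
# verification step. Assumptions (hypothetical): the Windows volume is already
# mounted read-write at /mnt (e.g. with ntfs-3g) and chntpw is the 0.99.6
# build whose prompts appear in the post; other releases show a different
# user-edit menu, so ANSWERS must be re-checked against that menu.
set -eu

SAM="${SAM:-/mnt/Windows/System32/config/SAM}"

# Answers fed to `chntpw -u`, mirroring the interactive session in the post:
# 3 = promote user, y = confirm the promotion, y = write the changed hive.
ANSWERS='3
y
y
'

# admin_flag_for USER: read `chntpw -l` output on stdin and print the
# "Admin?" column for USER ("ADMIN" or empty). Exit status 1 if USER is not
# in the listing, so "not found" is distinguishable from "not an admin".
admin_flag_for() {
    awk -F'|' -v u="$1" '
        # user rows look like: | 03e9 | peter      | ADMIN  | dis/lock |
        $1 == "" && $2 ~ /^ *[0-9a-f]+ *$/ {
            name = $3; gsub(/^ +| +$/, "", name)
            if (name == u) {
                flag = $4; gsub(/^ +| +$/, "", flag)
                print flag; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Keep a copy of the hive before chntpw rewrites it in place.
backup_sam() {
    cp -p "$SAM" "$SAM.bak.$(date +%Y%m%d%H%M%S)"
}

# promote_user USER: add USER to the built-in Administrators alias (RID 0x220)
# by piping the answer sequence into chntpw instead of typing it.
promote_user() {
    printf '%s' "$ANSWERS" | chntpw -u "$1" "$SAM"
}

# verify_admin USER: re-list the hive and check the Admin? column.
verify_admin() {
    flag=$(chntpw -l "$SAM" | admin_flag_for "$1") || {
        echo "verify_admin: user $1 not found in $SAM" >&2
        return 2
    }
    [ "$flag" = "ADMIN" ]
}

# Constructed sample of a `chntpw -l` listing (modelled on the post's output,
# not captured from a live system), used to exercise the parser offline.
SAMPLE_LISTING='| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  | dis/lock |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Gast                           |        | dis/lock |
| 03e9 | peter                          | ADMIN  |          |'

main() {
    user="$1"
    backup_sam
    promote_user "$user"
    if verify_admin "$user"; then
        echo "$user is now listed as ADMIN in $SAM"
    else
        echo "promotion of $user did not take; restore the backup and retry interactively" >&2
        exit 1
    fi
}

# Usage: sh promote.sh peter   (run from a live Linux system, never from the
# running Windows installation, whose SAM is locked and cached in memory)
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

The parser is split out deliberately: chntpw exits 0 whether or not the promotion succeeded, so the only trustworthy signal is the second `chntpw -l` listing, which is exactly the check the post performs by hand.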
