There’s another option for defeating passwords. This technique requires physicall access to the target machine, and although it’s very effective at gaining access to the target, it’s also very noisy. In the previous section, password cracking was discussed. If a skilled penetration tester is able to access a target machine alone for just a few minuts, he or she should be able to get a copy of the password hashes. All things considered, this could be a very stealthy attack and difficult to detect. In most cases, the penetration tester will leave few clues that he or she were ever on the target machine. Remember the penetration tester can take the passwords off-site and crack them at his or her leisure.
Password resetting is another technique that can be used to gain access to a system or to escalate privileges; however, this method is much less subtle than password cracking. When first introducing this topic, it’s common to compare gaining access to a Windows machine by performing a password reset to a burglar driving a bulldozer through the wall of a store to gain access to the premises. It may be effective, but you can be sure that the storeowner and employees will know that they were broken into.
Password resetting is a technique that allows an attacker to literally overwrite the SAM file and create a new password for any user on a modern Windows system. This process can be performed without ever knowing the original password, although it does require you to have physical access to the machine
As with all other techniques discussed in this course, it’s vital that you have authorization before proceeding with this attack. It’s also important that you understand the implications of this technique. Once you change the password, there’ll be no way to restore it. As described in the beginning of this section, it’s very much like a burglar driving a bulldozer through the side of a building. The next time a user attempts to log in and he or she finds the password has been changed, you can bet that someone is going to notice.
With that in mind, this is still an incredibly powerful technique and one that
can be very handy for gaining access to a system. To perform password resetting,
you’ll need to boot the target system to a BlackArch installed USB stick (It
must be completely installed in there). Once booted, from the terminal you’ll
need to mount the physical hard drive of the system containing the SAM file. You
can find the instructions for performing this task in the previous section.
After mounting the hard drive, you can run the “
chntpw” command to reset the
password. To review the full options available switches, you can issue the
Assume that you want to reset the administrator password on your target machine. To accomplish this, you’d issue the following command:
chntpw -i /mnt/sda1/Windows/System32/config/SAM
the command above, the “chntpw” is used to start the password resetting program. The “-i” is used to run the program interactively and allow you to choose the user you’d like reset. The “/mnt/sda1/Windows/System32/config/SAM” is the mounted directory containing the SAM file of our target machine. It’s important to make sure you have access to the SAM file; remember, not all drives are listen as sda1. As mentioned earlier, running the “fdisk -l” command can be helpful in determining the appropriate drive.
After running the “
chntpw -i /mnt/sda1/Windows/System32/config/SAM” command,
you’ll be presented with a series of interactive menu-driven options that will
allow you to reset the password for the desired user. Each of the steps is very
clearly laid out and described; you simply need to take a few moments to read
what is being asked. The program is actually designed with a series of “default”
answers and in most cases you can simply hit the “enter” key to accept the
As shown in the previous image, after loading, the first question you are asked is: “What to do? ” Above the question you’ll see a series of five options to choose from. Simply enter the number or letter that corresponds to the choice you want to make and hit the “enter” key to continue. The “” after the question indicates that choice “1” is the default.
In our example, we are planning to reset the password for the administrator account, so we can type “1” and hit enter, or simply hit the enter key to accept the default. Next, we are presented with a list of users available on the local Windows machine. You can select the desired user by typing in his or her username as displayed. Once again, the default option is to set to “Administrador (Administrator in spanish)”. The next image shows a screenshot of the available users.
Here again, we can simply hit the “enter” key to accept the default choice of an administrator account “Golem”. Next, we are presented with the various options for editing the user on the target machine as shown in the next image. Please note that at this step, you don’t want to accept the default option!
As previously mentioned, at this point you want to be sure you select option “1” ti clear the password. After entering your selection to clear the user password, you’ll get a message stating: “Password cleared!”. At this point, you can reset another user’s password or enter “!” to quit the program. It’s important that you complete the remaining steps because at this point the new SAM file hasn’t been written to the hard drive. In the menu that follows enter “q” to quit the chntpw program. At last, you’ll be prompted with a message asking if you’d like to write your changes to the hard drive. Be sure to enter “y” at this step as the default is set to “n”.
The password for the selected user has now been cleared and is blank. You can shut down BlackArch by issuing the “reboot” command and ejecting the DVD. When Windows restarts, you can log into the account by leaving the password blank.