TECH - CHECK: September 2007

Here i am telling you some procedure of bypassing several password prompts that may appear during startup.....

BYPASSING BIOS PASSWORD

BIOS password prompt appears before windows booting. So it is certainly a CUI (character User Interface). In some BIOS it can be bypassed very easily.

Pressing “Esc” for several (50-60 times) times may crash this software & booting may start.
If the above method does not work then you have to do some serious work. Open the cabinet of your CPU. Search for a LI-ION Tablet battery on the MOTHER-BOARD. A jumper should be there. The jumper comes with 2 pins shorted with a metal plate. What you have to do is to short the other 2 pins for 30 sec & Remove the battery.
Now place the metal plate to its original position & re-install the battery.
Restart your computer. It will boot-up with out password. You have to set the date & Time after windows starts.

BYPASSING WINDOWS PASSWORD

Bypassing passwords for Windows 98SE or earlier versions is very easy.

You can just click “cancel” on the password prompt and the windows starts with its default user.
If you want to use a specific user account the follow the steps.
Start your computer and begin to press “F8” till a menu appears with some options related to windows password. Select “safe mode with command prompt”.
When command prompt appears type “ren *.pwl *.bak” under c:\windows & c:\windows\system32 both folders.
Now restart computer. Type any password at the password prompt to open an user account.

Bypassing passwords for Windows 2000 or later versions is little tougher.

Delete Admin Password

Boot up with DOS and delete the sam.exe and sam.log files from Winnt\system32\config in your hard drive. Now when you boot up in NT the password on your built-in administrator account will be blank (No password). This solution works only if your hard drive is FAT32 .

HOW TO CHANGE PASSWORDS IN COMMAND PROMPT:

How to use the net user command to change the user password at a Windows command prompt. Only administrators can change domain passwords at the Windows command prompt. To change a user's password at the command prompt, log on as an administrator and type: "net user * /domain" (without the quotation marks)

When you are prompted to type a password for the user, type the new password, not the existing password. After you type the new password, the system prompts you to retype the password to confirm. The password is now changed.

Alternatively, you can type the following command: net user . When you do so, the password changes without prompting you again. This command also enables you to change passwords in a batch file.

Non-administrators receive a "System error 5 has occurred. Access is denied" error message when they attempt to change the password.

IF YOUR COMPUTER IS RUNNING ON WINDOWS XP SP2 & NTFS FILE FORMAT THEN THERE IS NO SHORTCUT WAY TO BYPASS ADMINISTRATOR PASSWORD.

For utilizing this part you have to know something about NTFS file format & SAM files.

NTFS file format: NTFS file format is the last invention of MICROSOFT c

orporation till now. It is a more secure file system than FAT, FAT16 or FAT32. It can accessed by less number of OS.

SAM File - Holds the user names and password hashes for every account on the local machine, or domain if it is a domain controller. Simple enough wouldn't you say?

Some commonly asked questions:

§ Where do I find the SAM/Hashes?

You can find what you're looking for in several locations on a given machine.

It can be found on the hard drive in the folder %systemroot%system32config. However this folder is locked to all accounts including Administrator while the machine is running. The only account that can access the SAM file during operation is the "System" account.

The final location of the SAM or corresponding hashes can be found in the registry. It can be found under HKEY_LOCAL_MACHINESAM. This is also locked to all users, including Administrator, while the machine is in use.
So the three locations of the SAMHashes are:
%systemroot%system32config
%systemroot% epair (but only if rdisk has been run)
In the registry under HKEY_LOCAL_MACHINESAM

§ Obtaining the SAMPassword Hashes :

Now we know where the goods are, and the problem is this... "How do I get my hands on those hashes?" The answer is "One of four ways."

Probably the easiest way to do this is to boot your target machine to an alternate OS like NTFSDOS or Linux and just copy the SAM from the %systemroot%system32config folder. It's quick, it's easy, and it's effective. You can get a copy of NTFSDOS from Sysinternals(http://www.sysinternals.com) The regular version of NTFSDOS is freeware, which is always nice, but only allows for Read-Only access.
You can also get password hashes by using pwdump2. pwdump uses .DLL injection in order to use the system account to view the password hashes stored in the registry. It then pulls the hashes from the registry and stores them in a handy little text file that you can then import into a password cracking utility like l0phtcrack.
The final way to obtain password hashes is to listen directly to the network traffic as it floats by your computer and grab hashes using the above mentioned l0phtcrack.

§ Cracking Password Hashes:

With the hashes in hand and an eagerness to find out what passwords lie waiting. Let's get cracking. While there are numerous programs available for the use of password cracking I will quickly cover two of the most popular ones.

John the Ripper - John the Ripper is to many, the old standby password cracker. It is command line which makes it nice if you're doing some scripting, and best of all it's free. The only real thing that JtR is lacking is the ability to launch Brute Force attacks against your password file. But look at it this way, even though it is only a dictionary cracker, that will probably be all you need. I would say that in my experience I can find about 85-90% of the passwords in a given file by using just a dictionary attack. Not bad, not bad at all.

L0phtCrack - Probably the most wildly popular password cracker out there. L0phtCrack is sold by the folks at @Stake. And with a pricetag of $249 for a single user license it sure seems like every one owns it. Boy, @Stake must be

making a killing. :) This is probably the nicest password cracker you will ever see. With the ability to import hashes directly from the registry ala pwdump and dictionary, hybrid, and brute-force capabilities. No password should last long. Well, I shouldn't say "no password". But almost all will fall to L0phtCrack given enough time.

§ Injecting Password Hashes into the SAM:

Probably one of my favorite and easiest ways to gain Administrator privileges on a machine, is by injecting password hashes into the SAM file. In order to do this you will need physical access to the machine and a brain larger than a peanut. Using a utility called "chntpw" by Petter Nordhal-Hagen you can inject whatever password you wish into the SAM file of any NT, 2000, or XP machine thereby giving you total control. I would suggest backing up the SAM file first by using an alternate OS. Go in, inject the password of your choosing. Login using your new password. Do what you need to do. Then

restore the original SAM so no one knows you were there.

I know this may seem like a lot to do, but let's face it, a weak password is a cracked password. Dont be afraid the process is not so difficult.

Direct Boot up Without Typing Password:

At a command prompt, type "control userpasswords2" and press Enter to open the Windows 2000-style User Accounts application.
On the Users tab, clear the Users Must Enter A User Name And Password To Use This Computer check box and then click OK.
In the Automatically Log On dialog box that appears, type the user name and password for the account you want to be logged on each time you start your computer.

Cannot Change the Administrator Password in Control Panel:

After you log on as an administrator to a computer that is not a member of a domain, when you double-click User Accounts in Control Panel to change the password for the built-in Administrator account, the Administrator account may not appear in the list of user accounts. Consequently, you cannot change its password.

This behavior can occur because the Administrator account logon option appears only in Safe mode if more than one account is created on the system. The Administrator account is available in Normal mode only if there are no other accounts on the system. To work around this behavior:

If you are running Windows XP Home Edition, restart the computer and then use a power user account to log on to the computer in Safe mode.

If you are running Windows XP Professional, reset the password in the Local Users and Groups snap-in in Microsoft Management Console (MMC):

1. Click Start, and then click Run.
2. In the Open box, type "mmc" (without the quotation marks), and then click OK to start MMC.
3. Start the Local Users and Groups snap-in.
4. Under Console Root, expand "Local Users and Groups", and then click Users.
5. In the right pane, right-click Administrator, and then click Set Password.
6. Click Proceed in the message box that appears.
7. Type and confirm the new password in the appropriate boxes, and then click OK.

Erd Commander 2005

Boots dead systems directly from CD
Easy, familiar Windows-like interface
Intuitive Solution Wizard helps you select the right tool to correct your system issue
Includes Crash Analyzer Wizard to pinpoint the cause of recent system crashes for repair
Allows complete disk sanitizing/data removal with Disk Wipe utility
Includes the Locksmith utility to reset lost Administrator passwords
Includes FileRestore so that you can quickly find and recover deleted files
Provides access to XP Restore Points on unbootable Windows XP systems
Detect malware and other applications that may be consuming system resources
Includes an Internet browser to facilitate downloading needed files and patches
Compares key info on unbootable systems with that of a working system for diagnosis and troubleshooting
Automatically identifies and replaces critical system files that have become corrupt
Allows for formatting and partitioning of disks
Provides emergency removal capability for faulty hotfixes
Built-in network access to safely copy data to/from dead systems
Repair and diagnostic tools located on Start menu
Repair tools include System Restore tool, System File Repair, Service and Driver Manager, Hotfix Uninstall Wizard, Locksmith, Registry Editor, Explorer, Disk Management, and Command Prompt
Data recovery tools include Disk Commander and FileRestore
Diagnostic tools include Crash Analyzer Wizard, System Compare, Autoruns, Event Log Viewer, System Information, TCP/IP Configuration, and Logical volumes utilities
Compatible with Windows NT, 2000, XP, and Server 2003