Vista Password Reset
At some point, just about every IT professional has run into the task of recovering or resetting a password for a user on an operating system. Even many home users have run into this issue. It happens--people forget passwords! The forgotten password can be for a regular user or an administrator, on a standard file system or on an NTFS volume using the Encrypting File System (EFS). The question then becomes, "What do I do?" Fortunately, there are a number of mechanisms available to deal with the lost password scenario, both in terms of proactive measures and disaster recovery tools and techniques.

If we assume that a user has not undertaken any proactive password recovery measures in advance, then we can immediately look at our disaster recovery options. In this case, we want to examine our options for account access and/or data recovery. If the account in question was not using EFS, one commonly performed disaster recovery option is to yank the hard drive, install it as a slave on another system and recover the important data. Most people, however, prefer to avoid this if possible. It is a process which can involve a lot of time, work, a possible system rebuild and a good chance that at least some customization of the user's data or workspace will be lost along the way. A better solution would be to regain access to the user's account so that it is as if the user had never lost access in the first place.

There are actually quite a few tools on the market which can perform a password reset or change on an NT based system (Windows NT, 2000, XP, Vista). Some of these tools are commercial and others are non-commercial and/or open source (GPL or similar). I personally prefer non-commercial or open source software when there is something available which competes well with a proprietary brand. A good example of an open source, non-commercial piece of software which is up to the task of resetting an NT based password for us is Petter Nordahl-Hagen's "NT Password Editor."
This piece of software can be downloaded as an ISO image and burned to CD. Then, when a password is forgotten, the CD can be used to boot from and change the NT account password from outside of the Windows operating system. Petter's password change utility runs on top of the Linux operating system. For most common hardware setups the boot process is very straightforward and does not require much, if any, tinkering or tweaking. So, let's give it a go and try to reset a few Windows Vista Administrator passwords. In Figure 1 below, I show that I have set up two Vista Administrator accounts: one named "standard_admin", and the other named "efs_admin." You can click on any of the images in this blog to pop up a full-sized image--be sure to allow pop-ups in your browser for this website!

Figure 1

The first account does not use EFS; however, the second account does. I have placed a lorem ipsum test data file in each account's "My Documents" folder. On the efs_admin account, I have applied encryption to this file. The two lorem ipsum files for each user account are shown below in Figures 2 and 3.
Now, let's fire up Petter's CD boot disk and reset a password. Upon putting the boot disk in, we get a welcome screen as shown in Figure 4. If needed, some simple Linux boot options can be specified at this boot screen, but most people can simply hit <enter> or just wait and the boot will continue automatically after about 30 seconds. After several pages of diagnostic information scroll by, the Linux kernel finishes loading and Petter's "Change NT Password" (chntpw) utility is automatically executed. This chntpw utility prints an introduction, tells us what it can and cannot do as well as some available options. We are immediately asked to select the disk and partition where the user account we wish to modify is stored. Generally, this software guesses the correct options for us and all we have to do is confirm the suggestions by hitting the <enter> key. See Figure 5.
Next, we are asked to specify the path to the Windows Registry. However, again, the software has already correctly guessed the location and all we have to do is hit <enter> to accept this default. Once the Registry is loaded, we are asked if we would like to reset a password (yes!) or use Recovery Console Parameters. By default the password reset option is selected for us, so again, we just hit <enter>--see Figure 6. The chntpw utility proceeds to load three Windows Registry hives--SAM, SYSTEM and SECURITY--after which it prompts us for our next course of action. And...you guessed it! Hitting <enter> will allow us to select a Windows user account to edit, as shown in Figure 7.
Now, the default account whose password is reset is the built-in Administrator account. So if you are interested in resetting a password for a different account, this is the first place where we actually have to type something in. In this case, the password I wish to reset is for the standard_admin account, so that's what I type in. The chntpw utility then proceeds to display information and statistics about that account and presents options to clear the password, change it to something else, promote the user to an administrator (if not already), or enable the account if disabled. To clear the password for the selected user, just type "1" and hit <enter>. You will then be told that the password has been cleared, although in reality the change hasn't actually been saved to disk yet. To do that, you'll need to type "!" to quit the user menu, followed by "q" to quit the main password recovery menu. See Figure 8. You will then be prompted to save any changes which have been made, and to do so, you will have to type "y" and hit <enter>. The utility will proceed by asking you if you want to do another run of the program. In our case we don't, so I just hit <enter> to select the default of no. The chntpw utility then finishes by returning us to a Linux shell and informs us that we can reboot the computer by hitting CTRL-ALT-DEL--see Figure 9.
Now let's test this sucker out. Upon booting back into Windows Vista, you can see in Figure 10 that as soon as I click the standard_admin user we are immediately welcomed into Vista and logged into the account--no password required! So the password reset utility worked! In Figure 11, we can see that our data file of interest, the lorem ipsum file, is intact and readable--so we have not lost access to our user data due to the password reset.
If we repeat the same process of clearing the password for the efs_admin account and reboot back into Windows Vista, we find we can login successfully, just like the standard_admin account. However, as shown in Figure 12, we have lost access to our EFS encrypted files!
Figure 12 illustrates how users with EFS encrypted data will lose access to this data if a password reset or change occurs from OUTSIDE of the operating system. This is due to the fact that the private key of the user's EFS certificate, which is what ultimately protects the user's encrypted data, is itself stored encrypted under a key derived from the user's password. Therefore, when a password reset or change is done outside of the operating system, the ability to decrypt the certificate's private key is lost. This means that on an EFS account, a password clearing or change with a third party utility is out of the question if you want to be able to recover your encrypted data. So where does that leave us? Well, it really means that somehow we need to find out exactly what the original password was. There are a few proactive measures for password recovery which Windows XP and Vista do offer. For instance, you can create a password reset file on a thumb drive or other removable media which you can then keep somewhere safe and tucked away. Then, when you forget your password, simply insert this media and reset the password as described on many websites. Another proactive measure is to import a backup of your EFS key certificate which you, hopefully, made! In my case, I did make one, and the steps are briefly described here. I simply insert my thumb drive which contains the backed up certificate and double click the backed up certificate file to automatically start the Certificate Import Wizard (Figure 13). I click "Next" to continue and am prompted to specify the certificate file to import. This has already been selected since I double clicked on the backed up certificate to begin with, so I simply click "Next" again (Figure 14).
I then am prompted to enter the password which is protecting the certificate file, select various key options and click "Next" (Figure 15). Windows Vista then wishes to know where to store the certificate once imported and I simply leave the selection as automatic by clicking "Next" again (Figure 16).
To finish the process of the certificate import all I have to do now is click "Finish" (Figure 17) and we can see that the operation was successful (Figure 18).
Now, if we try to open our lorem ipsum file, we find that we have regained access! (Figure 19). Great!
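The three outcomes above (an in-Windows password change keeps EFS data readable, an offline reset with chntpw does not, and importing the backed-up certificate restores access) all follow from the EFS private key being wrapped under a password-derived key. The model below is an added illustration and not Windows' own DPAPI/EFS code: the account, the hash, the salt and the HMAC-keystream XOR "cipher" are constructed stand-ins chosen so the example runs offline, and `LOREM` stands in for the lorem ipsum test file.

```python
import hashlib, hmac, os
from typing import Optional

LOREM = b"Lorem ipsum dolor sit amet"  # constructed stand-in for the test data file

def kdf(password: str, salt: bytes) -> bytes:
    """Password-derived wrapping key (stand-in for the DPAPI master key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, 32)

def xor_wrap(key: bytes, data: bytes) -> bytes:
    """Toy wrap/unwrap: XOR with an HMAC keystream. XOR is its own inverse."""
    stream = b""
    while len(stream) < len(data):
        stream += hmac.new(key, str(len(stream)).encode(), "sha256").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Account:
    def __init__(self, password: str):
        self.efs_key = os.urandom(32)                   # EFS certificate private key
        self.fingerprint = hashlib.sha256(self.efs_key).digest()
        self.file = xor_wrap(self.efs_key, LOREM)       # the "encrypted" lorem ipsum file
        self.nt_hash = hashlib.sha256(password.encode()).digest()  # stand-in for the NT hash
        self.salt = os.urandom(16)
        self.wrapped_key = xor_wrap(kdf(password, self.salt), self.efs_key)

    def logon(self, password: str) -> bool:
        return hmac.compare_digest(self.nt_hash, hashlib.sha256(password.encode()).digest())

    def read_file(self, password: str) -> Optional[bytes]:
        """Log on, unwrap the EFS key with the password, then decrypt the file."""
        if not self.logon(password):
            return None
        key = xor_wrap(kdf(password, self.salt), self.wrapped_key)
        if hashlib.sha256(key).digest() != self.fingerprint:
            return None  # wrong password-derived key yields garbage, not the EFS key
        return xor_wrap(key, self.file)

    def change_password_in_windows(self, old: str, new: str) -> None:
        """Windows knows the old password, so it can re-wrap the key under the new one."""
        if not self.logon(old):
            raise ValueError("old password required")
        key = xor_wrap(kdf(old, self.salt), self.wrapped_key)
        self.nt_hash = hashlib.sha256(new.encode()).digest()
        self.wrapped_key = xor_wrap(kdf(new, self.salt), key)

    def offline_reset(self) -> None:
        """What chntpw does from the boot CD: blank the hash; the wrapped key is untouched."""
        self.nt_hash = hashlib.sha256(b"").digest()

    def export_backup(self, password: str, pfx_password: str) -> bytes:
        """Certificate export: the private key wrapped under the backup file's own password."""
        key = xor_wrap(kdf(password, self.salt), self.wrapped_key)
        return xor_wrap(kdf(pfx_password, b"pfx-salt"), key)

    def import_backup(self, blob: bytes, pfx_password: str, current_password: str) -> None:
        """Certificate Import Wizard: unwrap the backup, re-wrap under the current password."""
        key = xor_wrap(kdf(pfx_password, b"pfx-salt"), blob)
        self.wrapped_key = xor_wrap(kdf(current_password, self.salt), key)
```

After `offline_reset()` the blank password logs on, exactly as in Figure 12, but `read_file("")` returns `None` until the backup is imported.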
Let's consider one final scenario. What if we have an account we need to recover that is using EFS, but we don't have any proactive password recovery measures we can utilize, such as a Microsoft password reset file or an EFS certificate key backup? At this point, we pretty much need to "crack" the password somehow. On Windows NT, 2000 and XP systems, this actually isn't such a difficult task. Passwords stored on these systems use a fairly weak cryptographic hashing scheme named LM, the LAN Manager hashing algorithm. LM hashes are quite insecure due to a number of algorithm details which greatly reduce the keyspace, such as: converting all characters to upper-case, null padding or truncating passwords to 14 bytes in length, and splitting each fixed length password into two 7 byte halves which are hashed independently. Modern computers are quite capable of mounting a brute-force attack on an LM keyspace and succeeding within several hours. Precomputation techniques such as rainbow tables (a time-memory trade-off) allow extremely efficient cracking of LM hashed passwords. User friendly implementations of rainbow tables, such as Ophcrack, allow a user to simply insert a boot CD into a system and automatically crack all the LM hashed accounts--usually within a few minutes! One thing Microsoft was being honest about was the fact that Vista is more secure... at least when it comes to passwords anyway. Windows Vista has disabled the weaker LM password hashing scheme and enabled NTLM password hashing (the NT hash) as the default. NTLM passwords are much, much more difficult to crack than LM hashed passwords. This is ultimately due to the keyspace, which is many orders of magnitude larger for NTLM hashes: the password keeps its case, is not truncated to 14 bytes, and is hashed as a whole rather than in two halves. Brute force cracking attempts on NTLM hashed passwords are possible--especially on short, weak passwords--but become much more difficult if the password is long and/or strong. For instance, there are publicly available rainbow tables for NTLM which will crack passwords of up to 6 alphanumeric characters with symbols.
However, if you have a stronger password, say of 10 or more characters with symbols mixed in, then good luck! You might think that you can generate your own NTLM rainbow tables with a tool such as Winrtgen, available in the Cain and Abel security package, and you can! However, take a look at Figure 20. On my modern computer, in order to generate the rainbow tables for an 8 character password with mixed alphanumerics and symbols, it will take approximately 24 Terabytes of hard drive space and 96 years of computation time. Definitely not worth it!
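To put numbers on the "orders of magnitude" claim, the added example below (not code from the post or from any of the tools it names) models the LM pre-processing steps the text lists and counts the candidates an attacker would have to try against an LM hash versus an NT hash. It assumes the 95 printable ASCII characters as the alphabet and folds case with ASCII `upper()`, standing in for the OEM code page conversion real LM uses; it does not compute the DES or MD4 hashes themselves.

```python
import string

PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "  # 95 chars
LM_CHARS = sorted(set(PRINTABLE.upper()))  # case folding leaves 69 distinct symbols

def lm_halves(password: str) -> tuple:
    """LM pre-processing: upper-case, pad/truncate to 14 bytes, split into 7-byte halves."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return raw[:7], raw[7:]

def lm_keyspace() -> int:
    """Candidates to exhaust for one LM hash.

    Each 7-byte half is attacked on its own, so the cost is two independent
    searches over strings of length 0..7 from the 69 case-folded symbols
    (length 0 is the all-null half, which has a constant hash)."""
    per_half = sum(len(LM_CHARS) ** k for k in range(8))
    return 2 * per_half

def nt_keyspace(max_length: int, alphabet: int = len(PRINTABLE)) -> int:
    """Candidates of length 1..max_length for an NT hash: full alphabet, no split."""
    return sum(alphabet ** k for k in range(1, max_length + 1))

def orders_of_magnitude(n: int) -> int:
    return len(str(n)) - 1

def same_lm_input(a: str, b: str) -> bool:
    """True when two passwords are indistinguishable once LM has pre-processed them."""
    return lm_halves(a) == lm_halves(b)

if __name__ == "__main__":
    print("LM candidates:          ", lm_keyspace())
    print("NT candidates, <=6 chars:", nt_keyspace(6))   # the public-table range in the text
    print("NT candidates, <=8 chars:", nt_keyspace(8))   # the Winrtgen run in Figure 20
    print("NT candidates, <=14 chars:", nt_keyspace(14))
    print("LM vs NT(14), orders of magnitude apart:",
          orders_of_magnitude(nt_keyspace(14)) - orders_of_magnitude(lm_keyspace()))
```

Note that a 14-character mixed-case password costs an LM attacker no more than two 7-character searches, which is why the LM half of an XP hash falls in minutes while the same password's NT hash is out of reach.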
You might be able to try a distributed computing attack, but in the end you'd probably have to resort to some very expensive third-party services specializing in cryptography if you want to have any hope at all. If there is an easier solution to cracking strong NTLM password hashes that I haven't mentioned, then please tell me about it! To summarize this blog, the following are the simple steps I took to reset (clear) an Administrator password in Windows Vista:
Additionally, a flash video is available below which shows me going through the process of clearing a password with Petter's chntpw utility. You can click the full-screen button on the player to view the video better. You can also pause and resume the video numerous times to examine the output, as the video moves along quite quickly.
Last Updated ( Wednesday, 07 May 2008 14:10 )