Monday, March 24, 2014

Lost the Windows administrator password? That is easy to fix with chntpw

It is not unusual for a Windows user to call me asking how to find out the administrator password. In this article I show, step by step, how to reset the Windows password using a Linux live CD.

First, boot the machine with the live CD in the drive. Any Linux distribution will do; in this example I use a Debian-based distro. Open a text terminal as root and type:

# fdisk -l

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders, total 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x358af8eb

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
/dev/sda2          206848    41940991    20867072    7  HPFS/NTFS/exFAT

Note that in this case the Windows partition is /dev/sda2. We need to mount it with write permission.

# mkdir /mnt/sda2
# ntfs-3g /dev/sda2 /mnt/sda2

With the partition mounted, we now need to find the SAM file.

# find /mnt/sda2/ -name SAM
/mnt/sda2/Windows/System32/config/RegBack/SAM
/mnt/sda2/Windows/System32/config/SAM

Of the two locations, it is clear that the first one is a backup. Let's go into the second directory.

# cd /mnt/sda2/Windows/System32/config

Now let's install the chntpw program:

# apt-get install chntpw

After the installation, type:

# chntpw -l SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 247/20128 blocks/bytes, unused: 18/4256 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador                  | ADMIN  | dis/lock |
| 01f5 | Convidado                      |        | dis/lock |
| 03e8 | ricardo                        | ADMIN  |          |

We can see there are three users, two of which are disabled/locked, including Administrador. First let's change the password of the user "ricardo".

# chntpw -l SAM -u ricardo
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 247/20128 blocks/bytes, unused: 18/4256 blocks/bytes.


* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador                  | ADMIN  | dis/lock |
| 01f5 | Convidado                      |        | dis/lock |
| 03e8 | ricardo                        | ADMIN  |          |


---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : -1 -> Not Set (not installed, good!)
SAM      Account\F             : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!

RID     : 1000 [03e8]
Username: ricardo
fullname:
comment :
homedir :

User is member of 1 groups:
00000220 = Administradores (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 8

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] 

Type option "1" to leave the user with a blank password.

Hives that have changed:
 #  Name
 0  
Write hive files? (y/n) [n] :

Digite "y" para salvar o arquivo SAM

 0   - OK

Now let's enable the administrator account:

# chntpw -l SAM -u Administrador

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] 

Digite "4".

Unlocked!

Hives that have changed:
 #  Name
 0  
Write hive files? (y/n) [n] : 

Digite "y" para salvar.

 0   - OK

We can also promote the user "ricardo" to Windows administrator.

# chntpw -l SAM -u ricardo

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] 

Digite "3".

NOTE: This function is still experimental, and in some cases it
      may result in stangeness when editing user/group in windows.
      Also, users (like Guest often is) may still be prevented
      from login via security/group policies which is not changed.
Do you still want to promote the user? (y/n) [n]

Digite "y".

User is member of 1 groups.
User was member of groups: 00000220 =Administrators,
Deleting user memberships
Adding into only administrators:
Promotion DONE!

Hives that have changed:
 #  Name
 0  
Write hive files? (y/n) [n] :

Digite "y" para salvar o arquivo.

 0   - OK

Let's verify that the user "ricardo" has become a system administrator.

# chntpw -l SAM
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador                  | ADMIN  |          |
| 01f5 | Convidado                      |        | dis/lock |
| 03e8 | ricardo                        | ADMIN  |          |


Now just reboot the machine and test logging in to Windows.
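As an added example (not part of the original post), the shell helpers below consolidate the checks done by hand above: picking the Windows partition out of an fdisk -l table, choosing the live SAM hive over the RegBack copy, and reading the chntpw -l account table to report which accounts are administrators and not locked, which is also a quick way to confirm the end result. The text they run on is constructed to mirror the post's output, so the script works without a disk or chntpw installed; on a real machine you would feed them the output of fdisk -l, of the find command and of chntpw -l SAM instead.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper functions for the
# manual steps above, exercised on constructed sample text.

# Constructed `fdisk -l` partition table, modelled on the one in the post
# (an extra Linux partition is added to show that non-NTFS entries are skipped).
SAMPLE_FDISK='   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
/dev/sda2          206848    41940991    20867072    7  HPFS/NTFS/exFAT
/dev/sda3        41940992    62914559    10486784   83  Linux'

# Constructed `find /mnt/sda2/ -name SAM` output: RegBack copy plus live hive.
SAMPLE_FIND='/mnt/sda2/Windows/System32/config/RegBack/SAM
/mnt/sda2/Windows/System32/config/SAM'

# Constructed `chntpw -l SAM` user tables: before and after the edits in the post.
SAMPLE_CHNTPW_BEFORE='| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador                  | ADMIN  | dis/lock |
| 01f5 | Convidado                      |        | dis/lock |
| 03e8 | ricardo                        | ADMIN  |          |'
SAMPLE_CHNTPW_AFTER='| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador                  | ADMIN  |          |
| 01f5 | Convidado                      |        | dis/lock |
| 03e8 | ricardo                        | ADMIN  |          |'

# Print the largest NTFS partition (Id 7) in an `fdisk -l` table. The small
# NTFS partition is the boot/System Reserved one; the big one holds \Windows.
windows_partition() {
    printf '%s\n' "$1" | awk '
        BEGIN { best = 0; dev = "" }
        $1 ~ /^\/dev\// {
            # the Boot column ("*") is optional, so field positions shift by one
            if ($2 == "*") { blocks = $5; id = $6 } else { blocks = $4; id = $5 }
            if (id == "7" && blocks + 0 > best) { best = blocks + 0; dev = $1 }
        }
        END { if (dev != "") print dev }'
}

# Print the live SAM hive from `find` output, skipping the RegBack backup copy.
pick_live_sam() {
    printf '%s\n' "$1" | grep -v '/RegBack/' | head -n 1
}

# Print usernames flagged ADMIN whose Lock? column is empty (enabled admins)
# from a `chntpw -l` table, one per line.
enabled_admins() {
    printf '%s\n' "$1" | awk -F'|' '
        $2 ~ /^ [0-9a-f]+ $/ {           # data rows have a hex RID in column 2
            name = $3;  gsub(/^ +| +$/, "", name)
            admin = $4; gsub(/ /, "", admin)
            lock = $5;  gsub(/ /, "", lock)
            if (admin == "ADMIN" && lock == "") print name
        }'
}

# Usage on the constructed samples. On a live CD you would pass
# "$(fdisk -l)", "$(find /mnt/sda2/ -name SAM)" and "$(chntpw -l SAM)".
echo "Windows partition : $(windows_partition "$SAMPLE_FDISK")"
echo "Live SAM hive     : $(pick_live_sam "$SAMPLE_FIND")"
echo "Enabled admins before: $(enabled_admins "$SAMPLE_CHNTPW_BEFORE" | tr '\n' ' ')"
echo "Enabled admins after : $(enabled_admins "$SAMPLE_CHNTPW_AFTER" | tr '\n' ' ')"
```

Two caveats for anyone relying on this as a recovery procedure: it only works while the volume is unencrypted (a BitLocker-protected partition cannot be mounted and edited this way), and clearing a password offline makes anything protected by that account's DPAPI master key, such as EFS-encrypted files and saved credentials, inaccessible. The same facts are the defensive lesson of the post: with physical access and a live CD, an unencrypted SAM can be edited by anyone, so full-disk encryption is what actually protects the account database.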