It is not unusual for a Windows user to call me asking how to find out the administrator password. In this article I show, step by step, how to reset a Windows password using a Linux live CD.
First, boot the machine with the live CD in the drive. Any Linux distribution will do; in this example I use a Debian-based distro. Open a text terminal as root and type:
# fdisk -l
Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders, total 41943040 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x358af8eb
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 206847 102400 7 HPFS/NTFS/exFAT
/dev/sda2 206848 41940991 20867072 7 HPFS/NTFS/exFAT
Note that, in this case, the Windows partition is /dev/sda2. We need to mount it with write permission.
# mkdir /mnt/sda2
# ntfs-3g /dev/sda2 /mnt/sda2
With the partition mounted, we now need to find the SAM file.
# find /mnt/sda2/ -name SAM
/mnt/sda2/Windows/System32/config/RegBack/SAM
/mnt/sda2/Windows/System32/config/SAM
Of the two folders, the first is clearly a backup. Let's go into the second one.
# cd /mnt/sda2/Windows/System32/config
Now let's install the chntpw program:
# apt-get install chntpw
After installation, type:
# chntpw -l SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 247/20128 blocks/bytes, unused: 18/4256 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador | ADMIN | dis/lock |
| 01f5 | Convidado | | dis/lock |
| 03e8 | ricardo | ADMIN | |
We can see that there are three users, two of which are locked, including the Administrator. First, let's change the password of the user "ricardo".
# chntpw -l SAM -u ricardo
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 247/20128 blocks/bytes, unused: 18/4256 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador | ADMIN | dis/lock |
| 01f5 | Convidado | | dis/lock |
| 03e8 | ricardo | ADMIN | |
---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
RID : 1000 [03e8]
Username: ricardo
fullname:
comment :
homedir :
User is member of 1 groups:
00000220 = Administradores (which has 2 members)
Account bits: 0x0214 =
[ ] Disabled | [ ] Homedir req. | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 8
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q]
Type option "1" to leave the user with no password.
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] :
Digite "y" para salvar o arquivo SAM
0 - OK
Now let's enable the "Administrador" (Administrator) account.
# chntpw -l SAM -u Administrador
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q]
Digite "4".
Unlocked!
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] :
Digite "y" para salvar.
0 - OK
We can also promote the user "ricardo" to Windows administrator.
# chntpw -l SAM -u ricardo
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q]
Digite "3".
NOTE: This function is still experimental, and in some cases it
may result in stangeness when editing user/group in windows.
Also, users (like Guest often is) may still be prevented
from login via security/group policies which is not changed.
Do you still want to promote the user? (y/n) [n]
Digite "y".
User is member of 1 groups.
User was member of groups: 00000220 =Administrators,
Deleting user memberships
Adding into only administrators:
Promotion DONE!
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] :
Digite "y" para salvar o arquivo.
0 - OK
Let's check whether the user "ricardo" has become a system administrator.
# chntpw -l SAM
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador | ADMIN | |
| 01f5 | Convidado | | dis/lock |
| 03e8 | ricardo | ADMIN | |
Now just reboot the machine and test the Windows login.
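As an added example (not part of the original post), the following Python decodes the "Account bits" value that chntpw prints and compares the two user listings above, flagging the transitions an offline SAM edit leaves behind (a built-in account that went from dis/lock to enabled, an account that gained admin) so that someone reviewing a hive can spot them. The bit masks follow the order of chntpw's flag box, and the sample tables are constructed from the listings in this post.

```python
import re

# SAM account-control bits, in the order chntpw prints its "Account bits" box.
ACB_FLAGS = [
    (0x0001, "Disabled"), (0x0002, "Homedir req."), (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"), (0x0010, "Normal account"), (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"), (0x0080, "Wks trust act."), (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"), (0x0400, "Auto lockout"),
]
# One data row of the "| RID | Username | Admin? | Lock? |" table printed by chntpw -l.
ROW_RE = re.compile(r"^\|\s*([0-9a-f]{4})\s*\|\s*(.*?)\s*\|\s*(ADMIN)?\s*\|\s*(dis/lock)?\s*\|$")

# Constructed sample input: the listings shown in the post, before and after the edits.
BEFORE = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrador | ADMIN | dis/lock |
| 01f5 | Convidado | | dis/lock |
| 03e8 | ricardo | ADMIN | |
"""
AFTER = """\
| 01f4 | Administrador | ADMIN | |
| 01f5 | Convidado | | dis/lock |
| 03e8 | ricardo | ADMIN | |
"""

def decode_account_bits(bits):
    """Return the flag names set in an 'Account bits' value such as 0x0214."""
    return [name for mask, name in ACB_FLAGS if bits & mask]

def parse_user_table(text):
    """Map RID -> {name, admin, locked} from a chntpw user listing; header rows are skipped."""
    users = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rid, name, admin, lock = m.groups()
            users[int(rid, 16)] = {"name": name, "admin": bool(admin), "locked": bool(lock)}
    return users

def audit(before, after):
    """List transitions a reviewer should question: accounts unlocked, promoted or added."""
    findings = []
    for rid, new in after.items():
        old = before.get(rid)
        if old is None:
            findings.append(f"RID {rid}: account {new['name']} did not exist before")
            continue
        if old["locked"] and not new["locked"]:
            findings.append(f"RID {rid}: {new['name']} was enabled/unlocked")
        if not old["admin"] and new["admin"]:
            findings.append(f"RID {rid}: {new['name']} gained admin")
    return findings
```

Run against the two listings, the audit reports only RID 500 (Administrador) changing from dis/lock to enabled, and 0x0214 decodes to the three boxes chntpw ticked for "ricardo".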