Offline password changing on Windows (7 Home) with Kali

Many tools can unlock a user account and clear its password, for example Offline Windows Password & Registry Editor, but they only support a few architectures. Therefore I tried the chntpw program on Kali Live. This procedure works on all versions of Windows.

After starting the Kali live CD / USB, we need to determine which partition is the Windows system partition. You can use a program such as gparted. My Windows system partition is sda2. Let's mount it:

root@kali:~# mount /dev/sda2 /mnt/

Create a backup:

root@kali:~# cp /mnt/Windows/System32/config/SAM /mnt/Windows/System32/config/SAM_bck-20150301
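The single cp above is enough for a one-off job, but once chntpw has written the hive there is no way to tell whether the copy is intact or whether the live SAM still matches it. The following POSIX shell helpers are an added example, not part of the original post: they time-stamp the backup, record a SHA-256 of it, can report whether the live hive has diverged from the backup, and restore it only after checking the backup itself is uncorrupted. The hive and backup paths are assumptions passed in as arguments; the defaults mirror the mount point used above.

```shell
#!/bin/sh
# Added example (not from the original post): back up a registry hive with a
# timestamp and a SHA-256 record, detect later changes, and restore it safely.
# Assumed usage: backup_hive /mnt/Windows/System32/config/SAM /root/hive-backups

backup_hive() {
    # $1 = path to the hive, $2 = directory that will hold the backup
    hive="$1"; outdir="$2"
    [ -f "$hive" ] || { echo "hive not found: $hive" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$outdir/$(basename "$hive")_bck-$stamp"
    cp -p "$hive" "$dest" || return 1
    # record the hash next to the copy so it can be checked before any restore
    sha256sum "$dest" | awk '{print $1}' > "$dest.sha256"
    # refuse to report success unless the copy matches the original byte for byte
    orig=$(sha256sum "$hive" | awk '{print $1}')
    copy=$(cat "$dest.sha256")
    [ "$orig" = "$copy" ] || { echo "backup hash mismatch" >&2; return 1; }
    # print the backup path so a caller can capture it with $(...)
    echo "$dest"
}

hive_changed() {
    # $1 = live hive, $2 = backup path; returns 0 when the live hive no longer
    # matches the hash recorded at backup time (i.e. something rewrote it)
    hive="$1"; backup="$2"
    recorded=$(cat "$backup.sha256")
    current=$(sha256sum "$hive" | awk '{print $1}')
    [ "$current" != "$recorded" ]
}

restore_hive() {
    # $1 = live hive, $2 = backup path; copies the backup back over the hive,
    # but only after proving the backup still matches its recorded hash
    hive="$1"; backup="$2"
    recorded=$(cat "$backup.sha256")
    actual=$(sha256sum "$backup" | awk '{print $1}')
    [ "$actual" = "$recorded" ] || { echo "backup is corrupt, refusing" >&2; return 1; }
    cp -p "$backup" "$hive"
}
```

Run backup_hive before starting chntpw and keep the printed path; after chntpw has written the hive, hive_changed confirms that the write actually happened, and restore_hive puts the original SAM back if the edit turns out to be wrong.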

The default Kali version of chntpw is broken: when I finished the unlocking process and tried to quit and save the changes to the SAM file, the program could not quit and got stuck in a loop. We need to downgrade chntpw:

root@kali:~# wget http://launchpadlibrarian.net/15221455/chntpw_0.99.5-0%2Bnmu1_i386.deb
root@kali:~# dpkg -i chntpw_0.99.5-0+nmu1_i386.deb
dpkg: warning: downgrading chntpw from 0.99.6-3kali3 to 0.99.5-0+nmu1

Now, we can start the unlocking and password clearing process:

root@kali:~# chntpw -i /mnt/Windows/System32/config/SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0xf000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 255/51992 blocks/bytes, unused: 7/5160 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0

======== chntpw Main Interactive Menu ========

Loaded hives:

1 - Edit user data and passwords
2 - Syskey status and change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] -: 1

===== chntpw Edit User Info and Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03eb | HomeGroupUser$ | | |
| 01f4 | Rendszergazda | ADMIN | dis/lock |
| 03e8 | user | ADMIN | dis/lock |
| 01f5 | Vendeg | | dis/lock |
| 03e9 | Zsofi | | dis/lock |

Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Rendszergazda] 0x01f4

RID : 0500 [01f4]
Username: Rendszergazda
fullname:
comment : Beepitett fiok a gep/tartomany felugyeletehez
homedir :

User is member of 1 groups:
00000220 = Rendszergazdak (which has 2 members)

Account bits: 0x0211 =
[X] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 2, while max tries is: 0
Total login count: 1

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q] : 1
Password cleared!

Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Rendszergazda] 0x01f4

RID : 0500 [01f4]
Username: Rendszergazda
fullname:
comment : Beepitett fiok a gep/tartomany felugyeletehez
homedir :

User is member of 1 groups:
00000220 = Rendszergazdak (which has 2 members)

Account bits: 0x0211 =
[X] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 2, while max tries is: 0
Total login count: 1
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Sorry, cannot change. Try login with no password!

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q] : 4
Unlocked!

Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Rendszergazda] !

======== chntpw Main Interactive Menu ========

Loaded hives:

1 - Edit user data and passwords
2 - Syskey status and change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] : q

Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y
0 - OK

Now, we are ready to reboot:

root@kali:~# reboot