Thursday, January 2, 2014

Kali Forensics: chntpw

Menu: Forensics -> Password Forensics Tools
Directory: N/A
Official website: http://pogostick.net/~pnh/ntpasswd/
License: GPL 2

Now that Kali Linux is out, I will continue exploring the forensics tools that ship with the distribution and were not available in BackTrack, using the application menu as a guide.

The first tool is "chntpw", which is not strictly a forensic tool: it is basically an offline password reset utility for Windows. You shut down the Windows machine, boot it from a CD or USB stick that has chntpw installed (e.g. Kali), mount the Windows partition and point chntpw at the SAM and SYSTEM hives (the SYSTEM hive is needed because it holds the key the SAM hashes are encrypted with). Besides blanking a password, the tool can set a new one, unlock or promote an account, and edit the registry directly (the "-e" option).

Here is an example:

The help is available via the usual "-h" option:

I have a sample SAM and system hive taken from a Hungarian Windows XP installation. We can list the users with:

chntpw -l SAM system


As we can see, it lists the available users together with some extra information, such as the lock status and whether the account is an administrator. Listing is read-only: chntpw only writes to the hives if you answer "y" at its final "Write hive files?" prompt.

If we know which account to reset, we pass the user name together with the same hives:

chntpw -u Csabi SAM system

and it will offer us various options (blank the password, set a new one, unlock or promote the account, etc.) as you can see on the screenshot below. Blanking is the safer choice; setting a new password is flagged as risky by the tool itself on XP and Vista. Keep in mind that any offline reset makes the user's EFS-encrypted files and stored credentials unrecoverable, and that it modifies the hives, so in a forensic context work on a copy of the image, never on the evidence.


We can also run the tool in full interactive mode with the "-i" option, which presents the same user list and per-user menu without having to know the user name in advance.
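The listing and reset steps above, wrapped in a small POSIX sh script as an added example (this is my own code, not part of the original post or of the chntpw project). It locates the hives under a mounted Windows volume regardless of letter case (XP names the second hive "system", later versions "SYSTEM"), refuses to proceed if the volume looks hibernated, takes a SHA-256 hashed backup of both hives so the original state can be proven later, and only then calls chntpw. It assumes the Windows partition is already mounted at the path given as the first argument (for example with ntfs-3g) and that chntpw is in PATH; the path /mnt/win, the user name Csabi and the backup directory in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post or the chntpw project.
# Usage: sh chntpw-wrap.sh <mounted-windows-root> [user] [backup-dir]
# Assumes the Windows volume is mounted at <mounted-windows-root> and
# chntpw is in PATH. Nothing runs unless arguments are given.

# Print the path of hive "$2" (SAM or SYSTEM) below mounted root "$1".
# Windows paths are case-insensitive but Linux paths are not, so use -ipath.
find_hive() {
    find "$1" -maxdepth 4 -type f -ipath "*/system32/config/$2" 2>/dev/null | head -n 1
}

# A hiberfil.sys at the volume root means Windows was hibernated (or left in
# fast-startup state): the on-disk hives are stale and any change we make
# would be overwritten when Windows resumes, so refuse to continue.
check_not_hibernated() {
    [ ! -e "$1/hiberfil.sys" ] && [ ! -e "$1/HIBERFIL.SYS" ]
}

# Copy both hives from root "$1" into directory "$2" and record SHA-256
# hashes beside them, so the pre-change state can be restored or proven.
backup_hives() {
    root=$1; dest=$2
    sam=$(find_hive "$root" SAM); sys=$(find_hive "$root" SYSTEM)
    if [ -z "$sam" ] || [ -z "$sys" ]; then
        echo "SAM/SYSTEM hives not found under $root" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    cp -p "$sam" "$dest/SAM.orig" && cp -p "$sys" "$dest/SYSTEM.orig" || return 1
    ( cd "$dest" && sha256sum SAM.orig SYSTEM.orig > SHA256SUMS ) || return 1
}

# Verify a backup directory written by backup_hives (exit 0 if intact).
verify_backup() {
    ( cd "$1" && sha256sum -c --status SHA256SUMS )
}

# List users with chntpw -l; if a user name is given, open its edit menu
# with chntpw -u (this part is interactive: chntpw asks what to do and
# whether to write the hives back).
chntpw_users() {
    root=$1; user=${2:-}
    sam=$(find_hive "$root" SAM); sys=$(find_hive "$root" SYSTEM)
    chntpw -l "$sam" "$sys" || return 1
    if [ -n "$user" ]; then
        chntpw -u "$user" "$sam" "$sys"
    fi
}

main() {
    root=$1; user=${2:-}; backup=${3:-./hive-backup}
    if ! check_not_hibernated "$root"; then
        echo "$root looks hibernated; boot Windows and shut it down fully first" >&2
        exit 2
    fi
    backup_hives "$root" "$backup" || exit 1
    chntpw_users "$root" "$user"
}

# Example invocation (illustrative paths):
#   sh chntpw-wrap.sh /mnt/win Csabi /root/hive-backup
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The backup step is what makes this usable in a forensic setting: chntpw rewrites the hive in place when you confirm the write, so the hashed copies are the only record of what the SAM looked like before the reset.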
