From: David Hibbeln [dhibbeln@TCCPA.NET]
Sent: Friday, March 16, 2001 8:36 AM
To: FORENSICS@SECURITYFOCUS.COM
Subject: Password Recover and Partition Recovery Tools - Compilation

Folks,

I pass these links on. I have not used them, and cannot vouch for them. Any comments, additions, suggestions welcome.

Partition Recovery:

FAT12 FAT16 FAT32 - Linux - Linux SWAP (version 1 and 2) - NTFS (Windows NT) - BeFS (BeOS) - UFS (BSD) - Netware

Look for TestDisk
http://www.esiea.fr/public_html/Christophe.GRENIER/

    Data recovery
    If you need to access (read/write) your files stored on an NTFS partition, you can use my NTFS driver.
    If you have a lost partition or a strange problem with your hard disk partitions, you can try TestDisk.

Password Recovery:

This is a compilation of suggestions made on the SECURITY-BASICS@SECURITYFOCUS.COM mailing list in answer to the question of how to recover the admin password on an NT box.

One:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
Offline NT Password & Registry Editor, Bootdisk

Two:
http://www.esiea.fr/public_html/Christophe.GRENIER/

    Password recovery
    BIOS setup can be password protected. You can get back your password with CmosPwd.
    LILO, Linux Loader, stored passwords in clear text; you can get them with LiloPwd.

Three:
Boot off a Linux floppy, snag the SAM, make the appropriate adjustments, and restart with NT. Full details are available here:
http://www.securityhorizon.com/whitepapers/ntdisk.html

Four:
Boot from a floppy with NTFS DOS (www.winternals.com); it allows you to copy the SAM and use l0pht on another system.

Five:
Change the user's password in usrmgr and log onto the box as them, if the box is still on the domain. If the box is not on the domain you can use a tool from www.systernals.com or do a parallel install of the operating system.

Six:
If you read all of the documentation for L0pht crack there is a command line version and in the documentation it references a program that will allow you to create a boot disk and read NTFS file systems from the boot disk... it's NTFSDOS and if you use it read only it's free... what I do when that happens is I just boot off the NTFS boot disk, copy the SAMs file to disk and take the disk to another workstation running l0pht crack and crack the passwd there.. this works great, done it a million times.. all of the documentation for this comes with l0pht crack.

Seven:
Another that costs money is Locksmith, by the guys at Winternals (www.winternals.com).

Another method, if you don't care about keeping the SAM (that is, the users and their passwords) on the local machines, is to boot up the NT4.0 CD and to "repair" the SAM. Generally speaking, it will get rid of all of the accounts and passwords, leaving only a newly created "administrator" account with no password... a very handy tip that has helped me recover "locked out" machines in the past. However, if there are accounts and passwords that cannot be easily recreated on that workstation, it's not recommended. However, this method has the upside of being FREE. Generally, it's not that difficult to get people using the workstation to just get new accounts. Of course, the other downside is having to reset ACLs on the machine if you have them set differently from the default.

Regards,

David R. Hibbeln
h 973-728-0192
w 201-487-7744
dhibbeln@tccpa.net

***************************************************
This e-mail is sent with 100% recyclable electrons.
***************************************************

ASCII RIBBON CAMPAIGN AGAINST HTML MAIL