Clearing Administrator Passwords

Implementing PC Security
Name: ____________________
150-151
Score: ______ / 10 (10 points)
Overview
Users frequently forget their passwords. If the forgotten password is the only Administrator password on a Windows XP computer, the computer is rendered useless. This lab will show you how to clear the Administrator password (or any other Windows XP user password) so that the operating system can be accessed. Note: this can also help recover computers when employees leave but forget to clear their password. Remember that as a student of MSTC you are held accountable for the Core Abilities, which include Act with Integrity.
Try This First
All new Windows XP installations are created with an Administrator account (with this name). Often, users will not disable it, rename it or reset its password (see Security Tips below). They simply create new accounts, some of which may also have administrator rights. You might be able to log in to this Administrator account using the default password to regain access to a computer.
1. Using User Accounts (Control Panel), add a password to the Student user (I recommend student or password). Restart the virtual machine (rt-Alt-Del).
2. The Windows XP Welcome screen appears asking for the password to the Student account. Note the default Administrator account is not visible unless there are no other users.
3. To try to access the Administrator account, you'll have to switch to the login mode that uses a dialog box. With the Welcome Screen visible, press Alt-Ctrl-Delete (right-Alt-Delete in Virtual PC). Note: ensure no user icon is highlighted before pressing Alt-Ctrl-Delete. You might have to press Alt-Ctrl-Delete (rt-Alt-Delete) twice.
4. Enter Administrator in the User name: box.
5. Usually, the Administrator password is just blank. If that doesn't work, try Admin or admin. You can try others if you wish, but if neither of those works, I use EBCD.
6. What password provided you access to the Administrator account?
7. Access User Accounts in the Control Panel. Take a screen snapshot that shows the availability of the Administrator account and the Student account (password protected), cropping out all but the two icons and their associated text.
   Paste the screen snap below this line.
8. Select the Student account and then click the Remove Password link. Note that as an administrator you have the ability to remove or change the passwords of other accounts—even other administrator accounts! Take a screen snapshot of the Student account icon that shows it is no longer password protected, cropping out all but the Student icon and its associated text.
   Paste the screen snap below this line.
9. That was too easy; don't you agree?
10. Set the Student password to a password of your choice.
    What password did you use?
Using EBCD
1. Next we'll assume the computer user has disabled the Administrator account (see Security Tips below for how to do this), so our attempts to crack it have failed.
2. We will use a program called Emergency Boot CD (EBCD). You can get a copy from the PC Security Tools folder on Smokey. This program creates a bootable CD that bypasses the normal boot sequence and operating system but still gives access to the hard drive. You can also download this program from this location.
3. Copy the entire EBCD Lite folder from Smokey to your host machine desktop or download it from the web site above.
4. Extract the EBCD files into the same folder as the self-extracting file.
   a. Open the EBCD Lite folder on your Desktop.
   b. Double-click the file there. This is a self-extracting zip file. When you run the file it will self-extract (unzip) the files it contains.
   c. In the dialog box that appears, change the destination folder to the EBCD Lite folder on your Desktop.
   d. Click the Install button.
5. (Optional) In the Read Me file that appears, read How to Build the CD (for the impatient). Close the Read Me file.
6. An ebcd-0.6.1-lite folder will be created inside your EBCD Lite folder on the Desktop. In that folder, you'll find the file makeebcd.exe. Double-click this file.
7. You should now see the EBCD061L.ISO file. This is the file (virtual CD) you will be linking to using your virtual machine. Close the black DOS window by pressing any key.
8. Instead of creating a boot CD, we'll test this program using a virtual machine and an ISO image of EBCD (virtual CD).
9. If necessary, start your virtual machine. If you didn't save your changes from the first half of this lab, add a password of your choosing to the Student account.
10. Restart the virtual machine and login as Student to ensure the password works.
11. Insert the EBCD or, if you’re using the ISO file, use the Virtual PC CD menu to Capture the
ISO image.
12. Restart the virtual machine (right-Alt-Delete).
13. The virtual machine should boot using the CD (image). A DOS-like Linux menu and command prompt (boot:) will appear.
14. Choose the NT password editor option.
Note: EBCD analyzes your computer and provides default options for prompts. In most
cases the default options are appropriate and all you have to do is press Enter. Read the
instructions below carefully.
15. When the file decompression finishes, you’ll be prompted to press Return to continue. Do
so.
16. Press Enter to accept the default response to Probe for SCSI drivers [n].
    Press Enter to accept the default drive containing Windows (hda1).
    Press Enter to accept the default Registry location (system32/config).
    Press Enter to accept the default Registry hive (SAM System Security).
17. Press Enter to select option 1 on the menu: Edit user data and passwords
18. Enter the name of the user account whose password you wish to change (Student).
    CAUTION: Linux is case-sensitive.
    NOTE: If you were clearing the password of the Administrator account, all you'd have to do is press ENTER.
19. Clear the password for the account by entering a star ( * ). Note: You could enter a new
password immediately, but EBCD recommends simply clearing the password (and using
Windows to set a new password).
20. Enter “y” to change the password.
20. Enter "y" to change the password.
21. Enter "!" to quit changing passwords.
22. Enter "q" to quit using EBCD.
23. Enter “y” to save the changes to the Registry hive.
24. Enter “y” again to confirm the change to the Registry hive.
25. EBCD has now stopped. Remove the CD or, if you’re using the ISO file, release the ISO
file (CD menu).
26. Restart the virtual machine.
27. Because there are no user accounts with passwords, Windows XP automatically starts the
machine with the default user.
28. Verify that you are actually logged in as Student and the password has been cleared. Select
User Accounts in the Control Panel. Take a screen snapshot of the Student account icon that
shows it is no longer password protected, cropping out all but the Student icon and its
associated text.
Paste the screen snap below this line.
29. If you are working on a lab machine, delete the EBCD folder you created on the host machine.
NOTE: EBCD is no longer supported by its creator. A new, free program is available called PC Login Now. Unfortunately, this program does not seem to run in a virtual machine. The program is also significantly larger than EBCD, though this shouldn't be an issue if you're burning a CD. It also seems to be significantly slower. You can get a copy of the PC Login Now ISO from www.pcloginnow.com and get tips on using the program from this site.
30. Submit this document to your instructor.
Extra Credit (5 points)
1. In your virtual machine, DISABLE the Administrator account (see Security Tips below). Use EBCD to (attempt to) clear the Administrator password. Read the question below before going through the process so you'll recognize the answer when you come upon it.
   How did the EBCD process change?
   Take a screenshot showing the change. Crop the snapshot appropriately.
   Paste the screen snap below this line.
2. Complete the password clear process. Attempt to login as the Administrator.
   Were you successful?
3. In your virtual machine, RENAME the Administrator account (see Security Tips below). Use EBCD to (attempt to) clear the Administrator password. Read the question below before going through the process so you'll recognize the answer when you come upon it.
   How did the EBCD process change?
   Take a screenshot showing the change. Crop the snapshot appropriately.
   Paste the screen snap below this line.
4. Complete the password clear process. Attempt to login as the Administrator.
   Were you successful?
5. What do you think would happen (change) if you RENAMED and DISABLED the Administrator account?
Security Tips
1. You can actually disable the Administrator account.
   a. Control Panel, Performance and Maintenance, Administrative Tools
   b. Local Security Policy
   c. Local Policies, Security Options
   d. Double-click the first item to disable the Administrator account
2. You can rename the Administrator account using the fourth (4th) item under Security Options.
3. Always change the Administrator password on your XP computer and require that additional administrator-level accounts have strong passwords.
4. Force users to login using the Login dialog box instead of the icons (Welcome Screen). This will force crackers to know both a user name and password.
   a. In the User Accounts window, click Change the way users log on and off
   b. Turn off the Welcome Screen option (icons)
   c. Change the Local Security policies to not show the name of the last user who logged on.
      - Local Policies, Security Options
      - Change Interactive logon: Do not display last user name
Combining all these tips can significantly improve your computer's security UNLESS the cracker has EBCD or PC Login Now. Crackers must know a user name (since they're not displayed) and the user's password to access the system. Social engineering can help with the user name; Cain can help with the password.
EBCD makes getting into a computer as an Administrator too easy—even if you rename the account or disable it.
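The four Security Tips above, applied from an elevated Command Prompt instead of the Control Panel dialogs, as an added example that is not part of this lab. It assumes Windows XP Professional (wmic.exe present), that the built-in account is still named Administrator, and that you replace the NEW_ADMIN_NAME placeholder before running it.

```batch
@echo off
REM Added example (not the lab's own steps): scripts Security Tips 1-4 on XP Pro.
REM Assumptions: run as an administrator, the built-in account is still called
REM Administrator, wmic.exe is available, and NEW_ADMIN_NAME is a placeholder.
set NEW_ADMIN_NAME=PLACEHOLDER_NewAdminName

REM Tip 3: give the built-in Administrator account a real password (prompts twice)
net user Administrator *

REM Tip 3: require a minimum length for every local account password
REM (8 is a chosen value; the lab only says "strong passwords")
net accounts /minpwlen:8

REM Tip 1: disable the built-in Administrator account
net user Administrator /active:no

REM Tip 4b: turn off the Welcome Screen so the classic logon dialog is used
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LogonType /t REG_DWORD /d 0 /f

REM Tip 4c: policy "Interactive logon: Do not display last user name"
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 1 /f

REM Tip 2: rename the account last, because the lines above use the old name
wmic useraccount where name="Administrator" call rename name="%NEW_ADMIN_NAME%"

REM Verification: the renamed account should report "Account active  No"
REM and the policy value should read back as 0x1
net user "%NEW_ADMIN_NAME%" | find "Account active"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLastUserName
```

As the tips themselves note, these settings only raise the bar for someone who has to log on through Windows; they do nothing against a boot CD such as EBCD that edits the registry hive offline.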
Making your own EBCD Physical CD
In order to make a physical EBCD boot CD you need to have software that will burn an ISO
image to a CD. See the Read Me file (created when you extract the zip file) for tips on how to
do this. In Lab 136, you can use Nero to accomplish this.