Breaking into Windows Systems with MasterBlaster

Scenario: you've got a Windows 2000 domain controller (operational, no less), and you're without an administrator password.

Step 1: Try a few passwords: hell, you're creative, let's see if 'changeme', '<blank>', 'password', 'windows', 'administrator', or 'blank' work. Nope. Hmm... rainbow tables?

Step 2: Brute force: now many will immediately jump to overwriting the Windows SAM file, but it's actually more resourceful to try to crack the password first. Why? Well, if you're just trying to get into the computer then sure, go ahead and erase the hash and lose a piece of valuable information. When dealing with a network, one that includes a Windows 2000 domain controller, it's more beneficial to attempt to recover an administrative password. Most likely it has been used more than once. But, when you try L0phtCrack and come up empty handed there's only one place to turn!

Step 3: Master Blast! Although the tool isn't really called MasterBlaster it's much more fun to call it that.

When you work in IT you go partly insane. Sometimes you start calling your computer special names, and other times you name recovery CDs after versions of Pokemon games. (You know, degrees of separation from reality...) Well, my co-worker Frank is notorious for his naming conventions. Aside from Windows XP FireRed and Windows XP LeafGreen there are Windows Vista Chicken Fried Steak Edition, Make Windows 7 Up Yours (this one is mine, actually), and my personal favorite: The MasterBlaster, complete with physical health warnings.

Anyways, while at the NECCDC our team had an inject to document all the security software we used during the first two days. When asked 'what tool did we use to reset the Windows SAM file?' I replied 'MasterBlaster'. They said 'I don't think that was it...' I reassured them, 'it certainly was', knowing full well there's nothing called MasterBlaster. Nevertheless, I convinced them that the tool was named MasterBlaster. Shortly after, a competition grader must have either a) thought we were confused, or b) thought there was a tool called MasterBlaster. Success!

To finish up the tutorial, Step 4: Reboot your machine in Directory Service Recovery Mode. Log in with the administrator password you just MasterBlasted and run regedit. Navigate to HKEY_USERS\.Default\Control Panel\Desktop and change SCRNSAVE.EXE from logon.scr to cmd.exe and ScreenSaveTimeout from 900 to 15.

Step 5: Once you reboot normally, run MMC DSA.MSC from the screen-saver cmd window. Profit.
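The flip side of Steps 4 and 5: the registry change is trivial to spot if anyone looks. This added example (not from the original post) is a read-only PowerShell audit of the .DEFAULT desktop values the tutorial edits; the function name, the 300-second floor and the `Registry::` path form are my choices, not anything from the post.

```powershell
# Added example, not part of the original post: read-only audit of the default-desktop
# screen saver values that Step 4 changes. A domain controller whose .DEFAULT saver is
# anything other than logon.scr, or whose timeout has been cut far below 900 seconds,
# deserves a closer look. Run from an elevated prompt; no values are modified.

function Test-DefaultScreenSaver {
    param(
        [string]$Path = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop',
        [string]$ExpectedSaver = 'logon.scr',
        [int]$MinimumTimeout = 300   # assumed floor; the stock value on the post's box is 900
    )

    $desktop  = Get-ItemProperty -Path $Path -ErrorAction Stop
    $saver    = $desktop.'SCRNSAVE.EXE'
    $timeout  = [int]$desktop.ScreenSaveTimeOut   # stored as a REG_SZ, so cast it
    $findings = @()

    if ($saver) {
        # Compare on the file name only; the value may carry a full path.
        $saverName = [System.IO.Path]::GetFileName($saver)
        if ($saverName -ine $ExpectedSaver) {
            $findings += "SCRNSAVE.EXE is '$saver' (expected '$ExpectedSaver')"
        }
        # A "screen saver" that is not a .scr file is almost certainly a planted binary.
        if ([System.IO.Path]::GetExtension($saverName) -ine '.scr') {
            $findings += "Screen saver is not a .scr file: '$saverName'"
        }
    }

    if ($timeout -and $timeout -lt $MinimumTimeout) {
        $findings += "ScreenSaveTimeOut is $timeout seconds (below $MinimumTimeout)"
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        ScreenSaver = $saver
        TimeoutSecs = $timeout
        Suspicious  = ($findings.Count -gt 0)
        Findings    = $findings
    }
}

Test-DefaultScreenSaver | Format-List
```

On a box that has been through Step 4, `Suspicious` comes back `$true` with both findings populated; the same check is easy to wrap in a scheduled task or feed to whatever collects host telemetry for the domain controllers.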

Note: This tutorial is nothing new, you can find these steps all over the Internet. I'm just highlighting fun!