The Unofficial NT Hack FAQ



Section 02

Access to Accounts

02-1. What are common accounts and passwords in NT?
02-2. What if the Sys Admin has "renamed" the administrator account?
02-3. I lost the Administrator password. What do I do?

02-1. What are common accounts and passwords in NT?

There are two accounts that come with NT out of the box -- Administrator and Guest. In a network environment, I have run into local Administrator access unpassworded, since the Sys Admin thought that global accounts ruled over local ones. They don't: the local Administrator lives in the machine's own SAM and is a separate account from the domain Administrator, so a domain password policy neither sets nor checks it. Therefore it is possible to gain initial access to an NT box by using its local Administrator account with no password.

Guest is another common unpassworded account, although recent shipments of NT disable it by default. While some companies will disable the Guest account (the built-in Administrator and Guest accounts cannot be deleted, only disabled or renamed), some applications require it. If Microsoft Internet Studio needs to access data on another system, it will use Guest for that remote access.


02-2. What if the Sys Admin has "renamed" the administrator account?

It is possible that a Sys Admin will create a new account, give that account the same access as an administrator, and then strip the rights of the built-in Administrator account, or simply rename it in User Manager. The idea here is that if you don't know the administrator account name, you can't get in as an administrator. Renaming only hides the name, though: the built-in account keeps relative ID 500 in the SAM no matter what it is called, so anything that can resolve SIDs to names will still find it.

Typing "NBTSTAT -A ipaddress" will give you the new administrator account, assuming they are logged in: the Messenger service registers a <03> UNIQUE NetBIOS name for the computer and another one for each user logged on at the console, so the user name shows up in the remote name table. A bit of social engineering could get them to log in as well. nbtstat will also give you other useful information such as services running (the <20> entry is the Server service, a <1B> entry marks the PDC, <1C> GROUP the domain controllers), the NT domain name (the <00> GROUP entry), the nodename (the <00> UNIQUE entry), and the ethernet hardware address (the MAC Address line at the bottom).

See also section 05-6 which discusses a bug that allows you to get the new administrator account name.
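As an added example (not part of the FAQ), here is a small Python script that pulls the pieces described in 02-1 and 02-2 out of nbtstat -A output: the node name, domain, logged-on user names, registered services and MAC address, and then the list of account names worth trying with a blank password. The nbtstat output embedded below is constructed for the example, not captured from a real host; the suffix table is the standard NetBIOS name-suffix meaning and is reproduced from memory rather than from the FAQ.

```python
import re

# Constructed sample of "nbtstat -A <ipaddress>" output. Host name, domain,
# user name and MAC address are made up for this example.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NTSRV01        <00>  UNIQUE      Registered
NTSRV01        <20>  UNIQUE      Registered
CORPDOM        <00>  GROUP       Registered
CORPDOM        <1C>  GROUP       Registered
NTSRV01        <03>  UNIQUE      Registered
CORPDOM        <1B>  UNIQUE      Registered
CORPDOM        <1E>  GROUP       Registered
SYSOP          <03>  UNIQUE      Registered
CORPDOM        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-60-08-AB-CD-EF
"""

# What the 16th byte (the <xx> suffix) of a registered NetBIOS name means.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("01", "GROUP"):  "Master browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger service (computer name or logged-on user)",
    ("06", "UNIQUE"): "RAS server service",
    ("1B", "UNIQUE"): "Domain master browser (this box is the PDC)",
    ("1C", "GROUP"):  "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"):  "Browser service elections",
    ("20", "UNIQUE"): "Server service (file/print sharing)",
    ("21", "UNIQUE"): "RAS client service",
}

NAME_LINE = re.compile(
    r"^(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)\s+\w+"
)
MAC_LINE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return ([(name, suffix, type), ...], mac) from nbtstat -A output."""
    entries, mac = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_LINE.match(line)
        if m:
            entries.append((m["name"], m["suffix"].upper(), m["type"].upper()))
            continue
        m = MAC_LINE.search(line)
        if m:
            mac = m[1].upper()
    return entries, mac


def summarize(text):
    """Node name, domain, logged-on users, services and hardware address."""
    entries, mac = parse_nbtstat(text)
    computer = next((n for n, s, t in entries if (s, t) == ("00", "UNIQUE")), None)
    domain = next((n for n, s, t in entries if (s, t) == ("00", "GROUP")), None)
    # The Messenger service registers <03> once for the computer name and once
    # for each user logged on at the console, so any other <03> UNIQUE name is
    # an account name (with luck, the renamed Administrator).
    users = sorted({n for n, s, t in entries
                    if (s, t) == ("03", "UNIQUE") and n != computer})
    services = sorted({SUFFIX_MEANING.get((s, t), "unknown <%s> %s" % (s, t))
                       for _, s, t in entries})
    return {
        "computer": computer,
        "domain": domain,
        "logged_on_users": users,
        "pdc": any((s, t) == ("1B", "UNIQUE") for _, s, t in entries),
        "services": services,
        "mac": mac,
    }


def candidate_accounts(summary):
    """Names to try with a blank password: the two built-in accounts from
    section 02-1 plus whatever logon name the name table gave away."""
    names = ["Administrator", "Guest"]
    names += [u for u in summary["logged_on_users"]
              if u.upper() not in ("ADMINISTRATOR", "GUEST")]
    return names


if __name__ == "__main__":
    info = summarize(SAMPLE_NBTSTAT)
    for key, value in info.items():
        print("%-16s %s" % (key, value))
    print("try blank password on:", candidate_accounts(info))
```

Feed it the real output of nbtstat -A (or nmblookup -A from Samba, which prints the same table) and the <03> name that is not the computer name is the logon you were looking for.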


02-3. I lost the Administrator password. What do I do?

Use the Offline NT Password Editor by Petter Nordahl-Hagen. It does not recover the old password; it rewrites the password hash stored in the SAM hive (%SystemRoot%\system32\config\SAM on the NT drive) so that you can set a new one. You need to download Petter's code to your Linux machine (you DO have one of those, don't you?) and compile it against a libDES and an MD4 library, since NT's password hashes are built on those two algorithms. Now mount the NT drive read/write (if the drive is NTFS, make sure your kernel's NTFS write support is trustworthy, because a bad write can leave the installation unbootable) and follow the instructions in the readme. The instructions are pretty easy to follow, especially if you know enough to get to the point to use them ;-)

Actually, to make things easier, Petter has built a bootdisk image that steps you through the entire thing. I'll be the first to admit that Petter's code is as dangerous as hell, but it does work and I had no problems. YMMV.

Consider using GetAdmin.exe (section 04-5) and go from there if you are too paranoid or fearful of booting up Linux to get to an NT machine. GetAdmin needs an existing logon on the box, since it adds the account you run it from to the Administrators group; it is no help if you have no account at all.

