I'm curious how Trinity Rescue Kit resets passwords and can even change them. Is it as simple as removing files containing password info and/or modifying them, or is there some other kind of magic going on?
Hello Barfnargle,
First of all, thanks for sharing this question. I was not aware of such a tool and will use it.
I can give you a longer theoretical answer to this, so take some time, and I hope this makes sense to you. First:
What's a Password?
A password is a keyword that allows you to enter or access something. Both sides know this word; by exchanging it you can be verified by each other. La parola, or the word.
It comes from the old Romans, who used it to verify the warden in the darkness of the night, so they could tell friend from enemy.
Passwords were one of the first methods within computer systems to verify that a user is authorized to use a computer.
Passwords on the computer
You as a user will be asked to set a password that only you can know. The computer will then save it to the hard drive. It's placed so that only the operating system can access it.
So what Trinity Rescue Kit does is go to this place and change this entry or remove it.
This is the very simple view of it ;-).
The leading question will now be: Can I not simply change it by myself?
Yes, in a *nix (Linux/Unix) system you can; there is a file the system calls shadow (/etc/shadow).
You'll see the hash values of the passwords there. By deleting this hash the password will be reset. But I'll skip the details here, because I expect you to be using Windows.
For Windows systems it's a bit different; they have a special file that contains all user/password information. This is called the SAM (Security Account Manager) and can be found at %WinDir%\system32\config\sam. It's a binary file, so you cannot just edit it.
But it gets even harder. If it were just a binary file, you could perhaps open it and extract the password? This has happened on other systems long before Windows.
So they use a cryptographic hash function to encode your password. So only
However, there are applications that can open this file and try to extract the hash values. Maybe also create new ones.
That is the way TRK works. It is basically an offline attack; it will alter the entry for a user or maybe generate a new SAM file.
For older systems like Windows XP the hash can be attacked; due to time they have become weak, so it's crackable. Newer versions of Windows should be using NTLM hashes.
Last but not least.
This brings us to our last lesson to learn: physical security.
When someone can access your computer directly and has just a moment of time, they can access everything. They may dump just this file in the hope of cracking your system, or replace it and log in with a pre-defined password.
To mitigate this you may encrypt your hard drive. But in any case, keep strangers away from your laptop.
Best regards,
Akendo
PS: Sorry for the bad English
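The answer above describes the /etc/shadow side of an offline reset: the hash field is simply emptied. From a defender's side, the same fact gives a cheap audit check. The script below is an added example, not code from the answer or from Trinity Rescue Kit; it parses shadow-format records and flags accounts whose hash field has been removed (what a reset leaves behind), accounts on a weak algorithm, and malformed records. The prefix-to-algorithm ratings are an assumed baseline policy, and the sample records are constructed.

```python
"""Audit shadow-format records for removed or weak password hashes.
Added example, not code from the original answer or from TRK.
Record layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved
"""
# crypt(3) prefixes and how this audit rates them (assumed baseline policy)
HASH_PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
                 "$y$": "yescrypt", "$2b$": "bcrypt"}
WEAK = {"$1$"}

def classify_hash_field(field):
    """Return (severity, reason) for one shadow password field."""
    if field == "":
        # No hash at all: the password was removed, which is exactly what an
        # offline reset leaves behind; login may succeed with an empty password.
        return "critical", "empty password field (hash removed)"
    if field.startswith(("!", "*")):
        return "info", "locked or password disabled"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            if prefix in WEAK:
                return "warning", f"weak hash algorithm: {name}"
            return "ok", f"hash algorithm: {name}"
    return "warning", "unrecognised or legacy hash format"

def audit_shadow(text):
    """Return [(user, severity, reason)] for every record that is not ok."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 9:
            findings.append((f"line {lineno}", "warning", "malformed record"))
            continue
        severity, reason = classify_hash_field(fields[1])
        if severity != "ok":
            findings.append((fields[0], severity, reason))
    return findings

# Constructed sample records, not taken from any real system
SAMPLE_SHADOW = """\
root:$6$saltsalt$Q1h2x:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$1$abcd$xyz:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, severity, reason in audit_shadow(SAMPLE_SHADOW):
        print(f"{severity:8} {user}: {reason}")
```

Run it against a copy of a real shadow file (as root) to list every account that would accept an empty password or still uses an MD5 hash.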