How To Get Windows Passwords

This works whether it’s Windows 2000 or Windows XP or Windows XP SP1 or SP2 or Windows Server 2003. This works even if syskey encryption is employed.

If it is a FAT filesystem

Just copy the SAM file like stated in the first post to an empty floppy disk and take it home. I’ll tell you what to do with it later. DON’T DELETE THE ORIGINAL SAM FILE. Just remove its attributes. The SAM file is a file called SAM with no extension. YOU MUST ALSO GET a file called SYSTEM which is in the same folder as SAM. Both files have no extensions.

If it is NTFS

You have to download a program called NTFSPro. It allows you to read from NTFS drives. The demo version allows read only. The full version is read-write. You use the program to create an unbootable disk (so you will still need another bootable disk and an empty disk) that has the required files to access NTFS.

Use the boot disk to get into DOS, then use the disks created with NTFSPro to be able to access the filesystem, then copy the SAM and SYSTEM files to another empty disk to take home.

AT HOME: You have to get a program called SAMInside. It doesn’t matter if it is the demo version. SAMInside will open the SAM file and extract all the user account information and their passwords, including administrator. SAMInside will ask for the SYSTEM file too if the computer you took the SAM file from has syskey enabled. Syskey encrypts the SAM file. SAMInside uses the SYSTEM file to decrypt the SAM file. After SAMInside finishes, you still see user accounts and hashes beside them. The hashes are the encoded passwords. Use SAMInside to export the accounts and their hashes as a pwdump file into another program, called LophtCrack. It is currently in version 5, named LC5. The previous version, LC4, is just as good. You need the full or cracked version of the program. LC5 uses a brute force method, trying all possible combinations of letters, numbers, and unprintable characters to find the correct password from the hashes in the pwdump file imported into it from SAMInside. This process of trying all passwords might take 5 minutes if the password is easy, up to a year if the password is long and hard (really, really hard). LC5, however, unlike LC4, is almost 100 times faster. Both can be configured to try dictionary and common words before using all possible combinations of everything. Once the correct password is found, it will display the passwords in clear beside each account, including administrator.

I have used this method so many times. I’ve compromised the whole school computer infrastructure. LC4 usually took between 1 second and 10 minutes to find the passwords because they were common words found in any English dictionary. I haven’t used LC5 yet.

Programs needed:
SAMInside (doesn’t matter which version or if demo)
LC4 or LC5 (LophtCrack) (must be full version)
NTFSPro (doesn’t matter if demo)
Any bootdisk maker

How Linux Boots

As it turns out, there isn’t much to the boot process:

1. A boot loader finds the kernel image on the disk, loads it into memory, and starts it.
2. The kernel initializes the devices and its drivers.
3. The kernel mounts the root filesystem.
4. The kernel starts a program called init.
5. init sets the rest of the processes in motion.
6. The last processes that init starts as part of the boot sequence allow you to log in.

Identifying each stage of the boot process is invaluable in fixing boot problems and understanding the system as a whole. To start, zero in on the boot loader, which is the initial screen or prompt you get after the computer does its power-on self-test, asking which operating system to run. After you make a choice, the boot loader runs the Linux kernel, handing control of the system to the kernel.

There is a detailed discussion of the kernel elsewhere in this book, from which this article is excerpted. This article covers the kernel initialization stage, the stage when the kernel prints a bunch of messages about the hardware present on the system. The kernel starts init just after it displays a message proclaiming that the kernel has mounted the root filesystem:

VFS: Mounted root (ext2 filesystem) readonly.

Soon after, you will see a message about init starting, followed by system service startup messages, and finally you get a login prompt of some sort.

NOTE: On Red Hat Linux, the init note is especially obvious, because it “welcomes” you to “Red Hat Linux.” All messages thereafter show success or failure in brackets at the right-hand side of the screen.

Most of this chapter deals with init, because it is the part of the boot sequence where you have the most control.

init

There is nothing special about init. It is a program just like any other on the Linux system, and you’ll find it in /sbin along with other system binaries. The main purpose of init is to start and stop other programs in a particular sequence. All you have to know is how this sequence works.

There are a few different variations, but most Linux distributions use the System V style discussed here. Some distributions use a simpler version that resembles the BSD init, but you are unlikely to encounter this.

Runlevels

At any given time on a Linux system, a certain base set of processes is running. This state of the machine is called its runlevel, and it is denoted with a number from 0 through 6. The system spends most of its time in a single runlevel. However, when you shut the machine down, init switches to a different runlevel in order to terminate the system services in an orderly fashion and to tell the kernel to stop. Yet another runlevel is for single-user mode, discussed later.

The easiest way to get a handle on runlevels is to examine the init configuration file, /etc/inittab. Look for a line like the following:

id:5:initdefault:

This line means that the default runlevel on the system is 5. All lines in the inittab file take this form, with four fields separated by colons occurring in the following order:

1. A unique identifier (a short string, such as id in the preceding example)
2. The applicable runlevel number(s)
3. The action that init should take (in the preceding example, the action is to set the default runlevel to 5)
4. A command to execute (optional)

There is no command to execute in the preceding initdefault example because a command doesn’t make sense in the context of setting the default runlevel. Look a little further down in inittab, until you see a line like this:

l5:5:wait:/etc/rc.d/rc 5

This line triggers most of the system configuration and services through the rc*.d and init.d directories. You can see that init is set to execute a command called /etc/rc.d/rc 5 when in runlevel 5. The wait action tells when and how init runs the command: run rc 5 once when entering runlevel 5, and then wait for this command to finish before doing anything else.

There are several different actions in addition to initdefault and wait, especially pertaining to power management, and the inittab(5) manual page tells you all about them. The ones that you’re most likely to encounter are explained in the following sections.

Respawn

The respawn action causes init to run the command that follows, and if the command finishes executing, to run it again. You’re likely to see something similar to this line in your inittab file:

1:2345:respawn:/sbin/mingetty tty1

The getty programs provide login prompts. The preceding line is for the first virtual console (/dev/tty1), the one you see when you press ALT-F1 or CONTROL-ALT-F1. The respawn action brings the login prompt back after you log out.

ctrlaltdel

The ctrlaltdel action controls what the system does when you press CONTROL-ALT-DELETE on a virtual console. On most systems, this is some sort of reboot command using the shutdown command.

sysinit

The sysinit action is the very first thing that init should run when it starts up, before entering any runlevels.
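As an added example (not from the book), here is a small POSIX shell parser for the four-field inittab format described above, run against a constructed /etc/inittab that uses the initdefault, wait, respawn, sysinit and ctrlaltdel actions; the inittab content and the function names are this example's own.

```shell
#!/bin/sh
# Added example: parse /etc/inittab lines of the form id:runlevels:action:command.
# The inittab below is constructed for this demonstration, not copied from a system.

# Write a constructed inittab to a temporary file and print its path.
make_sample_inittab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed /etc/inittab for demonstration
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
1:2345:respawn:/sbin/mingetty tty1
ca::ctrlaltdel:/sbin/shutdown -r now
EOF
    printf '%s\n' "$f"
}

# Print the default runlevel: field 2 of the line whose action (field 3) is initdefault.
# Comment lines and short lines are skipped.
inittab_default_runlevel() {
    awk -F: '!/^[[:space:]]*#/ && NF >= 3 && $3 == "initdefault" { print $2; exit }' "$1"
}

# inittab_commands FILE LEVEL ACTION: print the commands init runs for ACTION in LEVEL.
# The runlevels field may list several levels ("2345"), so match a single character;
# an empty LEVEL matches any line with that action (e.g. ctrlaltdel, sysinit).
# The command field may itself contain colons, so fields 4..NF are rejoined.
inittab_commands() {
    file=$1; level=$2; action=$3
    awk -F: -v lvl="$level" -v act="$action" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $3 == act && (lvl == "" || index($2, lvl) > 0) {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd ":" $i
            print cmd
        }' "$file"
}
```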

How processes in runlevels start

You are now ready to learn how init starts the system services, just before it lets you log in. Recall this inittab line from earlier:

l5:5:wait:/etc/rc.d/rc 5

This small line triggers many other programs. rc stands for run commands, and you will hear people refer to the commands as scripts, programs, or services. So, where are these commands, anyway?

For runlevel 5, in this example, the commands are probably either in /etc/rc.d/rc5.d or /etc/rc5.d. Runlevel 1 uses rc1.d, runlevel 2 uses rc2.d, and so on. You might find the following items in the rc5.d directory:

S10sysklogd S20ppp S99gpm
S12kerneld S25netstd_nfs S99httpd
S15netstd_init S30netstd_misc S99rmnologin
S18netbase S45pcmcia S99sshd
S20acct S89atd
S20logoutd S89cron

The rc 5 command starts programs in this runlevel directory by running the following commands:

S10sysklogd start
S12kerneld start
S15netstd_init start
S18netbase start

S99sshd start

Notice the start argument in each command. The S in a command name means that the command should run in start mode, and the number (00 through 99) determines where in the sequence rc starts the command.

The rc*.d commands are usually shell scripts that start programs in /sbin or /usr/sbin. Normally, you can figure out what one of the commands actually does by looking at the script with less or another pager program.

You can start one of these services by hand. For example, if you want to start the httpd Web server program manually, run S99httpd start. Similarly, if you ever need to kill one of the services when the machine is on, you can run the command in the rc*.d directory with the stop argument (S99httpd stop, for instance).

Some rc*.d directories contain commands that start with K (for “kill,” or stop mode). In this case, rc runs the command with the stop argument instead of start. You are most likely to encounter K commands in runlevels that shut the system down.

Adding and removing services

If you want to add, delete, or modify services in the rc*.d directories, you need to take a closer look at the files inside. A long listing reveals a structure like this:

lrwxrwxrwx . . . S10sysklogd -> ../init.d/sysklogd
lrwxrwxrwx . . . S12kerneld -> ../init.d/kerneld
lrwxrwxrwx . . . S15netstd_init -> ../init.d/netstd_init
lrwxrwxrwx . . . S18netbase -> ../init.d/netbase

The commands in an rc*.d directory are actually symbolic links to files in an init.d directory, usually in /etc or /etc/rc.d. Linux distributions contain these links so that they can use the same startup scripts for all runlevels. This convention is by no means a requirement, but it often makes organization a little easier.

To prevent one of the commands in the init.d directory from running in a particular runlevel, you might think of removing the symbolic link in the appropriate rc*.d directory. This does work, but if you make a mistake and ever need to put the link back in place, you might have trouble remembering the exact name of the link. Therefore, you shouldn’t remove links in the rc*.d directories, but rather, add an underscore (_) to the beginning of the link name like this:

mv S99httpd _S99httpd

At boot time, rc ignores _S99httpd because it doesn’t start with S or K. Furthermore, the original name is still obvious, and you have quick access to the command if you’re in a pinch and need to start it by hand.
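To make the S/K start-and-stop sequence and the underscore trick concrete, here is an added example (not the book's or any distribution's rc script): a minimal stand-in for rc that walks a constructed rc5.d directory of symbolic links into init.d. The directory layout, service names and the run_rc function are this example's own assumptions.

```shell
#!/bin/sh
# Added example: emulate "rc LEVEL" over an rcN.d directory. The tree built here
# is constructed for the demonstration; the scripts only record how they were run.

# Build a throwaway tree: init.d scripts plus rc5.d links. Prints the root directory.
make_sample_rctree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc5.d"
    for svc in sysklogd cron httpd atd; do
        # Each script appends its link name (as invoked) and argument to a log file.
        printf '#!/bin/sh\necho "$(basename "$0") $1" >> "%s/log"\n' "$root" \
            > "$root/init.d/$svc"
        chmod +x "$root/init.d/$svc"
    done
    ln -s ../init.d/sysklogd "$root/rc5.d/S10sysklogd"
    ln -s ../init.d/cron     "$root/rc5.d/S89cron"
    ln -s ../init.d/httpd    "$root/rc5.d/_S99httpd"   # disabled with the underscore trick
    ln -s ../init.d/atd      "$root/rc5.d/K20atd"
    printf 'not a script\n' > "$root/rc5.d/README"     # neither S nor K: ignored
    printf '%s\n' "$root"
}

# run_rc ROOT LEVEL: as in the System V rc scripts, K* links run with "stop" first,
# then S* links run with "start"; within each group the shell glob sorts by name,
# so the two-digit number decides the order. Anything else (_S99httpd, README)
# never matches and is skipped. Prints the resulting log.
run_rc() {
    dir="$1/rc$2.d"
    for link in "$dir"/K*; do
        if [ -x "$link" ]; then "$link" stop; fi
    done
    for link in "$dir"/S*; do
        if [ -x "$link" ]; then "$link" start; fi
    done
    cat "$1/log"
}
```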

To add a service, you must create a script like the others in the init.d directory and then make a symbolic link in the correct rc*.d directory. The easiest way to write a script is to examine the scripts already in init.d, make a copy of one that you understand, and modify the copy.

When adding a service, make sure that you choose an appropriate place in the boot sequence to start the service. If the service starts too soon, it may not work, due to a dependency on some other service. For non-essential services, most systems administrators prefer numbers in the 90s, after most of the services that came with the system.

Linux distributions usually come with a command to enable and disable services in the rc*.d directories. For example, in Debian, the command is update-rc.d, and in Red Hat Linux, the command is chkconfig. Graphical user interfaces are also available. Using these programs helps keep the startup directories consistent and helps with upgrades.

HINT: One of the most common Linux installation problems is an improperly configured XFree86 server that flicks on and off, making the system unusable on the console. To stop this behavior, boot into single-user mode and alter your runlevel or runlevel services. Look for something containing xdm, gdm, or kdm in your rc*.d directories, or in your /etc/inittab.

Controlling init

Occasionally, you need to give init a little kick to tell it to switch runlevels, to re-read the inittab file, or just to shut down the system. Because init is always the first process on a system, its process ID is always 1.

You can control init with telinit. For example, if you want to switch to runlevel 3, use this command:

telinit 3

When switching runlevels, init tries to kill off any processes that aren’t in the inittab file for the new runlevel. Therefore, you should be careful about changing runlevels.

When you need to add or remove respawning jobs or make any other change to the inittab file, you must tell init about the change and cause it to re-read the file. Some people use kill -HUP 1 to tell init to do this. This traditional method works on most versions of Unix, as long as you type it correctly. However, you can also run this telinit command:

telinit q

You can also use telinit s to switch to single-user mode.

Shutting down

init also controls how the system shuts down and reboots. The proper way to shut down a Linux machine is to use the shutdown command.

There are two basic ways to use shutdown. If you halt the system, it shuts the machine down and keeps it down. To make the machine halt immediately, use this command:

shutdown -h now

On most modern machines with reasonably recent versions of Linux, a halt cuts the power to the machine. You can also reboot the machine. For a reboot, use -r instead of -h.

The shutdown process takes several seconds. You should never reset or power off a machine during this stage.

In the preceding example, now is the time to shut down. This argument is mandatory, but there are many ways of specifying it. If you want the machine to go down sometime in the future, one way is to use +n, where n is the number of minutes shutdown should wait before doing its work. For other options, look at the shutdown(8) manual page.

To make de system reboot in 10 minutes, run this command:

shutdown -r +10

On Linux, shutdown notifies anyone logged on that the machine is going down, but it does little real work. If you specify a time other than now, shutdown creates a file called /etc/nologin. When this file is present, the system prohibits logins by anyone except the superuser.

When system shutdown time finally arrives, shutdown tells init to switch to runlevel 0 for a halt and runlevel 6 for a reboot. When init enters runlevel 0 or 6, all of the following takes place, which you can verify by looking at the scripts inside rc0.d and rc6.d:

1. init kills every process that it can (as it would when switching to any other runlevel).
2. The initial rc0.d/rc6.d commands run, locking system files into place and making other preparations for shutdown.
3. The next rc0.d/rc6.d commands unmount all filesystems other than the root.
4. Further rc0.d/rc6.d commands remount the root filesystem read-only.
5. Still more rc0.d/rc6.d commands write all buffered data out to the filesystem with the sync program.
6. The final rc0.d/rc6.d commands tell the kernel to reboot or stop with the reboot, halt, or poweroff program.

The reboot and halt programs behave differently for each runlevel, potentially causing confusion. By default, these programs call shutdown with the -r or -h options, but if the system is already at the halt or reboot runlevel, the programs tell the kernel to shut itself off immediately. If you really want to shut your machine down in a hurry (disregarding any possible damage from a disorderly shutdown), use the -f option.
