CopyPwd Reference Information
Disclaimer: CopyPwd is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Usage of CopyPwd is at the risk of the person or company using this software.
Contents
1. Shameless Product Endorsement
2. Download Location
3. Background Information
4. Usage
Shameless Product Endorsement
Are you still using the built-in Windows tools for administration of your Windows NT or Windows 2000 network? Why? For 5 years, tens of thousands of system administrators have relied upon 'Hyena' for day-to-day system management tasks. With over 85 different features, Hyena is the most cost-effective tool available for management of Windows NT and Windows 2000 domains.
For more information, visit http://www.systemtools.com/hyena
Download Location
Download CopyPwd from http://www.systemtools.com. CopyPwd can be found in the Free Tools section.
Before using, view ALL of the information in this file.
Background Information
The CopyPwd utility was created for one purpose: to copy user passwords from any Windows NT/2000 domain to one or more user accounts on either the same computer or another Windows NT/2000 domain. There are a lot of potential uses for such a capability, the main ones being domain consolidation/migration and password synchronization.
Security Implications: A number of potential users of this utility have commented that there are some potential security concerns about CopyPwd. In particular, the main concern is that a rogue administrator could use the utility to copy the password of a sensitive account, change the password on the account, log on and use the account with their known password, then set the original password back before anyone knew that it had been changed. This is possible using this utility, but we don't know of any way to prevent this and still have the benefit of this utility's purpose. Plus, the same 'exploit' can be performed by simply cracking the password, which would have the added benefit of not needing to change the original password or change it back.
The technique used by CopyPwd to retrieve the password was originally developed by Todd Sabin. More information about his "pwdump" project can be found at http://www.webspan.net/~tas/pwdump2. Mr. Sabin's work was published under a GNU license, meaning that the source code was published with the understanding that any derivative works also will fall under the GNU license. As such, CopyPwd also falls under the GNU license. CopyPwd is a FREE utility. The only work added to Mr. Sabin's original pwdump project was to simply write the password back into any designated account. The source code to CopyPwd can be found in the source.zip file that is part of the CopyPwd archive.
CopyPwd is not the only software available that allows for copying passwords. We believe that the only way to perform password copying is by using the technique developed and published by Mr. Sabin. As far as we know, CopyPwd is the only utility that is both free and open source that performs this function.
The general technique used by CopyPwd to extract and set the password is as follows:
1. All user and computer accounts are "dumped", along with the password hash that is used by the account.
2. The administrator modifies the file created in the previous step to include only the accounts that are needed for copying.
3. CopyPwd is run a second time in "set" mode, reading the contents of the file created in "dump" mode. For each account in the input file, CopyPwd retrieves the account using the name specified in the file, and sets the password.
Note that the actual password is not written to the file, but rather the password hash. The actual hash is written to the file in readable hex format, but is converted back into binary before being written back.
Restrictions - CopyPwd must be run on the actual machine that the passwords are being copied from or to. Also, the user running the software must be an administrator, or more precisely, must be logged into an account with administrative rights. Even more precisely, the process that initiates CopyPwd must have sufficient rights, and in particular the SE_DEBUG_NAME privilege.
Usage
Important: The information stored in the output/input file used by CopyPwd should be treated as extremely sensitive. Although only the usernames and password hashes are written to the file, the hashes should be treated as the actual passwords. Any password cracking software can use the password hash information to crack the password, thereby possibly compromising security. It is recommended that, after completion of the CopyPwd process, the input/output file containing the password hashes be erased, preferably by a security program that can overwrite the file location with zeros or random data.
Installation
To install CopyPwd, simply copy the CopyPwd files into a separate directory on any Windows NT/2000 computer. CopyPwd cannot be run against a remote computer. If passwords are being copied from one set of accounts on one computer to another, then CopyPwd must be installed on both the source and destination computers.
CopyPwd must be run in two stages, first to "dump" the passwords, then to "set" the passwords.
Dumping Passwords
To dump the passwords, issue the command:
CopyPwd DUMP >copypwd.txt
This will place all user/computer accounts and the password hashes on the local computer into a file named "copypwd.txt". Treat this file as extremely sensitive.
The copypwd.txt file can be modified with Notepad. In general, remove any accounts that will not be involved in the copy process, including computer accounts, if necessary. Computer accounts end with a "$", and will be in all capital letters. The user account in the file is separated from the password hash by a colon (:). If using CopyPwd to set passwords, the user account must be changed to match the user account on the destination computer. If the destination computer is running Windows 2000, the lookup and account name match will be based on the Active Directory attribute "SamAccountName". This corresponds to the "Pre-Windows 2000 Logon Name" field as used on the user Properties Account dialog.
Setting Passwords
After performing any modifications as needed as discussed above, run CopyPwd to set the passwords, using the command:
CopyPwd SET
CopyPwd will read the contents of the copypwd.txt file, look up the user account on the local computer, and set the password as specified in the file. At present, the file must be named copypwd.txt.
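The manual edit of copypwd.txt and the recommended erase of the file afterwards can be scripted so that no unneeded hash stays on disk. The following is an added example, not part of CopyPwd or its documentation; the function names, the rename map and the sample lines are constructed for illustration, and it assumes only what is stated above: one "account:hash data" entry per line, with computer accounts ending in "$".

```python
import os

def filter_dump(lines, rename):
    """Keep only the accounts named in `rename` (source name -> destination name).

    Only the text before the first colon is interpreted; the hex hash data
    after it is passed through unchanged. Computer accounts (names ending
    in "$") and lines without a colon are dropped.
    """
    wanted = {src.lower(): dst for src, dst in rename.items()}
    missing = set(wanted)
    kept = []
    for line in lines:
        account, sep, rest = line.rstrip("\r\n").partition(":")
        if not sep or account.endswith("$"):
            continue
        key = account.lower()          # SAM account names are case-insensitive
        if key in wanted:
            kept.append(f"{wanted[key]}:{rest}")
            missing.discard(key)
    # Report requested accounts that were absent from the dump.
    return kept, sorted(missing)

def overwrite_and_delete(path):
    """Overwrite the file's contents with zeros, flush to disk, then delete it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)

# Constructed sample input: placeholder hex strings, not real hashes.
SAMPLE = [
    "Administrator:AAAA0000BBBB1111",
    "WORKSTATION01$:CCCC2222DDDD3333",
    "jsmith:EEEE4444FFFF5555",
    "svc_backup:0123456789ABCDEF",
]

if __name__ == "__main__":
    # Hypothetical mapping: copy jsmith's password to john.smith on the destination.
    kept, missing = filter_dump(SAMPLE, {"JSmith": "john.smith", "nobody": "nobody"})
    print("entries to keep:", [entry.split(":")[0] for entry in kept])
    print("not found in dump:", missing)
```

An in-place overwrite may not reach every copy of the data on journaling or copy-on-write file systems or on flash storage, so the overwrite does not replace treating the file as sensitive while it exists.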