Thursday, 28 March 2013

to crack windows password

Windows Logon Password - How do crackers work?

Cracking a Windows logon password is not so difficult. You can get many offline password crackers that either change/clear the existing password (like Offline NT Password and Registry Editor) or crack the existing password (like Ophcrack). Just download their ISO images, burn them, boot from the CD, and the rest is self explanatory. I am writing this post to make clear how these password crackers actually work.


Okay, when you set a Windows logon password, it is obviously stored in a file somewhere in Windows. The password is stored in the SAM file placed in %systemroot%\system32\config (like C:\windows\system32\config).
Now why don't we just try to open SAM and see all the stored passwords? Okay, let's do it: go to C:\windows\system32\config and open SAM. You will get an error that "it is in use by another application". We can't open the SAM file while Windows is running. Even if we somehow manage to read the contents of the SAM file, we won't get the passwords in clear text; they are stored as hashes.

So, what is the SAM file?

SAM stands for Security Accounts Manager. SAM is a database, stored as a registry hive in Windows, that holds Windows user passwords in hashed form (LM and NTLM). These are usually just called hashes.


What are hashes?

Hashes are often loosely called a kind of encryption, but a hash function is a one-way function. One way means that once plain text is converted into a hash, it can not be converted back to plain text. Remember, this is the most important point: they are one-way functions.

What is the Windows authentication procedure?

Whenever a user creates a new account in Windows, its password is converted to a hash and stored in the SAM database. When the user logs in, the entered password is converted to a hash and compared with the hash stored in the SAM database; if both hashes match, the user is authenticated.

How to access the SAM file?

The SAM file can not be moved, copied or opened while Windows is running. It can be accessed only when Windows is offline/not running. Confused about how we can use Windows files when Windows is not running?
Here comes the concept of live operating systems. A live CD contains a bootable OS; just insert it in the CD ROM and you can use it without any installation.

How to crack a Windows password?

Okay, suppose we have got access to the SAM file and have the password hashes. Don't you think it's useless, because hashes can't be converted back to plain text? Let's see what we can do.

We (I mean the automated tools) can actually do two things.

1. Clear/Change password: clear the existing hash and put in a new hash (we know the algorithm to convert plain text to a hash) in order to change/clear the password. This is how Offline NT Password and Registry Editor works. It doesn't give you the original password but helps you change/clear it.
2. Crack password: make a long list of all possible combinations of letters and numbers and convert them to hashes. Compare every hash with the hash we obtained from the SAM file, and the hashes can be cracked. This is exactly how Ophcrack works. It has already stored the hashes of many possible combinations of letters/numbers in tables called rainbow tables.


I hope things are clear to you :).

Setting a Backdoor in Windows

Let's assume that you have just cracked the victim's Windows password, or simply got access to his Windows for some time. Can you make some changes in Windows so that you could access it again even if the victim changes the password? Or can you make changes in your own Windows so that you could access it anytime even if anybody sets/changes the password?
Simply: can we set a backdoor in Windows?
Yes we can :).
Backdoor actually means maintaining access.
Okay, let's do one thing first. Open your command prompt (run as administrator in Windows 7/Vista).

Type the following command:

Syntax: net user account.name *
Example: net user administrator *
and hit enter. Set any password for that account.

Hopefully your new password has been set. Did you notice one thing? It didn't ask you to confirm the old password. Now suppose we somehow manage to access a command prompt at the logon screen (without logging in); then we can easily change/clear the password.
Okay, let's move on.
Now press the shift key five times and you should get a "Sticky Keys" dialog box on screen.

Sticky Keys is an accessibility feature that makes it easy for users who have physical disabilities to press multiple keys at a time. This is the only feature which can be used before logging in at the logon screen (as per my knowledge). I repeat, this feature can be used at the logon screen by pressing the shift key five times.
Whenever we start an application like Paint, we are actually running mspaint.exe placed in C:\windows\system32; for the command prompt, we are running cmd.exe placed in the system32 directory. Similarly, when we press the shift key five times or use the Sticky Keys feature, the system actually starts the executable sethc.exe placed in the system32 directory. This means that if we rename cmd.exe to sethc.exe and press shift five times, the system would again start sethc.exe, but instead of Sticky Keys the command prompt will be opened.
But you can't simply rename it or change system32 files. Follow the tutorial for that.

Tutorial:

* Go to C:\windows\system32
* Copy cmd.exe to your desktop and rename it to sethc.exe.
* Now copy that file and paste it again in the system32 directory.

@ Windows XP Users

Hopefully the original sethc.exe has been replaced and your job is done. Now press shift five times and you should see a command prompt on the screen. You can access the command prompt at the Windows logon screen and change/clear the password easily using the "net user" command.

Note: You can also make these changes while using the Windows Guest account. But once you access the command prompt at the logon screen, you can change/clear the password even of the administrator's account. This is exactly how we can hack into the administrator's account through the guest account.

@ Windows Vista/7 Users

You must have got a pop-up box saying "Access Denied".

Actually you can not change files in the system32 directory until you have the permissions, and you can not get the permissions until you have ownership. So let's take ownership and change the permissions; just follow the steps.

1. Right click on sethc.exe and run as administrator. Again right click on sethc.exe and open Properties. Click on the Advanced tab, then on Owner, and click Edit; change the owner from "TrustedInstaller" to "Administrator" and click Apply.





2. Then click on 'Edit' in the Security tab to edit permissions. Click on 'Administrators', give it Full control and apply the changes.

Okay, it's done now.

Now try replacing the original sethc.exe with our sethc.exe (obtained by renaming cmd.exe).
Press the shift key five times and hopefully you get a command prompt on the screen instead of Sticky Keys.

Enjoy the command prompt at the logon screen...

So do not forget to set this backdoor whenever you get a friend's laptop for a few minutes... :)
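The defender's counterpart, added here and not part of the original post: the replacement described above leaves sethc.exe byte-for-byte identical to cmd.exe, so hashing both files and comparing the digests flags it, whether on the live host or on a System32 directory from a mounted offline image. The check takes the directory as a parameter; the sample files it runs on first are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sethc_hijacked(system32: Path) -> dict:
    """Flag the Sticky Keys helper when its bytes equal cmd.exe's,
    which is exactly what the rename-and-replace in the post leaves behind."""
    sethc_hash = sha256_of(system32 / "sethc.exe")
    cmd_hash = sha256_of(system32 / "cmd.exe")
    return {"sethc_sha256": sethc_hash, "cmd_sha256": cmd_hash,
            "hijacked": sethc_hash == cmd_hash}

def demo_on_constructed_files() -> tuple:
    """Constructed sample: a fake System32, first tampered, then clean."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp)
        (fake / "cmd.exe").write_bytes(b"constructed cmd.exe bytes")
        (fake / "sethc.exe").write_bytes(b"constructed cmd.exe bytes")   # the replaced copy
        tampered = sethc_hijacked(fake)["hijacked"]
        (fake / "sethc.exe").write_bytes(b"constructed genuine sethc.exe bytes")
        clean = sethc_hijacked(fake)["hijacked"]
    return tampered, clean

if __name__ == "__main__":
    print("constructed sample (tampered, clean):", demo_on_constructed_files())   # (True, False)
    sys32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    if (sys32 / "sethc.exe").exists():
        finding = sethc_hijacked(sys32)
        print("ALERT: sethc.exe is a copy of cmd.exe; restore it with sfc /scannow"
              if finding["hijacked"] else "sethc.exe OK")
```

Comparing the digest against a known-good baseline taken at install time catches the variant where something other than cmd.exe is dropped in place of sethc.exe.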