This tutorial covers various ways to get admin rights on a Windows PC.
NOTE for newbies: getting admin rights means totally controlling a PC (for example a school PC, where the admins are the teachers, who let you use a guest account with some restrictions). Now we are going to make ourselves admins.
First, check whether the admin has set a password at all. It's a silly way in, but sometimes there are careless admins. Boot the PC in Safe Mode (press F8 on boot and choose "Safe Mode"). On the login screen, click the admin account. If it is not password protected, you are in as admin.
METHOD 1
Windows XP is a fair bit more friendly than previous Microsoft operating systems based on the Windows NT kernel, at least when it comes to recovering forgotten passwords. Not only can you set a password hint to help you remember a forgotten user password, you can also create a floppy disk which will enable you to completely reset your password in the event that you cannot recall it. While this will not help you if you are currently locked out of your system, it can certainly put your mind at ease about the possibility of it ever happening again. Windows XP allows users to create a password reset disk specific to their user account. This disk can be used at the welcome screen to reset the password in the event that you do forget it.
To create the disk: go to Start\Control Panel\User Accounts. Select the account you are currently logged in as. Under the 'Related Tasks' heading in the top left corner, click 'Prevent a forgotten password' to open the Forgotten Password Wizard. Insert a blank floppy disk and follow the instructions to create your password reset disk.
To use the password reset disk in case of emergency: Once you have created a password reset disk for a specific user, the next time the password for that user is entered incorrectly at the welcome screen, a message will pop up asking if you have forgotten your password. At this point you can select to use your password reset disk. Follow the instructions to reset your login password.
NOTE: There is a possible problem with the above procedure if you have used Windows XP's built-in encryption feature to encrypt some of your files and folders but have not yet updated to Service Pack 1. Do not reset your password in this situation, as you will lose access to the encrypted data. Once you have installed Service Pack 1, it is safe to use the disk.
METHOD 2
When you or anyone else installs Windows XP for the first time, you're asked to put in your username and up to five others.
This is the only place in Windows XP where you can set a password on the default Administrator diagnostic account. This means that to bypass most administrator accounts on Windows XP, all you must do is boot to Safe Mode by pressing F8 during boot-up and choosing it. Log into the Administrator account and create your own account or change the password on the current account.
This only works if the user on setup specified a password for the Administrator Account.
NOTE: Tested on Windows XP Home and Pro.
If you log into a limited account on your target machine and open a DOS prompt, enter this set of commands exactly:
cd\                                  *drops to the root of the drive
cd\windows\system32                  *changes to the system32 directory
mkdir temphack                       *creates the folder temphack
copy logon.scr temphack\logon.scr    *backs up logon.scr
copy cmd.exe temphack\cmd.exe        *backs up cmd.exe
del logon.scr                        *deletes the original logon.scr
rename cmd.exe logon.scr             *renames cmd.exe to logon.scr
exit                                 *quits DOS
What you have just done is tell the computer to back up the command program and the screen saver file, then change things so that when the machine starts the logon screen saver you get an unprotected DOS prompt without logging into XP.
Once this happens, enter this command:
net user <username> <newpassword>
ex. net user AM2o THENEWPASS
This changes the password of the AM2o account on the machine to THENEWPASS and you are in.
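A defender's check for the logon.scr / cmd.exe swap described above, added here as an example and not part of the original tutorial: it looks for cmd.exe missing from the folder, backup copies left in a subfolder, and a logon.scr that is byte-identical to a cmd.exe copy. The real folder is assumed to be C:\Windows\System32; the demo builds a throwaway directory with constructed files so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def check_logon_screensaver(system32):
    r"""Findings that point at the logon.scr / cmd.exe swap inside system32.
    Signs: cmd.exe gone (renamed away), backup copies of either file in a
    subfolder, and logon.scr byte-identical to any cmd.exe copy found.
    On a real host pass C:\Windows\System32 (assumed location)."""
    root = Path(system32)
    findings = []
    cmd_copies = [root / "cmd.exe"] if (root / "cmd.exe").is_file() else []
    if not cmd_copies:
        findings.append("cmd.exe missing from System32")
    for sub in sorted(p for p in root.iterdir() if p.is_dir()):
        for backup in ("logon.scr", "cmd.exe"):
            if (sub / backup).is_file():
                findings.append(f"stray copy of {backup} in {sub}")
                if backup == "cmd.exe":
                    cmd_copies.append(sub / backup)
    scr = root / "logon.scr"
    if scr.is_file() and cmd_copies:
        scr_hash = hashlib.sha256(scr.read_bytes()).hexdigest()
        if any(hashlib.sha256(c.read_bytes()).hexdigest() == scr_hash for c in cmd_copies):
            findings.append("logon.scr is byte-identical to cmd.exe")
    return findings

def demo(swapped):
    # Constructed System32 look-alike (not a real system), before/after the swap.
    cmd_bytes, scr_bytes = b"MZ constructed cmd.exe", b"MZ constructed logon.scr"
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        if swapped:  # mirrors the tutorial's mkdir/copy/del/rename sequence
            (d / "temphack").mkdir()
            (d / "temphack" / "cmd.exe").write_bytes(cmd_bytes)
            (d / "temphack" / "logon.scr").write_bytes(scr_bytes)
            (d / "logon.scr").write_bytes(cmd_bytes)
        else:
            (d / "cmd.exe").write_bytes(cmd_bytes)
            (d / "logon.scr").write_bytes(scr_bytes)
        return check_logon_screensaver(d)
```

On a real host, any non-empty result from check_logon_screensaver is worth restoring from known-good media and investigating; a clean folder returns an empty list.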
The SAM file is the file in which Windows stores the passwords of the accounts. It cannot be removed, copied, or altered while Windows is running because the file is in use all the time.
NOTE: This only works if your drive is FAT (go to "My Computer", right-click the C:\ drive and check "File system"; it will be either NTFS or FAT).
Two ways to use the SAM file:
- Boot your PC into DOS (press F8 on boot and choose "DOS") and type cd.. until you are at C:\. Now type cd C:\windows\system32\config. Type dir to see what is in this folder. Now delete the SAM file (type del SAM). Reboot and the admin password will be gone. Note that if you don't have a "C:\windows" directory, check for "C:\winnt" and delete SAM.exe and SAM.log there.
- Get the password from the SAM file. Use L0pht Crack 4.
NOTE: You may encounter problems and errors trying to access the SAM file, so we can use another (more complicated) method.
TOOLS NEEDED:
- Access to another PC.
- At least 2 empty 1.44MB floppy disks.
- A copy of a command-line compression utility (RAR).
- A DOS boot disk or a portable Linux distribution, or copy your C:\ drive files to your alternate system.
NOTE: If you use a DOS boot disk and your system drive uses the NTFS file system (the default for Windows XP), you will also need a program that allows DOS to see NTFS formatted drives, such as NTFSDOS. Copy the NTFSDOS executable file onto the boot disk.
With a DOS boot disk:
- Copy the NTFSDOS file onto your DOS boot disk.
- Copy the RAR utility files onto one of your empty floppy disks.
- Boot your system with the boot disk.
If your system drive uses the FAT32 file system:
- From the A: prompt, insert the disk with the RAR utility.
- Type: Rar32 a -v a:\systemandsam c:\windows\system32\config\system c:\windows\system32\config\sam
- This will copy both the System and SAM files into a compressed file on your floppy called 'systemandsam.' They should all fit onto the one disk, but if not, you will be prompted to insert another blank floppy.
- Now skip down to the section on extracting passwords.
If your system drive uses the NTFS file system:
- Type: ntfsdos to detect NTFS formatted drives. The program will tell you which drive letters are allocated to which drives. Make a note of the drive letter of your main drive (the one with Windows installed on it).
- Insert the disk with the RAR utility and type:
- Rar32 a -v a:\systemandsam (drive letter of your main drive as above):\windows\system32\config\system (drive letter of your main drive as above):\windows\system32\config\sam
- This will copy both the System and SAM files into a compressed file on your floppy called 'systemandsam.' They should all fit onto the one disk, but if not, you will be prompted to insert another blank floppy.
- Now skip down to the section on extracting passwords.
Using a portable Linux CD:
These tend to be pretty user friendly, at least compared to most Linux versions. Just boot from the CD.
As most current versions of Linux read NTFS drives as well as FAT32, simply navigate to the HDA1\windows\system32\config directory from the desktop and copy the SAM and SYSTEM files to the desktop, then email them to yourself.
From a hard disk you transferred to a new computer:
Easiest of all. Simply navigate to the (drive letter, e.g. C:\)\windows\system32\config directory and copy the SAM and SYSTEM files to wherever you want them.
Extracting Passwords:
Use L0pht Crack 4 or Proactive Windows Security Explorer.
You can also use the NetBIOS hack method (see "Netbios Hack tutorial"), but your victim must have "File and Printer Sharing" enabled.
NOTE: If you want to test some of these methods on your own PC, we suggest you create a backup copy of the files you are going to delete.