Gain SYSTEM/Administrative Access to Windows XP/2000

[alextepes]

I didn't think You can control the "Administrator" On Windows XP Home it is only there in Safe Mode.

[sircrumpet]

I didn't think You can control the "Administrator" On Windows XP Home it is only there in Safe Mode.

Press Ctrl+Alt+Del Twice on the login screen (or change the settings in Control Panel) to bring up the "traditional" login (which requires you to type user name/password), enter "Administrator" and leave the password blank.

[alextepes]

Oh alright, I didn't know that part, But thanks that'll come in handy some day, I leave my administrator open just in case I forget my password or someone else forgets theres so they can fix it, But I know its wise to have one set even if its like "hak5" or something lol that way no one can go into safe mode and add themselves an account.

[Iain]

It's not good practice to leave the Administrator account without a password. I'd urge you strongly to apply one. however straightforward it might be. It wouldn't stop a determined attacker, but what would? At least you'd put off those who might rely upon the simple trick given above.

[sircrumpet]

It's not good practice to leave the Administrator account without a password. I'd urge you strongly to apply one. however straightforward it might be. It wouldn't stop a determined attacker, but what would? At least you'd put off those who might rely upon the simple trick given above.

Agreed, its such a simple risk, but its one that is all too often ignored. It takes just a second to apply a password, and is well worth doing.

[alextepes]

I don't do anything important on my Microshaft pc, I run servers etc on Linux only and make sure everything it password protected and patched, But if anyone knew my windows username they could easily install vnc when I'm not looking lol, All they need is my ip and username because I don't have a password for my user account either lol

[celltoolz]

Ok so i scrapped utilman.exe and used svchost.exe instead. Also instead of using a Windows 2000 CD to replace the file ive used Windows Live (found via not here... lol but somewhere).. I used VC++ to write the script.

It can be found at http://www.megaupload.com/?d=54KLN5CX

If you dont know how to compile it the Exe is in the Debug folder, its called HackXP.exe if your unsure.

Warning: this is only a beta it only works if your windows folders is called windows not winnt (Ill work this out later), and it has to be C: as the main drive.

Anyways..

Get access to C: partition

Create C:user.txt

in user.txt put Username:Password

Navigate to C:windowssystem32

rename svchost.exe to svchostnew.exe MUST DO

copy HackXP.exe to C:windowssystem32

rename HackXP.exe to svchost.exe

Restart Computer

After it starts it will create a new user and the computer will automatically restart. This is because svchost was not properly loaded and after the restart the original is backed up. Its hard to explain but it should work.

so this is what i have:

C:user.txt <--> NewAdmin:Hacked <--> Username = NewAdmin Password = Hacked

C:windowssystem32svchostnew.exe <--> original microsoft svchost.exe

C:windowssystem32svchost.exe <--> HackXP

When you start your computer it creates a new user and backs up the original ms svchost.exe using svchostnew.exe so no need to worry. Then it restarts so svchost can correctly run.

Post if you need any help... There should be more to come

[kickarse]

Good job!

Btw, you HAVE to rename the svchost.exe to svchostnew.exe

[Guest Panarchy]

Is there a hack for Windows Vista?

[DeGrijze]

Is there a hack for Windows Vista?

Please Panarchy go and find a nice corner and start playing with your self.

:twisted:

Gerard

[sid_lexic]

Hi all,

Some of the earlier instructions mention using the Recovery console. Unfortunately the recovery console asks for the Administrator password which defeats the purpose of this hack. An NTFS4DOS boot disk as mentioned earlier would be the best thing to use. http://www.datapol.de/dpe/freeware/

Please note that Hiren's boot CD contains Warez! (as well as freeware) so be careful where you use it! A better option would be to use the ultimate boot cd or the UBCD4WIN version 3.0. http://www.ubcd4win.com/

Better yet how about a HAK.5 Bootcd then all of the utilities used for the Mods and hacks could be kept on the one CD. Maybe a new thread could be started for this.

[celltoolz]

Yes if you use the windows xp recovery console it asks for a password but if you use the Windows 2000 recovery console it doesnt :)

[renegadecanuck]

I don't know if this counts, or if it's already been posted someplace else in the forums, but I know an easy way to gain local Administrator account access on the machine in case you need that windows version of the root account.

Steps are as follows:

[*]Rightclick on My Computer, choose Manage

[*]Choose Local Users and Groups in Computer Management, open Users folder

[*]Rightclick on Administrator, choose rename, use any other name besides Admin or Administrator in any form

[*]Rightclick on the new username, and choose Set Password, you can now change their password to anything you want

[*]Rename back to Administrator, done

[/list:o]

This isn't removing a password, or spending hours with a cracking application or sitting there cracking it by staring at data all day, but I hope this helps people achieve the same thing you're looking for here, it's worked every time i've used it, don't know if it'll work under a standard User Account (as set under Users in Control Panel.)

It should be mentioned that this will NOT work under Windows XP Home.

[goldfish]

A route which might be interesting to take is injecting code into winlogon.

Winlogon runs as SYSTEM, so you could use it to spawn a new process to do some dirty work for you. You would need to find a way to write to the memory which winlogon resides to (tricky...) and alter the instructions to jmp to a place in memory you have loaded in code, and then jmp back to the end of winlogon, after you have replaced the original instructions. And once you have done this - as far as winlogon is concerned - everything is fine.

The beauty of this approach is that winlogon will be running all the time, no matter what the privs of the account you are using. And even if there is NOBODY logged on. .

Equally, if someone has locked the machine, injecting code into winlogon to switch you back to one of the unlocked Desktops would defeat the password protection. For more permenant access you could make a screensave which does this when a certain key combo is pressed (before the system kills it to wake up the system).

Unfortunately I believe that autorun does not work without a non-system user logged in - but if it did...

[Geko42]

I dont know if any one has said or tried this but,

if you press f8 and boot into safe mode you can log in and change the admin pass word or make an acoount with admin and del after your done.

i have only done this with win xp home and pro also 98

[linuxzealot]

Just a note, the latest Knoppix cd should be able to mount any ntfs partition using libntfs+fuse(beta!!!)... Just to make it a little bit easier or scriptable.

[sircrumpet]

hmmm, wonder if anyone here has heard more about this...

On Dec. 15, a Russian programmer posted a description of a flaw that makes it possible to increase a user’s privileges on all of the company’s recent operating systems, including Vista. And over the weekend a Silicon Valley computer security firm said it had notified Microsoft that it had also found that flaw, as well as five other vulnerabilities, including one serious error in the software code underlying the company’s new Internet Explorer 7 browser.

http://www.nytimes.com/2006/12/25/technolo...artner=homepage

[therealdonquixote]

Hi all, I have been keeping an eye on this thread for quite some time now, and I really like it.

Question, lets say I have an iso of a win2k boot cd... Then we could alter the boot.ini to load the recovery console and run a batch file (or whatever) that switched out the svcehost.exe with celltoolz hacked version while backing up the real version at the same time. Then the batch file tells it to shut down the system eject the CD and reboot to winXP. According to what celltoolz says the hacked svchost.exe will create the new user and pass with admin rights and force the WinXP OS to reboot and backup the original svchost.exe file.

I imagine it working like the Ophcrack live cd that just launches and runs the brute force on the dumped SAM, SYSTEM and SECURITY hashes and keys. Then gives you the user and pass for everything stored on the local PC. (yes that's an over simplification)

What do you guys think? The Win2k hacked CD could easily be modded with Power ISO, its just a matter of the batch file and boot file being feasible (oh and the iso would be warez so I dunno if we could post it here...that's why I haven't posted it yet). So could this work? I'm willing to supply the final product cause I have the toolz and I want to contribute.

Just give me the word (and maybe the .bat file, and possibly the hacked boot.ini file, if you have the spare time and brain) and I can have the iso set up and tested ASAP.

Hope this helps.

BTW - We could also integrate this into a USB drive to boot from for low visibility.

[ichthuz]

i cant believe i didnt see this topic before!. i see huge potential here

[Philzney]

is it possible to do this on a network? my school uses windows 2000 on NT technology (according to the dialog box), and once the computer loads up you have to press ALT CTRL DEL and type in your student number. apparently theres a master computer somewhere in the school that has one big ass hard drive. so is it possible do to it on any computer within the school?

[therealdonquixote]

is it possible to do this on a network? my school uses windows 2000 on NT technology (according to the dialog box), and once the computer loads up you have to press ALT CTRL DEL and type in your student number. apparently theres a master computer somewhere in the school that has one big ass hard drive. so is it possible do to it on any computer within the school?

Since you are only placing the new user to the local admin group via the SAM, SYSTEM and SECURITY files, the networked user and pass for the schools LAN won't matter. However, you will have to do it to every computer you log onto. Unless you can somehow figure out how to get into the school's DB of user and passwords and add a special user of your own that has LAN manager admin rights.

Of course we have to get the local hack to work first. And I don't just mean once or on a home computer, I mean on a PC that has been secured by IT lock down.

So who wants to lose their job?

[pleasedeletethis]

Ok so i scrapped utilman.exe and used svchost.exe instead. Also instead of using a Windows 2000 CD to replace the file ive used Windows Live (found via not here... lol but somewhere).. I used VC++ to write the script.

It can be found at http://www.megaupload.com/?d=54KLN5CX

If you dont know how to compile it the Exe is in the Debug folder, its called HackXP.exe if your unsure.

Warning: this is only a beta it only works if your windows folders is called windows not winnt (Ill work this out later), and it has to be C: as the main drive.

Anyways..

Get access to C: partition

Create C:user.txt

in user.txt put Username:Password

Navigate to C:windowssystem32

rename svchost.exe to svchostnew.exe MUST DO

copy HackXP.exe to C:windowssystem32

rename HackXP.exe to svchost.exe

Restart Computer

After it starts it will create a new user and the computer will automatically restart. This is because svchost was not properly loaded and after the restart the original is backed up. Its hard to explain but it should work.

so this is what i have:

C:user.txt <--> NewAdmin:Hacked <--> Username = NewAdmin Password = Hacked

C:windowssystem32svchostnew.exe <--> original microsoft svchost.exe

C:windowssystem32svchost.exe <--> HackXP

When you start your computer it creates a new user and backs up the original ms svchost.exe using svchostnew.exe so no need to worry. Then it restarts so svchost can correctly run.

Post if you need any help... There should be more to come

Do you have a file that works for HackXP?

[kickarse]

You could always write some code into the msgina.dll, what the login is, with a hidden button that run CMD. That'd spawn in SYSTEM.

[Arikirangi]

Is there a way to boot some sort of network device from the pxe / network boot to access the %system% . My target has bios locked, not possible to open case and no boot from cd etc.

[therealdonquixote]

Is there a way to boot some sort of network device from the pxe / network boot to access the %system% . My target has bios locked, not possible to open case and no boot from cd etc.

If there is no other way to boot from an external device...

A bios chip cannot be backdoored or cracked on an oem machine. If it is a custom build machine then there are some backdoor passwords out there, but they rarely work. So that leaves you SOL.

If the case is locked then you need to unlock the case. Don't get all panicky just yet. As long as you can inconspicuously open the case and remove the cmos battery, then the lock picking is your only hurdle.

Lock picking is easier than you think. You only need some home made tools and some time to practice on your target lock to get er done. If the lock is one of those crappy kingston types then see any of the videos out there on picking those, cause it take seconds and a retarded cat with no paws could pick one of those. If its a master lock or some equivalent key based lock then you will need a "rake" and a "tension rod" and buy a lock like it to take home and practice on.

How To Pick A Lock, In Comic Book Form!!

That's a quick and easy starter tut on lock picking.

Now go out there and be somebody!!!

**of course if the case is locked via a looooooong steel wire thingy strung through through several PC's, and the admin has a HUGE CONSPICUOUS LOCK at the end... then you're straight up SOL. sorry