Help finding correct payload

[Pabs_b]

I want payload that is able to crack the administrator password from just the windows 10 lock screen without logging in or any local account and also a payload that if logged in on non admin very restricted user to steal the C:\Windows\System32\config folder or sam files in it to find the NTLM hash.

[Dave-ee Jones]

1 hour ago, Pabs_b said:

I want payload that is able to crack the administrator password from just the windows 10 lock screen without logging in or any local account

?
?
?
?

Join the club.

One way to do this would be to make a payload that does the Ease-of-Access exploit trick step-by-step. Have a Google of that: "Ease of Access exploit". Basically you replace the Ease of Access program with cmd using a Windows boot disk. Potentially you could make the Bunny restart the machine, act as a boot disk and then press the corresponding "boot from USB" button and do all the fancy stuff for you. However, the chances of it working are quite slim, especially since every machine is different in it's own way. E.g. Lenovo's use the Enter key for the "Boot from.." screen, while HPs and stuff use other keys (typically F12). So yeah, lots of different scenarios there. You could always do it manually.

[C1PH3R]

On 4/24/2018 at 6:35 AM, Pabs_b said:

I want payload that is able to crack the administrator password from just the windows 10 lock screen without logging in or any local account and also a payload that if logged in on non admin very restricted user to steal the C:\Windows\System32\config folder or sam files in it to find the NTLM hash.

And I want a unicorn ?. But I think that if such a payload would be on this forum Windows would probably fix it. Good luck tho! Maybe installing a keylogger and getting the password that way is easier?

 

C1PH3R