Home 0P3N Blog Windows Password Cracking Without External Tools
Ready to Start Your Career?
Create Free Account
Techquest89 s profile image
By: Techquest89
July 14, 2017

Windows Password Cracking Without External Tools

By: Techquest89
July 14, 2017
Techquest89 s profile image
By: Techquest89
July 14, 2017
Imagine if you will, a 17 hour work day, some idiot unplugged the main switch to your server rack (at the end of your 8 hour work day) and causes the entire server rack to go catatonic.  Zoom ahead forward, you finally have gotten almost everything fixed, the last server comes up and you are greeted with the lovely error: The Trust Domain relationship between this "workstation" and primary domain failed ( yes this happened on a server). Not only that but now your local admin account is completely locked out as well, and in order to fix the situation you must get back into the local admin account.What you will learn:This article will hopefully help you kill 2 birds with one stone: Fix a trusted domain relationship issue, and more importantly teach you how having physical access to any windows based system is all you need to get into the admin account.Things you will need:~Physical access to the laptop, desktop, or server you want to get into.~A Windows install DVD or flash drive formatted and setup with the Windows content (as far as I am aware PE images won't work). Does not matter if it is the same edition of Windows you currently have or not, as long as it is Windows 7 or Windows Server 2008 R2 or higher it will work.~Snacks, because why not!Start with the system completely turned off, put in your flash drive or make sure to put the DVD in before shutting down the system. Use the correct key for your particular system to bring up the boot menu (most popular is F12 for most brands) and boot off the disk or flash drive. You will eventually come to the Windows installer screen, and in the bottom left corner, you should see the option that says repair your computer, chose that and you will see a few options once that screen loads.Here we are going to choose 'Command Prompt'. This will allow us to make the needed changes to gain what would be considered root level access without having to log into windows, but more on this later on.Once the command prompt opens up you will need to find what your C: drive has been renamed too, in most cases it's D: but in the rare case it's not, or your setup is odd, make sure you do the work to find out by running 'diskpart' and running the "List vol" command to see what drive letters have been used.Once you have the correct drive lettering and have switched to that drive in command prompt we need to navigate to the /windows/system32 folder and do the following:  Command copy utilman.exe utilman.exe.bak   then we need to overwrite utilman by doing the following command: copy cmd.exe utilman.exe  hit y for yes and then enter to accept, once you get the 1 file(s) copied message you can close out of cmd and reboot your system. Let it boot all the way to the windows login screen. What we have just done is copied an unrestricted level of command prompt to run when the utilman.exe file runs, in case you are not aware, this is the name for the accessibility settings that show up on every windows login screen, you might not have ever used them, in most Windows systems it is either bottom left or bottom right corner.Once you have opened the backdoor we just made, it's time to do the following: net user username password     In this example I've used generic entries, but you could either reset an existing account that has admin rights or do the administrator account, if you wish to make a new account you would do the following:  net user /add username password   One last thing we need to do is make sure we have admin rights, to do this we want to use net localgroup administrators username /addNow you should be able to log into the local admin account, and in the instance of trust domain relationship, removing and re-adding to the domain is the best fix if you are in a corporate environment where you don't have control over things like user accounts or domain controllers.   Hope this helps!NOTE* once you are done make sure you open command prompt and clean up your backdoor by copying the original utilman back to its rightful place by doing the following from an admin level command prompt: copy utilman.exe.bak utilman.exeHope this helps!Techquest89
Schedule Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry