Locally Gain Access to Any Password Protected Windows Machine

Today I want to show you a super easy way of accessing a local windows account if you do not know the password. This might be useful if you are locked out of a windows machine. I have tested this technique on Windows 10 and it has worked perfectly every time.

Now I know there are a few other ways to do this, but I found many of them were riddled with errors or needed equipment that might be unavailable. As such I believe this is one of the most practical solutions to local Windows account hacking. Furthermore, as we are using Kali Linux, if this attempt does not work we have many tools up our sleeves to try something else (I will go into these techniques in future tutorials). Alternative ways might be quicker, but they seem to have a higher probability of failure.

If you are interested in these other methods, they include using a Windows installer disk (which you might not have). There’s also the sticky key cmd.exe swap technique; although this is fairly easy, messing around with file names in system32 might not be a great idea for someone who doesn’t really know what they are doing. Furthermore you could try something like Ophcrack, a live bootable that uses rainbow tables to crack passwords. However this method might take a substantial amount of time, especially if the password to crack is quite long/complicated and only limited rainbow tables are available.

Now before we begin, for this hack you will need:

  1. A writeable CD (the reason we are using a CD instead of a USB is purely for simplification; however, you could make a USB in the same way using software such as “Unetbootin”)

  2. An internet connection (we will get all software needed for free online)

  3. Access to an alternative computer on which you can download the required software

  4. Knowledge of how to enter the BIOS of your target computer (a quick Google search should suffice)

This technique can be divided into 5 steps which I will outline in detail:

– Create Linux bootable live disk

– Allow CD to run through BIOS

– Navigate to Windows Security Account Manager (SAM)

– Use chntpw to blank password

– Shutdown/restart – turn on computer – automatic login

 

1 – Create Linux bootable live disk

To create the bootable live CD we will need two pieces of software – a CD burner and an ISO image. For this tutorial I have chosen to use a “Kali 2016 ISO” and the CD burning software “BurnCDCC”.


The Kali ISO can be downloaded HERE.

BurnCDCC can be downloaded HERE.

[Screenshot: BurnCDCC]

BurnCDCC is shown above. Just open up the application once downloaded and browse for the Kali 2016 ISO you have downloaded. Also drop the speed to no more than 4X for DVD, as this will make sure the information is written to the disk properly. Once all settings are set you just need to click start – you will be prompted to insert your blank disc. Once it states “Completed” you can close the program. Leave the disk in.


2 – Allow your CD to run using the BIOS


To allow the CD to run instead of the Windows OS you need to enable legacy mode and turn off secure boot. To do this you must enter the BIOS. Usually there is a certain key you can press as the computer is loading, before the OS boots, that will take you to the BIOS. For example, on HP systems this is F10. A quick search will tell you which key to press.

 

Once in the BIOS, navigate to the “boot settings” screen and select to enable legacy mode (this should usually disable secure boot as well but just make sure it has by checking the secure boot settings).

 

Once this is done exit the BIOS making sure to save any changes when you are prompted. The computer will automatically restart. Make sure you are prompted to confirm any changes that you made to the BIOS during this restart as that will let you know that you have successfully changed and saved these settings.

 

Now determine which key opens the “device boot manager” – similar to the BIOS, this will allow you to select which “device” you wish to boot from. For example, on HP systems this is F9. Press this during loading before the OS boots, just as before.

 

You will now be given options on where to boot from. Select CD/DVD drive.

 

Kali will now boot.


3 – Navigate to Windows Security Account Manager (SAM)

Once Kali has booted you will need to mount the Windows partition. Use the command “fdisk -l” to see all available partitions. There are many ways you can mount the Windows partition; googling will give you many command line ideas on how to do this. However, it is very easy to mount the partition by clicking on the folder icon and then clicking “other locations”. Here you will see the Windows partition – just double click to mount it, and that is all you have to do to be able to access files within this Windows partition.

 

Now it’s time to access the Windows registry.

Open a terminal and type (without quotes)

“cd /”

to make sure you are in the root directory, then type

“cd media/root/Windows/Windows/System32/config”.

 

You are now in the config directory. There is a file in here called SAM, aka Security Account Manager. This file holds the password hashes for all Windows accounts. This file is inaccessible while Windows is running. Also, a SYSKEY partially encrypts the SAM file; this does not matter as much for us in this tutorial, but in a future tutorial I will show you how it is possible to gain access to the passwords contained in this file.

 

4 – Use “chntpw” to Blank the Password (no password will be needed when next logging into Windows)

 

Now we want to use a password removal utility called chntpw, aka Offline NT Password & Registry Editor. You can create a live CD of this utility itself, but if this trick does not work it might be easier to have Kali already up and running to crack hashes from the SAM database file.

 

To use this utility type the following command.

 

“chntpw -i SAM”

 

Users are displayed as well as options.

The first option is to change/delete passwords.

Type “1” and hit enter to select this option.

Then enter the RID of the account you wish to access (i.e. 0x3e9).

[Screenshot: chntpw user edit menu]

Blank the password by pressing 1 and hitting enter. Also unlock the account by entering 2 and pressing enter (even if it says the account is already unlocked, sometimes it is not).

 

Enter q to go back to users and we can now see next to our target account “Meow” that the lock is now blank.

[Screenshot: chntpw user list after blanking]

Exit by typing “q” and hitting enter, making sure to save changes by entering “y” to confirm the changes. ** THIS IS VERY IMPORTANT ** if you do not save the changes this will not work – remember to close the terminal AFTER saving.

[Screenshot: chntpw write confirmation]

5 – Shutdown/restart – Automatic Login

 

Shut down Kali. Turn the computer back on and disable legacy mode – making sure secure boot is enabled again.

 

And voilà! Now you should be able to log straight into the account without a password.
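As an added defender-side check (not part of the original post), the following PowerShell script, run from an elevated prompt on Windows 10, reports the two conditions this whole walkthrough depends on: Secure Boot being switched off (or switchable off), and the Windows partition being mountable and readable from a live CD without any key. The function name Get-OfflineSamExposure is my own; the script assumes the BitLocker PowerShell module is available, which it is on Pro/Enterprise editions.

```powershell
# Added defender-side check, not code from the original post.
# Run from an elevated PowerShell prompt on Windows 10. Assumes the
# BitLocker module is present (Pro/Enterprise editions).

function Get-OfflineSamExposure {
    # Hypothetical helper name chosen for this example.
    $report = [ordered]@{}

    # Condition 1: Secure Boot. The walkthrough needs it switched off
    # (legacy mode) in the BIOS before the live CD will boot.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS firmware, where
        # Secure Boot does not exist at all.
        $report.SecureBootEnabled = $false
    }

    # Condition 2: an unencrypted Windows partition. The live CD can only
    # mount the volume and open System32\config\SAM if the disk is
    # readable without a key, i.e. BitLocker protection is off.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report.OsVolumeEncrypted = ($null -ne $osVolume -and "$($osVolume.ProtectionStatus)" -eq 'On')

    # Verdict: volume encryption is the control that actually stops the
    # offline SAM edit. Secure Boot only raises the bar, because anyone
    # with physical access and no firmware password can turn it off in
    # the BIOS exactly as the walkthrough describes.
    $report.ExposedToOfflineSamEdit = -not $report.OsVolumeEncrypted
    return [pscustomobject]$report
}

Get-OfflineSamExposure | Format-List
```

A result of ExposedToOfflineSamEdit = True means the machine will behave as described in this post; a BIOS/firmware password, which the script cannot check from inside Windows, is the other setting that blocks steps 2 and 5.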
