Working with Windows Passwords

Don't you just hate it when you create the world's most complicated password for your admin account, and then "Bing!, Bang!, Boom!" it is gone from your memory like a thief in the night? Yeah, that has never happened to me either 😉

To be honest with you, what this post is going to show you is not even close to the proper methods a real admin would use to establish a password recovery methodology. This blog posting is purely for the fun factor. If you are looking to sharpen your Windows admin skills needed for work, check out this article on 3 ways to actually recover an admin password (https://www.makeuseof.com/tag/3-ways-to-reset-the-forgotten-windows-administrator-password/). 

Note: Just in case you were wondering, the only password worth learning to recover is the admin password because all other passwords can be reset by an admin. 

Ok so if you are still here and reading, you are just looking to learn how mischievous little children can ransack a computer by stealing passwords, enabling accounts not normally used, and elevating accounts not meant to be a local admin. 

Disclaimer: What I am about to walk you through can be used for evil, and I do not endorse the use of any steps to follow outside of computers that you personally own or have been given written permission to deface.

In this posting, we will explore two ways to gain access to a Windows machine without being a legitimate admin. The methods shown in this posting have been practiced on Windows 8.1 through Windows 11. 

Note: These methods are meant to be used if you have access to the physical machine, or have exported the necessary files. We will demonstrate a fully remote attack at a later time. 

Let's get started!

Modifying a User Account

Here we will show you how to change a user's password by first blanking the password and then adding a new one. We will also walk you through how to elevate a non-administrative account. This exercise will require a live bootable USB or disk running a program called "chntpw". I find that the popular pen-testing distro of Kali has what we need.

Note: The lite version of Kali did not have the necessary programs needed for either method covered in this post. Go with the full version. (https://www.kali.org/get-kali/#kali-live)

The first step is to burn the Kali live version to USB, or if performing this on a virtual machine, the downloaded iso file will work just fine. Please google the proper steps for your computer; there are way too many options for me to cover them all here. 

Next, insert your USB into the physical machine that you wish to perform these activities on (Legal notice: if not authorized for the machine, this is illegal). You will have to change the boot priority in the machine's bios. Once again, way too many options for me to cover, google it. 

If you are using a virtual machine, you can follow these steps to load up the Kali live iso file. Our team only uses Virtualbox, but VMware works the same way. It screens will just look different.

Open your virtual machine manager (Virtualbox application)

We will be making changes to the machine called "windows_10_docker". Open the settings for your virtual machine. Open the storage section for the machine, and select the empty disc drive.

Select the drop-down to insert a new disc. Navigate to the location where you downloaded the Kali live iso, and then select it. 

That is it for loading the live disc in a virtual machine. we will remove the iso file once we have completed our exercise.

Note: Make sure that the boot order has the "optical" option listed before the "hard disk" option.

Next, turn on the machine. The machine will boot into Kali live instead of Windows.

Select the default live option. the login credentials are username: root and password: toor. If presented with a pop-up, accept the default config. 

Next, open a terminal. Based on the version of Kali Linux, opening the terminal may be different. I usually look for a black icon containing a "$_". Once the terminal is open run the "fdisk -l" command to identify which drive to mount. 

Locate the appropriate drive by looking for sizes. the drive containing my Windows OS is "/dev/sda2". I know this because the size is about 50Gb. Let's mount the drive by running the following command:

 mount /dev/sda2 /mnt/

Note: If you receive a message that the drive is read-only.  Start the windows machine normally, even if a virtual machine is being used. Then shut down the Windows machine completely. After this booting into the Kali Live disc again, and mount as you just tried before. 

this command mounts the Windows OS into the folder /mnt on the Kali Live system. Now we can navigate the Windows Os without any hindrance. change into the config folder under system32. the command to so is: 

cd /mnt/Windows/stsem32/config

From here we run the chntpw -l command to list out which accounts exist on the computer. this command requires us to pass in the SAM file. this is why I had you change into the config directory of the Windows OS. 

This screenshot is from the windows 10 box prior to the start of this exercise. It proves tester_bob is not an admin. 

I have 6 accounts. 3 accounts are usable. The Guest account should be listed as dis/lock, but I already did this exercise a few times and unlocked the account along the way. 

the next step is to select the user that you would like to make modifications for. I will be selecting tester_bob. Execute the following command to access tester_bob:

Note: Linux is case-sensitive. This means that everything must be typed as you see it or the instruction will not work. Capitalization matters. 

From here I will perform two actions. first I will erase the password for tester_bob:

use selection "1". When the prompt reappears, elevate the user's rights to that of admin by selecting option "3". This option will ask you to confirm the action. Of course, we will say "Yes!" 

Now let's quit editing the user so that we can confirm our changes. Provide the selection "q" and write the changes to the SAM file. Before shutting down the system, execute "chntpw -l SAM" once again. 

There we have it, you have just erased the password and made the user an admin. The last step is to restart the machine, remove the USB or disc, and do whatever you want as an admin. None of the other users are any the wiser. 

Note: I have noticed that the next booting of Windows will be slightly slower, but this will pass after the next boot. 

Cracking the Windows Password for Windows 

This process will need a persistent version of a pen-testing distribution of Linux. This is because only a persistent version of Linux will allow updating or installation of software that may be missing. I will be showing this exercise from ParrotOS Security version.

Note: you can also use a docker container of kali. I prefer this one because it comes with web-based GUI.  Docker command: docker pull kasmweb/core-kali-rolling:1.10.0-rolling. Once it has been downloaded execute this command: sudo docker run --rm -it --shm-size=512m -p 6901:6901 -e VNC_PW=password kasmweb/core-kali-rolling:1.10.0-rolling

Step one extract the SYSTEM and SAM files from your Windows machine. Boot up the targeted Windows. If you performed our first exercise then you can use your newly elevated user account. To extract the mentioned files execute the following commands:

cd c:\windows\system32\config

reg save hklm\system c:\users\<your username>\desktop\system

reg save hklm\sam c:\users\<your username>\desktop\sam

The next step is to get these two files over to the pen-testing Linux distro of your choice. The files are small enough to email. I will be copying them into my ParrotOS VM.

Once you have logged into your Linux, copy over your system and sam files from wherever you stored them. Next, open your terminal and execute the following commands:

locate wordlist (this will find the local wordlist for cracking passwords)

Most Linux distros will have a directory "/usr/share/wordlists". Navigate to this directory with :

cd /usr/share/wordlists

Then extract the rockyou.txt.gz file by executing:

gunzip rockyou.txt.gz

Next, we will locate the program pwdump.py with the command:

locate pwdump.py 

or 

sudo find / -iname "*pwdump.py*"

Ok so now you have everything you need to extract the user hashes. Hold on, maybe I should explain the user hashes to you. 

In the world of encryption, hashes are one of the strongest forms of encryption because they cannot be decrypted. they are one-way encryptions. The weak point of any hash is that the encrypted form can be guessed given enough information. That is where bruteforcing, wordlists, and rainbow tables come into play. Somewhere in the vast world of computers and the Internet, mad geniuses have spent many hours compiling lists of words or hashes that we can use to crack passwords.  The program pwdump.py will use the system file and the sam file to extract each user's hashed password. 

Lets give it a go. Execute the following command:

/usr/share/creddump7/pwdump.py [system file] [sam file] >> windows_hashes.txt

If we open our new file, we will notice two unique hashes for the users tester and tester_2.

Note: the users are different for this demo because I pulled them from my Windows 11 virtual machine.

Ok so now on to the fun part that you have been waiting for. We will use the application john the ripper to crack these password hashes. execute the following command

john --format=nt --wordlist= /usr/share/wordlists/rockyou.txt windows_hashes.txt

There you have it, passwords cracked. The tester password is "password1" and the tester_2 password is "password2". If you ever forget the password, you can find all of your cracked passwords in the ~/.john/john.pot file. 

This concludes our password cracking and user account modification lesson. As a reminder, this is illegal if you do not own all machines involved, or are not given written permission to perform these actions on any machine.