How to Reset a Windows Password Through a Backdoor

Captions
In this screencast I'll be showing you a simple backdoor that can be used to reset the password of any Windows account on virtually any version of Windows. However, before we get started I need to mention two very important disclaimers. The first is that you should only use these techniques to access computers that you have a lawful right to access, so I'm not condoning tampering with computers that you do not have the right to be accessing, and I do not intend this tutorial to be used for those purposes. Secondly, if you lose data, destroy your computer, make anyone angry, disrupt your day, give yourself a headache, or otherwise have bad things happen because of this tutorial, it's entirely your fault, so follow these instructions at your own risk.

With that out of the way, let's define some terms. This method for resetting Windows passwords through a backdoor will perform a password reset. The nomenclature of the term "password reset" implies something a little different than just a password change. A password reset can be disruptive: resets do not perform any additional operations like changing the encryption keys that are associated with the user account, and we're going to find that out here shortly. You should also know that this operation is not a crack; this is not a password recovery. You're not going to be able to see the user account's old password. There are entirely different methods for seeking to uncover an account's password, but this tutorial doesn't touch on any of those. This method simply resets the account's current password to a new password of your choosing, and you will never see what the old password was.

So now that you understand what this method will and will not do, let's discuss a little bit about how we're going to be doing it. First off, physical access is a must. Now, that can be through physically touching the machine or a KVM-over-IP device with remote media; the "with remote media" part is important. This is not a method to reset a password over a network, so this won't work if you only have remote console access through, say, VNC, RDP, or some other remote access tool or viewer. The whole method hinges on having physical access to the PC, because ultimately the goal of this technique is to acquire unencrypted offline access to the Windows System32 folder and rename a single executable file within that folder. You can use any number of methods to do this, including slaving the drive to another PC and browsing the file system, using a Windows installation disk, or using any other bootable media, really, that can interact reliably with the NTFS file system (so, for instance, a Linux live image on a CD or USB drive). You could use a recovery partition like you might find on a consumer PC. Whatever you do, it really doesn't matter as long as you have unencrypted access to the System32 folder while the Windows instance itself is not running, because it won't let you rename anything within System32 if it's running.

So now would be a good time to mention that if someone has physical access to a computer and is intent on doing mischief, they pretty much own the computer in question, so keep your physical assets safe. And that's actually where drive encryption can really help you out, if it's the right kind. There are different kinds and different levels of encryption, and not just encryption key strength but also methods such as volume versus disk encryption, and that's a little bit outside the scope of this video. Now, notice how I said you need unencrypted offline access to the System32 folder. That's because if you're trying to perform this method for resetting a password on a Windows machine, drive encryption is going to ruin it for you if the boot volume is encrypted. That's actually pretty rare, though, so you probably don't have to worry about it. That's the breakdown: we need physical access to the computer and offline, unencrypted access to the Windows System32 folder.

So let's move to our victim PC. This PC is running Windows 7 Professional; I'll show you right here: Windows 7 Professional Service Pack 1. I'm logged in right now, and of course I know the password to this account, so I'm going to set the password to something random. Kind of a cop-out: I'll just hammer on the keyboard here, so there's no way that I can possibly remember that, at least not with my memory. So let's go set the password to this complex one, and there we go, we've set our password.

So let me now draw your attention to this folder on the desktop here. This is encrypted with EFS; I'll prove it to you: "Encrypt contents to secure data" is selected. There's a visual indicator within a folder: notice that all the file names are in green. Notice that these files themselves are also encrypted. Notice that I can see inside these files. So I am going to log out and we're going to get going with the password reset demonstration. However, before I do, let me set the stage for a demonstration of how Windows handles EFS and why this is actually going to be important any time you reset a password using this method.

EFS stands for Encrypting File System, and it's a technology within Windows that allows users to easily protect their files with encryption. Now, the following information that you see here is taken from technet.microsoft.com, and a link to this specific article is in the notes below the video if you're watching it on YouTube or Vimeo. I won't read it all, but what this means in a nutshell is that EFS keys are protected by each user's account password, so if you lose your account password, you lose access to any files protected by EFS. EFS is performed at the file system level, basically within NTFS itself, so applications have no clue about it; they don't have any role to play in the encryption of the files at the writing to disk. EFS-encrypted files can only be [unclear]. Properly changing your password will change the encryption keys, and thus you're not going to lose access to your EFS-encrypted files. A proper password change is done through the Control Panel or by pressing Ctrl+Alt+Delete and changing your password from the option presented to you there. Resetting a password using the method that we're about to use is not going to update the EFS key pair, and thus you will lose access to any data that's encrypted using EFS. And of course there are caveats to the danger of losing access to your data, and those involve setting up designated recovery agents before any password resets are performed, but those topics are beyond the scope of this screencast, and if those sound of interest to you and your situation, then I advise you to Google that.

Let's get back to our victim PC. So now that I've explained all that to you, it's time to log off. At this point, after all of that talk about EFS, I have no recollection of what that password is that we changed it to, so I can't get back in; I've pretty much locked myself out of this PC. Take a look down in the lower left corner of the login page. You see this little icon? That's the accessibility options icon, and probably not a lot of people have ever looked at it or even noticed it was there, or if they did, they probably never clicked on it. When we press it, we see that we have various options to launch some basic accessibility utilities. For example, we have the on-screen keyboard here, which is helpful if we have a tablet or some kind of touchscreen. What you don't see is that the executables that are launched from the accessibility options tool down there in the lower left hand corner are all running as the SYSTEM user. The SYSTEM user is basically the granddaddy of all Windows users, so we have the on-screen keyboard running right now as the most powerful user on this computer. This is the most powerful on-screen keyboard you will ever see.

Now is when our boot disc comes into play, or any of the other offline access methods that were listed earlier in this video, such as a bootable USB drive or a recovery partition. I'm going to be using a Windows installation disc to gain offline access to this hard drive. In fact, I'm going to go old-school just for kicks and I'm going to use a Windows 2000 Server CD. So let's boot into that. Boy, that brings back memories. I'm going to skim over the options that I choose here; it's just the standard options that you would choose to get into the Windows Recovery Console on an older version of Windows. It's going to get us into a command prompt where we can make a few changes to the underlying file system on the hard drive, so this part really isn't that important.

So let's move to the System32 folder. Now, I happen to know that the on-screen keyboard's executable is osk.exe, and there you see it. I also know that of course the command prompt is cmd.exe. So what would happen if we simply renamed cmd.exe to osk.exe? Let's find out. And it's as simple as that. Let's reboot. So now we're back at the login screen, and of course I still can't log in; I don't remember the password. Let's see if the on-screen keyboard will help us. That is a funny-looking on-screen keyboard. Even more importantly, look at that: I am the SYSTEM user. At this point it's just a matter of changing passwords using good old net user, and that's my password, by the way: "let me in". Now notice there's no smoke and mirrors here. This is a 7-character password, and if you remember the password that we reset it to, that big long junk password, well, it was more than 7 characters. And look at that, we now have access to the account that we locked ourselves out of earlier.

Now notice the command prompt is still up; it stays with you, but notice that I am now the user account rather than the SYSTEM account. Now we could have just as easily done this to add a user instead of modifying an existing user's password. For example, we could have gone... and of course I'm denied because I'm not at an elevated command prompt, but the idea is, if you wanted to add a user rather than tamper with an existing user, that's just another option. Now if we had created a new user we wouldn't have to worry about losing access to any EFS-encrypted files, like for instance these. We can open up the folder, but notice we can't get to any of these files: access is denied.

Now, it might seem kind of hopeless at this point, but I've found that if you reset your password back to what it was previously, or back to what it was the last time you did a proper password reset, you can access those EFS-encrypted files again. So let's reset the password back to the complex one that we had set before, which is this one. Current password is "let me in"; I'm going to paste the new old password in, the one that we reset. You'd think that we'd at least have to log off and log back on again to be able to access these EFS-encrypted files, but in fact we don't. So there we are, we can access the EFS-encrypted files once we've set the password back to what it was the last time it was properly set. And that's a good point: keep in mind that we could have reset this password hard like this, using this little backdoor method, a dozen times over the course of a month, and we'd still have to go back to the last password that was changed gracefully, which in our case was this one right here.

And that is how you defeat account security in Windows if you have physical access to the PC and unencrypted offline access to the System32 folder. Don't forget to go back and rename the command prompt that we named to osk.exe; of course you're going to want to rename osk.exe back to its original name if you want that, because otherwise you have this gaping security hole just sitting there waiting for someone to use it.

If you found this video to be useful and you watched it on YouTube, please like it with the thumbs up button and subscribe to see more videos. If you watched this on Vimeo, please like it with the heart button and subscribe to my video uploads. Check the notes below these videos if you're watching them on YouTube or Vimeo for some more information and cool links. Feel free to share this video or embed it anywhere that you think people would appreciate it. Thanks for watching.
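The swap the screencast demonstrates (cmd.exe renamed over osk.exe in System32) leaves a file whose contents, and therefore its hash and embedded version resource, still match cmd.exe, which is what a defender can check for. This is an added PowerShell check, not code from the video; it assumes an elevated session on the machine being examined, and the $Accessibility list and the Test-AccessibilityBinary function name are my own.

```powershell
# Added defender-side check, not code from the video. It looks for exactly the
# tampering shown in the screencast: an accessibility executable in System32
# (osk.exe in the video) replaced by a renamed copy of cmd.exe.
# Assumptions: run in an elevated PowerShell session on the machine being checked;
# $Accessibility may be extended with the other executables the logon-screen
# accessibility menu launches.
$System32      = Join-Path $env:SystemRoot 'System32'
$Accessibility = @('osk.exe')
$cmdHash       = (Get-FileHash -Path (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash

function Test-AccessibilityBinary {
    param([Parameter(Mandatory)][string]$Name)

    $path = Join-Path $System32 $Name
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ File = $Name; Status = 'MISSING'; Detail = 'not present in System32' }
    }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $info = (Get-Item -LiteralPath $path).VersionInfo

    # Renaming does not change the file's contents, so a swapped-in cmd.exe
    # still hashes identically to the real cmd.exe sitting next to it.
    if ($hash -eq $cmdHash) {
        return [pscustomobject]@{ File = $Name; Status = 'TAMPERED'; Detail = 'byte-identical to cmd.exe' }
    }

    # The embedded version resource also survives a rename (cmd.exe carries
    # OriginalFilename "Cmd.Exe"). A mismatch with the on-disk name is a
    # heuristic, not proof, and is worth a closer look. -ne is case-insensitive.
    if ($info.OriginalFilename -and ($info.OriginalFilename -ne $Name)) {
        return [pscustomobject]@{ File = $Name; Status = 'SUSPICIOUS'; Detail = "OriginalFilename is '$($info.OriginalFilename)'" }
    }

    return [pscustomobject]@{ File = $Name; Status = 'OK'; Detail = "SHA256 $hash" }
}

$results = @($Accessibility | ForEach-Object { Test-AccessibilityBinary -Name $_ })
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent act on the result.
if ($results.Status -contains 'TAMPERED' -or $results.Status -contains 'SUSPICIOUS') { exit 1 }
```

The hash comparison only catches the exact substitution shown in the video; the version-resource check is the broader heuristic, and the boot-volume encryption the speaker mentions is what prevents the offline rename in the first place.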
Info
Channel: Wesley D
Views: 6,038,745
Keywords: Microsoft, windows, server, password, reset, recovery, crack, hack, backdoor, Backdoor (computing), Windows Server, Microsoft Windows, How-to, Computer, software tutorial, screencast, tutorial, video, training, video training
Id: qIOIe0nr6DQ
Length: 15min 25sec (925 seconds)
Published: Thu Feb 23 2012