Password cracking for Windows

Source: Internet
Author: User
I. Crack the Windows 2000 system password with bare hands:
In the early days, the Windows2000 system had a flaw called the Input Method Vulnerability, any user who understands this Input Method Vulnerability can easily create an account on a Windows system that does not make up for the vulnerability and does not know the user name and password of the system, set as administrator. This vulnerability exists in Windows2000, Windows2000 SP1, Windows2000 SP2, and some Windows2000 SP3 systems. Of course, the latest version is Windows 2000 SP4. This patch has completely removed the Input Method Vulnerability. This vulnerability is not introduced here because it is currently applicable in a narrow range.
In fact, the most widely used method to crack windows passwords is the Sam file method. In Windows, there is a file named Sam, which is responsible for managing the usernames and account information of the current system. Although it is encrypted, we can use some hacker tools to perform brute-force cracking with the help of dictionaries, restore the correct user name and password. For example, in LC4, we can use LC4 to crack the user name and password within six digits within 48 hours. However, in reality, we don't have much time to crack the Sam file. Here we will tell you a clever way to delete the Sam file. The Sam file exists in the C: \ winnt \ system32 \ config directory. Because the Sam file is used by the system after you log on to the desktop, therefore, you cannot delete a file in normal mode. The message "Cannot delete Sam, share conflicts, source files or target files may be in use" is displayed during deletion. (1) We usually start the boot disk to the DOS environment through windows98, and then use the del command to run C: \ winnt \ system32 \ config. When we delete the Sam file and restart the computer to log on to the system again, we only need to enter the username as administrator and the password is blank. This makes it easy to crack the password of windows. TIPS: The LC4 brute-force cracking method is applicable when you want to obtain the original user name and password. After you delete the Sam file directly, no matter what your original user name and password are, all will go forever with the deletion of the SAM file. In fact, if you do not want to detect the system, you can copy the Sam file first, delete the file in the system directory, and log on to the system to view the corresponding file, after that, restore the copied Sam file.
Ii. Crack the Windows XP system password with bare hands:
Windows XP is an operating system for home users. However, in practice, many employees of the Company are used to this version. For Windows XP without any SP patch installed, you can use the methods described above to delete the Sam file or brute force crack the Sam file. However, after installing the SP1 or SP2 Patch, you cannot use the Sam file deletion method to crack the Windows XP system. After the system is deleted, you cannot log on to the Windows XP system. You can only reinstall the system. So how should we crack the Windows XP system password with bare hands?
(1) Default Account Logon method: first, let us know a tips. Generally, the administrator password is required during Windows XP installation. In most cases, the user jumps directly. Therefore, after the XP system is installed, an account with a username of administrator and a blank password is built in. You can press CTRL + ALT + DEL on the Windows XP system logon interface. A traditional logon interface similar to Windows is displayed. In this interface, enter the user name as administrator, if the password is null, try to log on.
In 50%, you can log on to the system and change the password or create a new user. If you find that you cannot log on to the system using the Administrator and empty password, you must use the script described below.
(2) Start script method: first, we need to understand the start script and shutdown script of the system. The Win2000/XP Computer startup and shutdown scripts are a new feature of them. The STARTUP script is a batch file that invites users to log on before running, this function is similar to autoexec, which automatically executes batch processing files in Win9x and DOS. bat, And the shutdown script is the file that runs before the computer is shut down.
TIPS: there is also a concept in Win2000/XP system called user login/logout script. What is the difference between them and the startup script and shutdown script mentioned above? The main difference between the two is: The computer startup/shutdown script runs when the computer starts and shuts down, the script Program A dialog box for inviting users to log on is usually displayed after the startup script is run only once. The user login/logout script appears after the dialog box for inviting users to log on, A user logs on to the system or logs off from the system. The number of running operations is determined by the number of user logon/logout times. Each time the user logs on/out of the system, the script program runs once.
In the 2000/XP system, we can configure the startup and shutdown scripts through the Group Policy. Start-> Run-> enter gpedit. MSC to start the Group Policy. In Windows Settings under the computer configuration of the Local Computer policy, we can see the script (start/Close) option. (2) Here we can add the startup and shutdown scripts at will. In this way, the startup script we set will be automatically executed after the system starts. If we put a script for changing the account password in the startup script, can we immediately change the password after the system starts? This principle is used to crack the system account by starting the script. When the startup/shutdown script is applied, a scripts is generated under the System32 \ grouppolicy \ MACHINE \ scripts directory in the system directory. INI's hidden file, which actually records the script call Information. The file format is as follows:
0 running line = Name of the loaded STARTUP script (BAT or vbs)
0 parameters = post header and parameter, generally Blank
0 offline line = Name of the loaded shutdown script
0 parameters = parameter, which is generally null
You can edit the boot script to automatically modify the forgotten administrator password after the computer starts.
Step 1: First edit a BAT file to change the administrator password. The content is "Net user administrator 31896", which indicates that the administrator password is changed to 31896.
Step 2: Use the 98 boot disk to start the operating system or mount the local hard disk to another machine, no matter what method you use, you only need to successfully copy the script file edited in the first step to system32 \ grouppolicy \ MACHINE \ scripts \ Startup in the system directory.
Step 3: Edit scripts. ini. (For example, the BAT file name is softer. BAT) the content of the corresponding scripts. ini file is as follows:
0 keys line = softer. bat
0 parameters =
Step 4: After the computer is restarted, the system automatically changes the password of the Administrator account to 31896 before logon, thus successfully cracking the administrator password.
After you use the start script to crack the Windows XP system password, you must promptly Delete the start script. Otherwise, even if you modify the administrator password, the password is automatically restored to 31896 at each startup because of the existence of the startup script.
TIPS: This method is also applicable to Windows systems, but it is easier to delete Sam files.
Iii. password cracking for Windows 2003 with bare hands:
In fact, Windows 2003 and Windows 2003 SP1 systems can also be cracked by the startup script, which is not a system vulnerability, it's just that we have successfully used the built-in Startup Script Function to crack the password. However, in Windows 2003, the launch script cracking password is different from that in XP. If you have not run the Group Policy in Windows 2003, you cannot find the System32 \ grouppolicy \ MACHINE \ scripts \ Startup directory in the system directory by simply copying the startup script following the above method, even if we manually create the corresponding directory, the password cracking function cannot be implemented after the script is copied. Because the file directory and startup script storage rules in the 2003 system are different from those in XP. So here I will tell you a clever method, that is, to find a Windows 2003 system that you know the password, and then set a STARTUP script through the Group Policy on it, enable the Script Function to change the administrator password to 31896. Then, use a floppy disk to copy all the c: \ windows \ system32 \ grouppolicy \ directories in the Windows 2003 system. Then use the 98 boot disk to start the computer to be cracked and run C: \ windows \ system32 \ grouppolicy \ directory is copied to the corresponding directory of the computer, so that when the computer is restarted to enter the Windows 2003 system, the system automatically runs the startup script, change the Administrator account to 31896.
This article Article We have explained how to crack the system password without any external tools from Windows 2000 to Windows 2003. The START script cracking method applies to all systems, and the deletion Sam method is only valid for Windows 2000 systems.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.