1-Introduction
2-To Hackers / Security Systems Engineers
3-Close Look at the Hole
4-Does Microsoft Know, and Why?
5-Understand the Idea
6-Get an Admin-Like Account (The Simple Way)
7-Crack the SAM: Learn the Real Admin Password and Apply Hint 8
8-Create a Hidden User Account
9-USB Boot for FAT32, NTFS or Any File System
10-Motherboard Default Passwords, and How to Extract Them If You Are in the System

1-Introduction

This article introduces a very simple way to obtain an Administrator-like account, do the job, and then restore the system when you are finished. After that, you can recover the real Administrator password later at home by cracking it, and once you have it, create a hidden user account so you can do all your work freely. The article also explains how to make a USB storage device bootable for any file system, how to bypass a motherboard password using default passwords, and how to extract that password if you are already in the system.

2-To Hackers / Security Systems Engineers

First, everyone must know that hackers and security systems engineers are two faces of the same coin. Anyway, I tried this on Windows XP SP2; I would like everyone to try it on Windows Server 2003, Windows Vista and any other Windows NT version, and post a message so we all know exactly which versions this idea applies to.

3-Close Look at the Hole

Microsoft stores its security information in many files, but the main one is the SAM file (Security Accounts Manager). This file contains critical information about user accounts. You can explore the folder
%windir%\system32\config
You will find everything there and may discover something new, but what is amazing is that the file is simply available, so we can apply our idea.

You will not be able to copy these files while Windows XP is running.

4-Does Microsoft Know, and Why?

Yes, Microsoft knows all of this, and it is done on purpose. Why? For many years I have asked myself why Microsoft doesn't do real security on their systems, from the CD setup through every security aspect of the system. I concluded (my opinion may be wrong) that they need to achieve two strategic things:

1-They need their software to spread so that everyone depends on it, and one day, when they feel they are the only one left, security will be done and all the money will go to one pocket.

2-They are forced to, or like to, make it possible for some organizations to hack other systems.

Proof:
They could make the SAM file unavailable by storing the information in the reserved areas of FAT, FAT32 or NTFS (sectors reserved by the operating system to store the addresses of files on the hard disk, the File Allocation Table), so that it would be hard to extract. But they don't!

5-Understand the Idea

The idea is simple. I will explain it manually; it can then be programmed, it is that easy. Here is the idea:

The SAM file is available, and the SAM file contains the security information. So I created a Windows XP SP2 logon account that needs no password (an Administrator account without a password). That means when Windows launches it enters the system directly without asking for any password, and Windows stores this account in the SAM file on my PC. So the SAM file on my PC contains an account that lets you enter Windows directly. I take my SAM file and replace the SAM file on the other system or machine with it (by renaming, since we will need the original file to restore things afterwards). When you restart, it lets you enter Windows directly with an Administrator-like account; do what you need, and then put everything back to its previous state. All these steps are done from another bootable system (DOS, Knoppix, a Windows Live CD), because Windows XP will not let you copy the files while it is running.

6-Get an Admin-Like Account (The Simple Way)


1- Download my two SAM files; I include them in Downloads.
2- Go to the target machine, try to access it and boot from any device: CD-ROM, floppy or NIC. If it has none of those, read Hint 9.
3- After you reach the boot command prompt (C:\>) or have booted a live OS CD, go to the Windows folder %windir%\system32\config and copy the SAM file and the SYSTEM file (we will need it later) to another folder. Then go to %windir%\repair and copy its SAM file.
Then rename the two SAM files to SAM1 in their original places.
4- Copy my SAM/config file and paste it into the Windows folder %windir%\system32\config. Copy my SAM/Repair file and paste it into the Windows folder %windir%\repair (this step may not be required).
5- Reboot and let Windows start normally.
6- Yeah, now you are in the system.
7- Copy the files from step 3 to a floppy disk or flash stick, or send them to your mail over the Internet.
8- When finished, repeat step 2, delete my SAM files and rename both SAM1 files back to SAM.
9- Reboot. Congratulations, you have restored the system to its previous state.

7-Crack the SAM: Learn the Real Admin Password and Apply Hint 8

There are many ways; I will introduce two and explain one. Once you have the SAM file and the SYSTEM file, there are programs that extract the accounts and their passwords. They rely on cracking the hash (a hash is a one-way function): the program generates candidate passwords, converts each one to a hash, and compares it with the hashes in the SAM file. This can take a long time; for speed you can pay more money for ready-made hashes with their user names and passwords. The two programs are:

1-L0phtCrack v4.0 (also known as LC4), the most famous on the Net
2-SAMInside (http://www.insidepro.com/), which I include in the Downloads

I will quickly explain SAMInside.


This is the main window. Press Ctrl+O, or click Import SAM and SYSTEM with the mouse.


A window opens to import the two files; the program starts cracking the accounts and then displays the user names and their passwords.

Any other tool will do the job; try them all and pick your favorite. I explain SAMInside here because it gave me results for a 6-character password, and got it FAST.

8-Create a Hidden User Account

Windows NT, Windows 2000 and Windows XP have a security setting that hides accounts from the logon screen and from User Accounts in the Control Panel.

Pressing
Ctrl+Alt+Delete
gives you another logon dialog.


Steps:

1-After getting the Admin password, log on to the system.
2-Create an account with a password.
3-Click Start -> Run, type Regedit and press Enter.
4-Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList



5- Create a new DWORD value under UserList.
6-Name it with the name of the account to be hidden.
7-Set the value data of this DWORD to 0 to hide the account, or 1 to show it.
8- Close Regedit and reboot.
9- When the logon screen appears, press Ctrl+Alt+Delete; another logon dialog appears. Type your hidden user name and password and press Enter.

Note:

1- The account's profile will still be visible in \Documents and Settings, but the account will be hidden from the logon screen and from User Accounts in the Control Panel.

2-There is another method that injects your account directly into the Admin SAM without knowing the Admin password, but believe me, you won't expect the result; so try it only if you want to (if the password is hard to get).
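As an added example (not from the article or its Downloads), the following PowerShell script audits a host for the traces that the procedures in sections 6 and 8 leave behind: an account hidden from the logon screen through a 0 value under the UserList key, and an enabled administrator whose account is allowed to have no password. It assumes Windows 10 or later with PowerShell 5.1 (Get-LocalUser and Get-LocalGroupMember come from the Microsoft.PowerShell.LocalAccounts module) and an elevated session; the registry key is the one from step 4 of section 8, written with its real path ("Windows NT" with a space).

```powershell
# Added example, not from the article: audit local accounts for the traces
# left by sections 6 and 8 (an account hidden from the logon screen, an
# administrator that is allowed to log on without a password).
# Assumes Windows 10+/PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts)
# and an elevated session. Save as Audit-LocalAccounts.ps1 and run it.

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# Any value under UserList set to 0 hides the account of that name from the
# logon screen and from User Accounts in Control Panel (section 8, step 7).
$hidden = @()
if (Test-Path -Path $userListKey) {
    $item = Get-Item -Path $userListKey
    foreach ($name in $item.GetValueNames()) {
        if ([int]$item.GetValue($name) -eq 0) { $hidden += $name }
    }
}

# Members of the local Administrators group, reduced to the bare account
# name (Get-LocalGroupMember reports them as COMPUTER\name or DOMAIN\name).
$admins = @(Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { ($_.Name -split '\\')[-1] })

$report = foreach ($u in Get-LocalUser) {
    [pscustomobject]@{
        Name             = $u.Name
        Enabled          = $u.Enabled
        # False = the PASSWD_NOTREQD flag is set, so an empty password is
        # permitted. True does not prove the current password is non-empty.
        PasswordRequired = $u.PasswordRequired
        IsAdmin          = $admins -contains $u.Name
        HiddenFromLogon  = $hidden -contains $u.Name
    }
}

$report | Format-Table -AutoSize

# UserList names that match no local account are stale entries, not hidden
# users; list them separately so they are not mistaken for a finding.
$stale = $hidden | Where-Object { $_ -notin $report.Name }
if ($stale) {
    Write-Output ("UserList entries with no matching account: " + ($stale -join ', '))
}

# An enabled account that is hidden, or an enabled administrator that is
# allowed an empty password, is what the article's procedures produce.
$suspect = $report | Where-Object {
    $_.Enabled -and ($_.HiddenFromLogon -or ($_.IsAdmin -and -not $_.PasswordRequired))
}
if ($suspect) {
    Write-Warning ("Review these accounts: " + (@($suspect.Name) -join ', '))
} else {
    Write-Output 'No hidden or password-optional administrator accounts found.'
}
```

On a host where someone has followed section 8, the hidden account appears in the table with HiddenFromLogon set to True and is repeated in the warning line; the profile folder under \Documents and Settings that note 1 mentions is a second place to check by hand, since the UserList key hides the account only from the logon screen and Control Panel.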

9-USB Boot for FAT32, NTFS or Any File System


HP always amazes me. To do this we need two tools:

1- HP USB Disk Storage Format Tool v2.0.6. I include it in Downloads; if you want to find out more, go to http://www.hp.com/
2- NTFSDOS Professional Boot Disk Wizard. I include it in Downloads; if you want to find out more, go to http://www.winternals.com/


Just connect your USB storage device.
Steps:
1- Prepare a startup disk or startup CD, or any equivalent.
2- In the HP tool, select Device -> your USB storage device.
3- Select the file system FAT or FAT32.
4- Check the "Create a DOS startup disk" checkbox and then select the option "using DOS system files located at".
5- Browse to your location.
6- Click Start.
7- Now you have a bootable USB storage device.
8- Now run the NTFSDOS Professional Boot Disk Wizard, follow the wizard, and you will get an NTFS-capable bootable USB storage device.

Why do we need NTFS?
If the Windows system partition is NTFS, a normal startup disk will not be able to access any files, because MS-DOS does not recognize that file system. Installing NTFSDOS Professional on the bootable disk lets you access any file under NTFS.

Note:
Make sure the First Boot option in the motherboard setup is set to "USB-Hard Disk" if you want to boot from USB.

10-Motherboard Default Passwords, and How to Extract Them If You Are in the System


This subject is huge. I tried to find a simple or clever way, but as you know there are many PCs, many machines, many BIOS versions and updates, so I searched the Net for the best and list them below. If this doesn't help, I recommend you find the BIOS version and the motherboard model and search the Net (Google, Yahoo, Yahoo Groups and others); you will find something that helps.

HOW TO BYPASS BIOS PASSWORDS
http://www.elfqrin.com/docs/biospw.html

Removing a BIOS - CMOS Password
http://www.dewassoc.com/support/bios/bios_password.htm

How to Bypass BIOS Passwords
http://www.uktsupport.co.uk/reference/biosp.htm

How to Bypass BIOS Passwords
http://www.i-hacked.com/content/view/36/70/

Default Password List (2006-04-30)
http://www.phenoelit.de/dpl/dpl.html

Award BIOS backdoor passwords:
ALFAROME, ALLy, aLLy, aLLY, ALLY, aPAf, _award, AWARD_SW, AWARD?SW, AWARD SW, AWARD PW, AWKWARD, awkward, BIOSTAR, CONCAT, CONDO, Condo, d8on, djonet, HLT, J64, J256, J262, j332, j322, KDD, Lkwpeter, LKWPETER, PINT, pint, SER, SKY_FOX, SYXZ, syxz, shift + syxz, TTPTHA, ZAAADA, ZBAAACA, ZJAAADC, 01322222, 589589, 589721, 595595, 598598

AMI BIOS backdoor passwords:
AMI, BIOS, PASSWORD, HEWITT RAND, AMI?SW, AMI_SW, LKWPETER, CONDO

Phoenix BIOS backdoor passwords:
phoenix, PHOENIX, CMOS, BIOS

Misc. common passwords:
ALFAROME, BIOSTAR, biostar, biosstar, CMOS, cmos, LKWPETER, lkwpeter, setup, SETUP, Syxz, Wodj

Other BIOS passwords by manufacturer:

Manufacturer      Password
VOBIS & IBM       merlin
Dell              Dell
Biostar           Biostar
Compaq            Compaq
Enox              xo11nE
Epox              central
Freetech          Posterie
IWill             iwill
Jetway            spooml
Packard Bell      bell9
QDI               QDI
Siemens           SKY_FOX
TMC               BIGO
Toshiba           Toshiba
Toshiba           BIOS


Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left Shift key is held down during boot.

IBM Aptiva BIOS: press both mouse buttons repeatedly during boot.
General: SP3 password creation?
ingvar8
3:50 30 Jun '09  
How can I create a password for an SP3 (XP) system? The SAM file you attached is not working for me.
Is it possible to create a universal SAM file, without needing the SYSTEM file corresponding to the system?
General: Re: SP3 password creation?
haitham hamed housin
13:41 20 Aug '09  
You can create a free login account on SP3 and use its SAM. For a universal one I'm really not sure; the only way is to do a low-level comparison. And you know, now they have new OSes and new virtualization ideas, so don't waste your time; we are in a new age for security, virtualization security!
Question: DOS system files
Random Random2
2:09 12 Mar '09  
In the HP Format tool, where do I find my DOS system files?
Please help me.
Answer: Re: DOS system files
haitham hamed housin
4:12 12 Mar '09  
You should have a Win98 startup disk, or look for any virtual tool that makes a virtual floppy from an image of a startup disk.
Joke: Today Windows XP, tomorrow the WORLD!
Andrew Spiteri
2:24 24 Aug '07  
Thanks to ALLAH that you're plain stupid.
General: You have wrong concepts!
Mohamed Meshref
23:00 27 Apr '07  
Actually, using the security definition of a security vulnerability, this is not a security vulnerability, because you need to have physical access to the computer.

Putting information in the FAT table is just a hacky way of doing things; this is not an OS concept that is used in any operating system, and it is really bad. Want one reason?
I can then destroy your FAT table, and then build it again, and then, oops, I have total access to the machine because now it doesn't contain any stored password.

This is a nice effort, but please read more about operating systems design & development before jumping to conclusions!

And I'll give you one more free security tip: a password is always meant to support two things:

1- Prevent access by non-allowed users.
2- Hide the password itself.


Let's look at point 1. Now you have physical access to the machine, which means you can access every single file in Windows: you can copy files, you can open images, you can even copy the registry and do whatever you want. So having a good or bad password system here is useless; in this case the password was meant to prevent only people who don't have physical access.

Let's go to point 2. SAM is encrypted, as I remember, with 128 bits (I don't remember exactly, but I think it's 128). Keeping in mind that this is an encryption level used to prevent remote access to the machine, this number makes perfect sense in security; making it bigger is useless and wasted processing power.

So, in the end, I hope next time you spend some time reading about OS & security concepts before jumping into anything like that.


Mohamed Meshref
Software Design Engineer

General: Re: You have wrong concepts!
Mohamed Meshref
23:08 27 Apr '07  
And one more thing: you can even encrypt any portion of your files (under NTFS) using your user account (built-in Windows functionality), so when you change the SAM, the file won't be readable. Nice, huh?

Mohamed Meshref
Computer Science Ain Shams (4)
http://www.programmingplanet.net
IT and Game Developer
N.E.T Egypt
http://www.egnet4u.com
Microsoft DirectX Beta Tester
NVidia Registered Developer

General: Re: You have wrong concepts!
Mohamed Meshref
23:11 27 Apr '07  
I see that the comment was posted using my signature of 4 years ago :)

Mohamed Meshref
Software Design Engineer
Microsoft SQL Server Team

Question: WIN-Security [modified]
H0tHacker-07
21:28 22 Apr '07  
SALAM'ALAKUM :)

It's really wonderful. I never saw an article like this before. Thank you.

1- Is there another way to log on to WIN_XP_SP2 as Administrator without using passwords? I don't mean F8 (SAFE MODE).

2- If you set syskey on a computer, how could you remove it if you forgot the password?

Thank you :D

fiamanillah :->


-- modified at 2:43 Monday 23rd April, 2007

Life is easy if You take it easily

Answer: Re: WIN-Security
haitham hamed housin
12:34 5 Sep '07  
1- Explain more what you mean by login without password!
2- Just copy any encrypted file to a non-NTFS partition (floppy disk, USB flash) and guess what, the file loses the encryption ;) and you can access it.
General: Re: WIN-Security
tcpvipros
8:20 31 Oct '08  
What if the syskey can't be deleted? How can you disable the lock command of the administrator?
Question: Help
18:54 14 Feb '07  
I have reached the SAM files, but when I try to rename them there is an error, "duplicate file or used by another application", and if I try to delete them the error is "access denied". I am using NTFSDOS and booting from USB. Please help: what's the problem and how can I resolve it?

Thanks in advance


Shahi
Answer: Re: Help
haitham hamed housin
12:29 5 Sep '07  
I don't know what you are doing, but under DOS you can do anything!
You have the control now! Do the steps again carefully.
General: Mr, hi, how are you?
Haytham Haweamdeh
21:04 8 Feb '07  
Hi man, this is a nice one,
but is there a tool that can read the SAM file directly from DOS mode?



hawamdeh
General: Re: Mr, hi, how are you?
haitham hamed housin
12:35 5 Sep '07  
There is everything out there; just search and discover.
General: Nice Content Article
sumit siddheshwar
20:41 8 Feb '07  
:)

Sumit Siddheshwar

News: Need any files? Email: haitham_hamed@yahoo.com
haitham hamed housin
1:00 20 Aug '06  
This is for forwarding any missing or corrupted files.
General: Interesting article
Nick the gr8
12:38 28 Jul '06  
Dear Haitham,
Apparently your article addresses security issues in Windows XP; I have read it along with several articles discussing the same topic. I'd like to ask you: you mentioned that L0phtCrack or the other software used to crack passwords needs two system files, the SAM and SYSTEM, but in most cases getting these files over a network or from another PC in the workgroup is restricted. Plus, would you have any idea on how to use DOS to get such files, maybe through hidden shares like IPC and ADMIN...

Thanks for this article,
and I hope you give us more.



Nick the GR8
Answer: Re: Interesting article
haitham hamed housin
16:14 5 Aug '06  
Sorry for being late;
you want to catch the username/password through the network. Really, this actually happens, and more than this! Anyway, I have mentioned in another article a hack tip that allows you to catch the username/password:

http://www.codeproject.com/useritems/ShareWinXp.asp#11

After you get the hashes you can continue :-> Don't forget to vote, thanks.
Joke: afferin kâmil
Recep GUVEN
5:04 21 Jul '06  
thank you

Joke: Special thanks to Smitha Vijayan, Editor, The Code Project
haitham hamed housin
12:06 2 Jun '06  
She helped me with the link for NTFSDOS Professional, for legal copyright.

Thanks again, Smitha.
Joke: Another situation where you can use this!!!?
haitham hamed housin
2:12 2 Jun '06  
Someone came to my office and asked me for help: he had set a password but forgot it,
and he didn't know what to do.

So I applied my way, and it worked, so that is useful.
Joke: Why is this useful? For all, especially for IT (BE FREE)
haitham hamed housin
2:34 31 May '06  
You may work in a company, and this company gives you limited access on the PC you work on, so you can't listen to music from a CD because the IT administrator restricted your account, so you can't do anything.

So you can use this method to replace your existing account with a full-access account, so you can do everything and pretend that you are like the others.

I just mention this because of a call from my uncle asking me to do this.

And this is a simple situation I just heard about.

Is it nice to be free?
General: Re: Why is this useful? For all, especially for IT (BE FREE)
H0tHacker-07
21:34 1 May '07  
You can't use SAMInside under Limited and Guest accounts... So, what are you doing in this situation??!!!

Life is EASY
General: Security?
Tutu
23:58 29 May '06  
Hi,

1. Nice article.
2. This type of attack has nothing to do with WinXP. You can do the same on any other OS. If you have physical access to the machine, the security is already compromised. On any OS!
3. If you still want protection you enable EFS (Encrypting File System), and then you have no way of copying the password file.
4. If you need more security, you add the box to a domain, and then no passwords are stored on the local machine anymore.
5. If you have physical access to the box you'd better install a hardware key logger (http://www.keyghost.com/) and come back the next day to get all the usernames and passwords for the machine. Less work :D

I'm sorry, but your article is no more than a guide to "how to steal someone's documents from his desk if he has no deadlock on his house and you can open the door with a plastic credit card".

Tutu.


http://www.acorns.com.au


Last Updated 29 May 2009 | Copyright © CodeProject, 1999-2009