In Windows XP, passwords (more precisely, password hashes) are stored in the SAM file located in the system32 folder. The operating system does not provide a way to view this file. The main ways to find out the administrator's password on a local network are traffic sniffing, used to intercept password hashes, and brute-forcing the passwords of shared resources.
You will need
- a sniffer program;
- the smbrelay utility;
- a password brute-force utility.
Instructions
Step 1
Send an HTML-format email to the administrator of the remote computer. Place a link in the message, for example to a picture located on a shared resource on your computer. When the mail client opens the message, it sends a request to open the file from the shared resource. When the share is connected, intercept the LanMan hash with the smbrelay utility.
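A defender-side check for the technique described in this step, added here as an example that is not part of the original page: it scans an HTML message body for image, link or object references that point at a UNC path or a file: URL, which is exactly the kind of reference that makes the recipient's client open a share and authenticate to it. The sample message is constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample message body (not from the original page): two references
# point at a share, two are harmless.
SAMPLE_MAIL = """<html><body>
<p>Quarterly report attached.</p>
<img src="\\\\fileserver01\\public\\logo.png">
<img src="https://example.test/banner.png">
<a href="file://fileserver01/public/report.doc">open the report</a>
<img src="cid:inline-image-1">
</body></html>"""

# A UNC path (\\host\share\...) or a file: URL; either makes the client open
# the resource over SMB and authenticate with the reader's credentials.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")
FILE_RE = re.compile(r"^file:", re.IGNORECASE)

def is_share_reference(value):
    """True if the attribute value points at a file share rather than the web."""
    v = value.strip()
    return bool(UNC_RE.match(v) or FILE_RE.match(v))

class ShareReferenceFinder(HTMLParser):
    """Collects (tag, attribute, value) for attributes that fetch a resource."""
    WATCHED = {"src", "href", "background", "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in self.WATCHED and is_share_reference(value):
                self.findings.append((tag, name.lower(), value.strip()))

    # Self-closing tags such as <img ... /> are reported the same way.
    handle_startendtag = handle_starttag

def find_share_references(html):
    """Return every share reference found in an HTML message body."""
    parser = ShareReferenceFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for tag, attr, value in find_share_references(SAMPLE_MAIL):
        print(f"share reference in <{tag} {attr}>: {value}")
```

A mail gateway or client-side filter can quarantine or rewrite messages for which this returns a non-empty list; the same check applies to the background attribute of body and table tags.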
Step 2
If the built-in "Guest" account is not blocked (and therefore access to the system registry is allowed), place the remote administration program in the shared file-sharing folder. In the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, create a value containing the path to this program.
Step 3
To plant the remote administration tool, use the Explorer error in handling file extensions. Create a batch file named Readme.txt that creates a share with full access to drive C. Give the share a non-suspicious name, such as TEMP$. In this case, the file to be launched is displayed with the txt extension, and the program for remote control of the computer is located in the same folder with it.
Step 4
To find out the administrator's password for a computer running Windows NT / 2000, use one of the password brute-force utilities: NAT, RedShadow, Brutus-AE, or any other that can be found publicly on the Internet. Passwords can be enumerated either from a dictionary or by simple exhaustive search; the second method is the most effective.