Hello everyone,Let’s do some fun stuff by bypassing windows login screen.For this,you must have a physical access to the victims pc.For this You need to create a bootable usb(8–16gb storage flash drives are prefered).For Practice,i’m going to do this in my parallel’s desktop.Now let’s begin..
→Physical Access to the victims PC.
Creating a Bootable Image:
Now download the Win32diskimager from the above link.If u want to use rufus,it is also fine.Plug-in your USB device.
Run the win32Diskimager.
Select the image file by clicking on the folder icon and select your kali.iso.
Now select your device
in my case,i’m not using any usb here.In your case ,it will show ur usb device here. And click on write..
It will take sometime to write all the data.Once it done remove your usb .
Now we’ve successfully created a bootable usb.We must carry a bootable usb.so,that we can boot kali from any windows machine.
Use can directly boot into the kali machine by using ur usb.But now,i’m going to use my parallel’s desktop.So,For booting into kali in a virtual machine,we need to make some changes to the settings.First,go to ur VM settings..
Go to cdrom and select the image .
So,connect the cdrom to the device.
So u can see the cdrom is mounted..Now let’s Change the boot order in boot settings.Before changing the boot order shutdown the windows machine.
change the settings like the above shown in the screenshot.Now let’s boot up windows machine.
Here is our boot manager,select the EFI DVD/CDROM from legacy Hard Drive.
Now Boot into forensic mode.
After booting into the system.Let’s mount the windows local C folder.
Open disks in kali linux and mount the windows partition..
It’s time to play with The SAM file.
Let’s change your directory Winows local Disk C.
We can see the Windows folders Right..? Now Let’s turn your Direction to the config folder.
There we can see SAM file.Now It’s time to call our chntpw to do the magic.In the method we are going to clear the password.
Use ‘chntpw SAM -l’ to list all the user accounts.
Now let’s try to clear the admin password.
use ‘chntpw -i SAM’. This command will give us a interactive session..
Now select 1.
This will show the usernames and their RID’s.Now select the administrator account.In my case it is sampathpendurthi (03e8).
it will show the information about the selected user.Now let’s clear the password by selecting 1.
And it’s done.After that select q to quit and it will prompt to save the file or not.Say yes and it’s done.we’ve successfully clear the password of a windows user.
Now reboot the system.And it will directly login into the sampathpendurthi..
Now in this method,we are going to open a cmd window in the login screen.Now let’s begin.
Boot into linux in forensic mode mentioned as above.
Mount the windows partition and open it in explorer.
So the above screenshot show the folder that are present in the windows folder.
The main aim is to get a command prompt window in the login screen.so that, we can change the password.
Now search for utilman.exe in the search bar
Now rename this Utilman.exe to someother name.in my case i’m changing it to utilman1.exe
Now search for cmd.exe and change that name to Utilman.exe
we’re with it.Now let’s boot into windows ..
As u can see it’s asking for password,but i don’t know the password.You can see the “ease of access” on the left of power button.Now click on it.
It will open the command prompt with admin rights where we can change the password..
As u can see my command prompt is opened and type the following command to change the password of the user..
“net user sampathpendurthi hacker”
In my case the username is sampathpendurthi.
And hit enter and there u go .U have successfully changes the password of a windows user….
→U can also use WCE(Windows Credentials Editor) if u r using windows7.
→U can also use mimikatz to get the hash u can crack that hash using john.
If u r facing any permission errors in the linux while renaming the files.boot into windows.While in the login screen reboot it and boot into kali again.
Follow for more stuff like this.