How to Reset a Windows Password Through a Backdoor

Check out my SysAdmin blog:
http://www.TheNubbyAdmin.com

Talk to me on Twitter:
https://twitter.com/#!/nonapeptide

Email me at:
nonapeptide@gmail.com

This screencast is the video counterpart to this article of mine:
http://www.simple-talk.com/sysadmin/g...

TechNet Link about EFS:
http://technet.microsoft.com/en-us/li...

What I used to create the presentation portions of the screencast:
http://prezi.com/

Important time links:
0:11 Disclaimer. Please take heed
0:52 What this backdoor will and will not allow you to do
1:45 How this will be done
4:03 Beginning of demonstration with victim PC
6:05 Brief discussion about EFS and why this password reset could cause data loss
7:47 Continuance of demonstration with the victim PC
14:33 Wrap up

Have some other topic you'd like me to explain in a screencast? Let me know in the comments.

Oh, and yes, I start sentences with the word "so" and "now" far too much. So, now, I'm going to try and stop doing that in future videos.

Closed Caption:

In this screencast I'll be showing you a simple back door that can be used to reset the password of any Windows account on virtually any version of Windows.

However, before we get started I need to mention two very important disclaimers. The first is that you should only use these techniques to access computers that you have a lawful right to access. I'm not condoning tampering with computers that you do not have the right to be accessing, and I do not intend this tutorial to be used for those purposes. Secondly, if you lose data, destroy your computer, make anyone angry, disrupt your day, give yourself a headache, or otherwise have bad things happen because of this tutorial, it's entirely your fault, so follow these instructions at your own risk.

With that out of the way, let's define some terms.
This method for resetting Windows passwords through a back door will perform a password reset. The nomenclature of the term "password reset" implies something a little different than just a password change. A password reset can be disruptive: resets do not perform any additional operations like changing the encryption keys that are associated with the user account, and we're going to find that out here shortly.

You should also know that this operation is not a crack. This is not a password recovery; you're not going to be able to see the user account's old password. There are entirely different methods for seeking to uncover an account password, but this tutorial doesn't touch on any of those. This method simply resets the account's current password to a new password of your choosing, and you will never see what the old password was.

So now that you understand what this method will and will not do, let's discuss a little bit about how we're going to be doing it. First off, physical access is a must. Now, that can be through physically touching the machine or a KVM over IP device with remote media; "with remote media" is important. This is not a method to reset a password over the network, so this won't work if you only have remote console access through, say, VNC, RDP, or some other remote access tool like Bomgar or TeamViewer. The whole method hinges on having physical access to the PC, because ultimately the goal of this technique is to acquire unencrypted offline access to the Windows System32 folder and rename a single executable file within that folder. You can use any number of methods to do this, including sliding the drive into another PC and browsing the file system, using a Windows installation disk, or using any other bootable media, really, that can interact reliably with the NTFS file system, so for instance a Linux live image on a CD or USB drive. You can use a recovery partition like you might find on a consumer PC. Whatever you do, it really doesn't matter as long as you have unencrypted access to the System32 folder while the Windows instance itself is not running, because it won't let you rename anything within System32 if it's running.
So now would be a good time to mention that if someone has physical access to a computer and is intent on doing mischief, they pretty much own that computer in question. So keep your physical assets safe, and that's actually where drive encryption can really help you out, if it's the right kind. There are different kinds and different levels of encryption, and not just encryption key strength but also methods such as volume versus disk encryption, and that's a little bit outside the scope of this video.

Now, notice how I said you need unencrypted offline access to the System32 folder. That's because if you're trying to perform this method for resetting a password on a Windows machine, drive encryption is going to ruin it for you if the boot volume is encrypted. That's actually pretty rare, though, so you probably don't have to worry about it.

That's the breakdown: we need physical access to the computer and offline, unencrypted access to the Windows System32 folder. Let's move to our victim PC.
This PC is running Windows 7 Professional; I'll show you right here: Windows 7 Professional Service Pack 1. I'm logged in right now, and of course I know the password to this account, so I'm going to set the password to something random right off the cuff, or just hammer on the keyboard here, so there's no way that I can possibly remember that, at least not with my memory. So let's go set the password to this complex one, and there we go, we've set our password.

So let me now draw your attention to this folder on the desktop here. This is encrypted with EFS; I'll prove it to you: "Encrypt contents to secure data" is selected. There's a visual indicator within the folder: notice that all the file names are in green. Notice that these files themselves are also encrypted, and notice that I can see inside these files.

So I am going to log out and we're going to get going with the password reset demonstration. However, before I do, let me set the stage for a demonstration of how Windows handles EFS and why this is actually going to be important any time you reset a password using this method.
EFS stands for Encrypting File System, and it's a technology within Windows that allows users to easily protect their files with encryption. The following information that you see here is taken from TechNet at microsoft.com, and a link to the specific article is in the notes below the video if you're watching on YouTube or Vimeo. I won't read it all, but what this means in a nutshell is that EFS keys are protected by each user's account password, so if you lose your account password you lose access to any files protected by EFS.

EFS is performed at the file system level, basically within NTFS itself, so applications have no clue about it; they don't have any role to play in the encryption of the files as they are written to disk. EFS-encrypted files can only be decrypted through the key pair that is itself encrypted using your account password. Properly changing your password will change the encryption keys, and that's why you're not going to lose access to your EFS-encrypted files. A proper password change is done through the Control Panel or by pressing Ctrl+Alt+Del and changing your password from the options presented to you there. Resetting a password using the method that we're about to use is not going to update the EFS key pair, and thus you will lose access to any data that's encrypted using EFS. Of course, there are caveats to the danger of losing access to your data, and those involve setting up designated recovery agents before any password resets are performed, but those topics are beyond the scope of this screencast. If those sound of interest to you and your situation, then I advise you to Google that.
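The narration above warns that a hard reset strands EFS-protected data unless a recovery agent exists. The PowerShell below is an added example, not part of the screencast: it inventories EFS-encrypted items under a profile path (a placeholder) and prints cipher.exe's per-file report of who can decrypt and which recovery certificates apply, so an administrator knows what is at risk before any reset. It assumes Windows Vista or later (for `cipher /c`) and PowerShell 3.0 or later, run as a user who can read the profile.

```powershell
# Added example, not part of the screencast: list EFS-encrypted items under a profile
# and show cipher.exe's decryptor/recovery-agent report for each file, so the data a
# hard password reset would strand is known in advance.
# Assumptions: Windows Vista or later (cipher /c), PowerShell 3.0 or later, run as a
# user who can read the profile. $Root is a placeholder path.
param(
    [string]$Root = 'C:\Users\PLACEHOLDER_USER',
    [int]$MaxReports = 5
)

# EFS flags encrypted files and folders with the Encrypted attribute; Explorer renders
# that attribute as the green names seen in the video.
$encrypted = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) }

if (-not $encrypted) {
    Write-Output "No EFS-encrypted items under $Root; a password reset strands no data here."
    return
}

Write-Output ('{0} EFS-encrypted item(s) under {1}:' -f @($encrypted).Count, $Root)
$encrypted | ForEach-Object { Write-Output ('  ' + $_.FullName) }

# cipher /c prints "Users who can decrypt" and "Recovery Certificates" for a file.
# An empty recovery section means only the owner's key pair (itself protected by the
# account password, as the narration explains) can open the file after a reset.
$files = @($encrypted | Where-Object { -not $_.PSIsContainer } | Select-Object -First $MaxReports)
foreach ($f in $files) {
    Write-Output ''
    Write-Output ('cipher /c report for {0}:' -f $f.FullName)
    & cipher.exe /c $f.FullName
}
```

Run it against each profile on the machine before resetting; any file whose report lists no recovery certificate is exactly the data the narration says a hard reset will cut off.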
Let's get back to our victim PC. So now that I've explained all that to you, it's time to log off. At this point, after all that talk about EFS, I have no recollection of what that password is that we changed, so I can't get back in; I pretty much locked myself out of this PC.

Take a look down in the lower left corner of the login page. You see this little icon? That's the accessibility options icon, and probably not a lot of people have ever looked at or even noticed it was there, and if they did, they probably never clicked on it. When we press it, we see that we have various options to launch some basic accessibility utilities; for example, we have the On-Screen Keyboard here, which is helpful if we have a tablet or some kind of touch screen.

What you don't see is that the executables that are launched from the accessibility options tool down there in the lower left-hand corner are all running as the SYSTEM user. The SYSTEM user is basically the granddaddy of all Windows users, so we have the On-Screen Keyboard running right now as the most powerful user on this computer; it's the most powerful on-screen keyboard you will ever see.

Now is when our boot disk comes into play, or any of the other offline access methods that were listed earlier in this video, such as a bootable USB drive or recovery partition.
I'm going to be using a Windows installation disk to gain offline access to this hard drive. In fact, I'm going to go old school just for kicks, and I'm going to use a Windows 2000 Server CD. So let's boot into that. Boy, that brings back memories. I'm going to skim over the options that I choose here; it's just the standard options that you would choose to get into the Windows Recovery Console on an older version of Windows. It's going to get us into a command prompt where we can make a few changes to the underlying file system on the hard drive, so this part really isn't that important.

So let's move to the System32 folder. Now, I happen to know that the On-Screen Keyboard's executable is osk.exe, and there you see it. I also know that of course the command prompt is cmd.exe, so what would happen if we simply renamed cmd.exe to osk.exe? Let's find out. And it's as simple as that. Let's reboot.
So now we're back at the login screen, and of course I still can't log in; I don't remember the password. Let's see if the On-Screen Keyboard will help us. That is a funny looking on-screen keyboard. Even more importantly, look at that: I am the SYSTEM user. At this point it's just a matter of changing passwords using good old net user, and that's my password, by the way: "letmein". And notice there's no smoke and mirrors here; this is a seven-character password, and if you remember the password that we reset it to, that big long junk password was well more than 7 characters. Look at that: we now have access to the account that we locked ourselves out of over here.

Now notice the command prompt is still up; it stays with you, but notice that I am now the user account rather than the SYSTEM account. Now, we could have just as easily done this to add a user instead of modifying an existing user's password. For example, we could have gone... and of course I'm denied, because I'm not at an elevated command prompt, but the idea is, if you wanted to add a user rather than tamper with an existing user, that's just another option. Now, if we had created a new user we wouldn't have to worry about losing access to EFS-encrypted files, like, for instance, these. We can open up the folder, but notice we can't get to any of these files: access is denied.
Now, it might seem kind of hopeless at this point, but I've found that if you reset your password back to what it was previously, or back to what it was the last time you did a proper password reset, you can access those EFS-encrypted files again. So let's reset the password back to the complex one that we had set before, which is this one. The current password is "letmein", and I paste the new old password, the one we reset. You'd think that we'd at least have to log off and log back on again to be able to access EFS-encrypted files, but in fact we don't. So there we are: we can access the EFS-encrypted files once we set the password back to what it was the last time it was properly set.

And that's a good point to keep in mind: we could have reset this password hard like this, using this little backdoor method, a dozen times over the course of a month, and we'd still have to go back to the last password that was changed gracefully, which in our case was this one right here. That is how you defeat account security in Windows if you have physical access to the PC and unencrypted offline access to the System32 folder.
Don't forget to go back and rename the command prompt that we renamed to osk.exe. Of course, you're going to want to rename osk.exe back to its original name if you want that, because otherwise you have this gaping security hole just sitting there waiting for someone to use it.

If you found this video to be useful and you watched it on YouTube, please like it with the thumbs up button and subscribe to see more videos. If you watched this on Vimeo, please like it with the heart button and subscribe to my video uploads. Check the notes below these videos if you're watching them on YouTube or Vimeo for some more information and cool links. Feel free to share this video or embed it anywhere that you think people would appreciate it. Thanks for watching.
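The "gaping security hole" the narration describes is a cmd.exe sitting in System32 under an accessibility tool's name. The PowerShell below is an added example, not from the screencast, that a defender can run on a live machine to find that swap: it hashes each accessibility executable the logon screen launches as SYSTEM against cmd.exe and checks the version resource's OriginalFilename. It assumes PowerShell 4.0 or later (for `Get-FileHash`) run elevated on the install being inspected; the list of file names is this example's own choice.

```powershell
# Added example, not part of the screencast: check the accessibility executables that
# the logon screen launches as SYSTEM for the rename shown above (cmd.exe stored as
# osk.exe). Assumptions: PowerShell 4.0 or later (Get-FileHash), run elevated on the
# Windows install being inspected; the list of names is this example's own choice.
function Test-AccessibilityBinaries {
    param([string[]]$Names = @('osk.exe', 'Narrator.exe', 'Magnify.exe'))

    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdPath  = Join-Path $system32 'cmd.exe'
    $cmdHash  = $null

    if (Test-Path -LiteralPath $cmdPath) {
        $cmdHash = (Get-FileHash -Path $cmdPath -Algorithm SHA256).Hash
    } else {
        # A plain rename (rather than a copy) leaves cmd.exe absent; that is a finding too.
        [pscustomobject]@{ File = 'cmd.exe'; Status = 'missing'; Detail = 'cmd.exe absent from System32' }
    }

    foreach ($name in $Names) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Status = 'missing'; Detail = 'not present in System32' }
            continue
        }

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        # The version resource travels with the bytes, so a renamed cmd.exe still
        # reports cmd's own OriginalFilename. -ne is case-insensitive in PowerShell.
        $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename

        if ($cmdHash -and ($hash -eq $cmdHash)) {
            # Byte-identical to cmd.exe: exactly the swap performed in the screencast.
            $status = 'BACKDOOR'; $detail = 'file is identical to cmd.exe'
        } elseif ($orig -and ($orig -ne $name)) {
            $status = 'suspicious'; $detail = "version info says OriginalFilename=$orig"
        } else {
            $status = 'ok'; $detail = "OriginalFilename=$orig"
        }
        [pscustomobject]@{ File = $name; Status = $status; Detail = $detail }
    }
}

# Note: Get-AuthenticodeSignature is not a substitute for this check. System32 binaries
# are catalog-signed and catalogs are matched by file hash, not file name, so a renamed
# cmd.exe still verifies as a valid Microsoft binary.
Test-AccessibilityBinaries | Format-Table -AutoSize
```

A BACKDOOR or suspicious result calls for the cleanup the narration describes: put the genuine accessibility binary back under its own name and restore cmd.exe.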

Video Length: 15:26
Uploaded By: Wesley David
View Count: 3,344,910

Copyright © 2025, Ivertech. All rights reserved.