Hello! This is my first post on this awesome website! I know that Windows exploits are less common than the more advanced hacks, but I found something I deem pretty cool and figured why not share it with you all. Alright, enough about me, lets begin.
Warning: This resets your password, it does NOT tell you what your old password was, making things such as the windows password based encryptions unaccessible, as this isn't changing your password, so it will not update.
This exploit takes advantage of the ease of access tool on the login page by 'tricking' windows into launching a fully privileged command prompt by selecting 'on the screen keyboard' this is done by renaming the on the screen keyboard exe to something random, and renaming the cmd.exe to on the screens previous name. It will all make since later.
In this case, I am going to be using Kali. Although you can use many different linux distros or even a windows disk/usb, as long as you can access the terminal/command prompt your good.
I'm going to infer you know basic navigation and be able to navigate to the Windows partition.
In my case, im currently writing this on my laptop rather than my desktop, so my Windows is known as BOOTCAMP, as I am on a macbook with Windows dual booted.
Once you reach this location, cd to Windows, then to System32.
oks.exe is the name of the ease of access 'On screen keyboard' file. Rename this using whatever your systems rename command is, in Kali the command would be: mv osk.exe osk.exe.old
Now I'm sure you see how this works, but ill explain it anyways. Basically, when you press 'on screen keyboard' in the ease of access terminal, Windows launched osk.exe, which normally is the on screen keyboard application. But we changed it to launch cmd instead. Like magic.
Command: <system rename command> cmd.exe osk.exe
Kali: mv cmd.exe osk.exe
I found this picture off of the interwebs, but what you normally see should be something like this. After going through all the steps above, you should instead see a command prompt.
Sorry for crappy picture, couldn't find how to take screen shot on login menu.
Now you can type in the magical command to change the password.
The Command: net user <USERNAME in quotes> <PASSWORD>
Example: net user "Admin" temppass
If you don't know the password type in net user and locate it there.
Net User - /More Info Here
Viola, you can now login with whatever password you typed in. If you want to reset it simply go back to Kali and redo what you've done! Rename osk.exe to cmd.exe and rename osk.exe.old to osk.exe
Well that's it for my first post! I came across this exploit a while ago and found that it still works so I don't know how common this is or anything like that. Hopefully its not too popular and too many this article is something new! Well, Enjoy!
Want to help support Null Byte and start making your own money as a white hat hacker? Jump start your White-Hat Hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from Ethical Hacking Professionals.