Hello! This is my first post on this awesome website! I know that Windows exploits are less common than the more advanced hacks, but I found something I deem pretty cool and figured why not share it with you all. Alright, enough about me, lets begin.
Warning: This resets your password, it does NOT tell you what your old password was, making things such as the windows password based encryptions unaccessible, as this isn't changing your password, so it will not update.
This exploit takes advantage of the ease of access tool on the login page by 'tricking' windows into launching a fully privileged command prompt by selecting 'on the screen keyboard' this is done by renaming the on the screen keyboard exe to something random, and renaming the cmd.exe to on the screens previous name. It will all make since later.
Step 1: Launch Any OS That Allow Full Access to the Windows Folders
In this case, I am going to be using Kali. Although you can use many different linux distros or even a windows disk/usb, as long as you can access the terminal/command prompt your good.
Step 2: Navigate to Sys32
I'm going to infer you know basic navigation and be able to navigate to the Windows partition.
In my case, im currently writing this on my laptop rather than my desktop, so my Windows is known as BOOTCAMP, as I am on a macbook with Windows dual booted.
Once you reach this location, cd to Windows, then to System32.
Step 3: Rename osk.exe to osk.exe.old
oks.exe is the name of the ease of access 'On screen keyboard' file. Rename this using whatever your systems rename command is, in Kali the command would be: mv osk.exe osk.exe.old
Step 4: Rename cmd.exe to osk.exe
Now I'm sure you see how this works, but ill explain it anyways. Basically, when you press 'on screen keyboard' in the ease of access terminal, Windows launched osk.exe, which normally is the on screen keyboard application. But we changed it to launch cmd instead. Like magic.
Command:
Kali: mv cmd.exe osk.exe
Step 5: Launch Windows and Select 'on Screen Keyboard' in Ease of Access Menu
I found this picture off of the interwebs, but what you normally see should be something like this. After going through all the steps above, you should instead see a command prompt.
Sorry for crappy picture, couldn't find how to take screen shot on login menu.
Step 6: Resetting the Password
Now you can type in the magical command to change the password.
The Command: net user
Example: net user "Admin" temppass
If you don't know the password type in net user and locate it there.
Net User - /More Info Here
Step 7: Finished! You Can Login Now!
Viola, you can now login with whatever password you typed in. If you want to reset it simply go back to Kali and redo what you've done! Rename osk.exe to cmd.exe and rename osk.exe.old to osk.exe
Well that's it for my first post! I came across this exploit a while ago and found that it still works so I don't know how common this is or anything like that. Hopefully its not too popular and too many this article is something new! Well, Enjoy!
Comments
No Comments Exist
Be the first, drop a comment!