Use Acccheck to Extract Windows Passwords Over Networks
Sometimes you need a password to gain access to an older running Windows system. Maybe it's a machine in your basement you forgot about or a locked machine that belonged to a disgruntled employee. Maybe you just want to try out your pentesting skills.
When you need to access a running Windows system, you can use a dictionary attack tool like acccheck to brute-force the admin's username and password as long as it's older Windows system (XP and earlier, possibly Windows 7).
Acccheck looks at Windows SMB protocol authentication, specifically the administrator account, and works over the network. Of course, if you have physical access to your machine, there are other ways to get the password, but if not, acccheck is a good tool. And best of all, it's built right into Kali.
Acccheck is included in Kali, so fire up a terminal and start the tool with:
It will tell you a couple different ways to run the script, but you can run it straight away using the following basic syntax, where -t indicates a single host, and IP ADDRESS is the host IP of a Windows machine.
acccheck -t IP ADDRESS
That command will scan the IP address with the default "administrator" username and a blank password. It might not work, but you never know until you try!
Unless you were really, really lucky, you got into the Windows computer in question already. If not, you'll have to get a little more detailed with your hack. We can be a little more thorough running the acccheck command with a few more parameters, such as:
acccheck -t IP ADDRESS -u USERNAME -p PASSWORD
In this command, -t is single host request, IP ADDRESS is your target Windows machine, -u USERNAME is the username you want to try, and -p PASSWORD is the password you think will work. Below, I'm trying "admin" and "password123" on the same machine.
If acccheck has success logging in, it creates a file called "cracked" in your working directory upon completion. After I tried a few more username and password combinations, I saw this file:
Investigating the file, I can see the IP, username, and password that worked for me. If you get on my network, you might get into 10.0.2.15 with amuck/bluesky123 as you can see below.
So now let's check out what more we can have acccheck do. Because it's a password cracker, acccheck accepts dictionaries, as well as any list of usernames you might have. On Kali, we can point at the stock dictionaries and username files, which are relatively large, and see if we have success. Below are the locations for these files.
- /usr/share/dirb/wordlists/big.txt (dictionary file)
- /usr/share/dirb/wordlists/others/names.txt (username file)
And this time, because you have more than one password and username to try, the syntax is a bit different—you'll need an uppercase -P and -U, which tells acccheck to search the passwords and usernames in the files. All together, this longer command is:
acccheck -t 10.0.2.15 -U /usr/share/dirb/wordlists/others/names.txt -P /usr/share/dirb/wordlists/big.txt
To reiterate, the uppercase letters are needed because we're calling files this time, not just words. And don't forget to use your own target IP address!
Danger: Running the command above will take a long time. The big.txt file is indeed big, and acccheck is checking all of the usernames you selected against all of the passwords, making this task very intensive! In the image above, produced when I ran the "top" command, you can see acccheck running, and it remained running for hours before I stopped it! (I eventually ran kill 19959 in a terminal, since I ran it against a VERY strong password.)
Acccheck can use more than the default username and password list included in Kali—we can use our own dictionary file, and our own list of usernames, too.
Here, I've used a popular dictionary file along with a standard list of Windows admin usernames as my password field (just admin, Admin, administrator, and Administrator). The same uppercase -P and -U apply, because I'm calling files and not just passing individual words. My command is a lot shorter this time, however, because my files are located in the working directory:
acccheck -t 10.0.2.15 -U mynames.txt -P mypasswords.txt
If you've had success running acccheck against a Windows machine and it generated a valid cracked file, you should consider renaming the cracked file with a logical name, possibly including the IP address, to keep things straight moving forward. Here, I renamed my successful cracked file for 10.0.2.15 to something I will recognize in the future (cracked-10-0-2-15):
To get really aggressive, you can use an uppercase -T in your command to run acccheck against a range of IP addresses, not just one target IP address. I won't get into that here, but those files work the same as usernames and passwords, so get creative.
And as with many similar Windows exploits, pre-scanning your target IP to look for vulnerable ports is always a good idea, and Nmap is a good way to do just that.