Introduction: How to Gain Access to All Accounts on a School/work Network.
I got a request to make this instructable.
I will explain to you how you get the password of the local admin, network admin, and everyone else on the network.
Disclaimer: This instuctable is for educational purposes only, doing this at your own school may get you expelled or worse.
Only do this when you have permission from the system admin.
Note: GETTING THE NETWORK ADMIN does not work everywhere, you have to be lucky.
Note: the files used do not contain viruses, no matter what the scan says, just press "don't do anything".
Step 1: YOUR TOOLS
- An usb drive with a special PHP file I made. I'll give it to you during this instructable
- A bootable linux distro (I use knoppix, but feel free to use everything else)
- A usb drive with the programs "Saminside" (check insidepro.com) and "Fgdump" (on foofus.net/fizzgig)
Step 2: GETTING THE LOCAL ADMIN Part 1 Version 1
Skip this if the target doesn't have a webserver
Boot the computer and insert your usb drive.
Copy the file called pwd.php in the htdocs folder on your webserver
surf with your browser to http://localhost/pwd.php
Don't type anything in the fields and click the submit button.
If the virus scanner gives you a warning try version 2 (you will need the program saminside and the linux distro)
You will be sent to the next page, download the file from the link to your usb drive and for the love of god REMOVE PWD.PHP AND THE JUST CREATED FILE FROM THE HARDDRIVE
you can skip version 2 and go to GETTING THE LOCAL ADMIN part 2
Step 3: GETTING THE LOCAL ADMIN Part 1 Version 2
Skip this if version 1 worked
turn off the computer and boot into linux using your CD
once it's booted get into the harddrive and go to WINDOWS/System32/config/. Then copy the sam and sytem files to your usb drive
boot back into windows, start Saminside and import the sam and system files, then export to pwdump
Step 4: GETTING THE LOCAL ADMIN Part 2
GETTING THE LOCAL ADMIN part 2
Now you've got the pwdump file open it in notepad
copy the line which contains the word admin or administrator onto your clipboard and go to http://plain-text.info.
Wait until lm has 0/2 or 1/2, click add hashes, paste what you copied into the messagebox, choose algorytm LM, enter the code and press send.
You will be sent to a list of hashes, yours is probably on top (the first lm)
F5 until the value is cracked, the value will be the password.
Step 5: GETTING THE NETWORK ADMIN Version 1
Skip this if the computer you're on doesn't have a webserver.
Wait until you see the network admin get behind a computer, find out the name of that computer (it's usualy written on the monitor) and open pwd.php in your browser again.
As user, type the admin username (the one you got with "getting the local admin") and the matching password. As domain you type the name of the targeted computer.
Press cache and press submit, download the cachedump file, open it with notepad and do as GETTING THE LOCAL ADMIN part 2 says.
Pick the one with an @ symbol in it, it's probably a network admin or another network user.
Also, remember the part behind the @, because it's the login domain
note: you may want to turn off the antivirus before doing this, just make a shortcut to taskmgr, run it as the local administrator (ya know the pass) and turn it off.
Step 6: GETTING THE NETWORK ADMIN Version 2
skip this if version 1 worked
Wait until you see the network admin get behind a computer, find out the name of that computer (it's usualy written on the monitor)
Start CMD as an administrator by creating a shortcut to cmd and running it as the admin (use the username and password gotten at GETTING THE LOCAL ADMIN)
go to the folder where you've put Fgdump and type:
*fgdump -w -h (name of computer) -u (stolen username) -p (stolen pass)
If you're lucky a file will be created with an cachedump extention, open it with notepad and do as GETTING THE LOCAL ADMIN part 2 says.
note: you may want to turn off the antivirus before doing this, just make a shortcut to taskmgr, run it as the local administrator (ya know the pass) and turn off the virus scan from there.
Step 7: GETTING ALL PASWORDS ON THE NETWORK
Find out the domain of the login server (it's shown on the login screen and it's in the cachedump).
Start the php file or cmd (depends on if you have used version 1 or 2 until now).
On the php script: as domain type the domain you just found, the username is the network admin's name and pass is his password. Select hash and the rest goes as in getting the local admin.
If you use cmd: go to the right folder and type
*fgdump -c -h (login server) -u (stolen username) -p (stolen pass)
in which the username and pass belong to the network admin.
Open the pwdump files and do as you've done twice before with the names of your choice.
sape2887 made it!