Tuesday, July 28, 2009

There are many freewares thats capable of generating random passwords for you if you couldn’t think and decide what password to use for your internet banking, emails, user account and etc… It’s not that hard to program something like that, that’s why most of random password generators are offered free. A good password will have numbers, letters, and special characters with at least 8 characters. Now you don’t have to download and install any random password generators even though it’s free because Windows already has one built-in! And it’s capable of setting the random generated password as your Windows user account’s password.

Run command prompt

by clicking on Start, then run..
Windows Start Run
and type the word ‘CMD‘. Click OK
Windows Command Prompt

On the command line you can type:
net user [username] /random (an example below)
Generate Random Password from Windows

Now the password for the user “administrator” is “NP3pnbZ8“. This method only works for LOCAL account. One important note, be very careful with random password because you won’t remember it unless you memorize it or write it somewhere otherwise you won’t be able to login to Windows. If you’ve forgotten the random password, read this article on how to hack into Windows without knowing the password.

Two of the best ways to login to Windows if you’ve forgotten the password is by reseting the password or replacing sfcfiles.dll with a cracked one to allow login with any password. However, a lot of anti-virus detects the cracked sfcfiles.dll as a hacktool and it prevents the DLL file from loading making it unusable.

The best and highly successful way to login to Windows if you’ve forgotten the password is by resetting the password. All you need to do is put in a BootCD, boot up with it and follow the simple instructions to reset any user’s password. No bruteforce cracking, modifying of cracked DLL files….

Today I found a software that’s better and more powerful than Windows Key included in Passware Kit Enterprise.

Active@ Password Changer is designed for resetting local administrator and user passwords on Windows XP / VISTA / 2003 / 2000 / NT systems in case an Administrator’s password is forgotten or lost. You do not need to re-install and re-configure the operating system.

Forgotten password recovery software has a simple user interface, supports multiple hard disk drives, detects several SAM databases (if multiple OS were installed on one volume) and provides the opportunity to pick the right SAM before starting the password recovery process. It displays a list of all local users. The software user simply chooses the local user from the list to reset the password.

This is the part which makes Active@ Password Changer better than Windows Key. Other Windows login security restrictions like ‘Account is disabled‘, ‘Password never expires‘, ‘Account is locked out‘, ‘User Must Change Password at Next Logon‘ and ‘Logon Hours‘ can be changed or reset.
Reset Administrator Password
You’ll be surprised that this feature is included in the DOS version!
Hack Administrator Password

Windows Key only works in DOS but Active@ Password Changer has program for Windows and DOS. Surprisingly, Active@ Password Changer only cost USD59.99 while Windows Key cost US195.00 for the Professional version and USD295.00 for the enterprise version. Obviously you’ll purchase Active@ Password Changer if given a choice as it’s cheaper and better.

Free Demo version allows you to detect the correct Windows SAM database, view the user list and specific user attributes. Professional version allows the user to actually reset passwords and attributes.

P/S: The retail version of Active@ Password Changer Pro v3.5 build 0067 has already been leaked out. But very sorry, I am unable to provide the links. Please do NOT ask or request for it here. Use your friendly Google ;)

[ Download Active@ Password Changer Demo ]

A method to login to a password protected Windows even if you do not have the password is by making Windows accepting any passwords.
There is a far better way to get into Windows XP. It is easy and it does not reset the password. Hack into a computer running Windows XP without changing the password and find out all and any passwords on the machine (including admin accounts). You do not need access to any accounts to do this. Of course, do not do this on anyone elses computer without proper authorisation.
Bypass Windows Login screen

Steps to Hack into a Windows XP Computer without changing password:

1. Get physical access to the machine. Remember that it must have a CD or DVD drive.
2. Download DreamPackPL HERE.
3. Unzip the downloaded dpl.zip and you’ll get dpl.ISO.
4. Use any burning program that can burn ISO images.
5. After you have the disk, boot from the CD or DVD drive. You will see Windows 2000 Setup and it will load some files.
6. Press “R” to install DreamPackPL.
7. Press “C” to install DreamPackPL by using the recovery console.
8. Select the Windows installation that is currently on the computer (Normally is “1″ if you only have one Windows installed)
9. Backup your original sfcfiles.dll by typing:
ren C:\Windows\System32\sfcfiles.dll sfcfiles.lld” (without quotes)
10. Copy the hacked file from CD to system32 folder. Type:
copy D:\i386\pinball.ex_ C:\Windows\System32\sfcfiles.dll” (without quotes and assuming your CD drive is D:)
11. Type “exit”, take out disk and reboot.
12. In the password field, type “dreamon” (without quotes) and DreamPack menu will appear.
13. Click the top graphic on the DreamPack menu and you will get a menu popup.
Hack Windows Login Dreamon
14. Go to commands and enable the options and enable the god command.
Bypass and hack user account passwords
15. Type “god” in the password field to get in Windows.

You can also go to Passwords and select “Logon with wrong password and hash”. This option allows you to login with ANY password.

Note: I was unable to bring up the DreamPackPL for the first time because I have Kaspersky Anti-Virus already running in background. I believe most antivirus already labelled this tool as a Hack-Tool. A Hack-Tool is NOT a virus. DreamPackPL helps you bypass the Windows Login screen and it is not destructive.

Gmail Account Hacking Tool

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks. Todd Mumford, from the SEO company called SEO Visions Inc, states “This can be a serious problem for Internet Marketers who travel often and use their wireless laptops and Gmal services often and do not always have access to a secure connection”

Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.


© 2008