Wednesday, 7 August 2013

Hack Windows 7 password using Ubuntu and chntpw



“chntpw is a utility to view some information and change user passwords in a Windows NT/2000 SAM userdatabase file, usually located at \WINDOWS\system32\config\SAM on the Windows file system. In addition it also contains a simple registry editor (same size data writes) and an hex-editor which enables you to fiddle around with bits and bytes in the file as you wish.”

What you need is a bootable Ubuntu or BackTrack USB stick; see "Create a Bootable Ubuntu USB Flash Drive the Easy Way" further down this page for how to make one.


Once you have the bootable Ubuntu or BackTrack USB stick, plug it in and boot the Windows machine from it.
Before we proceed, let’s make a few assumptions:
1. You are using Windows 7/Vista
2. Your windows partition is located at /dev/sda1
3. We’ll mount it at /media/mnt/
4. We’ll reset the Administrator account.


At the time of writing the latest chntpw is 0.99.6-2, but it has been reported not to work on some Windows 7 machines; the previous release, 0.99.5-0, does. Links to both versions:
Version 0.99.6-2: to download, click here
Version 0.99.5-0: to download, click here
      To install the version packaged by Ubuntu (the live system needs network access for this), run this command in a terminal:

      sudo apt-get install chntpw

      If you downloaded one of the .deb files above instead, open a terminal in the download folder and install that file with sudo dpkg -i followed by its file name.
      Mount the Windows partition read-write with ntfs-3g (the mount point /media/mnt must exist; create it with mkdir first if it does not) and change into the registry hive directory:


      sudo ntfs-3g /dev/sda1 /media/mnt ; cd /media/mnt/Windows/System32/config

      If ntfs-3g refuses because the volume is hibernated or was not shut down cleanly, boot Windows and shut it down properly rather than forcing the mount; writing to a dirty NTFS volume risks corrupting it.

      Adjust the device name and paths to suit your setup (ntfs-3g is case-sensitive, so Windows, System32, config and SAM must be spelled exactly as on the disk). If you do not know the user name, chntpw can list all local accounts like so:

      chntpw -l SAM

      Reset the Administrator password like so:

      chntpw -u Administrator SAM

        You should get a prompt similar to this:

        - - - - User Edit Menu:
        1 - Clear (blank) user password
        2 - Edit (set new) user password (careful with this on XP or Vista)
        3 - Promote user (make user an administrator)
        4 - Unlock and enable user account [probably locked now]
        q - Quit editing user, back to user select
        Select: [q] >

        Type 1 to clear the password. This option has the best chance of success and the fewest complications (option 2, which writes a new password, is the one the menu itself warns about). If the built-in Administrator account is disabled, which is the Windows 7 default, also run option 4 to enable it, or pick a different local account. After option 1 you should get another prompt similar to this:

        Hives that have changed:
        # Name
        0
        Write hive files? (y/n) [n] :

        Type y and you should get this:

        0 - OK

        Reboot into Windows like so:

        sudo reboot

        then log in with an empty password and set a new one for the account. Two caveats: blanking the password destroys access to anything the old password protected, namely EFS-encrypted files and DPAPI secrets such as saved credentials and certificate private keys, and chntpw only edits the local SAM, so it cannot touch domain accounts. Defensively, this is exactly the offline attack that full-disk encryption (BitLocker on Windows 7 Ultimate and Enterprise) exists to stop: without the disk key the SAM hive can be neither read nor rewritten.
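As an added example for the steps above (written for this page, not part of chntpw), the following POSIX shell script does the two things a careful operator wants before letting chntpw write to the hive: it parses the table that chntpw -l SAM prints to show which accounts are enabled administrators (the ones you can actually log in with after blanking), and it keeps a dated copy of SAM so the edit can be rolled back. The listing it parses is a constructed sample in the table layout chntpw 0.99.6 prints, not a real SAM; the account names alice and bob and the config path in the usage comment are assumptions.

```shell
#!/bin/sh
# Helper for the chntpw procedure: pick the right account from the
# `chntpw -l SAM` listing and back up the hive before any write.

# Constructed listing in the table layout chntpw 0.99.6 prints; not from a real SAM.
SAMPLE_LISTING='| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | alice                          | ADMIN  |          |
| 03e9 | bob                            |        |          |'

# Turn the table (on stdin) into "rid user admin=yes|no enabled=yes|no" lines.
parse_sam_listing() {
  awk -F'[|]' '
    $2 ~ /^ [0-9a-f]+ $/ {            # account rows start with "| <hex rid> |"
      rid = $2; user = $3
      gsub(/^ +| +$/, "", rid); gsub(/^ +| +$/, "", user)
      adm = ($4 ~ /ADMIN/) ? "yes" : "no"
      en  = ($5 ~ /dis/)   ? "no"  : "yes"   # "dis/lock" = disabled or locked
      printf "%s %s admin=%s enabled=%s\n", rid, user, adm, en
    }'
}

# Accounts you can log in with after blanking their password: enabled admins.
enabled_admins() {
  parse_sam_listing | awk '$3 == "admin=yes" && $4 == "enabled=yes" { print $2 }'
}

# Blank one account's password, keeping a dated copy of SAM so the change can be
# rolled back. Assumes the Windows partition is mounted as in the steps above.
# Usage: blank_password /media/mnt/Windows/System32/config Administrator
blank_password() {
  cfg=$1; user=$2
  cp -p "$cfg/SAM" "$cfg/SAM.bak.$(date +%Y%m%d%H%M%S)" || return 1
  ( cd "$cfg" && chntpw -u "$user" SAM )    # interactive: choose 1, then y
}

printf '%s\n' "$SAMPLE_LISTING" | parse_sam_listing
printf 'enabled admins: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | enabled_admins)"
```

On the sample, the only enabled administrator is alice: the built-in Administrator is an admin but disabled, which is why the page's choice of that account needs option 4 as well as option 1. To roll back after a bad edit, copy the SAM.bak file over SAM while still booted from the USB stick.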


    Create a Bootable Ubuntu USB Flash Drive the Easy Way


     Booting Ubuntu from a USB flash drive is faster than from the live CD, so we will install it to one.
    To accomplish this, we will use a small tool called UNetbootin, which is designed to make the process simple.
    Create the Bootable Flash Drive
    First download UNetbootin and save it somewhere handy; there is no installation, just double-click to run it.
    Point it at an already downloaded ISO image of the Ubuntu installation CD (or let it download one), choose the flash drive as the destination, check that the selected drive really is the USB stick and not an internal disk, and click OK. That is all there is to it.
    The process extracts the files from the ISO image (or downloads them), copies them to the flash drive and then installs the bootloader. Depending on what you are installing, this does not take very long.
    Once the process is completed, you will be prompted to reboot, which you only need to do if you want to test booting the flash drive on the same machine you are using.
    Otherwise click the Exit button.

    Wednesday, 24 July 2013

    Ettercap Basics

    First, some basics about Ettercap. It has four user interfaces:
    • Text only – the -T option
    • Curses – the -C option
    • GTK – the -G option
    • Daemon – the -D option
    This article uses the graphical GTK interface, since it is the easiest to learn from.

    Launching an ARP Poisoning Attack

    Why ARP is needed and how ARP cache poisoning works conceptually were explained in the earlier ARP-Cache-Poisoning article; have a look at it first, as this article only covers performing the attack in practice.
    A diagram of the lab network went with this article. The addresses used throughout are 192.168.1.122 (the attacker, running Ettercap), 192.168.1.51 (the victim) and 192.168.1.10 (the victim's DNS server and the other end of the traffic we intercept), all on one LAN segment, which ARP poisoning requires. Every attack below is performed on that lab network only; using Ettercap on a production network is not advisable.

    Launch Ettercap on the .122 machine (192.168.1.122, the attacker) with:
    # ettercap -G
    Click "Sniff -> Unified Sniffing". It lists the available network interfaces; choose the one on the LAN you want to poison.
    Once you have chosen the interface, the main window opens.
    The next step is to build the target list for the ARP poisoning. Here the targets are 192.168.1.51 (the victim) and 192.168.1.10 (its DNS server).
    Click "Hosts -> Scan for hosts". Ettercap sends ARP requests for the whole subnet and collects the replies.
    Once it is completed, click "Hosts -> Host List" to show the hosts found on the LAN.
    In the list, select 192.168.1.51 and click "Add to Target 1", then select 192.168.1.10 and click "Add to Target 2".
    Now select "Mitm -> Arp Poisoning".
    In the dialog that opens, tick "Sniff remote connections" and click OK; with it, connections that .51 makes through .10 to hosts beyond it are sniffed too, not only traffic between the two targets themselves.
    Then click "Start -> Start Sniffing".
    The ARP caches are now poisoned: the .122 machine sends unsolicited ARP replies telling .51 that 192.168.1.10 is at .122's MAC address, and telling .10 the same about .51, so traffic between the two flows through .122, which forwards it. To verify, from 192.168.1.51 run "ping 192.168.1.10", open Wireshark on 192.168.1.122 with the display filter icmp, and you will see the echo requests from 192.168.1.51 to 192.168.1.10 arriving at 192.168.1.122.

    Launching DNS Spoofing Attack in LAN

    The concept of DNS is as follows.
    • Machine A runs 'ping google.com'
    • It now has to find the IP address of google.com
    • So it queries its configured DNS server for the address of google.com
    • The DNS server walks the DNS hierarchy, finds the IP address of google.com and returns it to Machine A
    A host that can intercept that query and answer before the real server does controls where Machine A connects. Here we will see how to spoof DNS this way.
    Ettercap ships with many plugins. One of them is dns_spoof, and we will use it to test DNS spoofing.
    On the .122 machine, open /usr/share/ettercap/etter.dns (on newer installs it is /etc/ettercap/etter.dns) and add the following. The A lines answer forward lookups, the PTR lines answer the reverse lookups that ping does to print a name, and the bare google.com line is needed because the wildcard *.google.com does not match the bare domain itself:
    *.google.co.in A 192.168.1.12
    *.google.com A 192.168.1.12
    google.com A 192.168.1.12
    
    www.google.com PTR 192.168.1.12
    www.google.co.in PTR 192.168.1.12
    Here 192.168.1.10 is the DNS server that .51 uses. DNS spoofing therefore needs the ARP poisoning from above first, so that .51's queries to .10 pass through .122; the plugin then sees each query and sends a forged reply for matching names, which reaches the client before the real answer. Once ARP poisoning is running, follow these steps:
    Click “Plugins->Manage Plugins” as follows:
    Select the “dns_spoof” plugin and double click to activate it as follows:

    Now from 192.168.1.51 ping google.com
    $ ping google.com
    
    PING google.com (192.168.1.12) 56(84) bytes of data.
    64 bytes from www.google.co.in (192.168.1.12): icmp_seq=1 ttl=64 time=3.56 ms
    64 bytes from www.google.co.in (192.168.1.12): icmp_seq=2 ttl=64 time=0.843 ms
    64 bytes from www.google.co.in (192.168.1.12): icmp_seq=3 ttl=64 time=0.646 ms
    The answer is the address from etter.dns rather than Google's real one, and the name that ping prints in each reply line (www.google.co.in) comes from the PTR entries for 192.168.1.12, so even the reverse lookup agrees with the lie.
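As an added example covering both the ARP poisoning and the DNS spoofing sections (written for this page, not part of Ettercap, tcpdump or Wireshark), here are the checks a defender on the victim side would run. arp_alerts reads ARP replies in the format tcpdump -n -e arp prints and flags the two fingerprints of the attack above: an IP whose MAC address changes, and one MAC answering for more than one IP (the .122 machine answering for both .10 and .51). flag_private_answers catches the DNS symptom of the ping above: a public name resolving into RFC 1918 space. The capture lines, the MAC addresses and the address 203.0.113.5 are constructed for the example.

```shell
#!/bin/sh
# Victim-side detection for the two Ettercap attacks: ARP cache poisoning and
# DNS spoofing. Feed arp_alerts a live capture with: tcpdump -l -n -e arp | arp_alerts

# Constructed `tcpdump -n -e arp` lines for the lab addresses; MACs are made up.
# 00:0c:29:cc:cc:22 plays the .122 attacker, answering for both .10 and .51.
SAMPLE_ARP='12:00:01.000001 00:0c:29:aa:aa:51 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.10 tell 192.168.1.51, length 28
12:00:01.000120 00:0c:29:bb:bb:10 > 00:0c:29:aa:aa:51, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at 00:0c:29:bb:bb:10, length 28
12:00:03.000000 00:0c:29:cc:cc:22 > 00:0c:29:aa:aa:51, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at 00:0c:29:cc:cc:22, length 28
12:00:03.000050 00:0c:29:cc:cc:22 > 00:0c:29:bb:bb:10, ethertype ARP (0x0806), length 42: Reply 192.168.1.51 is-at 00:0c:29:cc:cc:22, length 28'

# Track "Reply <ip> is-at <mac>" and report (1) an IP whose MAC changed and
# (2) a MAC that claims several IPs, which is what poisoning both targets looks like.
arp_alerts() {
  awk '
    /Reply/ {
      for (i = 1; i <= NF; i++) if ($i == "Reply") { ip = $(i + 1); mac = $(i + 3) }
      sub(/,$/, "", mac)                       # strip the trailing comma tcpdump prints
      if ((ip in seen) && seen[ip] != mac)
        printf "ALERT %s changed from %s to %s\n", ip, seen[ip], mac
      seen[ip] = mac
      if (!((mac, ip) in claimed)) { claimed[mac, ip] = 1; nips[mac]++ }
    }
    END { for (m in nips) if (nips[m] > 1) printf "ALERT %s answers for %d addresses\n", m, nips[m] }'
}

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
is_private_ip() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "name address" pairs on stdin (what a dig +short lookup or the first
# line of ping gives you) and flags public names answered with a private address.
flag_private_answers() {
  while read -r name addr; do
    is_private_ip "$addr" && echo "ALERT $name resolved to private address $addr"
  done
  return 0
}

printf '%s\n' "$SAMPLE_ARP" | arp_alerts
printf '%s\n' 'google.com 192.168.1.12' 'example.net 203.0.113.5' | flag_private_answers
```

The first alert fires the moment the attacker's reply for 192.168.1.10 contradicts the earlier legitimate one; the second is only certain once the capture ends, since one MAC legitimately owning two addresses is rare but possible. Unlike a static ARP entry, which stops the poisoning for one host, these checks only detect it, so their place is on a monitoring port or the victim itself.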
    Hopefully this article gives some insight into ARP poisoning and DNS spoofing. Once everything is done, remember to stop the MITM attack from the Mitm menu (Stop mitm attack(s)), so that Ettercap re-ARPs the victims with the correct addresses before you leave:
    Finally, it doesn’t hurt to repeat the warning again. Do not execute this on a network or system

    Nmap Scanning on Backtrack 5 [Detailed Tutorial]

    Nmap is a network scanner: it probes a host, or a whole range of hosts, to find which ports are open, what is listening on them and, optionally, which operating system is running. It ships with BackTrack 5, so nothing needs installing.

    So let's start scanning from the BackTrack 5 environment. The scan types, with the nmap flag for each:



    Ping Scan (-sn, called -sP in older releases): host discovery only; it reports which addresses in the range are up without touching their ports.


    Range Scan: any of the scans below can be pointed at a range rather than a single host, for example 192.168.1.1-254 or 192.168.1.0/24.


    Stealth Scan (-sS): the TCP SYN scan. Nmap sends a SYN and classifies the port from the SYN/ACK or RST that comes back, then resets instead of completing the handshake, so the connection never reaches the listening application. It needs root for raw sockets.


    OS SCAN (-O): fingerprints the target's TCP/IP stack to tell which operating system the host is running.



    TCP SCAN (-sT): a full connect() scan; it shows all the open TCP ports.

    ADVANTAGES :

    1. Speed
    2. Free to use
    3. Doesn't need privileges (it uses ordinary connect() calls, not raw sockets)
    DISADVANTAGES
    1. Easily detectable and filterable: every probe completes a handshake, so it shows up in the application's own logs.

    FIN SCAN (-sF): sends a bare FIN. Per RFC 793 a closed port answers with RST while an open port stays silent, which gets past some stateless packet filters that only watch for SYNs.



    NULL SCAN (-sN): the same idea with no TCP flags set at all. FIN and NULL scans do not work against Windows targets, whose stack answers RST on every port regardless of state, so everything looks closed.


    UDP SCAN (-sU): sends UDP probes instead of TCP. An ICMP port-unreachable means closed; silence means open|filtered, so UDP scans are slow and less conclusive than TCP ones.


    IP Protocol Scan (-sO <Target IP>): instead of ports, enumerates which IP protocols (TCP, UDP, ICMP, GRE, ...) the host accepts, again judged from the ICMP protocol-unreachable messages it sends back.



    ACK SCAN (-sA): sends bare ACKs. It cannot tell open from closed, but an RST means unfiltered while silence or an ICMP unreachable means filtered, which maps the firewall rules in front of the host.
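As an added example (written for this page, not part of Nmap), the script below runs one of the scan types above against a range and reduces Nmap's grepable output (-oG -) to one line per open port, which is what you actually want from a scan of a whole subnet rather than a screenshot per host. The grepable output it parses is a constructed sample for the two lab hosts, not a real scan result; scan_open_ports is the only function that needs nmap installed.

```shell
#!/bin/sh
# Summarise an Nmap scan: one "host port/proto service" line per open port.
# Real use (needs nmap; -sS/-sF/-sN/-sU/-sO/-sA/-O need root):
#   scan_open_ports -sS 192.168.1.0/24

# Constructed -oG output for two lab hosts, in the tab-separated layout Nmap
# prints (Host / Ports / Ignored State sections); not a real scan result.
sample_grepable() {
  printf '# Nmap 6.25 scan initiated as: nmap -sS -oG - 192.168.1.0/24\n'
  printf 'Host: %s ()\tStatus: Up\n' 192.168.1.10
  printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (996)\n' 192.168.1.10 \
    '22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 443/closed/tcp//https///'
  printf 'Host: %s ()\tStatus: Up\n' 192.168.1.51
  printf 'Host: %s ()\tPorts: %s\tIgnored State: filtered (997)\n' 192.168.1.51 \
    '135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///'
  printf '# Nmap done -- 254 IP addresses (2 hosts up) scanned in 9.73 seconds\n'
}

# Parse grepable output on stdin. Each port entry has the form
# port/state/protocol/owner/service/rpc/version/ ; only "open" entries are kept,
# so closed and open|filtered ports (as UDP scans produce) are dropped.
open_ports() {
  awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); host = h[2]
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, p, /, */)
      for (j = 1; j <= n; j++) {
        if (p[j] == "") continue
        split(p[j], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
      }
    }'
}

# Run a real scan with one of the flags from this article and summarise it.
# Usage: scan_open_ports <scan flag> <target or range>
scan_open_ports() {
  nmap "$1" -oG - "$2" | open_ports
}

sample_grepable | open_ports
```

On the sample this prints six lines, three per host, and drops the closed 443 on 192.168.1.10. Because the parser keys on the state field, the same function works for a UDP scan, where most ports come back open|filtered and are correctly left out.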

    Monday, 22 July 2013

    ETHERCAP
