How to Crack or Guess the Password of a Windows 10 User

The password is the most common way to protect our session in Windows. When we create a new user, the operating system itself lets us set this password so that no one can log in without it. In Windows 10, the password corresponds to that of the Microsoft Account, and we can also use other authentication methods (PIN, biometrics, etc.) thanks to Windows Hello. However, we should not trust the PC password 100%, since, as we are going to see, anyone, even without permissions, could break it.

Although the login window may seem secure and impassable, the truth is that, in terms of security, it leaves a lot to be desired. The login API itself, LogonUserW, by default has no lockout mechanism after a given number of failed attempts. This opens the door to brute force attacks that are very simple to carry out, with which the password of any user on our PC can be obtained. The same weakness is present in other Windows APIs, such as LogonUserA, CreateProcessWithLogonA and CreateProcessWithLogonW.

Crack or Guess the Password of a Windows 10 User

For this, we need nothing more than a Windows computer (from XP to the latest version of Windows 10) and any user account on that computer. It does not matter if it is a user with restricted permissions, or a guest. In just a few seconds we can find out the password of the PC administrator and, with it, take full control of the computer. And best of all, unlike other alternatives, this one does not erase or break the password.

How to find out (crack) the password of any user in Windows

In order to carry out this attack we will need to download Win Brute Logon, a PoC designed to exploit these weaknesses that can be downloaded for free from GitHub. The source is open, so we can analyze it, if we want, to verify that it is indeed a trustworthy file.

Being a brute force attack, it needs to be given a list of passwords. We can download from here a list with the 10,000 most used passwords to increase the probability of success. If the computer's administrator has set a strong password, things get a bit more complicated, and we would have to resort to brute force password generator tools.

Both Win Brute Logon and the password list have to be unzipped and saved in the same directory, which we must be able to reach from CMD. For example, a simple choice would be a folder called "pass" in the root of C:.

The first thing we must do is have access to the system. It does not matter what type of user we get, even if it is "guest" (the most restricted one). The process is the same from any of them. Once we have access, we run the following command to see which users exist on the PC:

net user

We choose the user whose password we want to obtain and run the following command (replacing <username> with the user's name and <wordlist_file> with the name of the password list):

WinBruteLogon.exe -v -u <username> -w <wordlist_file>

Now we just have to wait for the program to finish. At the end we will see in the console a line like the following one, in which the password is shown:

[ OK ] Password for username=[username] and domain=[DESKTOP-PC] found = [contraseña]

Now we can log in to the administrator account with this password and have full control over the PC.

Remember that, in Windows 10, the user's password is the same as that of the Microsoft Account. Therefore, if someone obtains it, they could gain access to our mail, OneDrive and all the information linked to our account. That is why it is very important to protect our Microsoft Account with additional measures such as two-factor authentication.

Create test user to crack

Before carrying out this attack on a production computer, it is advisable to learn to master the tool. To do this, we can create a new user on our PC, with whatever level of privileges we want, using the net user tool as follows:

Create administrator user:

  • net user adminname /add
  • net user adminname password
  • net localgroup administrators adminname /add

Create normal user:

  • net user username /add
  • net user username password

And we can also enable the guest account on our PC:

  • net user GuestUser /add
  • net localgroup users GuestUser /delete
  • net localgroup guests GuestUser /add

Now we log in at least once to the account we want to crack (to complete its initial setup) and that's it. We then log out, log in with the user we want (even the one with the fewest permissions) and carry out the steps explained in the previous section to check whether the password can be broken.

How to protect ourselves from these attacks

As we can see, it is very easy to find and break the password of any Windows user. Microsoft does not apply any extra security measure in its operating system to protect us from this. The only way this type of brute force attack becomes ineffective is for Windows itself to lock the account after a number of failed attempts.

We can enable this manually through group policies, as long as we have Windows 10 Pro. To do this, we type "gpedit.msc" in the search bar and go to the section "Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy".

Here we must look for the policy "Account lockout threshold". In it we have to change its value from the default "0" to the maximum number of attempts allowed before the account is locked.

(Screenshot: Account lockout threshold policy)

We must also configure the policy "Account lockout duration", which specifies how long the account stays locked once it has been locked due to failed attempts.
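As an added example (not part of the original article), the following PowerShell script, run from an elevated prompt, checks whether the lockout threshold is still at the default 0, applies a hardened policy if so, and then looks in the Security log for the burst of failed logons that a wordlist attack like the one above produces. The threshold, duration and window values are assumed; the parsing assumes English-language net accounts output and that failure auditing of logon events is enabled.

```powershell
# Added example: audit and harden the local account lockout policy, then
# look for brute-force bursts against local accounts. Run elevated.

# 1. Read the current policy. "net accounts" prints "Lockout threshold: Never"
#    while the default value 0 is in effect (English-language output assumed).
$policy    = net accounts
$threshold = ($policy | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
if ($threshold -eq 'Never') {
    Write-Warning 'Lockout threshold is 0 (Never): unlimited logon attempts are allowed.'
    # Hardened values (assumed): lock after 10 failures for 30 minutes,
    # counting failures that occur inside a 30-minute window.
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30
} else {
    Write-Output "Lockout threshold already set to $threshold attempts."
}

# 2. Detection: count failed logons (Security event 4625) per target account
#    in the last hour. A wordlist attack produces hundreds of these per minute,
#    all reported with the same caller process name.
$since  = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue
$failed |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Process = ($data | Where-Object Name -eq 'ProcessName').'#text'
        }
    } |
    Group-Object User |
    Where-Object Count -ge 10 |
    ForEach-Object {
        Write-Warning ("{0} failed logons against '{1}' in the last hour (caller processes: {2})" -f
            $_.Count, $_.Name, (($_.Group.Process | Sort-Object -Unique) -join ', '))
    }

# 3. Confirm the policy actually trips: event 4740 is written when an account
#    is locked out, and its first data field is the locked account name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'LockedAccount'; e = { $_.Properties[0].Value } }
```

Note that the lockout policy protects local accounts; a Microsoft Account password must additionally be protected on the account side, as the article recommends.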

Furthermore, as we have seen, for this brute force attack to succeed the password has to be weak. Therefore, if our PC uses a strong, robust and unique password, the chances of this type of attack succeeding are very low. So, if we create a password that mixes letters, numbers and symbols, is reasonably long and is generated with a pseudo-random generator, no one will be able to get into our Windows account, at least using this technique.