Putting it all together – Credential Harvesting Playbook #1.

Gone in 60 Seconds! Reset a windows 10 local administrator account in 60 seconds using a bootable Kali USB drive and three commands in the terminal!

To be honest, I don’t run Kali Linux on my daily driver. I find that Ubuntu with the right tools installed, gets me the mileage I need to get by. With that being said, Kali is a super powerful tool to have in my arsenal, especially in the form of a bootable USB. In a recent engagement where we tasked with searching for ways into various parts of the IT infrastructure, we were provided a company provisioned device (and basic user account) to start with. Our first step? Find a way to elevate the local privilege’s with the information and devices provided to determine what we could see. Here’s how we did that.  

Enter the Kali Bootable Drive 

The steps to build a Kali bootable drive are well documented in the various corners of the internet. I prefer the DD approach as it’s a simple one-liner to prep the drive and I pretty much live in the terminal most days anyway. 

Boot from USB

Again, booting from USB should be standard fair. On the Dell kit we were provisioned, it a quick bump to F12 on reboot and select the boot options (this can vary from manufacturer to manufacturer though). This kit didn’t have secure boot turned on nor was the OS drive encrypted so my job suddenly got a whole lot easier. Boot to “Kali Live (Forensic Mode)” and chill for a bit. 

Find SAM

Tracking down the SAM is pretty straightforward – head to the host’s OS drive and then to /Windows/System32/Config and then drop to a terminal session from here.

Doing the ‘actual’ work

The actual work of resetting the password or elevating privilege as simple as three commands.

To show you the users in the SAM >  chntpw -l SAM

To remove the password of a user in the SAM (where username is the actual user) > chntpw -u username SAM

and then follow that up with pressing ‘1’ to clear the user password or ‘3’ to promote a user to admin. 

As a extra step, you’ll likely want to ensure the account is unlocked and enabled by pressing ‘2’.

Save your work

Don’t close the terminal yet – make sure you ‘q’ from chntpw and save your changes to the SAM. Once you do that you should be golden. 


All in all, this a quick way to elevate privileges or take over a local admin account on a workstation and see where you can go. No guarantee this will work in every scenario but definitely a worthwhile place to start! 


Penetration Testing

provides you a true understanding of your companies risk by penetrating your organization’s IT environment, demonstrating what systems & data could be exploited and providing a remediation plan to prevent such attacks in the future.

Vulnerability Assessments

provide you a comprehensive understanding of your IT infrastructure inventory, which assets are vulnerable to attack and how to fix those vulnerabilities before they are exploited.

Security Audits

provide your organization with an affordable executive audit to help plan, define and execute a security strategy that will strengthen your overall security posture.

Phishing Campaigns

provide your company with an understanding of your employees risk to various phishing attacks including the data you need to create awareness and the training your employees need to take a more defensive posture when interacting with incoming emails.

Security Awareness Training

specializes in making sure your employees understand the mechanisms of spam, phishing, spear phishing, malware, ransomware and social engineering and can apply this knowledge in their day-to-day job.

Managed Security Services

provide your organization with the technology and expertise required to effectively implement, monitor and manage your security infrastructure.

Get in Touch.

Get in touch with our team to find out how our services and products can eliminate your vulnerable IT surface area and reduce your risk to a successful cyber attack.