
Yeah, I didn't start cracking passwords until I was in college - I didn't need to. When in junior high, the IT admin would kick off a tape backup of the network, and stay logged in. I'd wait until later, like 6pm-7pm and dial into his computer (his computer had a connected modem that accepted inbound connections with no username/password), do my thing, then restart the backup before I was done for the night, so he wouldn't notice in the morning. Never did anything destructive, but I did have about 6 bogus accounts with full admin access. Kept those accounts to myself, lest they get discovered. They never did... He left around my freshman year of high school. Didn't trust his replacement, so kept my lips shut about the access I had. Graduated with nearly all of my accounts with admin access intact.

In college, had to crack some passwords. Turns out all of the lab computers, the admin password of all NT lab PCs was a 5 character building abbreviation + room number of where campus IT was based... I was expecting the crack to run overnight on my then 500 MHz P3. The password was cracked before I could stand up to go to dinner. Last cracked passwords on my old XP laptop, that I couldn't remember the password to. Hard part is getting the unencrypted password file (since I think Win2k, Windows encrypts the SAM file on disk and exclusively locks the file while the OS is running), but if you can run something with system authority, you can inject a DLL and extract the decrypted file. You still have to brute force the NTLM hashes after that, but on modern hardware, takes just a few mins. Back in the NT 4 days, at least the way our computers were configured, nonadmins had write permissions to everything under c:\Windows. Easy way to get system? Replace the default screen saver with a copy of cmd.exe, then log out and wait for the logon screen saver to fire. Back in the day, screen savers ran as system. They don't any longer.

On the NT 4 boxes, I was able to script everything. Pop in a bootable floppy with the script and an NTFS driver, reboot, wait for the script to complete, having copied the SAM file, then reboot again and back to normal. Walk back to my dorm room, crack at will.



