You will need
  • a sniffer program;
  • the smbrelay utility;
  • a password recovery utility.
Send an HTML-formatted email to the administrator of the remote computer. In the message, place a link, for example to an image, that points to a share on your computer. When the email client opens the message, a request to open the file on the shared resource will be sent. During the connection to the shared resource, use the smbrelay utility to capture the LanMan hash.
If the built-in "Guest" account is not disabled (and, accordingly, access to the registry is allowed), drop a remote administration program into a shared folder. In the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, create a value containing the path to the program.
To deploy the remote administration tool, use the Windows Explorer bug in handling file extensions. Create a batch file named Readme.txt that creates a shared resource with full access to the C drive. Give the share a name that won't arouse suspicion, for example TEMP$. In this case the executable file appears with a .txt extension, and the program for remote computer management sits in the same folder.
To find out the administrator password of a computer running Windows NT/2000, use one of the password recovery utilities: NAT, RedShadow, Brurus-AE, or any other that can be found freely on the Internet. Passwords can be recovered both by dictionary and by brute-force attack, and the second method is the most effective.
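As an added defender-side check (not part of the original text), the following PowerShell script audits the three conditions the steps above depend on: autostart entries in the Run keys, whether the Guest account is enabled, and whether SMB signing and LM hash storage are configured in a way that blocks hash capture and relay. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1 (for Get-LocalUser); the registry paths are standard Windows values.

```powershell
# Added audit script; not from the original page. Assumes PowerShell 5.1+.
# 1. List autostart entries in the Run keys (the persistence step above
#    writes a value under HKCU\...\Run).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties (PSPath, PSDrive, ...)
            if ($p.Name -notlike 'PS*') {
                "{0}: {1} = {2}" -f $key, $p.Name, $p.Value
            }
        }
    }
}

# 2. Guest account state: the share/registry step relies on it being enabled.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest) { "Guest account enabled: $($guest.Enabled)" }

# 3. SMB signing on the server side; requiring signatures defeats the
#    relay described in the first step when clients are also required to sign.
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$sig = (Get-ItemProperty -Path $srv -Name RequireSecuritySignature `
        -ErrorAction SilentlyContinue).RequireSecuritySignature
"Server RequireSecuritySignature (1 = required): $sig"

# 4. NoLMHash = 1 stops Windows from storing the weak LanMan hash that the
#    capture and brute-force steps target.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$nolm = (Get-ItemProperty -Path $lsa -Name NoLMHash `
         -ErrorAction SilentlyContinue).NoLMHash
"NoLMHash (1 = LM hashes not stored): $nolm"
```

Run it from an elevated prompt so the HKLM values are readable; any Run entry you do not recognise, an enabled Guest account, or a missing/zero value in steps 3 and 4 is a finding worth following up.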