Windows 10 Virtualisation & Microsoft user accounts

15 Posts
7 Users
0 Likes
2,022 Views
(@brevs11)
Posts: 19
Active Member
Topic starter
 

Morning all.

I've been attempting for a while to find a way to log in to a Microsoft user account on a Windows 10 computer when that computer has been virtualised (FTK Imager to mount the forensic image, VFC and VMware to create and run the VM). This has to be completed in as forensically sound a manner as possible.

So the scenario I'm finding more often these days is that the user has either created from new, or migrated an existing local account to a Microsoft based password protected account. I know that when Windows 10 is installed Microsoft tries very hard to force users down the path of creating a Microsoft account rather than using a local account. A Microsoft based account must be protected with a password or PIN.

I have used the following 'hack' which allows you to enable and login to the local Administrator account, assuming that the user has not previously enabled it and added a password.

Enable Hidden Administrator Account in Windows 10 without Login

However, even logging in to the local Administrator account does not allow the changing or removal of another user's Microsoft created account.

All of the tools I'm currently using to examine the SAM incorrectly report Microsoft created accounts as having no password set, likewise running various boot disks to blank the NT password fail because there isn't one.

Depending on how the account was created, when attempting to log in to the account you will sometimes get "Your device is offline, please enter old password." Some online research for this message shows that there are numerous users who report either that they never set an earlier password or that they enter their old password and it doesn't work. If Windows does store an old password for offline local use, where is it?

Asking the user for the password is not always possible and of course the password could always be reset by logging into the Microsoft account on a different device, again not possible in this scenario.

I wondered if anyone has any success or ideas as to whether what I'm trying to achieve is possible, without the options available in the preceding paragraph.

 
Posted : 28/01/2019 10:09 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"…report Microsoft created accounts as having no password set…"

I'm curious…what tools are you using, and what are they telling you? What I mean is, what is the message, exactly worded, that you're seeing?

That might be helpful.

Thanks.

 
Posted : 28/01/2019 11:00 am
(@brevs11)
Posts: 19
Active Member
Topic starter
 

AccessData Registry Viewer, ophcrack, IEF, EnCase v6 & v8 all show the NT hash and password as empty in the SAM.

I did another little bit of research a while back, and I stand to be corrected, but this has been the case since Windows version 1607 (Anniversary Update). I discovered it by accident: the tools were reporting no password set on the account, but when I virtualised it there was a password, if it was a Microsoft based account.

Thanks

 
Posted : 28/01/2019 11:15 am
mjpetersen
(@mjpetersen)
Posts: 12
Active Member
 

The reason you are not seeing the account is because the passwords are not stored locally.

Have you tried the VFC Password Bypass? Did that work or did it only allow you to view the local files and not the on-line files?

 
Posted : 28/01/2019 6:04 pm
(@brevs11)
Posts: 19
Active Member
Topic starter
 

The reason you are not seeing the account is because the passwords are not stored locally.

Have you tried the VFC Password Bypass? Did that work or did it only allow you to view the local files and not the on-line files?

VFC reports that there is no password set on the account so the password bypass does not work.

I have a Microsoft account on a PC at home. I know the current and old (local account) passwords, so I'll disconnect from the Internet and see if I get the "Your device is offline, please enter old password." message, although I've never been able to get it to work previously. And even if this does work, I would imagine that it wouldn't work if the account was created from scratch as a Microsoft account.

If the old password is present, it must be stored somewhere, but it doesn't seem to be in the SAM, certainly not where a normal local user account password is stored anyway.

 
Posted : 29/01/2019 7:52 am
(@randomaccess)
Posts: 385
Reputable Member
 

Microsoft moved the location of the passwords for local systems last year.
Many tools haven't been updated. Mimikatz works though.

I wrote a post about it here

Unfortunately I haven't figured out the problem you're seeing.
I'm thinking that it stores the password the same way that it would cache it for a domain.
I ran mimikatz over a live-account-enabled test image today and didn't get very far.

I'll have to think through the problem; the password is stored somewhere, just where I don't know yet.

 
Posted : 29/01/2019 11:05 am
(@brevs11)
Posts: 19
Active Member
Topic starter
 

I'll have to think through the problem; the password is stored somewhere, just where I don't know yet.

Many thanks for the info.

It makes you wonder how many people are reporting that no password is set on an account based on the 'industry standard' tools when one is actually set. This is why I've been trying to run a VM in every case... to be sure.

 
Posted : 29/01/2019 11:57 am
(@brevs11)
Posts: 19
Active Member
Topic starter
 

I'm running the latest build of Windows 10, with a Microsoft account protected with a PIN. I removed the Ethernet cable, rebooted, and I could still log in with the same PIN, so it's cached locally somewhere.

 
Posted : 30/01/2019 8:03 am
(@randomaccess)
Posts: 385
Reputable Member
 

Yep, it's cached.
I get the feeling it's just treated like a domain account. You can log in to a domain account offline.
Where does Windows cache the passwords there?

 
Posted : 30/01/2019 12:04 pm
(@brevs11)
Posts: 19
Active Member
Topic starter
 

Where does Windows cache the passwords there?

It seems as though only Microsoft and the person who wrote Mimikatz know :)

The Mimikatz notes get really heavy, but I was reading that it's stored in memory somewhere.

I've had a little bit of success this morning extracting a Windows 10 NT hash using Mimikatz and then using Ophcrack and rainbow tables to decode the hash. So it's doable but not pretty.

What I'm really looking for now is something that will allow you to overwrite the NT hash as blank rather than having to extract the hash and then crack it.

Unfortunately I'm not clever enough by a long way to do it myself.

 
Posted : 30/01/2019 12:49 pm