Password-Protected Windows 10

mhibert
(@mhibert)
New Member

Hi Guys,

I am struggling to bypass the Windows 10 login password. What techniques would you use if you were in my place?

P.S. BIOS is protected with a strong password and boot priority cannot be changed.

Thank you

Posted : 11/03/2018 4:54 am
jaclaz
(@jaclaz)
Community Legend

Hi Guys,

I am struggling to bypass the Windows 10 login password. What techniques would you use if you were in my place?

P.S. BIOS is protected with a strong password and boot priority cannot be changed.

Thank you

The usual ones, of course, if you can access the disk (i.e. it is not the case that it is encrypted and you do not have the password, or that it is a laptop with integrated encryption, etc.).

OSK.EXE or similar, or direct patching of msv1_0.dll if 32-bit (cannot say if a patch for 64-bit has been found/published for "your" Windows 10 version, and surely that depends on the exact version of the .dll).

jaclaz

Posted : 11/03/2018 5:30 am
mhibert
(@mhibert)
New Member

What are the usual ones? Maybe I am missing something.

Posted : 11/03/2018 5:54 am
benfindlay
(@benfindlay)
Active Member

Can you pull the disk? If so, cracking the password in the relevant Registry hives would be a good place to start!

Failing that, what about a password reset tool like NTPASSWD (I've not actually tried this myself on Windows 10 - hopefully someone can confirm that it still works)?

Ben

Posted : 11/03/2018 9:34 am
jaclaz
(@jaclaz)
Community Legend

@benfindlay
Reset is different from bypass (and is different from cracking the password).

@mhibert
As above, reset is different from bypass (and is different from cracking the password via ophcrack or similar).

To bypass, there are historically three ways, in order from more intrusive to less intrusive:
1) rename (a copy of) cmd.exe to osk.exe (or to another executable accessible from the logon screen); this is not strictly speaking a bypass, but it allows you to create a new user, leaving the original account untouched, or to change (reset) the password of the existing user
2) open a console on the Winsta0 desktop; this is actually a bypass, as you will have a session as System, besides having the same possibilities as above
3) modify msv1_0.dll (this is trivial/universal on 32-bit, version-specific on 64-bit); this is a real bypass, as you can log in with *any* password on the existing local user account

Whether each and every one of these will work on Windows 10, particularly on the specific version you have, and/or whether the patch for your specific version in the case of #3 exists, is up to you to find out.

#1
Google for (without double quotes) "osk.exe cmd.exe reset windows password" or "utilman.exe cmd.exe reset windows password"; you will find tens of tutorials (mostly copy-pasted from one another, and for various Windows versions) with slight variations. The method has been the same since Windows XP.
Check anyway
http://reboot.pro/topic/21061-how-to-to-reset-my-forgotten-windows-10-password/

#2
http://reboot.pro/topic/18792-if-anyone-is-up-for-a-challenge/
https://blog.didierstevens.com/2006/08/31/my-second-playdate-with-utilmanexe/

#3
http://reboot.pro/topic/18588-passpass-bypass-the-password/
Read the whole thread, get the latest chenall's version (but of course in your case you can use any hex editor instead), then look for the right pattern, if any.

Mind you these are what I would try, and what you could try if you are into learning.

Otherwise, spend a few bucks for a commercial solution:
http://www.piotrbania.com/all/kon-boot/

jaclaz

Posted : 11/03/2018 10:10 am
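The three methods above share one trait a defender can check for: methods #1 and #3 leave modified or swapped files in System32 (an accessibility executable that is really cmd.exe, or a patched msv1_0.dll). The following PowerShell script is an added integrity check written for this thread; it is not code from any of the linked tools or from the posters. It assumes a Windows host (or a mounted image whose System32 path is substituted for `$system32`) with `Get-AuthenticodeSignature` and `Get-FileHash` available, and the list of watched accessibility binaries is my own choice of the executables reachable from the logon screen.

```powershell
# Added integrity check (not from the thread). Flags logon-screen accessibility
# binaries that have been replaced by a copy of cmd.exe, and any watched file
# that no longer carries a valid Microsoft signature (e.g. a patched msv1_0.dll).
# Assumption: run on the live host, or point $system32 at a mounted image.

$system32 = Join-Path $env:SystemRoot 'System32'

# Executables launchable from the logon screen plus the authentication package
# discussed above; the list is an assumption, extend it to suit your baseline.
$watched = @('osk.exe', 'utilman.exe', 'sethc.exe', 'narrator.exe',
             'magnify.exe', 'displayswitch.exe', 'msv1_0.dll')

# Hash of the genuine cmd.exe: a watched file with the same hash is a renamed copy.
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

$findings = foreach ($name in $watched) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -Path $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path   # catalog-signed OS files report 'Valid'
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $desc = (Get-Item -Path $path).VersionInfo.FileDescription

    [pscustomobject]@{
        File        = $name
        SigStatus   = $sig.Status                      # expected: Valid
        Signer      = $sig.SignerCertificate.Subject   # expected: a Microsoft subject
        IsCmdCopy   = ($hash -eq $cmdHash)             # True = swapped for cmd.exe
        Description = $desc                            # "Windows Command Processor" is a giveaway
    }
}

$findings | Format-Table -AutoSize

# Anything unsigned, non-Microsoft, or byte-identical to cmd.exe deserves a closer look.
$suspicious = $findings | Where-Object {
    $_.SigStatus -ne 'Valid' -or $_.IsCmdCopy -or $_.Signer -notmatch 'Microsoft'
}

if ($suspicious) {
    Write-Warning 'Possible tampering with logon-screen binaries or msv1_0.dll:'
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host 'All watched files are validly signed and none is a copy of cmd.exe.'
}
```

Run it from an elevated prompt so every file is readable. Two caveats follow directly from the thread: a tool that patches the .dll in memory (as the post says Kon-Boot does) leaves the on-disk file intact, so a hash or signature check will not see it; and method #2 creates files rather than replacing them, so it is better looked for in the volume's file-system timeline than in this list. Full-disk encryption, mentioned at the top of the thread, is what prevents all three methods in the first place.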
MDCR
(@mdcr)
Active Member

I remember a bootable Linux CD with which I could modify the password at will, even clear it. I have forgotten its name; it worked from XP to Windows 7, I never tried it with Win 8 or 10, but I guess it would work.

Posted : 11/03/2018 2:32 pm
Jefferreira
(@jefferreira)
New Member

You can use a Linux Live Distribution to access the data on the storage device or working image.

Once you mount the device or image, you are able to access and extract the registry files and any other artefacts.

PS: I was on the move when I saw the post and did not read it carefully. You wrote that the BIOS is password protected. I haven't done this in a while, but removing the battery from the motherboard should reset/remove the BIOS password.

Posted : 11/03/2018 4:24 pm
jaclaz
(@jaclaz)
Community Legend

I remember a bootable Linux CD with which I could modify the password at will, even clear it. I have forgotten its name; it worked from XP to Windows 7, I never tried it with Win 8 or 10, but I guess it would work.

Yep :) , and that again is resetting the password, not bypassing it and not cracking it.

A number of recovery/forensic-oriented distros may include the Offline NT Password and Registry Editor
http://pogostick.net/~pnh/ntpasswd/
or chntpw
https://en.wikipedia.org/wiki/Chntpw
which is included (for example) in Kali and SystemRescueCD
https://en.wikipedia.org/wiki/Chntpw#Where_it_is_used

and which you can also get for most "standard" distros
https://pkgs.org/download/chntpw

jaclaz

Posted : 11/03/2018 4:38 pm
benfindlay
(@benfindlay)
Active Member

@benfindlay
Reset is different from bypass

<SNIP>

Indeed; however, the two terms are often used interchangeably as, absent certain situational conditions, they can in fact be equivalent.

It may be, in the case of what mhibert is trying to achieve, that a reset will be sufficient, hence the suggestion.

mhibert, can you provide a little more information please?

Posted : 12/03/2018 8:52 am
JimC
(@jimc)
Member

Thank you @Jaclaz for the helpful summary of the different methods.

Methods (1) and (2) both provide a system-level command prompt at the login screen. This can be used to reset an account password. Method (3) bypasses this and permits login with any password. The end result is almost the same, and all 3 methods require file system access to an unencrypted OS volume.

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?

Jim

www.binarymarkup.com

Posted : 12/03/2018 11:26 am
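The EFS point above is something an examiner can verify before touching the account, since a reset only costs data if EFS-encrypted files (or DPAPI-protected secrets such as Credential Manager entries) are actually present. The script below is an added example written for this thread, not code from any poster or tool. It assumes the suspect volume or image is mounted read-only at a path you pass as `$Root` (the `X:\Users` default is a placeholder), and it modifies nothing.

```powershell
# Added pre-check (not from the thread): list EFS-encrypted files under the
# user profiles of a mounted volume, and locate the DPAPI master-key stores,
# so the examiner knows what a password reset would make unreadable.
# Assumption: $Root points at a read-only mount of the suspect volume.
param(
    [string]$Root = 'X:\Users'   # placeholder mount point; adjust to your image
)

$encrypted = [System.IO.FileAttributes]::Encrypted

# The Encrypted attribute is set on every EFS-protected file; reading attributes
# needs no access to the user's keys, so this works on a mounted image.
$hits = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $encrypted) -eq $encrypted } |
    Select-Object FullName, Length, LastWriteTime

if ($hits) {
    Write-Host ('{0} EFS-encrypted file(s) found; a password reset would make these unreadable:' -f @($hits).Count)
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No EFS-encrypted files under $Root; EFS is not a reason to avoid a reset here."
}

# Credential Manager and other DPAPI secrets carry no Encrypted attribute, but
# their master keys live per user under AppData\Roaming\Microsoft\Protect and
# are likewise derived from the logon password. Presence of key folders means a
# reset (as opposed to a bypass) would also orphan those secrets.
Write-Host 'DPAPI master-key stores found (one folder per user SID):'
Get-ChildItem -Path (Join-Path $Root '*\AppData\Roaming\Microsoft\Protect') -Directory -ErrorAction SilentlyContinue |
    Get-ChildItem -Directory -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize
```

If either list is non-empty, the thread's conclusion applies: a bypass (method #3) or recovering the original password keeps the data reachable, while a reset does not. An empty result on both counts is the situation Ben describes from his own casework, where reset and bypass are practically equivalent.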
benfindlay
(@benfindlay)
Active Member

<SNIP>

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?

Jim,

Great point. EFS is indeed one of the specific scenarios in which bypass and reset are NOT equivalent. However, the question still remains: what exactly is the end goal of the bypass/reset? If it is simply to gain access to the user account and to files NOT protected by Windows' credential manager, then bypass and reset are, for all intents and purposes, equivalent.

Speaking from my own experience, in six and a half years I never once encountered EFS on a case I examined, nor am I aware of it being present on any cases my colleagues examined during this time period.

I do however recall reading a news article some years ago about a terrorism case in which EFS was enabled and the investigators had to devote significant time and resources in cracking it to gain access (apologies, I can't recall/find the specific article now).

Ben

Posted : 12/03/2018 11:48 am
jaclaz
(@jaclaz)
Community Legend

Yep :) , the whole point is the different level of "changes" made by this (or that) method and the amount of difficulty/inconvenience.

#1 either modifies the password (which is then lost forever, no "way back") or needs the creation of a new user (which is OK in most cases BUT is not exactly "forensically sound"); the very little on-volume activity needed to make a copy of the two .exe's and rename them is minimal but still exists.

#2 DOES NOT modify the password BUT it creates some files on the volume anyway because of the SYSTEM account, and in any case the access is more limited AFAICR.

#3 DOES NOT modify the password, nor in practice does it change anything on the volume differently from a "normal" boot with the user's credentials; the patched .dll can be binary-restored, so it is the least intrusive of all.
KONBOOT AFAIK/AFAICR uses method #3 anyway, possibly even bettered, because the .dll is patched in memory, I believe.

The actual "right" method of dumping the SAM and decrypting/cracking the password (while having the advantage of actually making the original password known) has exactly the same on-volume/filesystem impact as #3, but it is obviously much slower[1], and setting up Ophcrack or similar and creating (or accessing) rainbow tables is not exactly easy-peasy.

Evidently this latter approach (again the "right" one in theory) will provide access to EFS.

As I see it (and not so casually, as I was among the people creating PassPass, from an original idea dating back to Windows NT 4 or 2000 by Damian Bakowski), method #3 - when possible - is fast, easy (besides being IMHO also "elegant"), and since it doesn't modify *anything* it could be a "first step" that does not prevent in any way the later adoption - if needed - of the "right" method of decrypting the password.

As another single datapoint, NOT related to forensics, more related to "clueless people that manage to lock themselves out of the system and ask for help in recovery" which is more my field of experience/interest, I never found anyone using EFS.
Lots of senselessly (hidden or non-hidden) encrypted containers like Truecrypt and similar, and a few bitlockered drives, but never EFS.

@JimC
Just in case, yet another possible issue (Syskey) loosely related to EFS
https://www.forensicfocus.com/Forums/viewtopic/t=11839/

jaclaz

[1] I mean if "admin", "password" and "123456" don't work ;)

Posted : 12/03/2018 12:08 pm
JimC
(@jimc)
Member

One other related scenario springs to mind, although I accept it may not be that useful in practice.

There is a difference between a locked workstation and one with no user logged in. If you have access to a system level command prompt or similar, it is relatively easy to unlock a locked workstation without the password. This could be useful if a workstation was seized that was locked or was hibernated whilst locked. In such a case, the workstation could be unlocked and fully accessed without the password.

Based on this, I could argue that if a live image was not possible the next best thing would be to hibernate (rather than shutdown) a live workstation before seizing it. This would preserve the OS state and leave further options for future examination. This would of course overwrite the existing hibernation file which may not be desirable…

Apologies if this is telling old hands how to suck eggs.

Jim

www.binarymarkup.com

Posted : 12/03/2018 12:22 pm
jaclaz
(@jaclaz)
Community Legend

Based on this, I could argue that if a live image was not possible the next best thing would be to hibernate (rather than shutdown) a live workstation before seizing it. This would preserve the OS state and leave further options for future examination. This would of course overwrite the existing hibernation file which may not be desirable…

Well, I could argue that IF the system has never been hibernated before, the effects of writing a new hiberfil.sys file may be detrimental to the amount of data that can be carved from allocated space, and given how (often) hibernation is mal- or non-functioning, it represents IMHO a risk.

I guess it needs to be decided whether the possible trade-offs are worth it depending on the specific case *needs*; I mean, if the scope is knowing whether in the last few minutes/hours a given program has been run, then having a hiberfil.sys is very meaningful, whereas if the scope is finding (say) deleted correspondence it would be safer to shut down the system.

…decisions, always decisions… ;)

jaclaz

Posted : 12/03/2018 2:17 pm
Armando0
(@armando0)
New Member

Thank you @Jaclaz for the helpful summary of the different methods.

Methods (1) and (2) both provide a system-level command prompt at the login screen. This can be used to reset an account password. Method (3) bypasses this and permits login with any password. The end result is almost the same, and all 3 methods require file system access to an unencrypted OS volume.

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners if this scenario has come up or is changing/bypassing the password sufficient in practice despite the limitation?

Jim

www.binarymarkup.com

If you don't want to lose access to EFS-encrypted files or stored network/browser passwords, you have no other way but to recover the old password. Besides using Ophcrack to crack the password using rainbow tables, you can also use the following software to recover your password with GPU hardware acceleration:

RainbowCrack - http://project-rainbowcrack.com/
HashCat - https://hashcat.net/hashcat/
Password Recovery Bundle - https://www.top-password.com/guide/windows-password-recovery.html
Proactive System Password Recovery - https://www.elcomsoft.com/pspr.html

A high-end graphics card can boost the cracking speed a lot.

Posted : 22/06/2018 2:03 am