Escalating privileges with physical access

While writing this chapter, Bo was given a chore by a friend who needed SYSTEM access to their laptop. They had gotten a call from a social engineer claiming to be from Microsoft, who told them there was a problem on their computer. The pitch was that the "Microsoft engineer" had somehow noticed that the friend's PC was infected and was there to help. After destroying files on the laptop, the scammers locked the system with a password and locked out all the accounts except the one used during the exploit. They demanded $199.00 for the password. Even a smart and knowledgeable person can be caught by a good social engineering con. This shows the power of social engineering and also proves that people are the weakest link in security. We have gotten people's passwords just by asking, while doing social engineering tests of security awareness at various companies.

As explained, the system is locked by an application that launches on boot and runs before the system is fully started. We have no access to the machine at this point. Since the machine has been compromised, we know that to be fully sure of no further infection, we need to nuke the operating system and re-install it. We need to get rid of the malicious user accounts before we attempt to reinstall the operating system. Kali is more than an exploitation toolkit. It can be a recovery toolkit, and it is easier to use than a lot of the more expensive recovery toolkits found online. It also protects you from the chance that a supposed password-recovery tool you find online is actually a Trojan, or is infected with a rootkit. That would make your job harder than it already is.

Meet Bo's little friend, Tux. This is a USB drive that has Kali Linux installed. It is a useful tool for the recovery of passwords, as we are about to do. Look out, though. This penguin bites!


To get into the system, we will boot off the USB drive. This can be a headache, fighting with UEFI secure boot on newer machines. UEFI doesn't really secure anything; it just gets in the way when booting or installing any operating system other than Windows. How to do this depends on the laptop manufacturer. You will want to set it to boot from legacy devices. Once the BIOS is set, use the system's boot menu to boot from the USB.

Once the system is booted, open the file manager and you will see that it shows two new drives: Windows and WinRE. The Windows drive is the laptop's C: drive. WinRE is the recovery drive. In principle, you should be able to restore from this drive, but the normal user doesn't set this up, and Windows doesn't automatically create a recovery image of the system. In this case, as is usual, recovery from this drive is no help. By clicking on the Windows drive, we can see the full contents of the laptop's drive, with full SYSTEM access to these files. We can now copy the user's files from this drive to another drive to save the user's data. So just by booting from the Kali USB, we have fully elevated privileges on the machine to copy files and, as we will see, to get password hashes and actually change the registry settings.

Robbing the Hives with samdump2

Samdump2 is a tool to obtain password hashes with access to the registry hives. With Windows not running, these hives are not locked, so reading and writing to these hives is trivial with the level of access we have. With the drive mounted this way, the registry hives are located in the /media/root/Windows/Windows/System32/config/ directory. You must use the full directory tree when running samdump2. Going to the directory and trying to run samdump2 directly to the file will fail. We will need to use two of the hives: both the SYSTEM and SAM hives.

Running samdump2 with no options, or using the -h flag, will give you the options we see in the following. Samdump2 has but three options:

  • -h runs the help
  • -d runs the dump
  • -o file writes the output to the named file

So, we need to run the following command:

samdump2 -d /media/root/usbdisk/Windows/Windows/System32/config/SYSTEM /media/root/usbdisk/Windows/Windows/System32/config/SAM

We get the following output. Note that Root Key lists CsiTool-CreateHive with a zeroed-out ID number. This is from the compromise of the system and shows that the whole registry is compromised. CsiTool is a toolkit that is normally used for fixing systems, but as you can see, tools that can fix can also be used to destroy:

Root Key : CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}
Default ControlSet: 001
********* CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\Lsa\JD *********
n->classname_len = 16 b = 339ea44
********* CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\Lsa\Skew1 *********
n->classname_len = 16 b = 339ea7c
********* CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\Lsa\GBG *********
n->classname_len = 16 b = 339ead4
********* CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\Lsa\Data *********
n->classname_len = 16 b = 339eb14
Bootkey unsorted: 9d93e73af06c13e1378a679b822938f3
Root Key : CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}

Here, we can see that the crackers changed the access of the local user accounts, disabling all but the logged-in user:

******************** 1 ********************
keyname = CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account\Users\000001F4
disabled = 1

username len=13, off=188
lm_hashoffset = 230, lm_size = 4
nt_hashoffset = 234, nt_size = 14

f50f9419a42269f7cf0ee92704e49671
******************** 2 ********************
keyname = CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account\Users\000001F5
disabled = 1

username len=5, off=17c
lm_hashoffset = 200, lm_size = 4
nt_hashoffset = 204, nt_size = 4
******************** 3 ********************
keyname = CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account\Users\000003E9
disabled = 0

username len=7, off=188
lm_hashoffset = 1c4, lm_size = 4
nt_hashoffset = 1c8, nt_size = 14

624107d6d19f48b32135d7757a8c25d4

Here, we have obtained the hashes of the local accounts, and we can see that all are disabled except for the user onelove. These hashes could be written to a file, and a tool such as Johnny can be used to crack them:

******************** -1 ********************
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:ae9ff1043105688506c9762a0fced32f:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
onelove:1001:aad3b435b51404eeaad3b435b51404ee:9c0f3e5fea832931e493f7beb9e391d7:::
root@kali:~# 

Owning the registry with chntpw

Chntpw (change NT password) is a command-line tool that will not only change user settings, including the password, but can also edit registry settings in any connected hive. With this tool, you must use the full path to the hives. The following is a copy of the help for this tool:

root@kali:~# chntpw -h
chntpw: change password of a user in a Windows SAM file,
or invoke registry editor. Should handle both 32 and 64 bit windows and
all version from NT3.x to Win8.1
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username or RID (0x3e9 for example) to interactively edit
 -l          list all users in SAM file and exit
 -i          Interactive Menu system
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor), 
 -v          Be a little more verbose (for debuging)
 -L          For scripts, write names of changed files to /tmp/changed
 -N          No allocation mode. Only same length overwrites possible (very safe mode)
 -E          No expand mode, do not expand hive file (safe mode)

Usernames can be given as name or RID (in hex with 0x first)

See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!

After booting from a Kali USB, you will see the Windows drive connected in the File Manager. To run chntpw against the hives, you must use the full path to the hives, just as you did with samdump2. Here we're going to re-enable a disabled account and blank out the password, so we will need to access the SAM, SYSTEM, and DEFAULT hives. To be able to edit the full registry, you would need to load all the hives. For our needs, we are just going to load the three and edit the Administrator account. So run the following command. In print this command wraps over several lines, but you want to run all of it on a single line:

chntpw -u Administrator -i /media/root/usbdisk/Windows/Windows/System32/config/SAM /media/root/usbdisk/Windows/Windows/System32/config/SYSTEM /media/root/usbdisk/Windows/Windows/System32/config/SECURITY /media/root/usbdisk/Windows/Windows/System32/config/DEFAULT

You'll see output from the application loading the hives, and then the interactive command screen, as follows:

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: </media/root/usbdisk/Windows/Windows/System32/config/SAM> </media/root/usbdisk/Windows/Windows/System32/config/SYSTEM> </media/root/usbdisk/Windows/Windows/System32/config/SECURITY> </media/root/usbdisk/Windows/Windows/System32/config/DEFAULT>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

Here, we enter a 1 to edit the user data and password:

What to do? [1] -> 1


===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | onelove                        | ADMIN  |          |

Here, we enter the RID of the Administrator (01f4). We can then see the settings for this account. We see that the account is disabled. We'll need to change that:

Please enter user number (RID) or 0 to exit: [3e9] 01f4
================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Administrator
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

00000220 = Administrators (which has 2 members)

Account bits: 0x0215 =
[X] Disabled        | [ ] Homedir req.    | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 13

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Unlock and enable user account [probably locked now]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select

Next, we enter 2 to unlock the account:

Select: [q] > 2
Unlocked!
================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Administrator
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 13

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select

Next, let's blank the password by entering 1:

Select: [q] > 1
Password cleared!
================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Administrator
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

00000220 = Administrators (which has 2 members)

Now we see that the Disabled field is unchecked:

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 13

In the following, we see that no NT MD4 or LANMAN hash is found:

** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 

By enabling the Administrator account, you could then bypass the cracker's tools. Still, as you can see, the compromise of the registry with CsiTool even changed the root key of the hives, so the system cannot be trusted and needs to be reformatted and the OS reinstalled.

"The only way to be sure is to nuke it from orbit."

You can also use this tool when the system administrator's account password has been forgotten and needs to be reset. We have found this tool to be better than the NTcrack boot disk we have depended on for years.
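As an added example (not from the book or from the samdump2/chntpw projects), the following Python helper parses pwdump-style lines like the three samdump2 printed earlier and flags what an auditor cares about: disabled accounts, the well-known empty-password NT hash, and a stored LM hash. It also decodes the "Account bits" value chntpw shows, so 0x0215 and 0x0214 can be checked against the panels above. The sample dump is constructed from the lines on this page.

```python
from dataclasses import dataclass

# Well-known hashes of the empty password (standard constants, not machine-specific).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# SAM account-control bits, labelled the way chntpw's "Account bits" panel shows them.
ACCOUNT_BITS = {0x0001: "Disabled", 0x0002: "Homedir req.", 0x0004: "Passwd not req.",
                0x0008: "Temp. duplicate", 0x0010: "Normal account", 0x0020: "NMS account",
                0x0040: "Domain trust ac", 0x0080: "Wks trust act.", 0x0100: "Srv trust act",
                0x0200: "Pwd don't expir", 0x0400: "Auto lockout"}

@dataclass
class SamEntry:
    user: str
    rid: int
    disabled: bool
    lm_hash: str
    nt_hash: str

    def findings(self):
        # States worth reporting when auditing a dumped SAM.
        out = ["disabled"] if self.disabled else []
        if self.nt_hash == EMPTY_NT:
            out.append("blank password")
        if self.lm_hash != EMPTY_LM:
            out.append("LM hash stored")  # LM hashes are trivially recoverable
        return out

def parse_pwdump(text):
    # Parse user:rid:lm:nt::: lines; separators, prompts and blank lines are skipped.
    entries = []
    for line in text.splitlines():
        line = line.strip()
        disabled = line.startswith("*disabled*")
        parts = line.removeprefix("*disabled*").strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append(SamEntry(parts[0], int(parts[1]), disabled, parts[2].lower(), parts[3].lower()))
    return entries

def decode_account_bits(value):
    # Names of the set bits in the order chntpw lists them, e.g. 0x0215 -> Disabled, Passwd not req., ...
    return [name for bit, name in sorted(ACCOUNT_BITS.items()) if value & bit]

# Constructed sample: the three lines samdump2 printed above, with the prompt that followed them.
SAMPLE_DUMP = """\
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:ae9ff1043105688506c9762a0fced32f:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
onelove:1001:aad3b435b51404eeaad3b435b51404ee:9c0f3e5fea832931e493f7beb9e391d7:::
root@kali:~#
"""
```

Run `parse_pwdump(SAMPLE_DUMP)` and call `findings()` on each entry; Guest comes back as both disabled and blank-password, which is why re-enabling accounts without setting a password deserves a second look.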

In this case, we still need to retrieve the user's files before nuking the system. Using Kali, you have full control of the drive, so you can find the user's files. Insert another empty USB drive into the system and copy the user's files from the Windows drive onto the empty USB drive using the File Manager.
