lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201008010319.AA00223@pc-shio.st.rim.or.jp>
Date: Sun, 01 Aug 2010 12:19:40 +0900
From: Makoto Shiotsuki <shio@...rim.or.jp>
To: full-disclosure@...ts.grok.org.uk
Subject: Screen_unlock - Windows logon screen unlocker

When you have "suspended or hibernated Windows box" and you want to
resume it without user's password, you may be able to accomplish this
by the Winlockpwn in case the box has Firewire port (or PCMCIA slot).
Or you may be able to do this through Ethernet interface by the
Metasploit using pass-the-hash method and meterpreter script
(screen_unlock.rb) if it is not protected by personal firewall.

But what if there is no Firewire port / PCMCIA slot?
What if you cannot access to the box through the Network Card?

Windows' Accessibility tools (mangify.exe, osk.exe, narrator.exe,
sethc.exe) can be executed on the Logon screen and run with "System"
privilege.  By overwriting exe file of the Windows' Accessibility
tool (ex. magnify.exe) in the hard disk directly from another OS,
you will be able to execute any program on the Logon screen with
system privilege.

Screen_unlock is Winlockpwn-like tool based on the screen_unlock.rb
meterpreter script.  But this is a standalone executable runs on
the target box and unlocks the Logon screen by patching msv1_0.dll
loaded by LSASS.

You can download the source code and executable from,

  http://www.st.rim.or.jp/~shio/tools/screen_unlock/screen_unlock.zip
  MD5: 44c804da3ab1491ac34a5a997242f372

Usage: 

  1. Download "screen_unlock.exe" from the web site.
  2. Remove the hard disk from target box and connect it to BT4.
  3. Examine MFT number of the program file you want to overwrite.
  4. Overwrite it with screen_unlock.exe cluster-by-cluster using dd.

     For example:

     (i=0; for c in `istat -f ntfs /dev/sda1 MFT_No | grep '^[1-9]' | 
     tr -d '\n'`; do echo $c; dd if=screen_unlock.exe bs=4096 skip=$i
     count=1 | dd of=/dev/sda1 bs=4096 seek=$c count=1 conv=notrunc;
     i=`expr $i + 1`; done) 

     Cluster size (bs=) must be confirmed before execution!

  5. Put the hard disk back to target box and turn it on.
  6. On the Logon screen, execute utilman by pressing Windows_Key + U.
  7. Select the tool overwritten with screen_unlock.exe and start it.

As you know overwriting hard disk cluster may cause serious damage to
the target system.  Please do this at your own risk.

In case the program file to overwrite (ex. magnify.exe) has been
executed previously, this method may fail.  The SuperFetch feature
of Vista and 7 may become a hurdle.  If you know effective way to
avoid such restrictions, please let me know. :)

Any feedbacks are welcome.
Thank you.

Makoto Shiotsuki


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ