lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ADC6B4D847A6C74A94ECA2B78BEC05DB05929AC6FB@susday214.corp.ncr.com>
Date: Sun, 1 Aug 2010 05:08:17 -0400
From: "McGhee, Eddie" <Eddie.McGhee@....com>
To: Makoto Shiotsuki <shio@...rim.or.jp>, "full-disclosure@...ts.grok.org.uk"
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Screen_unlock - Windows logon screen unlocker

Cool idea but come on, once we have physical access there's no need to disconnect the hdd and connect to another machine, there is plenty tools out there already to get access, I suppose it does show a slightly different method though so thumbs up I suppose. 

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Makoto Shiotsuki
Sent: 01 August 2010 04:20
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Screen_unlock - Windows logon screen unlocker

When you have "suspended or hibernated Windows box" and you want to resume it without user's password, you may be able to accomplish this by the Winlockpwn in case the box has Firewire port (or PCMCIA slot).
Or you may be able to do this through Ethernet interface by the Metasploit using pass-the-hash method and meterpreter script
(screen_unlock.rb) if it is not protected by personal firewall.

But what if there is no Firewire port / PCMCIA slot?
What if you cannot access to the box through the Network Card?

Windows' Accessibility tools (mangify.exe, osk.exe, narrator.exe,
sethc.exe) can be executed on the Logon screen and run with "System"
privilege.  By overwriting exe file of the Windows' Accessibility tool (ex. magnify.exe) in the hard disk directly from another OS, you will be able to execute any program on the Logon screen with system privilege.

Screen_unlock is Winlockpwn-like tool based on the screen_unlock.rb meterpreter script.  But this is a standalone executable runs on the target box and unlocks the Logon screen by patching msv1_0.dll loaded by LSASS.

You can download the source code and executable from,

  http://www.st.rim.or.jp/~shio/tools/screen_unlock/screen_unlock.zip
  MD5: 44c804da3ab1491ac34a5a997242f372

Usage: 

  1. Download "screen_unlock.exe" from the web site.
  2. Remove the hard disk from target box and connect it to BT4.
  3. Examine MFT number of the program file you want to overwrite.
  4. Overwrite it with screen_unlock.exe cluster-by-cluster using dd.

     For example:

     (i=0; for c in `istat -f ntfs /dev/sda1 MFT_No | grep '^[1-9]' | 
     tr -d '\n'`; do echo $c; dd if=screen_unlock.exe bs=4096 skip=$i
     count=1 | dd of=/dev/sda1 bs=4096 seek=$c count=1 conv=notrunc;
     i=`expr $i + 1`; done) 

     Cluster size (bs=) must be confirmed before execution!

  5. Put the hard disk back to target box and turn it on.
  6. On the Logon screen, execute utilman by pressing Windows_Key + U.
  7. Select the tool overwritten with screen_unlock.exe and start it.

As you know overwriting hard disk cluster may cause serious damage to the target system.  Please do this at your own risk.

In case the program file to overwrite (ex. magnify.exe) has been executed previously, this method may fail.  The SuperFetch feature of Vista and 7 may become a hurdle.  If you know effective way to avoid such restrictions, please let me know. :)

Any feedbacks are welcome.
Thank you.

Makoto Shiotsuki


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ