I am playing a little game with my brother to see who can get a password and get into a Windows account the fastest.

I have made it so that I can access cmd from the Windows lock screen, with full Admin privileges, and am able to run Linux. I would like to know if there is a way to view the passwords of the Windows accounts without changing said passwords.
Mimikatz? Although it needs the user (target) to have logged in at least once before the last reboot
Plaintext passwords are not stored on disk, so the short answer is no. The slightly longer answer is that you can try to find a hash collision for a given user, but whether this is feasible depends on the strength of a given password.

Finding a hash collision simply involves a brute-force search, because the NTLM hash used to store Windows passwords is quite weak by today's standards. Tools like Ophcrack or hashcat are relatively easy to use.

If perhaps you don't actually need to know the password but just need an authentication bypass, Kon-Boot (which appears to have several vendors using the same name?) is basically a rootkit that gives you an easy authentication bypass. Older versions were freeware, though the more useful updated versions (supporting 64-bit Windows, most importantly) are not.
Tari wrote:
Plaintext passwords are not stored on disk, so the short answer is no. The slightly longer answer is that you can try to find a hash collision for a given user, but whether this is feasible depends on the strength of a given password.


Windows actually does have a plaintext copy you can extract from LSASS provided the user(s) has signed on since the last reboot. That's how the tool I mentioned above works. If it's a fresh boot, however, then yes there's nothing you could recover short of bruteforcing the hash.
hcadam wrote:
Tari wrote:
Plaintext passwords are not stored on disk, so the short answer is no. The slightly longer answer is that you can try to find a hash collision for a given user, but whether this is feasible depends on the strength of a given password.


Windows actually does have a plaintext copy you can extract from LSASS provided the user(s) has signed on since the last reboot. That's how the tool I mentioned above works. If it's a fresh boot, however, then yes there's nothing you could recover short of bruteforcing the hash.


Will it work if using Windows 10 and last logged in with a PIN code?
BigSmoke3320 wrote:
hcadam wrote:
Tari wrote:
Plaintext passwords are not stored on disk, so the short answer is no. The slightly longer answer is that you can try to find a hash collision for a given user, but whether this is feasible depends on the strength of a given password.


Windows actually does have a plaintext copy you can extract from LSASS provided the user(s) has signed on since the last reboot. That's how the tool I mentioned above works. If it's a fresh boot, however, then yes there's nothing you could recover short of bruteforcing the hash.


Will it work if using Windows 10 and last logged in with a PIN code?


I haven't tried it with Windows 10, but I'm pretty sure they use a different method that doesn't store the plaintext in RAM. So no, it won't work as it is, although I think there is (was?) a registry key you could enable that forced it to store plaintext.
hcadam wrote:
although I think there is (was?) a registry key you could enable that forced it to store plaintext.


Yes, there's also a Group Policy/Local Security Policy equivalent of this: "Store passwords using reversible encryption." Once this is done, the (practically) plaintext version should be stored automatically... or just set the flag on your friend's account "Change password on next logon" and then the plaintext version of that new password will be stored on logon.

Once the plaintext version is stored, use this PowerShell module to retrieve the password.
I think my task just got a lot easier. I have found that he didn't choose to sign in with a local account; instead it is a Microsoft account. If I assume correctly, I should be able to view the saved passwords, and see the Microsoft account password, right?
Depends on if his Microsoft Account password is saved in a browser. If it is not saved, I would imagine that it is hashed as well on the system, similar to how passwords normally are.

Also, I believe that if Windows passwords go beyond 14 characters in length, then a different hashing algorithm is employed, one that is a bit stronger.
After digging around, I noticed that I am able to see the credentials using Windows Credential Manager, but the characters are dotted out, and I can't force them to be shown because I don't have the password to that account. However, if I were to use the built-in Windows Administrator account, would the password become un-dotted?
BigSmoke3320 wrote:
After digging around, I noticed that I am able to see the credentials using Windows Credential Manager, but the characters are dotted out, and I can't force them to be shown because I don't have the password to that account. However, if I were to use the built-in Windows Administrator account, would the password become un-dotted?

Unfortunately, no, as the Windows Credential Manager uses the Encrypting File System, which works at a per-user level. You must log on with the session of the SID of the user you want to look through.
oldmud0 wrote:
BigSmoke3320 wrote:
After digging around, I noticed that I am able to see the credentials using Windows Credential Manager, but the characters are dotted out, and I can't force them to be shown because I don't have the password to that account. However, if I were to use the built-in Windows Administrator account, would the password become un-dotted?

Unfortunately, no, as the Windows Credential Manager uses the Encrypting File System, which works at a per-user level. You must log on with the session of the SID of the user you want to look through.


Would the "run as" command work, since I would be using the command in an elevated context?

Also, if Linux would make it easier, I am able to boot into Linux from my external HDD if that will assist in finding where it is stored.
BigSmoke3320 wrote:
oldmud0 wrote:
BigSmoke3320 wrote:
After digging around, I noticed that I am able to see the credentials using Windows Credential Manager, but the characters are dotted out, and I can't force them to be shown because I don't have the password to that account. However, if I were to use the built-in Windows Administrator account, would the password become un-dotted?

Unfortunately, no, as the Windows Credential Manager uses the Encrypting File System, which works at a per-user level. You must log on with the session of the SID of the user you want to look through.


Would the "run as" command work, since I would be using the command in an elevated context?

Also, if Linux would make it easier, I am able to boot into Linux from my external HDD if that will assist in finding where it is stored.

As far as I know, you can't impersonate, and it's very difficult to access the encrypted parts of an NTFS drive from Linux.
Ok, then new idea:

Wait until the next time the computer sleeps, then start a VBScript that reads keypresses and saves them to a string. If this would work, how is it done? I have little experience with Windows 10.
BigSmoke3320 wrote:
Ok, then new idea:

Wait until the next time the computer sleeps, then start a VBScript that reads keypresses and saves them to a string. If this would work, how is it done? I have little experience with Windows 10.

This would work, but I recommend AutoHotKey for capturing anything keyboard-related. Anyway, I don't really want to talk any more about this, as any advice in this thread can go toward real malice.
Ok. I agree.

Quote:
Anyway, I don't really want to talk any more about this, as any advice in this thread can go toward real malice.


EDIT: I have solved the problem. Due to risks claimed by oldmud0 - see above quote - I will not be making the method that I used public. If you would like to find out my method, please pm me with your situation, and what you plan to do with this information. I will do my best to provide prompt replies to these messages.