EvilZone

So, I'm going to create a scenario so that I understand what you are trying to say.

Walk up to a machine that is already on and running Windows. Plug in a USB with this tool and execute it. This tool would brute force the users password on the spot, without elevated privileges or if necessary run an exploit to acquire the necessary privileges. Is this right?

The important part of that scenario is that you do not want to turn off the machine or reboot into a linux environment. If we can reboot, then we can extract the SAM file, pillage the network, etc.

It's a cool idea, but I'm thinking about all the time it would take to create a tool like that. How does it brute force the password without elevated privileges? I still don't understand why this would be better than walking up to the running machine and executing a trojan. If I have an exploit that allows privilege escalation, I'm going to install a rootkit instead.

I would really like to see a POC. I'm curious how it would work.

Yes is precisely for that specific spot, no reboots, sneaky moment, for example when i was in a security deparment and configured hundred of machines we was sure that no one could boot from CD or anything without our permission, and also, there are more scenarios that come to my mind, anyway gona record a simple POC ASAP setting the machine up.

EDIT: Horrible busy day, sorry, only got a screencap ask for more if you need, it planed to upload at least a gif, but got shit to do. ("Invitado"=Guest User, Administradores = Administrators, 0,49s 1k tests from guest to admin. Can show how i set the password in case someone needs it to believe, anyway i was checking it, and in fact i can almost 2X that speed. Just realized i wrote POF instead of POC, as i said.. busy day, well anyway there you have it )

Well, someone who is into hacking knows that he needs different methods for different circumstances, a new tool offering new posibilities should't be dismissed just cause doesn't let you one click own your "ranged" victims it is one more tool in your arsenal waiting to be used when you need it.

That said, when i mean local, i mean that obviously you can use it once you got remote access to any session, but imho if you are into someone else's session remotely already you can manage to get privileges without brute force, that's why i present it that way, but sure, you can use it once you got at least one non privileged user session.

The additional parts of the program are mostly postexplotation automatizated tasks, so in case you get privileges or pwn the pw you can make it in ninja mode, specially considering that the primary function for this tool is a physical access attack, imagine the scenario, you plug the usb and execute it in a second that no one is looking and the program copy itself to the computer, automatically does what you programed or auto decides what is the best option, then notify you to an email or a server and delete his trace, install some additional free software? who dislikes free software right?, you know that "friend" who left his session open just for a second cause he went to the bathroom but have UAC to ask for pw anyway, or that other friend that has 2 accounts one non pw protected non privileged account and you want to pwn him, well i think you get the idea.

Why is it even more dangerous these days? well, Windows enforces users to create main admin account with their email, then suggest you to use their cloud to backup certain data, so having the password will be brutal, bitlocker? no worries it gathers the key aswell... and just imagine this in a one click tool. One second and you own Admin and postexplotation as desired, email, cloud backups, and bitlocker key.

Anyway my biggest doubt is if someone already had some method to brute force windows user at that speed without privileges, that is the important bit of the kit, if that already exists i have nothing new to offer, as i said i know there is some privilege scalation, but soon to be patched...