Windows bully project

[Untitled00]

I left a project 5 years ago, i thought I had something interesting but never shared with anyone... so I'm here to tell you what I found and I want to hear if it's something worth sharing or just a retarded project not even worth mentioning.

Windows bully:
-The core: Brute force local users-passwords (windows from Vista to 10 SAM not working with AD) without needing privileges in fact the proof of concept is tested from the default guest user attacking a local admin, at a speed of 1Million tests in around 7 minutes, and i think at some point i doubled the speed in a i7, (i'm reading my old notes so it might not be 100% accurate)
-Additional: if the current user had admin privileges it executed a LSASS dump and used mimikatz to extract passwords in 1 second, if it didn't the brute force started.
-Had some aditional features but first i want to see how people react to the core idea.

So the idea was, walking with it in a USB or sth and executing it to get a specific user password as fast as possible.

Things that i want to know, i never heard of a method that could brute force local SAM at that speed without needing privileges... i know there is some vulns of privilege escalation in the wild... but still want to hear thoughts.

Untitled00

[JustSomeBrHUE]

It seems something really useful, can be a good tool to some people, but without a "ranged" attack option your public will be very limited. Most of the people who want to obtain someone's password don't have contact with the machine of the victim so it can be a problem to you.

But if you want to help those who lost their computer password or want to pull the leg of a friend (or enemy maybe...) it will be a really cool tool. 


Oh, and i'm interested in know what are these aditional features, if you don't mind

[Untitled00]

Well, someone who is into hacking knows that he needs different methods for different circumstances, a new tool offering new posibilities should't be dismissed just cause doesn't let you one click own your "ranged" victims it is one more tool in your arsenal waiting to be used when you need it.

That said, when i mean local, i mean that obviously you can use it once you got remote access to any session, but imho if you are into someone else's session remotely already you can manage to get privileges without brute force, that's why i present it that way, but sure, you can use it once you got at least one non privileged user session.

The additional parts of the program are mostly postexplotation automatizated tasks, so in case you get privileges or pwn the pw you can make it in ninja mode, specially considering that the primary function for this tool is a physical access attack, imagine the scenario, you plug the usb and execute it in a second that no one is looking and the program copy itself to the computer, automatically does what you programed or auto decides what is the best option, then notify you to an email or a server and delete his trace, install some additional free software? who dislikes free software right?, you know that "friend" who left his session open just for a second cause he went to the bathroom but have UAC to ask for pw anyway, or that other friend that has 2 accounts one non pw protected non privileged account and you want to pwn him, well i think you get the idea.

Why is it even more dangerous these days? well, Windows enforces users to create main admin account with their email, then suggest you to use their cloud to backup certain data, so having the password will be brutal, bitlocker? no worries it gathers the key aswell... and just imagine this in a one click tool. One second and you own Admin and postexplotation as desired, email, cloud backups, and bitlocker key.

Anyway my biggest doubt is if someone already had some method to brute force windows user at that speed without privileges, that is the important bit of the kit, if that already exists i have nothing new to offer, as i said i know there is some privilege scalation, but soon to be patched...

[JustSomeBrHUE]

Answering your main question, No, I don't think it already exists, I've paste some months searching for a simple and easy tool that don't need much knowledge or skills to do such work, and if it work as you say (just plug and it's done) I'm sure it will be a popular tool really soon. I already found some programs that can do something similar, but most of them just swindle the security but still can't discover the password.

I'm just a random guy interested in hacking stuff. So if you want more trustworthy answers probably it's better to wait the real hackers.

But, let me ask you, when do you plan to put it online?  (Yes, you already got your first downloader hehe)

[spike]

So I have a few questions, first is how is this different than ophcracks rainbow tables? If we are brute forcing a password, don't we also need a dictionary file?

You mentioned walking in with a USB and doing this. Time and the machine that you are working with really matters. If you only have a few minutes, and the target machine is a 2.0 GHz dual core, then simply extracting the SAM file and cracking it offsite with a gpu based tool like oclhashcat may be faster and safer. Yet still, maybe just walking out with the entire damn machine would be easier. Hell if I'm already physically on the network, then there are so many other possibilites other than sitting there and toiling away brute forcing some password.

This also seems like an aweful lot of work for just one password. Maybe it would be easier to walk in with a malicious USB that spawns a shell to your box, then keylog. We could get really creative and buy a fancy keyboard, modify it with a trojan, and mail it to the IT department.

As far as Windows security goes, Windows 10 has new security methods that make it more difficult to pull the passwords out of memory with tools like mimikatz. Here are the links to the limited amount of research that I have done.

Talks about the security methods:
https://adsecurity.org/?p=1535

Talks about a potential for a remote exploit:
https://www.blackhat.com/docs/us-15/materials/us-15-Brossard-SMBv2-Sharing-More-Than-Just-Your-Files-wp.pdf

[Untitled00]

But, let me ask you, when do you plan to put it online?  (Yes, you already got your first downloader hehe)

Not sure if i will share it or not yet, mostly yes, if i see interest and it is something worth (probably will need help with some stuff but nothing critical, mostly input and possible GUI, but we are good with command line tool)

So I have a few questions, first is how is this different than ophcracks rainbow tables? If we are brute forcing a password, don't we also need a dictionary file?

You mentioned walking in with a USB and doing this. Time and the machine that you are working with really matters. If you only have a few minutes, and the target machine is a 2.0 GHz dual core, then simply extracting the SAM file and cracking it offsite with a gpu based tool like oclhashcat may be faster and safer. Yet still, maybe just walking out with the entire damn machine would be easier. Hell if I'm already physically on the network, then there are so many other possibilites other than sitting there and toiling away brute forcing some password.

This also seems like an aweful lot of work for just one password. Maybe it would be easier to walk in with a malicious USB that spawns a shell to your box, then keylog. We could get really creative and buy a fancy keyboard, modify it with a trojan, and mail it to the IT department.

The point of this tool is versatility and adaptability so new ideas are welcome.

As long as what is new compared to extracting sam, as far as i know, (or as i knew), there is no method to extract SAM without being already an admin or having specific privileges (or specific vulnerabilities), so the deal here is, adding the possibility of brute forcing fast without the need of extracting the SAM nor needing prior privileged user in a fresh installation of windows, just as it comes is vulnerable to this bruteforce method, remember 1million combos in 7 minutes, probably less, can check later today if someone wants a current benchmark or any more proof of concept or whatever. (Yes dictionary is needed forgot to mention, planed on adding a tool to create personalized dictionaries, there is some cool links related to that in this forum, so it is a matter of including this to make the tool more comfortable and adaptable so chance of standard dictionaries or custom ones, or mixed up)(about the time, i think it is not so CPU hungry, but can check in some old PC's that are lying around here, and as i said, the point could be to dump it locally when you exec, ejecting USB and it does the task in the background without noticing at all then sending it somewhere or storing it somewhere then clean)
P.D.: thanks for the links checking it later.

[spike]

So, I'm going to create a scenario so that I understand what you are trying to say.

Walk up to a machine that is already on and running Windows. Plug in a USB with this tool and execute it. This tool would brute force the users password on the spot, without elevated privileges or if necessary run an exploit to acquire the necessary privileges. Is this right?

The important part of that scenario is that you do not want to turn off the machine or reboot into a linux environment. If we can reboot, then we can extract the SAM file, pillage the network, etc.

It's a cool idea, but I'm thinking about all the time it would take to create a tool like that. How does it brute force the password without elevated privileges? I still don't understand why this would be better than walking up to the running machine and executing a trojan. If I have an exploit that allows privilege escalation, I'm going to install a rootkit instead.

I would really like to see a POC. I'm curious how it would work.

[Untitled00]

So, I'm going to create a scenario so that I understand what you are trying to say.

Walk up to a machine that is already on and running Windows. Plug in a USB with this tool and execute it. This tool would brute force the users password on the spot, without elevated privileges or if necessary run an exploit to acquire the necessary privileges. Is this right?

The important part of that scenario is that you do not want to turn off the machine or reboot into a linux environment. If we can reboot, then we can extract the SAM file, pillage the network, etc.

It's a cool idea, but I'm thinking about all the time it would take to create a tool like that. How does it brute force the password without elevated privileges? I still don't understand why this would be better than walking up to the running machine and executing a trojan. If I have an exploit that allows privilege escalation, I'm going to install a rootkit instead.

I would really like to see a POC. I'm curious how it would work.

Yes is precisely for that specific spot, no reboots, sneaky moment, for example when i was in a security deparment and configured hundred of machines we was sure that no one could boot from CD or anything without our permission, and also, there are more scenarios that come to my mind, anyway gona record a simple POC ASAP setting the machine up.

EDIT: Horrible busy day, sorry, only got a screencap ask for more if you need, it planed to upload at least a gif, but got shit to do. ("Invitado"=Guest User, Administradores = Administrators, 0,49s 1k tests from guest to admin. Can show how i set the password in case someone needs it to believe, anyway i was checking it, and in fact i can almost 2X that speed. Just realized i wrote POF instead of POC, as i said.. busy day, well anyway there you have it )

[spike]

Huh. That's pretty cool. I would like to work on it with you. What language is it in? Pop in the #coding channel on IRC so we can talk about it.