Conclusion

Utilman login bypass and Mimikatz password recovery tools allow getting passwords from a locked Windows system with physical access. The Utilman bypass modifies Windows files to open a system command prompt at login without credentials. Mimikatz extracts plaintext passwords from memory. Together these reveal all logged-in usernames and passwords without knowing the credentials. Physical security is important to prevent such attacks.


If you look at our user Ralf, you will see his password in plain text!

On this system we get pretty much the same results by using the “wdigest” command:

Though I didn’t use Windows 8 in this example, you also have the “livessp” command. As Benjamin
explained to me one day, many Win8 systems tag a MS Live e-mail account to their login credentials.
With Mimikatz you can get both their login password and their e-mail password with one command.
Though beyond the scope of this book, you can also use “mimikatz-command” to do more advanced
functions, including recovering certificates.

Conclusion
In this section we showed how to recover plain text passwords from a remote system. We did so
using the Metasploit Framework’s Meterpreter and the Mimikatz command.
As you can see, relying on complex passwords alone as a security measure is not foolproof. If an
attacker is able to get access to your system, they could possibly obtain your password in plain text.
Chapter 19 – Mimikatz and Utilman
Introduction
For ages the security field mantra has been: if you have physical access, you have total access. And in
many cases this is true.
I performed onsite server and workstation support throughout upstate New York and Northern
Pennsylvania for about 20 years and have seen companies do some really silly things when it comes
to physical security.
I have been in and out of hundreds of facilities, allowed to roam around completely unsupervised.
At one datacenter that I showed up at to repair a server, none of the admins could be found and the
network manager was off site. Not one of them answered their pages or cell phone calls. So the
receptionist did the only logical thing: she ushered me into their server room and left me there,
completely unsupervised for about an hour until someone showed up…
One time I saw a major company prop their secure server room door open with cabling boxes and
leave it unsupervised while they took their hour lunch.
I have a friend who is a retired Special Forces operator, and he told me once that if you are armed
with a tie and a clipboard, no one will stop you. And he was right. Out of my 20 years of doing onsite
server and IT support involving banks, government facilities, research centers and large corporations,
once inside the building I was stopped and asked for ID only three times!
Physical security is very important. In this section we will look at one possible Windows physical
attack using a Kali Live CD, the “Utilman Login Bypass” and the very powerful password revealing
program “Mimikatz”.

Utilman Login Bypass


Okay, this technique is really old, and not technically an attack. It originated from an old Microsoft
Technet Active Directory support forum message. This technique, called the “Utilman Bypass”,
was one recommended technique to log into a Windows server in case you forgot the password.
The Utilman bypass works by manipulating a helpful Windows accessibility function that is available
at the login prompt. It allows a system level command session to open without using credentials.
I have friends who support large networks who tell me that they still use this technique for legitimate
purposes. For example, when older corporate stand-alone systems need to be backed up and
re-purposed and no one can remember the system password, they will use this technique.
To perform this procedure you need a (Kali) Linux boot disk. We will boot from the disk and change
the Windows “Utilman” program, so when the “Windows” + “U” keys are pressed, a command
prompt will open instead of the normal utility menu.
For this example I used a Windows 7 Pro system.

WARNING!!!
*** Warning *** If you do something wrong in this
procedure you could render your Windows system
unbootable. Ye have been warned.

1. On a Windows system, boot from a Kali Linux Live CD:

2. After a while the Kali Desktop will appear. Click “Places” and then select your local hard
drive that will show up as “xx GB Filesystem”:

Open this and your Windows File system will show up:
(NOTE: If the hard drive is not encrypted, you have complete access to the Windows file system at
this point)
3. Now navigate to the “Windows\System32” directory:

What we are going to do now is to rename the original Utilman.exe out of the way, make a duplicate
copy of cmd.exe and rename it to Utilman.exe.
4. Find the “utilman.exe” file and rename it to “utilman.old”:

5. Right click on the “cmd.exe” file and click “copy”, then paste it back right into the same
directory. You should now have both “cmd.exe” and a file called “cmd (copy).exe”, like
so:

6. Now rename the “cmd (copy).exe” file to say “Utilman.exe”.

You should now have two utilman files, a utilman.old (which is the original) and the utilman.exe file
(which is the copy of cmd.exe):
That’s it! We keep the Utilman.old file in case we want to switch it back and restore normal Utilman
functionality.
7. Now just shutdown Kali and let the Windows system boot up normally.
8. At the login screen press the “Windows” and “u” key together. And up pops a system level
command prompt!

If you type “whoami” you will see that you are in fact the user “nt authority\system”, the highest
level access that is available. Notice the login icons are still in the background.
From here you can do anything you want, you have complete access.
This works in all versions of Microsoft Windows OS’s from Windows 9x on up. It also works in
their Server products. Here is a login screen for Server 2012 R2 Datacenter. Notice the “Press
Control-Alt-Delete to sign in” message, and notice the command prompt open with System level
rights:
Modifying the “Sethc.exe” program in the same way also bypasses the Windows login screen. The
“sethc” file implements the Windows Sticky Keys function: under normal operation, if you hit the
Shift key five times in a row, the Sticky Keys dialog box pops up.
With sethc.exe replaced this way, just hit the Shift key five times at the login screen and the system
level command prompt opens.
***Note to admins – Physical access for the most part equals total access. Encrypt your drives and
secure your systems!
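A defender’s check for the swap described above, added here as an example and not taken from the book: it audits utilman.exe and sethc.exe in System32 for the traces the procedure leaves behind (a copy of cmd.exe under the accessibility helper’s name and a leftover .old backup). It assumes an elevated PowerShell 4 or later session (for Get-FileHash) and that Microsoft’s genuine builds record each binary’s own name in the OriginalFilename version field.

```powershell
# Added example (not from the book): audit the accessibility helpers that the
# Utilman / Sticky Keys bypass replaces. Run from an elevated PowerShell prompt.
$sys32   = Join-Path $env:SystemRoot 'System32'
$cmdHash = (Get-FileHash (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash

foreach ($name in 'utilman.exe', 'sethc.exe') {
    $path     = Join-Path $sys32 $name
    $item     = Get-Item $path
    $hash     = (Get-FileHash $path -Algorithm SHA256).Hash
    $orig     = $item.VersionInfo.OriginalFilename
    $findings = @()

    # A straight copy of cmd.exe carries cmd.exe's hash...
    if ($hash -eq $cmdHash) { $findings += 'identical to cmd.exe' }

    # ...and still carries cmd.exe's version resource (OriginalFilename "Cmd.Exe").
    # Assumption: a genuine build names itself after the binary (utilman*, sethc*).
    $stem = [IO.Path]::GetFileNameWithoutExtension($name)
    if ($orig -and $orig -notlike "$stem*") {
        $findings += "OriginalFilename is '$orig'"
    }

    # The procedure in the text keeps the original around as utilman.old.
    $backup = [IO.Path]::ChangeExtension($path, '.old')
    if (Test-Path $backup) { $findings += "backup '$backup' present" }

    # A copied cmd.exe is still Microsoft-signed, so a valid signature proves
    # nothing here; an invalid one is simply an extra finding.
    $sig = Get-AuthenticodeSignature $path
    if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }

    if ($findings.Count) {
        Write-Warning ("{0}: {1}" -f $name, ($findings -join '; '))
    } else {
        Write-Host "$name looks intact"
    }
}
```

A clean result only means the files on disk are unmodified; pair it with the disk encryption and physical controls the note above calls for, since anyone who can boot the machine from their own media can swap the files again.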

Recovering Passwords from a Locked Workstation


Moving forward with this concept, how cool would it be for a penetration tester (if you had physical
access to a system) to be able to grab the passwords off of a Windows system that was sitting at a
locked login prompt? And what if you could get these passwords in plain text?
Well, you can!
A while back I was wondering, what if you were a penetration tester that had physical access to a
system, would it be possible to get passwords off of a locked Desktop? You know, a user is using the
system and dutifully locks his workstation before leaving for lunch.
If you have physical access to the system, this can be done.
First you need to be able to enable the system level command prompt from the login screen. As
discussed above, the “Utilman Login Bypass” trick opens a system level prompt by just pressing the
“Windows” and “u” keys on the keyboard.
Now all we need is a USB drive with Mimikatz installed. It can be downloaded from Gentil
Kiwi’s blog:
http://blog.gentilkiwi.com/mimikatz
1. Again, you need to have already set up the “Utilman Bypass” from above at an earlier point
in time.
2. At the locked Windows desktop, press the “Windows” & “u” keys.

3. Typing “whoami” will verify that we are at system level authority:

4. Navigate to your USB drive, which is the E: drive on my system:

5. CD into your Mimikatz directory and pick the Win32 or x64 version, depending on your
target Operating System.

6. Once in the right Mimikatz directory, run “mimikatz”.

Yes, everything is in French, but you will be okay, trust me.


7. Type “sekurlsa::logonPasswords” or “sekurlsa::logonPasswords full”:

Additional Information:
You may need to go to the Properties menu for the command prompt window and increase the
window size if the data scrolls off the page and you can’t see it. In this example I had to set the
window height to 80.
And as you can see it worked:
Several users have logged onto our test PC and we can view all their user names, their password
hashes and their actual passwords in plain clear text!
As I mentioned earlier, you would need to have physical access to the machine, especially to set up
the initial Utilman Login Bypass. And you need to run Mimikatz, which I just downloaded and put on
a USB drive for convenience.
And someone has to have logged onto the system since it booted. If no one has logged onto the
system yet, there are no passwords in memory for Mimikatz to pull.

Conclusion
In this section we learned how to boot from a Kali Live CD and view the contents of a Windows file
system. If the drive isn’t encrypted we could easily pull user documents and files from it.
We also learned how to set up the Utilman Bypass to log into Windows without the password. Finally
we learned how to use Mimikatz to grab a user’s password in plain text.
As a couple of my friends who do pentesting for the government have said, physical access equals
total access. Shut down your system if you will be away for extended times, and set a power-on
password to protect the boot process from being tampered with. Use an encrypting file system that
encrypts the entire drive.
Secure physical access to important machines. Also turn off or disable DVD/CD-ROM drives and
USB ports if not needed. Some organizations even go to the extent of filling USB ports with glue!
Chapter 20 - Keyscan and Lockout Keylogger
Introduction
Sometimes a penetration tester may have remote access to a user’s machine, but he may not have the
user’s password. Maybe the user has a very long complex password that would just take too long to
crack. What could he do?
Meterpreter in the Metasploit Framework has a great utility for capturing keys pressed on a target
machine. We will start with a system that we have already run an exploit on and were successful in
creating a remote session with Metasploit. We connected to the session with the session command
and are now sitting at a Meterpreter prompt.

Key logging with Meterpreter


We will start with a system that we have already run an exploit on and were successful in creating a
remote session with Metasploit. We connected to the session with the “session -i <ID#>” command
and are now sitting at a Meterpreter prompt.

If we type “help” at the Meterpreter prompt we will be given a list of commands that we can run. For
this section we are concerned with just the “keyscan” commands:

So let’s go ahead and see what it looks like when we start a remote keylogger, then we will view the
captured key strokes.
1. Simply type “keyscan_start” to start the remote logging.

2. Now we just need to wait until our victim types some things on the keyboard. For our
example, go ahead and open your Windows 7 browser and perform a search in Google.
3. Now back on the Kali system, to see what was typed simply enter “keyscan_dump”:

Here you can see from this demo that our target user went to “google.com” and searched for “will
Dallas go 8 and 8 again this year?”
