Uploaded by Tuấn Nguyễn

Lab 8: Bypassing a BIOS Password

Assigning a BIOS Password

1. Open a virtual machine (VM), but don't start it. It doesn't matter what OS is installed on the VM. If you don't have a VM handy, just create a new one.
2. When the "PhoenixBIOS Setup Utility" screen appears, click in the VM to capture the keyboard. Then use the keyboard arrow keys to select the Security menu. Press Enter to "Set Supervisor Password".
3. Enter a BIOS password of 12345678 in both boxes, as shown to the right on this page. Use the Enter key to move from one box to the other.
4. After entering the password in both fields, press Enter. A "Setup Notice" box appears saying "Changes have been saved." Press Enter again.
5. Your BIOS screen should now show that the "Supervisor Password" is "Set", as shown to the right on this page.

Entering the Wrong Password Three Times

1. From the VMware Workstation menu bar, click VM, Power, "Power On to BIOS".
2. A blue box asks you to "Enter Password". Enter something wrong, like X, and press Enter. Repeat the process three times.
3. A "System Disabled" box appears, as shown to the right on this page, with a code number visible.
4. Open a Web browser and go to dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html
5. In the "Phoenix (generic)" line, download the "Windows binary" link (or Lab-Proj.08_pwgen-5dec.zip from the instructor).
6. On your desktop, right-click the pwgen-5dec.zip and click "Extract All…". Click Extract.

Using the Keygen

7. A box pops up showing a pwgen-5dec.exe file. Double-click that file. If a warning box pops up, click Run.
8. A command prompt window opens. Click in that box and enter the number from your "System Disabled" message.
9. It finds a series of passwords. Notice that the passwords you get are not the same ones I got, and that they don't include the password you actually set, but one of them will probably still work.

Testing the Generated Password

10. Press Ctrl+Alt to release the keyboard from the VM.
11. From the VMware Workstation menu bar, click VM, Power, "Power Off". Click "Power off".
12. From the VMware Workstation menu bar, click VM, Power, "Power On to BIOS".
13. A blue box asks you to "Enter Password". Enter the password from the "Generic Phoenix BIOS" line in the keygen. When I did it, it was fqhrzg.
14. If the password works, you will see the BIOS open. If it fails, run the keygen again. Every time you run it, it finds different passwords, and they don't all work. But it worked for me two out of three times.
Setting a Boot Password

15. In the Security menu, press the down-arrow to select the "Password on boot" item. Press Enter to select it. A blue box pops up. Press the down-arrow key to highlight Enabled and press Enter.
16. Your BIOS screen should now show that the "Password on boot" is "Enabled", as shown to the right on this page.
17. Press F10 and then Enter to save changes.

Entering the Wrong Password Three Times

18. A blue box asks you to "Enter Password". Enter something wrong, like X, and press Enter. Repeat the process three times.
19. A "System Disabled" box appears, as shown to the right on this page, but this time the code number is 00000.

Saving a Screen Image

20. Make sure your screen shows the "System Disabled" box, with a number of 00000.
21. Press Ctrl+Alt to release the keyboard from the VM. Press the PrntScrn key to save the screen image. Open Paint and paste in the image. Save it as Lab-Proj 8c from YOUR NAME.

Using the Keygen

22. Run the keygen and enter the code of 00000. It generates a password.

Testing the Generated Password

23. Press Ctrl+Alt to release the keyboard from the VM.
24. From the VMware Workstation menu bar, click VM, Power, "Power Off". Click "Power off".
25. From the VMware Workstation menu bar, click VM, Power, "Power On".
26. A blue box asks you to "Enter Password". Enter the password from the "Generic Phoenix BIOS" line in the keygen. It won't work; obviously 00000 is not the real code. This keygen works for BIOS passwords, but not for boot passwords.

Clearing the Passwords

27. Press Ctrl+Alt to release the keyboard from the VM.
28. From the VMware Workstation menu bar, click VM, Power, "Power Off". Click "Power off".
29. From the VMware Workstation menu bar, click VM, Power, "Power On to BIOS".
30. A blue box asks you to "Enter Password". Enter the password you chose originally: 12345678
31. Use the arrow keys to get to the Security page. Highlight "Password on Boot" and press Enter. Use the arrow keys to highlight Disabled and press Enter.
32. In the Security menu, set the "Password on boot" to Disabled.
33. Use the arrow keys to highlight "Set Supervisor Password" and press Enter.
34. In the blue "Set Supervisor Password" box, enter 12345678 in the first line. Press Enter four times.
35. Your BIOS screen should now show that both passwords are Clear, as shown to the right on this page.
36. Press F10 and then Enter to save changes.

Lab 9: Password Cracking of Windows Operating System

Step 1:
Open the Run box by pressing "Windows + R" on the keyboard and type "regedit", as shown in Figure 2 and Figure 3 respectively. Click "OK" to proceed.

Step 2:
The Registry Editor opens, showing the SAM and SYSTEM keys, as shown in Figure 4. The SAM and SYSTEM hive files are located in the "C:\Windows\System32\config" folder, as shown in Figure 5.

Step 3:
These SAM and SYSTEM keys can be accessed in the Registry Editor after granting administrative permissions. Right-click the SAM key as shown in Figure 6. Then allow "Full Control" and "Read" by clicking the check boxes, as shown in Figure 7.

Step 4:
Export the SAM key after granting the administrative permissions. Right-click the SAM key and click "Export" as shown in Figure 8. Save the file with the file name "SAM" and the type "Registry Hive Files", as shown in Figure 9.

Step 5:
In a similar fashion, right-click the SYSTEM key and grant administrative permissions by allowing "Full Control" and "Read" after clicking the check boxes, as shown in Figure 10.

Step 6:
Export the SYSTEM key after granting the administrative permissions. Right-click the SYSTEM key and click "Export" as shown in Figure 11. Save the file with the file name "SYSTEM" and the type "Registry Hive Files", as shown in Figure 12.

Step 7:
Download the "Mimikatz" tool by clicking the "mimikatz_trunk.zip" file on the GitHub website, as shown in Figure 13 and Figure 14.

Step 8:
After downloading the file, unzip "mimikatz_trunk.zip". Now go to "C:/Downloads/mimikatz_trunk/x64/mimikatz" and double-click the mimikatz file, as shown in Figure 15.

Step 9:
The command line prompt of the Mimikatz tool opens, as shown in Figure 16.

Step 11:
Type the command "lsadump::sam /system:C:\Users\NITTTR\Desktop\SYSTEM /SAM:C:\Users\NITTTR\Desktop\SAM" in the Mimikatz command line prompt and press Enter. The command shows the NTLM password hash of the Windows operating system, as shown in Figure 17.
Step 12:
Open the Kali Linux operating system, as shown in Figure 18.

Step 13:
Copy the NTLM hash (recovered with the Mimikatz tool, refer to Figure 17) and store it in a file on the Desktop, as shown in Figure 19. Several NTLM hashes can also be stored in one file to recover their plaintexts together, as shown in Figure 20.

Step 14:
Search for a password wordlist using the Google search engine, as shown in Figure 21. Open the GitHub website and download the ZIP file, as shown in Figure 22.

Step 15:
Save and open the downloaded file, as shown in Figure 23. Open the "Real-Passwords" folder to see the password wordlists, as shown in Figure 24.

Step 16:
Open any password wordlist (e.g., the Top12Thousandprobable-v2.txt file), as shown in Figure 25. Copy the wordlist file to the Desktop and rename it "pwdlist", as shown in Figure 26.

Step 17:
In the Kali Linux operating system, open the hashcat tool. Go to Applications -> Password Attacks -> hashcat, as shown in Figure 27.

Step 18:
A terminal showing the usage of the hashcat tool opens, as shown in Figure 28. The usage text lists the hash modes the tool can recover, as shown in Figure 29 and Figure 30. The NTLM hash has the ID 1000, as shown in Figure 29. The tool also lists the available attack modes, as shown in Figure 30.
Step 20:
Run the command "hashcat -m 1000 -a 0 /root/Desktop/hash /root/Desktop/pwdlist --force" to recover the hash, and "hashcat -m 1000 -a 0 /root/Desktop/hash /root/Desktop/pwdlist --force --show" to display the plaintext of the NTLM hash, as shown in Figure 33. In this command, -m selects the hash mode (e.g., 1000 stands for NTLM hash, refer to Figure 30) and -a selects the attack mode (e.g., 0 stands for a straight attack, refer to Figure 31). The paths to the hash file and the wordlist file are also given in the command. The plaintext of the NTLM hash is displayed in Figure 33 and highlighted in a red rectangular box. The plaintext of the NTLM hash is "password123".
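To show why the straight attack in Step 20 works, here is an added example (not part of the lab and not hashcat's own code): NTLM (hashcat mode 1000) is MD4 over the UTF-16LE password with no salt, so a defender auditing an exported hash list can hash each wordlist entry once and look it up against every account at the same time, which is exactly what -a 0 does. MD4 is implemented in pure Python because hashlib's md4 often needs OpenSSL's legacy provider; the hash list and wordlist below are constructed samples, not the lab's Figure 19 file or pwdlist.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 needs OpenSSL's legacy provider."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, round constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates old d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntlm_hash(password: str) -> str:
    """NTLM (hashcat -m 1000): MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le")).hex()

def audit_ntlm(hashes, wordlist):
    """Straight attack (hashcat -a 0): hash each candidate once, look it up against all targets."""
    targets = {h.strip().lower() for h in hashes if h.strip()}
    found = {}
    for word in wordlist:
        h = ntlm_hash(word)
        if h in targets:  # no salt, so one hash serves every account at once
            found[h] = word
    return found

# Constructed sample inputs: a hash file like the one saved in Step 13 (one hash per
# line) and a short wordlist standing in for pwdlist. Neither comes from the lab.
SAMPLE_HASHES = ["8846f7eaee8fb117ad06bdd830b7586c",  # well-known NTLM of "password"
                 ntlm_hash("password123"), ntlm_hash("Tr0ub4dor&3!x")]
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]

print(audit_ntlm(SAMPLE_HASHES, SAMPLE_WORDLIST))  # hash -> plaintext pairs, like --show
```

Any hit means that account's password appears in a public wordlist and should be changed; the third sample hash stays uncracked because its password is not in the list.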
