This exploit takes advantage of the ease of access tool on the login page by ‘tricking’ windows into launching a fully privileged command prompt by selecting ‘make items on the screen larger – magnifier’. By using this method you can simply reset admin account password, just by having physical access to the computer.

Disclaimer: This is for use on a PC that you own. Breaking into someone else’s PC is considered a serious crime in most places. If you make a mistake or change something else, your Windows may become a non-boot. If so, just undo whatever you changed outside of the hack shown here, and it will back to normal. Need I say this is for Educational Purposes! You are responsible for your own thoughts and actions.

1. Launch any OS that allow full access to file system

Here you can use many different linux distros or even a windows disk/usb, as long as you can access the terminal/command prompt, you’re good. In this case, we are going to use Kali linux distro. Insert CD/DVD into drive and reboot the machine. Start your Live DVD. You may need to go into the BIOS screen and change the boot-up order to CD/DVD drive first, HDD second.

2. Navigate to Sys32

Use the file browser in your Linux environment, navigate to %windir%/system32/. You may have to right-click and mount the Windows partition/drive first or use the NTFS-3G command.

Article is written on a macbook with Windows dual booted, there is Windows instance named as BOOTCAMP.

3. Rename Magnify.exe

Find and rename magnify.exe (Magnifier file) to magnify.old. 

mv magnify.exe magnify.old

4. Rename cmd.exe

Find and rename cmd.exe to magnify.exe.

mv cmd.exe magnify.exe

5. Shut Down Linux & Reboot Windows

Log out and reboot, remove CD/DVD/USB, and restart into Windows.

6. Get CMD Prompt Modify Accounts

When Windows reboots, click on the ease of access button in the bottom left corner

Click the second selection “Make items on the screen larger (Magnifier)” and hit apply.

The command prompt should now be in front of you. You now have a system level command prompt. At this point is where you can change the admin password and make any modification to the system using administrator privileges. 

Tip: You can right-click on cmd.exe and click “Run as administrator” inside of Windows for escalated privileges. To edit files, it would never be allowed at basic admin level (caution). Same goes for any app in Windows right click and make the magic happen.

Type net user to get a list of accounts

Change Password: 

net user username new_password

Tip: when you do so, the password changes without prompting you again.

Add an account: 

net user username password /add

Tip: If your username has a space, like John Doe, use quotes like “John Doe”.

Admin that: 

net localgroup administrators username /add

Delete that: 

net user username /delete

Remote Desktop Users Group: 

net localgroup Remote Desktop Users username /add

Net User Syntax Reference:

net user commands 
net user for domain

7. Revert back all changes

Now you should insert your Linux Live CD/DVD/USB and rename the files back to the original names.

1. Repeat Step 1
2. Repeat Step 2
3. Rename magnify.exe back to cmd.exe
4. Rename magnify.old back to magnify.exe
5. Log out, take out CD/DVD USB, reboot into Windows

Recommended resources

Kali Linux
Create Live USB Sticks Rufus

Conclusion

Well, that was how you hack a Windows 7/8/2008/10 administrator account password with Windows Magnifier. This also demonstrates how you could Pwn a machine if you think about it some, have hands on and they have not disabled EoA.  Hope it helps you in some way.

source: https://null-byte.wonderhowto.com, https://thehacktoday.com

The post Hack a Windows 7/8/10 admin account password with Windows magnifier appeared first on ITBlogSec.com.

You may be aware of the fact that a local Windows user with system rights and permissions can reset the password for other users, but did you know that a local user can also hijack other users’ session, including domain admin/system user, without knowing their passwords?

Alexander Korznikov, an Israeli security researcher, has recently demonstrated that a local privileged user can even hijack the session of any logged-in Windows user who has higher privileges without knowing that user’s password, using built-in command line tools.

This trick works on almost all versions of Windows operating system and does not require any special privileges. Korznikov is himself unable to figure out if it is a Windows feature or a security flaw. The issue discovered by Korznikov is not entirely new, as a French security researcher, namely Benjamin Delpy, detailed a similar user session hijacking technique on his blog some six years ago.

Korznikov calls the attack a “privilege escalation and session hijacking,” which could allow an attacker to hijack high-privileged users’ session and gain unauthorized access to applications and other sensitive data. For successful exploitation, an attacker requires physical access to the targeted machine, but using Remote Desktop Protocol (RDP) session on a hacked machine; the attack can be performed remotely as well.

Video Demonstrations and PoC Exploit Released!

https://www.youtube.com/watch?v=oPk5off3yUg&feature=player_embedded

Korznikov has also provided a few video demonstrations of a successful session hijacking (using Task manager, service creation, as well as command line), along with Proof-of-Concept (PoC) exploit.

Korznikov successfully tested the flaw on the newest Windows 10, Windows 7, Windows Server 2008 and Windows Server 2012 R2, though another researcher confirmed on Twitter that the flaw works on every Windows version, even if the workstation is locked.

While Microsoft does not deem it to be a security vulnerability and some experts argued that a Windows user with administrative permissions can do anything, Korznikov explained a simple attack scenario to explain how a malicious insider can easily misuse this flaw:

Some bank employee have access to the billing system and its credentials to log in. One day, he comes to work, logging into the billing system and start to work. At lunchtime, he locks his workstation and goes out for lunch. Meanwhile, the system administrator gets to can use this exploit to access employee’s workstation.

According to the bank’s policy, administrator’s account should not have access to the billing system, but with a couple of built-in commands in windows, this system administrator will hijack employee’s desktop which he left locked. From now, a sysadmin can perform malicious actions in billing system as billing employee account.

https://www.youtube.com/watch?v=VytjV2kPwSg&feature=player_embedded

Well, no doubt, alternatively an attacker can also dump out system memory to retrieve users’ passwords in plaintext, but this is a long and complicated process compared to just running tscon.exe with a session number without leaving any trace and using any external tool.

The issue has been known to Microsoft since last six years, so it’s likely the company doesn’t consider it a security flaw as it requires local admin rights on the computer, and deems this is how its operating system is supposed to behave.

For more technical details, please check Korznikov’s blog directly.

source: http://thehackernews.com, http://www.korznikov.com/

The post Hacker Reveals Easiest Way to Hijack Privileged Windows User Session Without Password appeared first on ITBlogSec.com.