Hardware USB Key to Reset Any Windows Password

  • This tool requires physical access of course, and there are many things you can do once you have physical access, but this piqued my curiosity.

    The tool in question: https://www.kickstarter.com/projects/jontylovell/password-reset-key?ref=discovery

    Obviously the magic to this piece of hardware is what's contained on it, and if that is true, any USB key could be used to accomplish the same job. I know there is software like Katana and the like that can do similar things.

    My question is, does anyone know what this could be running to make this happen? Is it rubber ducky-like (http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe) or something else?

    I'm a security professional and penetration tester by trade, but no administrative Windows expert, and most of my work is done remotely, so I put this out to the on-site guys and the Windows experts.

    I'm not looking to knock off the product; in fact, I think quite the opposite: it's a cool piece of kit and I may purchase one for kicks. Just curious if anyone knows what's going on behind the curtain.

    Try Hiren's Boot CD (HBCD for short). It works great for me... http://www.hirensbootcd.org/download/

    Thanks. I'm familiar with Hiren's, great tool. I was more interested in what the Kickstarter product is using on the software side.

    I was hoping someone might have knowledge of the software itself, but it probably is some sort of barebones Linux with some scripting behind it. Sounds like it may not be off-the-shelf. Thanks for all the great responses, however. I will wait to see if any more come up and then pick an answer. Thanks!

    It's not Linux, it kind of emulates XP. But it does change locally stored passwords, along with a ****load of other stuff I never use :)

    I always thought the GUI it runs was interesting. Looks like XP, acts like something someone wrote in their garage. It has saved me many times, however, when I didn't quite have drivers for hardware and whatnot.

    Yeah, I agree. Still, I think it's one of the best tools to use for saving users from malware and from themselves all on one disk.

  • Ben (correct answer), 7 years ago

    Resetting a Windows password is not equivalent to recovering a Windows password.

    Resetting a password

    The password can be reset by booting to another operating system and editing the registry hive. This is trivial, and there are many tools which can do it, such as Trinity Recovery Kit. I suspect this USB stick just boots to a version of Linux and runs a few scripts.

    In summary: Just write blank password entries into the SAM (which is basically just stored in the registry protected by an ACL so only SYSTEM can access it).

    However, resetting a Windows password denies access to EFS encrypted files and DPAPI encrypted data, since the keys for these are encrypted using a KEK derived from the password. When the user changes their password, they are re-encrypted with the new KEK. Access to EFS and DPAPI resources is lost even if the administrator resets the password.

    Recovering a password

    A recovered password allows continued access to EFS and DPAPI protected resources. In addition, it may give access to additional resources (e.g. it may be a domain logon).

    To recover the password you need a tool like John the Ripper, L0pht or HashCat, which could also run off a USB stick. Extract the hashes from the SAM, feed them to a cracking program, then reboot and log in with the recovered passwords.

    Ben, thanks for the response. Great in-depth writeup about how this works. I didn't realize it was an ACL that protects the registry entry. One thing that made MS08-067 such a huge vulnerability (among other things of course). On the cracking front, it seems like collection to the USB stick and then cracking elsewhere would be a better option, but this isn't being marketed as a hacking tool of course.

    @eficker, not sure what the relationship to MS08-067 is? The ACL on the registry is not really any different to /etc/shadow being accessible only by root; the same methods will work against Linux of course: if you boot to an OS where you are root, you can read everything.

    MS08-067 gave you system-level access, allowing all kinds of access, including dumping the password hashes out of the registry. Anyway, beside the point.

    Whole-disk encryption would help defend against this. Without the decryption key, even an attacker with physical access will not be able to read/modify the registry when booting to their own media. However, that same attacker could install hardware keyloggers or other tools that would help them capture the keys or the authenticators to unlock those keys for later use.
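    The mitigation in the last comment can be audited from the machine itself. This is an added example, not code from anyone in the thread; it assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 or later) and an elevated prompt. It reports, per volume, whether protection is on and whether unlocking requires a pre-boot secret (TPM+PIN, startup key or password), which is what stops an attacker who boots their own media from reading the SAM hive.

```powershell
# Added example (not from the thread): audit BitLocker posture of every volume.
# Assumes modules BitLocker and TrustedPlatformModule and an elevated session.
function Get-DiskEncryptionPosture {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Protector types that require something the user supplies at boot.
        # A TPM-only protector unlocks the OS volume automatically, so it does not
        # stop someone who boots the same machine from alternate media.
        $preBoot = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password' })

        [pscustomobject]@{
            MountPoint    = $vol.MountPoint
            VolumeStatus  = $vol.VolumeStatus          # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionOn  = ($vol.ProtectionStatus -eq 'On')
            Protectors    = ($types -join ',')
            PreBootSecret = ($preBoot.Count -gt 0)
            TpmReady      = if ($tpm) { [bool]$tpm.TpmReady } else { $false }
        }
    }
}

$posture = Get-DiskEncryptionPosture
$posture | Format-Table -AutoSize

# Flag the OS volume specifically: that is where the SAM and SYSTEM hives live.
$osVol = $posture | Where-Object { $_.MountPoint -eq $env:SystemDrive }
if (-not $osVol -or -not $osVol.ProtectionOn) {
    Write-Warning "$($env:SystemDrive) is not protected: registry hives are readable from boot media."
}
elseif (-not $osVol.PreBootSecret) {
    Write-Warning "$($env:SystemDrive) unlocks with TPM only; consider requiring a PIN or startup key."
}
```

Run it as a scheduled inventory job and alert on any OS volume where ProtectionOn is false or VolumeStatus is not FullyEncrypted.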

License under CC-BY-SA with attribution
