Gone in 60 Seconds! Reset a Windows 10 local administrator account in 60 seconds using a bootable Kali USB drive and three commands in the terminal!
To be honest, I don’t run Kali Linux on my daily driver. I find that Ubuntu, with the right tools installed, gets me the mileage I need to get by. With that being said, Kali is a super powerful tool to have in my arsenal, especially in the form of a bootable USB. In a recent engagement where we were tasked with searching for ways into various parts of the IT infrastructure, we were provided a company-provisioned device (and a basic user account) to start with. Our first step? Find a way to elevate local privileges with the information and devices provided, to determine what we could see. Here’s how we did that.
Enter the Kali Bootable Drive
The steps to build a Kali bootable drive are well documented in the various corners of the internet. I prefer the DD approach as it’s a simple one-liner to prep the drive and I pretty much live in the terminal most days anyway.
Boot from USB
Again, booting from USB should be standard fare. On the Dell kit we were provisioned, it was a quick bump of F12 on reboot and a selection from the boot options (this can vary from manufacturer to manufacturer though). This kit didn’t have Secure Boot turned on, nor was the OS drive encrypted, so my job suddenly got a whole lot easier. Boot to “Kali Live (Forensic Mode)” and chill for a bit.
Tracking down the SAM is pretty straightforward – head to the host’s OS drive and then to /Windows/System32/Config and then drop to a terminal session from here.
Doing the ‘actual’ work
The actual work of resetting the password or elevating privilege is as simple as three commands.
To list the users in the SAM > chntpw -l SAM
To edit a user in the SAM (where username is the actual user) > chntpw -u username SAM
and then follow that up with pressing ‘1’ to clear the user’s password or ‘3’ to promote the user to admin.
As an extra step, you’ll likely want to ensure the account is unlocked and enabled by pressing ‘2’.
Save your work
Don’t close the terminal yet – make sure you ‘q’ from chntpw and save your changes to the SAM. Once you do that you should be golden.
All in all, this is a quick way to elevate privileges or take over a local admin account on a workstation and see where you can go. No guarantee this will work in every scenario, but it’s definitely a worthwhile place to start!
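The write-up above hinges on two conditions found on the provisioned laptop: Secure Boot was off and the OS drive was not encrypted, which is what lets a live USB read and rewrite the SAM hive; the exposure is then bounded by how many local accounts in the Administrators group are enabled. The following PowerShell audit is an added example and is not part of the original post; it checks those conditions on a workstation from an elevated session using the standard Confirm-SecureBootUEFI, Get-BitLockerVolume, Get-LocalGroupMember and Get-LocalUser cmdlets. The function name Test-OfflineSamExposure and the report shape are my own choices.

```powershell
# Added example, not from the original post: audit the preconditions the
# offline chntpw reset relies on. Run from an elevated PowerShell session.
# Test-OfflineSamExposure is a hypothetical helper name chosen for this example.
function Test-OfflineSamExposure {
    [CmdletBinding()]
    param(
        # Mount point of the OS volume; defaults to the running system drive.
        [string]$OsDrive = $env:SystemDrive
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Secure Boot. On a legacy BIOS machine (or a non-elevated session) the
    #    cmdlet throws, and that is itself worth reporting.
    $secureBoot = $false
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        if (-not $secureBoot) { $findings.Add('Secure Boot is supported but disabled') }
    } catch {
        $findings.Add("Secure Boot not confirmed (legacy BIOS, unsupported, or not elevated): $($_.Exception.Message)")
    }

    # 2. Full-disk encryption. An unencrypted OS volume is what lets a live USB
    #    open \Windows\System32\Config\SAM and write it back.
    $protection = 'Unknown'
    try {
        $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
        $protection = [string]$vol.ProtectionStatus
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("BitLocker protection is '$protection' on ${OsDrive} (VolumeStatus: $($vol.VolumeStatus))")
        }
    } catch {
        $findings.Add("BitLocker status unavailable on ${OsDrive} ($($_.Exception.Message))")
    }

    # 3. Local accounts in Administrators. Each enabled one can be reset or
    #    promoted offline, so fewer (and disabled) local admins means less exposure.
    $localAdmins = @(
        Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
            ForEach-Object {
                # Member names come back as COMPUTER\user; Get-LocalUser wants the bare name.
                Get-LocalUser -Name (($_.Name -split '\\')[-1])
            }
    )
    $enabledAdmins = @($localAdmins | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name)
    foreach ($name in $enabledAdmins) {
        $findings.Add("Enabled local administrator account: $name")
    }

    [pscustomobject]@{
        SecureBootEnabled   = [bool]$secureBoot
        BitLockerProtection = $protection
        EnabledLocalAdmins  = $enabledAdmins
        Findings            = $findings.ToArray()
        Exposed             = ($findings.Count -gt 0)
    }
}

# Usage: summary first, then one finding per line for a ticket or report.
$report = Test-OfflineSamExposure
$report | Format-List
$report.Findings | ForEach-Object { Write-Output "FINDING: $_" }
```

A host where SecureBootEnabled is True, BitLockerProtection is On and EnabledLocalAdmins is empty (or holds only an account with a managed, rotated password) does not offer the easy path described in the post; any finding in the list maps directly onto one of the steps above and tells you which control to fix first.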