Windows 10 Virtualisation & Microsoft user accounts


Brevs11
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Posted: Jan 30, 19 09:03

I'm running the latest build of Windows 10, with a Microsoft account protected with a PIN. I removed the Ethernet cable, rebooted, and I could still log in with the same PIN, so it's cached locally somewhere.
 
  

randomaccess
Senior Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Posted: Jan 30, 19 13:04

Yep, it's cached.
I get the feeling it's just treated like a domain account. You can log in to a domain account offline.
Where does Windows cache the passwords there?
 
  

Brevs11
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Posted: Jan 30, 19 13:49

- randomaccess

Where does Windows cache the passwords there?

It seems as though only Microsoft and the person who wrote Mimikatz know.

The Mimikatz notes get really heavy, but I was reading that it's stored in memory somewhere.

I've had a little bit of success this morning extracting a Windows 10 NT hash using Mimikatz and then using Ophcrack and rainbow tables to decode the hash. So it's do-able but not pretty.

What I'm really looking for now is something that will allow you to overwrite the NT hash as blank rather than having to extract the hash and then crack it.

Unfortunately I'm not clever enough by a long way to do it myself.
 
  

MrMacca
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Posted: Jan 30, 19 15:19

I've been doing some experimentation with VMs and I've had about a 90% success rate on systems that have a Microsoft account attached rather than a local account.

Here was my method:

Software required:
AOMEI Backupper Standard
Passware 2019 - password removal disk created using this.
VirtualBox
Arsenal Recon Image Mounter

1 - Mount the E01 image of the laptop you want to virtualise with Arsenal Recon Image Mounter.
2 - Run AOMEI Backupper to view the mounted drive and calculate the required size of the drive + 30 GB extra.
3 - Create a VHD of the required size that is fixed.
4 - Attach this VHD so that Disk Management in Windows can see it, then format it to GPT.
5 - Now open up AOMEI Backupper Standard and then clone the E01 image that is mounted to this new blank VHD. The reason I use AOMEI Backupper is so that it condenses the drive down to its required size.
6 - Detach this VHD using Disk Management and then make a backup copy of it.
7 - Once this is cloned, create a new VirtualBox VM and attach the VHD to it. Configure the settings of VirtualBox to hopefully get it to boot successfully.
8 - If it doesn't boot, then download the Windows ISO 1703 version (I had to use this version as the bootrec commands sometimes didn't work properly). Boot the VM using this ISO and then run a repair. Run bootrec /FixMbr, /FixBoot, /ScanOs and /RebuildBcd (run them individually).
9 - Hopefully the image now boots to the login screen. If it does, shut it down.
10 - Add the Passware password removal ISO tool to the boot and boot into it. (I had to change to and from UEFI to get this to work.)
11 - Passware password removal should then give you the option to modify the password of the Microsoft account. It will change the password to 12345678.
12 - Finalize the changes, reboot and then, when back at the login screen, enter 12345678 as the password, and it should log in.

This has allowed us to gain access to other programs such as Roboform and retrieve passwords for additional accounts.  
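
The disk and VM preparation in steps 3, 4, 6 and 7 above, scripted with diskpart and VBoxManage as an added example that is not part of the original post. The paths, VM name, disk size, memory setting, the SHA-256 check on the backup copy and the disabled network adapter are assumptions; cloning and the later steps stay with the tools named in the post.

```powershell
# Added example: steps 3, 4, 6 and 7 of the method above. Run from an elevated prompt.
# All paths, names and sizes are hypothetical placeholders, not values from the post.
$Vhd    = 'D:\cases\case001\working.vhd'
$Backup = 'D:\cases\case001\working-backup.vhd'
$SizeMB = 150 * 1024      # size worked out in step 2 (required size + 30 GB), in MB
$VmName = 'case001-win10'

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart runs a command script passed with /s; stop on any failed command
    $script = New-TemporaryFile
    try {
        Set-Content -Path $script.FullName -Value $Commands -Encoding ASCII
        diskpart /s $script.FullName
        if ($LASTEXITCODE -ne 0) { throw "diskpart exited with code $LASTEXITCODE" }
    } finally {
        Remove-Item $script.FullName
    }
}

# Steps 3-4: fixed-size VHD, attached so Disk Management sees it, initialised as GPT
Invoke-DiskPart @(
    "create vdisk file=`"$Vhd`" maximum=$SizeMB type=fixed",
    "select vdisk file=`"$Vhd`"",
    "attach vdisk",
    "convert gpt"
)

# Step 5 is done by hand in the cloning tool
Read-Host 'Clone the mounted image onto the new disk, then press Enter'

# Step 6: detach, keep a backup copy, and confirm the copy matches the working VHD
Invoke-DiskPart @("select vdisk file=`"$Vhd`"", "detach vdisk")
Copy-Item -Path $Vhd -Destination $Backup
$h1 = (Get-FileHash -Path $Vhd -Algorithm SHA256).Hash
$h2 = (Get-FileHash -Path $Backup -Algorithm SHA256).Hash
if ($h1 -ne $h2) { throw 'Backup copy does not match the working VHD' }
"$h1  $Vhd" | Add-Content -Path "$Vhd.sha256"   # recorded for the case notes

# Step 7: VM with the VHD on a SATA controller and no network adapter (assumption)
VBoxManage createvm --name $VmName --ostype Windows10_64 --register
VBoxManage modifyvm $VmName --firmware efi --memory 4096 --nic1 none
VBoxManage storagectl $VmName --name SATA --add sata
VBoxManage storageattach $VmName --storagectl SATA --port 0 --device 0 --type hdd --medium $Vhd
```

The firmware setting can be switched with `VBoxManage modifyvm $VmName --firmware bios` if the VM needs to go to and from UEFI as the post describes.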
 
  

Brevs11
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Posted: Jan 30, 19 15:48

- MrMacca
I've been doing some experimentation with VMs and I've had about a 90% success rate on systems that have a Microsoft account attached rather than a local account.

If you had VFC, could you just create a VM and then attach the Passware ISO image as a virtual CD-ROM drive and then boot to it?

According to the Passware website it does support Windows Live IDs, but it doesn't specify if it supports the change to the NT hash location that was made with Windows 10 Anniversary Edition; perhaps that's where your 10% failure rate lies?
 
  

MrMacca
Member
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Posted: Jan 30, 19 15:58

I will do some testing regarding the latest version of Windows and see if that is indeed the issue.

The tool would say that it was changing the password, but when loading up the users and entering the changed password, it would just reject it.  
 
  

sdenis
Newbie
 

Re: Windows 10 Virtualisation & Microsoft user accounts

Posted: Mar 11, 19 20:11

I've been able to reset the password for a Microsoft account on a virtual machine with Reset Windows Password from www.passcape.com/

This was with an early version of Windows 10; I haven't needed it since.
 
