For a while now, Windows has deferred and disappointed hackers with somewhat secure lock screens for their computers. However, this exploit can bypass these login screens and gain access to internal files. I’ll be doing a full walkthrough on exactly how I did it and hopefully you can get some use out of it.
Disclaimer: Do not do anything mentioned or explained in this article to another person or entity without their permission, and I am not responsible for any actions taken using information from this post.
With that taken care of, let’s get started!
This is a neat bypass method, but you’ll need a few things before you get started →
-
- A Kali Linux bootable USB (I’ll be making a short ‘how-to’ article after this is posted for those who aren’t familiar with Linux)
- Legal access to the computer you’re testing on
- (Optional) A bit of command line knowledge helps, but it’s not necessary.
Physically, you just need a Kali Linux USB. Then, we can head over to the ‘victim’ computer and begin.
1. Boot up the computer on Kali Linux (do NOT complete the boot)
Hopefully you read ahead a bit and didn’t actually load into the Kali Linux OS, because we do need to edit a few things once we get to this screen:
Once you’re on this screen and you’re on ‘Kali GNU/Linux’, press ‘e’. This will bring you to the edit screen for the boot option, and you’ll need to edit a couple of things for our purposes.
2. Edit boot code
Once you’ve hit ‘e’ and made it to this screen, you’ll see something a bit like this, probably with a different resolution. My text looks compacted because I’m on a virtual machine, but it makes little difference for our purposes. Somewhere on your screen, you’ll see ‘ro’ and then either ‘single’ or ‘quiet splash’.
You’ll need to change ‘ro’ to ‘rw’, as we have above. Then, after either ‘single’ or ‘quiet splash’, add ‘init=/bin/bash’. Press Control-X to reboot, and if everything works successfully and you’re presented with a shell move to step 3. Otherwise, repeat the process and change ‘/bin/bash’ to either ‘/bin/zsh’ or ‘/bin/csh’.
3. Root shell! Retrieve and modify some info with our root permissions.
Great. Now we’ve got some things we can do on this machine. We’ll run ‘mount’ to check our work, and if we’re still in the shell everything is good to go.
Run this command to view the usernames registered on the machine:
cat /etc/passwd
This will presumably dump a considerable amount of information, so you might need to sift through it to find the exact username you’re looking for. It should look a bit like this:
root:x:0:0:root:/root:/usr/bin/zsh
...
graham1234:x:1000:1000:graham1234,,,:/home/graham1234
...
A basic command after that…
passwd graham1234
and it will allow you to enter a new password, no checks or authentication required! It works like this for administrative and pretty much worst-case-scenario purposes, but we can use it to our advantage as pen-testers.
4. Lastly, reboot the system
Use this command to reboot, and you should see the default Kali Linux login page:
exec /sbin/init
You should be brought to this page:
Sign in with your credentials that you modified before, using the equivalent of ‘graham1234’ and the password you just set. You should be able to access the filesystem of the user, and now that you’ve changed their password you can use things like ransomware or steal their files (legally, of course). Pretty neat!
I hope this post was informative or helpful to you in some way. If you enjoyed learning about this method, hold down the clap button for a few seconds to support me. If you’d like to see similar articles, check out The Gray Area or grahamzemel.com.
To really contribute to my work and help me out as a writer, sign up for a Medium membership using my referral link.
Thanks!
Originaly published at: https://medium.com/the-gray-area/hacking-a-locked-windows-10-computer-with-kali-linux-82298bc28974
Featured Photo by Renato Ramos Puma on Unsplash
It’s a simple write up that I thought of earlier tonight, as an idea.
How secure is windows 10 vs a method like this? Would it bypass login security?
There’s a much easier and simpler way to do the same thing… Do a clean install of windows 10, from boot with a USB, without formatting the drive. Once it’s finished, you’ll see a windows.old folder… Do with it what you will.
After you’re finished, windows leaves you a handy little option to restore the windows.old backup, this makes it as if you never did any of the above.
At no point in this tutorial was a windows account or OS partition ever touched.
Phase 1, we made boot parameter changes to the Kali live installation on the USB stick. Phase 2, we booted into a root shell having gained admin access of Kali. Phase 3, we list the contents of /etc/passwd. A file containing users on the Kali live OS (not the windows machine) p.s. password credentials don’t live here. They are most likely in /etc/shadow. Phase 4, we changed the password for an account on the Kali live OS, on the usb drive. Phase 5, we logged into Kali Live with the new password we set. This has nothing to do with… Read more »
I don’t see how a locked Windows 10 PC gets hacked?
You can bypass a kali login screen, yes, but windows??
So it seems like click-bait after all.
He wants to access the filesystem of the Windows 10 user, if you read the article he does so using a modded boot loader
Ok, help me understand this pls. From what I understand: We have a kali live USB? What for? Do we boot into it? Anyhow, we somehow end up in the bootloader. The boot options for kali (which is already installed?) are modified correct? Then we get a root shell on kali? Then, we change the password of the user graham1234 of kali? (Afaik, /etc/passwd does not exit on windows, maybe wsl? And the home partition of this user is /home/graham, which is clearly on the kali machine. ) Then, reboot and log into kali with the modified creds? We never… Read more »
Hey there! Just to answer a few questions –
Yes, we have a Kali Linux USB, and we are booting into it but not all the way. We stop the boot to modify our bootloader, and we use the modded Kali distro to access the actual machine itself.
After, we can access credentials stored on the hard drive (through our root permissions), and then if we reboot we can get a GUI with an unprotected filesystem.
The Windows 10 machine is the machine we’re working on, and we don’t need to mount it as we’re just retrieving files and/or credentials.
Hi Graham, Thanks for the clarification. But there are a few things that are still not clear to me. You boot into the the liveUSB, but then, then kali is on a different partition than the Windows OS? Maybe I need to try it myself to see how it works exactly. I know the infamous sticky keys method to bypass the windows login screen, but afaik it does not work on modern windows work-stations anymore. This method seems to be similar but different. Anyhow its an interesting method to bypass the kali login screen. Maybe you could add some more… Read more »
In the tutorial, though, you never accessed files or credentials stored on the windows machine hard disk. To access them, you 100% would have had to mount the drive. Even then, if bitlocker is on, you couldn’t read them.
The only things touched were /etc/passwd (located on the thumb drive) and the boot parameters of kali linux (bootloader on usb drive. The gui you booted was Kali live, not windows.
The password you changed was for a user account on Kali, not windows.
You can do similar account bypasses for windows, but this isn’t it.