Windows and Linux Authentication Bypass with AIM

00:00

welcome back everyone today I want to

00:01

talk about Arsenal image mounter 3.9 and

00:04

they've added three features that are

00:05

just amazing so I thought I should talk

00:08

about them so the first one we're going

00:09

to look at a Linux disk image I'm using

00:11

the magnet Lenovo disk image we can

00:14

mount it as disk device read only and if

00:16

we do that then it will show up as a

00:18

logical volume in Windows we can do a

00:20

disk device right temporary it'll also

00:22

show up as a logical volume but we can

00:24

actually write to it and we're going to

00:26

select that one and then select delete

00:27

differencing file after unmount so

00:30

basically any rights are sent to a

00:32

temporary file instead of to the actual

00:35

suspect data we could also do Windows

00:37

File system driver bypass read only

00:39

problem with this is we're looking at a

00:41

Linux image so this isn't a Windows

00:44

image so this wouldn't work for us then

00:46

click ok so now we have our Linux image

00:48

mounted on e Drive what I can do next is

00:50

launch VM and launch VM requires hyper-v

00:53

installed on Windows you do have to have

00:55

a Windows pro version unless you do

00:57

something kind of hacky and then you can

00:59

get it for Windows was home you want to

01:00

try hyper B out I'll give some

01:02

instructions below okay so we can do

01:03

launch VM and really the new thing that

01:05

I want to show you is bypass Linux

01:07

authentication has been added so if we

01:10

click that click ok now the virtual

01:13

machine is going to start up this image

01:15

does have a user password set so here we

01:18

see the user login account if I just

01:20

click on it and I'm in so they've

01:22

already bypassed the user password now I

01:24

can go to things like the user's browser

01:26

go to passwords and then we can see

01:29

different accounts that have been saved

01:30

and we can see what their actual

01:32

password is what this doesn't do is

01:35

unlock the key ring so it allows you to

01:38

log in and you can get access to

01:40

anything that the user has permissions

01:42

for but things like the key ring are not

01:44

automatically unlocked or at least it

01:46

doesn't seem like they are so that's

01:47

Linux authentication bypass now I can go

01:49

in and interact with the system just

01:51

like I was the user next we can do

01:53

basically the same thing for Windows go

01:55

to mount disk image select the image

01:58

that we want I'm going to choose Lone

01:59

Wolf because I think everyone's familiar

02:01

with that one same idea disk device read

02:03

only disk device right temporary I'm

02:05

going to go ahead and select write

02:06

temporary delete differencing file after

02:08

unmapped click OK it's now mounting and

02:11

you can see we have local disk e g and H

02:14

in the Explorer menu if I click on E

02:17

then we get something that looks a lot

02:19

like the system drive for a Windows

02:21

system and it is actually this drive was

02:24

mounted under e now I can search the

02:26

suspect's data directly from my system

02:28

using whatever tool I choose to recovery

02:32

is exactly what we expect in h we don't

02:34

have access to there's a lot of

02:35

different options now with Windows

02:37

systems but we're going to go ahead and

02:39

launch VM so this looks a little bit

02:41

different than the Linux system we have

02:43

a few more options and they're all

02:44

specific to Windows we can do things

02:46

like inject aim virtual machine tools

02:48

and adjust boot drivers we want to do

02:50

that boot with last Windows shutdown

02:51

time and then bypass Windows

02:53

authentication that's what we're

02:54

interested in here and we specifically

02:56

want to try to bypass data protection

02:58

API or DP eapi and any accounts where

03:02

data protection API can be bypassed

03:04

should be detected here and we do have

03:05

one account that's detected click that

03:07

click ok so now we have our jcloudy

03:10

account and there's the password field

03:12

if I just hit enter I'll be able to go

03:14

in because we've bypassed authentication

03:16

now I can see the user's desktop as they

03:18

would have used it I can also open up

03:20

their browser and it says it wasn't shut

03:22

down correctly do you want to restore

03:23

Pages we could potentially restore that

03:25

I'm not going to and then we can go to

03:27

settings Advanced passwords and forms

03:31

manage passwords we can see the websites

03:33

that were saved the username for that

03:35

website and then the password that they

03:37

were using and unlock that password

03:38

unlike Linux Windows uses data

03:42

protection API and it doesn't use that

03:44

key ring so we don't have to unlock a

03:46

key ring as soon as we bypass data

03:48

protection API we can get access to this

03:50

kind of information and the final thing

03:52

I want to show I'm going to mount disk

03:53

image we're going to choose a Windows

03:55

image here so lone wolf again disk

03:57

device write temporary delete

03:59

differencing file after unmount so now

04:01

it's mounted we have our Mount points

04:03

here I'm going to go to Advanced and

04:07

enable virtual DD and this is one of my

04:10

favorite features because now we have a

04:13

mount point for virtual DD that is f so

04:16

if I click on F virtual DD then you can

04:19

see that we have a what looks like a DD

04:22

image for every single one of our

04:24

logical devices and our physical devices

04:27

let's go look at this this was physical

04:29

device physical Drive 2 okay so we have

04:32

a physical Drive 2.dd Arsenal image

04:34

mounter is providing raw disk access to

04:39

every device on your system so if your

04:42

tools only take raw data then you can

04:45

use enable virtual DD you'll get access

04:47

to all the devices on your system via

04:50

DOT DD kind of virtual image and then

04:52

you can process it using your tools so

04:54

if you've watched this channel for a

04:55

while you know that I love command line

04:57

and a lot of tools from command line

04:58

only like more dealing with raw data

05:02

okay so we can go ahead and CD into F

05:05

drive and this is our virtual DD drive

05:07

we have our physical Drive 2 here we

05:10

have all the physical drives plus our

05:11

logical drives so I'm going to focus on

05:13

physical Drive 2 so I'm going to use

05:15

strings physical Drive DD and then more

05:19

and then we can see here invalid

05:21

partition table error loading operating

05:22

system that looks like the beginning of

05:24

a disk and then I can just do a quick

05:25

string extraction from that raw data

05:27

device providing that DD functionality

05:29

is very useful because we started with

05:30

an e01 which is usually compressed and

05:33

from that we can very easily without

05:35

Imaging get access to a raw device in

05:38

case your tools don't support easy Row

05:40

one so I thought those three features

05:41

were worth sharing Linux authentication

05:43

bypass Windows authentication bypass and

05:46

virtual DD so go check out Arsenal image

05:49

mounter some really cool stuff happening

05:51

there