ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

How to password recovery #210

Closed jugrem closed 1 year ago

jugrem commented 1 year ago

I can use the command "pcileech wx64_unlock -kmd 0x7fffe000 -0 1" to crack the account.

but how do I recover the account password without shutting down the computer to avoid being found that the computer has been restarted?

jugrem commented 1 year ago

Dear Ufrisk

signal-5 commented 1 year ago

The password could be stored in LSASS.EXE process memory. To recover the password you can try mimikatz. You can sometimes get the password in clear text but otherwise you get the password hash that you then need to crack with a password cracking tool.

jugrem commented 1 year ago

Thank you very much. but I want it to recover the original password without knowing the password of the target computer.

After I use the command to unlock the target computer, I can log in without using a password. But can I use another command to make the target computer recover after locking the screen, so that the password is required again to log in? And I wouldn't have to know his password from start to finish.

ufrisk commented 1 year ago

On more modern systems the password isn't stored by default in LSASS.EXE - only the hashes are. These are possible to crack using a password cracker (such as hashcat). If you do a full memory dump of your target computer it will be possible to extract these hashes (unless the target computer is running Credential Guard, which unfortunately is rather common nowadays).

If your goal is to restore the computer after your passwordless login you may reboot it. I currently don't have a signature that will restore it to its original operation without a reboot - but it should be very easy to create such a patch.

jugrem commented 1 year ago

Thank you very much for your time.

Yes, I can recover the password by restarting. However, after I restart, all open programs will be closed, and the computer owner will find that his computer has been restarted.

My goal is to get into the computer and not be perceived afterwards. So I want to ask you, if I use the command "pcileech wx64_unlock -kmd 0x7fffe000 -0 1" to enter the computer, how can I create a patch based on your pcileech to restore it? Maybe my statement is not accurate enough, but I would appreciate it if you could provide a patch idea.

Anyway, I will close this issue this week. Thanks again!

ufrisk commented 1 year ago

Yes, this would be possible and it would be a quite minor work. I could update the kernel unlock with the ability to restore the signature afterwards.

If of interest, I could do a sponsored development for this. If interested, please email me (from your company address) at info@memsec.se.

jugrem commented 1 year ago

Thank you very much for your reply.

I will give feedback to my leader, thank you again.

jugrem commented 1 year ago

Dear Ufrisk: Thank you for developing such a meaningful tool as pcileech. I have sent an email to you using the corporate email, but you may not receive it until Monday, because the company has a corresponding network policy that requires email approval. I hope you will reply after receiving the email.

The main content of the email is to consult you on: (1) How much sponsorship do you expect? (2) What is the payment method? (3) How long will it take you to complete the patch?

Looking forward to your reply!

ufrisk commented 1 year ago

Thanks, and no worries about the delay. I'll take a look at it on Monday or when it arrives!

1) Normal hourly consultancy rate for this work. 2) Invoice and payment via wire transfer (SWIFT/IBAN) would be fine. Sponsoring here on GitHub may be an option as well. 3) I expect the restoration signature to be quick. If you would need updating of the unlock signatures as well (some of them may be a bit outdated) that may add a few hours. I could probably do this fairly immediately (I'll be away at the end of next week for a few days though).

jugrem commented 1 year ago

Dear Ufrisk:

This afternoon, I saw that the email has been approved.

I hope you can estimate the cost. I need to report it to my leader, who will evaluate whether it is worth adding this patch.

By the way, I hope you will not disclose my company and personal information without our knowledge.

Thanks.