PEPassPass


92 replies to this topic

#76 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 11 August 2021 - 12:13 AM

Windows 10 1809 LTSC (10.0.17763.1911) x64 Not Work
Windows Server 2k19 (10.0.17763.1098) Not Work

I realized that the versions in your test list are the OS version and not the DLL version, which is fine but doesn't indicate when the logon validation DLL might be the same. As an example, both versions above use the exact same DLL, which is NtlmShared.dll v10.0.17763.802. Thanks for sharing the DLLs though, I'll take a look as soon as possible.



#77 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 11 August 2021 - 12:38 AM

https://www.mediafir...vw4lyls79ouu6ro

1809 NtlmShared.dll files

If you need other files, just request them.

If you or someone else has these running systems to test on:

  • Windows 10 1809 x64
  • Windows Server 2019 x64

First, make sure your \System32\NtlmShared.dll is v10.0.17763.802 (file properties). If it is, then back up the original file and replace it with one from the attached zip. They are patched just one byte differently and I'm not sure which works, if any. Please report back.
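Added here as an editor's example (not code from PEPassPass or from anyone in this thread): a PowerShell check a defender can run to confirm that NtlmShared.dll and msv1_0.dll on a host are still the Microsoft-signed originals, since a one-byte change of the kind described above invalidates the file's catalog signature. It assumes Windows 8 or later with PowerShell 5.1+, where Get-AuthenticodeSignature resolves catalog signatures for system files.

```powershell
# Editor's example, not part of PEPassPass or any post in this thread.
# Reports version, signature state and SHA256 of the logon-validation DLLs
# and flags any file whose Microsoft signature no longer validates.
# Assumption: Windows 8+/Server 2019 with PowerShell 5.1 or later.
$candidates = @(
    "$env:SystemRoot\System32\NtlmShared.dll",
    "$env:SystemRoot\System32\msv1_0.dll",
    "$env:SystemRoot\SysWOW64\NtlmShared.dll",   # 32-bit copies on x64 hosts
    "$env:SystemRoot\SysWOW64\msv1_0.dll"
)

function Test-LogonDll {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path            = $Path
        # For the 1809 builds tested above this starts with 10.0.17763.802
        FileVersion     = $info.FileVersion
        SignatureStatus = $sig.Status          # 'Valid' is the only good answer
        SignatureType   = $sig.SignatureType   # 'Catalog' for unmodified system files
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Tampered        = ($sig.Status -ne 'Valid')
    }
}

$results = $candidates |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-LogonDll -Path $_ }

$results | Format-Table Path, FileVersion, SignatureStatus, SignatureType, Tampered -AutoSize

if ($results | Where-Object Tampered) {
    Write-Warning "A logon DLL fails signature validation: compare it with a known-good copy from install media and review the host's logon events."
}
```

This only detects an on-disk replacement like the one PEPassPass performs; tools that patch the DLL in memory leave the file and its signature intact, so pair it with LSASS integrity monitoring.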



#78 DarknessAngel

DarknessAngel

    Member

  • Members
  • 33 posts
  • South Korea

Posted 11 August 2021 - 04:36 AM

If you or someone else has these running systems to test on:

  • Windows 10 1809 x64
  • Windows Server 2019 x64

First, make sure your \System32\NtlmShared.dll is v10.0.17763.802 (file properties). If it is, then back up the original file and replace it with one from the attached zip. They are patched just one byte differently and I'm not sure which works, if any. Please report back.

v1: works well

v2: error (can't log in with or without a password)

Can you add an x86 version?


Edited by DarknessAngel, 11 August 2021 - 04:36 AM.


#79 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 11 August 2021 - 08:56 PM

Thanks for the confirmation.

Attached is the patched DLL for Windows 10 1809 x86 (NtlmShared.dll v10.0.17763.802).

As with the previous test, back up the original DLL first and replace it with the one inside the attached zip.

If it works, we only need a slight adjustment in the pattern vs. version detection for both x64 and x86.

Thanks in advance for yet another test.



#80 DarknessAngel

DarknessAngel

    Member

  • Members
  • 33 posts
  • South Korea

Posted 12 August 2021 - 12:46 AM

Thanks for the confirmation.

Attached is the patched DLL for Windows 10 1809 x86 (NtlmShared.dll v10.0.17763.802).

As with the previous test, back up the original DLL first and replace it with the one inside the attached zip.

If it works, we only need a slight adjustment in the pattern vs. version detection for both x64 and x86.

Thanks in advance for yet another test.

Works well.



#81 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 12 August 2021 - 12:54 AM

Okay then, thanks again for testing the different versions, that was really helpful.

Attached is the latest version of PEPassPass which fixes incompatibility with Windows 10 v1809 and Windows Server 2019.

Attached Files


  • wimb, alacran, devdevadev and 1 other like this

#82 Krinal

Krinal
  • Members
  • 6 posts

Posted 12 August 2021 - 03:54 AM

@ner0 Thanks for the Update.

Is it possible to make the tool work so that the DLL is patched and, once the user logs in to the system, after a restart it gets auto-unpatched back to the normal state? So the changes are temporary and no manual unpatching is needed?

Or maybe someone could re*erse PCUnlocker and find out how it does its work in memory, so that no real file/DLL is patched?
KONBOOT or PCUnlocker works on the same principle, but they don't patch the real DLL. Instead they patch the DLL in memory, so after a restart all the changes are lost and the system comes back to its normal state.

Also check this GitHub page, maybe you'll find some missing patch pattern. It has patch patterns for the same task we perform with PEPassPass. It also has some Linux & Mac patterns.

https://github.com/c...dules/unlock.py


Also, do you have any idea about a Live ID/Microsoft ID bypass?

Edited by Krinal, 12 August 2021 - 04:18 AM.


#83 DarknessAngel

DarknessAngel

    Member

  • Members
  • 33 posts
  • South Korea

Posted 12 August 2021 - 04:31 AM

Okay then, thanks again for testing the different versions, that was really helpful.

Attached is the latest version of PEPassPass which fixes incompatibility with Windows 10 v1809 and Windows Server 2019.

Thanks for the work.

10 x86/x64 and Server 2k19 work well.

I will delete the temporarily uploaded files.

If you need something, request it.

Edited by DarknessAngel, 12 August 2021 - 04:32 AM.

  • ner0 likes this

#84 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 12 August 2021 - 11:15 AM

Is it possible to make the tool work so that the DLL is patched and, once the user logs in to the system, after a restart it gets auto-unpatched back to the normal state? So the changes are temporary and no manual unpatching is needed?

Or maybe someone could re*erse PCUnlocker and find out how it does its work in memory, so that no real file/DLL is patched?
KONBOOT or PCUnlocker works on the same principle, but they don't patch the real DLL. Instead they patch the DLL in memory, so after a restart all the changes are lost and the system comes back to its normal state.

PEPassPass is an unsophisticated tool in comparison, so it doesn't work in memory and as such it works how it was designed to work. It's not for nothing that the tools you listed are currently commercial products; the methods are far from trivial and probably above my capabilities to understand and implement them.

Also check this GitHub page, maybe you'll find some missing patch pattern. It has patch patterns for the same task we perform with PEPassPass. It also has some Linux & Mac patterns.

https://github.com/c...dules/unlock.py

I don't think we have any missing patch patterns when it comes to Windows OSes. The GitHub repo you linked though is missing a few patterns, it hasn't been updated since 2017, and as far as I can tell the repo and its forks have been abandoned since. I'm personally not planning to include support for macOS or Linux.

Also, do you have any idea about a Live ID/Microsoft ID bypass?

Unfortunately not, that would be a nice addition honestly because it's often the case that friends have forgotten theirs... I have no clue how the validation mechanism works for those though. It's a good suggestion, I'll try to see if there is any whitepaper or exploit out there that discusses this.


  • Krinal likes this

#85 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 14 August 2021 - 07:58 PM

I can't find a great deal of info on how Windows accesses the stored Microsoft Account password hash for offline validation.

I tried completely bypassing the MsvpPasswordValidate function in NtlmShared.dll to see if the MS login still worked - and it did; the only other thing of worth that I discovered is that Windows apparently will allow the login to proceed (for local accounts) even in the event that it cannot hash and validate a password. This was a surprising find; if this proves true across versions then maybe we don't even need the surgical patching we've been doing, simply get out of the function immediately when it is entered and it bypasses the login screen (also valid for runas impersonation).

I also tried bypassing another function in a different DLL, MsvSamValidate from msv1_0.dll, but unfortunately that one also doesn't seem to be involved in any way for the purpose of validating the Microsoft account's cached credentials.

If anyone has any clue on what functions Windows 8 and later use for Microsoft Accounts (formerly Live ID), please share that information.



#86 Krinal

Krinal
  • Members
  • 6 posts

Posted 14 August 2021 - 09:29 PM

Great finding @ner0. Does it mean that no update will be needed for bypassing local accounts once this static method you found is implemented?

Indeed, MS account bypass is also possible, as Kon-Boot does it in its commercial version. There is a video about it on YouTube which shows that the MS account is bypassed by Kon-Boot. So there must be a hidden way.

Now, some testing should be done of the method you found for local accounts with all old Windows versions, so a future-proof bypass can be created.

Eventually we, or someone else, may find the way for Microsoft Accounts (maybe you need to find another similar DLL for MS accounts).

#87 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 14 August 2021 - 10:20 PM

Great finding @ner0. Does it mean that no update will be needed for bypassing local accounts once this static method you found is implemented?

Possibly, but I don't think we need to go back on previous versions since the current method is working. In the future though, if we find a new roadblock that prevents the existing bypass we might try this overkill approach, given proper testing of course.

As for Microsoft / Live ID accounts, msv1_0.dll seems to be a good starting point anyway.


  • Krinal likes this

#88 Krinal

Krinal
  • Members
  • 6 posts

Posted 14 August 2021 - 10:55 PM

@ner0, why don't you put both conditions in the code? Like, with the current patches, that new function you found also gets patched. This way we don't have to worry about any changes in the future. Also, I guess it doesn't harm to have both patches together. Just in case any normal patch pattern changes, the second patch will work and we don't have to update the tool.

I'm insisting on this because for the last few years either you were inactive or this project had no active development/discussions. The tool was not working with the latest Win10 before you updated it a few days ago. So I had accepted that the tool was obsolete and there would be no updates.
It's good you're back and actively updating it. But still, it'll be great if you can achieve a fixed way so that the tool works in the future even without updates. So even if you abandon the project, it keeps working.

Don't get me wrong, I'm comparing the tools in a healthy way. The old version of PC Unlocker from 2018, v4.6, is still successfully bypassing the latest Windows 10 21H1 local account. So, indeed, they implemented a fixed way which doesn't need frequent updates. Maybe with PEPassPass we can do the same.

I hope this will convince you.

Edited by Krinal, 14 August 2021 - 11:25 PM.


#89 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 15 August 2021 - 12:00 AM

Both patches work in the same function, the result I got from completely bypassing MsvpPasswordValidate negates the usage of the current patches - so basically it's either one or the other. Furthermore, I'm unsure if there aren't negative side-effects of bypassing the entire function. It's something to test in the future, for sure. At the moment it's just a footnote.


  • Krinal likes this

#90 Krinal

Krinal
  • Members
  • 6 posts

Posted 15 August 2021 - 02:33 AM

Hi, ner0.

I got some new insights into the bypass. I was surfing the web and found something interesting.

http://reboot.pro/in...showtopic=22343

Check this out. It is basically using hooking to do the process on the fly.
I'm not saying to implement anything, but I got some insight and the information was related/useful to PEPassPass.

There is some other information available too, but I'll read it first and share it later.

Edited by Krinal, 15 August 2021 - 02:34 AM.


#91 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 15 August 2021 - 03:23 AM

I had seen that post before, it is very interesting, although the biggest downside is that you would already need to have privileged access to an account on the target system in order to inject the dll into lsass. Other than that, you might also need to have control over potential anti-malware engines which could block the injection process.


  • Krinal likes this

#92 Krinal

Krinal
  • Members
  • 6 posts

Posted 26 June 2022 - 07:22 AM

@ner0
Any new findings in this topic?
Ms live id?

#93 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 26 June 2022 - 01:40 PM

No, haven't looked into this since we last discussed it here. I also have no motivation to do so at the moment. I'm hoping someone else does and publishes findings on this, regardless of being from this forum or elsewhere.

#94 Krinal

Krinal
  • Members
  • 6 posts

Posted 11 November 2023 - 04:14 PM

@ner0 any progress on this tool? MS Account bypass or PIN bypass. Or Windows 11 detection?

Edited by Krinal, 11 November 2023 - 04:16 PM.


#95 Krinal

Krinal
  • Members
  • 6 posts

Posted 15 November 2023 - 04:30 PM

@ner0 or anyone interested: found something interesting on the Internet.

https://sysexit.word...ernel-debugger/

This article shows a picture password bypass by patching a function in authui.dll; maybe the other methods,
Windows Hello and MS Live ID accounts, are also verified by the same DLL?

Can someone skilled in reversing please test..

Edited by Krinal, 15 November 2023 - 04:32 PM.


#96 ner0

ner0

    Member

  • Advanced user
  • 83 posts

Posted 26 November 2023 - 02:13 AM

No, haven't looked into this since we last discussed it here. I also have no motivation to do so at the moment. I'm hoping someone else does and publishes findings on this, regardless of being from this forum or elsewhere.


@Krinal, this was my post last year and nothing has changed. I don't have time, interest, or patience, to get back to this subject. Thanks for understanding.


Best of luck.



#97 Krinal

Krinal
  • Members
  • 6 posts

Posted 26 November 2023 - 02:40 AM

@Krinal, this was my post last year and nothing has changed. I don't have time, interest, or patience, to get back to this subject. Thanks for understanding.

Best of luck.

Okay, thanks for the reply. I was excited about it because I guess I found the DLLs responsible for different Windows authentication methods like Windows Live ID password, Windows Hello PINs, fingerprint and facial recognition. But this topic seems abandoned now. Maybe someone else will update it. :(

Edited by Krinal, 26 November 2023 - 02:47 AM.

