Kon-Boot is an awesome tool that I’ve used extensively in tech jobs I’ve had in the past (it’s been around since 2009), for clients that couldn’t remember their password :/ or an employee that was fired, etc. Most recently I’ve used it on Red Team pentest engagements when I had physical access to a box and needed quick and stealthy access. It allows accessing a target computer (Windows/Mac OS X) without knowing the user’s password.
Kon-Boot does not need to remove or modify the user’s password, and all changes are reverted back to their previous state after a system restart, unlike other tools that just remove/modify the password. It is currently the only solution that I know of that can bypass Windows 10 online (Microsoft account) passwords.
Their latest versions (since 2.7) let me run PowerShell scripts on Win8/10 machines, which allows me to automate data exfiltration or quickly add persistent access to the box. The Sticky Keys escalation feature (spawns a SYSTEM-level command prompt at the logon screen when you press the Shift key 5 times) allows quick access to system-level resources without worrying about the user’s access level or group policy.
Supported operating systems:
Microsoft Windows systems (both x86 and x64): XP, Vista, 7, 8/8.1, 10, Server 2003/2008
Apple OS X / macOS systems: Apple OS X 10.7-10.11, Apple macOS Sierra (10.12), Apple macOS High Sierra (10.13), Apple macOS Mojave (10.14)
Recently I had done some training where we set up ESXi 6.7 on an Intel NUC. It had been over a month since I’d touched it. Apparently during the training my coworker had set a root password for the install, which was supposedly written down, but was either typed wrong in the notes or fat-fingered while setting it. Unfortunately, you can no longer boot ESXi into single user mode or a Service Console to reset the password, and VMware suggests you reinstall ESXi to reset it. I didn’t want to risk trying that method because I wasn’t sure if it would affect the currently installed VMs, and I didn’t have a copy of ESXi with me to do so. Instead I used a bootable Kali USB to mount the ESXi boot partition and reset the root password to a blank password by editing the shadow file stored inside state.tgz.
Here are the steps I took to gain access to my ESXi NUC.
First, I checked the drives on the machine using the lsblk command, then used udisksctl to mount nvme0n1p5 (the 250M bootbank partition that holds state.tgz). Once mounted, I copied the state.tgz file to /tmp and untarred it. It had another .tgz file called local.tgz inside, which I untarred too, using this command: tar -xf state.tgz && tar -xf local.tgz
I then used nano to edit the root entry in the shadow file that was now in the extracted etc folder (nano etc/shadow), clearing the password hash between the first and second colon so the line starts with root::. (I also saved the original hash, because I wanted to try to crack it with hashcat regardless, to see what the hell it was.)
After saving the file I tarred it back up, moved it back to the mounted bootbank directory, unmounted the partition, then rebooted and removed the Kali USB.
Upon reboot I was greeted with the ESXi logon screen, and was able to log in with root and a blank password.
Here’s the plaintext output, just in case you can get online from your device and want to copy and paste.
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 2.9G 1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 29.3G 0 disk
├─sda1 8:1 1 3.1G 0 part /usr/lib/live/mount/medium
└─sda2 8:2 1 736K 0 part /media/root/Kali Live
nvme0n1 259:0 0 465.8G 0 disk
├─nvme0n1p1 259:1 0 4M 0 part /media/root/ESXi
├─nvme0n1p2 259:2 0 4G 0 part /media/root/4E99-06DA
├─nvme0n1p3 259:3 0 458.4G 0 part
├─nvme0n1p5 259:4 0 250M 0 part
├─nvme0n1p6 259:5 0 250M 0 part /media/root/4E99-06D71
├─nvme0n1p7 259:6 0 110M 0 part
├─nvme0n1p8 259:7 0 286M 0 part /media/root/4E99-06D72
└─nvme0n1p9 259:8 0 2.5G 0 part
root@kali:/mnt# udisksctl mount -b /dev/nvme0n1p5
Mounted /dev/nvme0n1p5 at /media/root/4E99-06D7.
root@kali:/mnt# cp /media/root/4E99-06D7/state.tgz /tmp
root@kali:/mnt# cd /tmp
root@kali:/tmp# tar -xf state.tgz
root@kali:/tmp# tar -xf local.tgz
root@kali:/tmp# rm *.tgz
root@kali:/tmp# nano etc/shadow
root@kali:/tmp# tar -cf local.tgz etc/
root@kali:/tmp# tar -cf state.tgz local.tgz
root@kali:/tmp# mv state.tgz /media/root/4E99-06D7/
root@kali:/tmp# udisksctl unmount -b /dev/nvme0n1p5
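The same edit as a script, added here as an example rather than the exact commands I typed on the NUC. It builds a constructed state.tgz (nested local.tgz with an etc/shadow whose hashes are made up) so it runs offline, then blanks root’s hash with awk instead of nano so nothing else on the line gets touched, saves the original hash for hashcat, and repacks both layers with gzip (-czf) so the result is a real .tgz like the one ESXi writes; the function names, the backup path and the fixture contents are all my own.

```shell
#!/bin/sh
# Added example: blank the root password inside an ESXi-style state.tgz.
# Layout assumed (matches ESXi 6.x): state.tgz -> local.tgz -> etc/shadow
set -eu

# blank_root_password STATE_TGZ
# Rewrites STATE_TGZ in place so root's hash field in etc/shadow is empty.
# Leaves a STATE_TGZ.bak copy and prints the original hash for cracking.
blank_root_password() {
    state="$1"
    work=$(mktemp -d)
    cp "$state" "$state.bak"                    # untouched copy, just in case
    tar -xf "$state" -C "$work"                 # -xf autodetects gzip or plain tar
    tar -xf "$work/local.tgz" -C "$work"
    # keep the original hash (field 2 of root's line) for hashcat
    awk -F: '$1=="root"{print $2}' "$work/etc/shadow" > "$work/root.hash"
    # clear only field 2 of the root entry; every other field and line is kept
    awk -F: 'BEGIN{OFS=":"} $1=="root"{$2=""} {print}' "$work/etc/shadow" \
        > "$work/shadow.new"
    cat "$work/shadow.new" > "$work/etc/shadow"  # cat > keeps the file's mode/owner
    # repack both layers gzipped, with the same top-level names ESXi expects
    (cd "$work" && rm -f local.tgz && tar -czf local.tgz etc && tar -czf state.tgz local.tgz)
    cp "$work/state.tgz" "$state"
    cat "$work/root.hash"
    rm -rf "$work"
}

# root_hash_field STATE_TGZ: print root's hash field from inside STATE_TGZ (for checking)
root_hash_field() {
    t=$(mktemp -d)
    tar -xf "$1" -C "$t"
    tar -xf "$t/local.tgz" -C "$t"
    awk -F: '$1=="root"{print $2}' "$t/etc/shadow"
    rm -rf "$t"
}

# make_fixture: build a constructed state.tgz in a temp dir and print its path.
# The shadow contents are invented; they are not from a real ESXi host.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc"
    printf '%s\n' 'root:$6$salt$constructedhash:18000:0:99999:7:::' \
                  'vpxuser:*:18000:0:99999:7:::' > "$dir/etc/shadow"
    (cd "$dir" && tar -czf local.tgz etc && tar -czf state.tgz local.tgz)
    echo "$dir/state.tgz"
}

# Demo on the constructed fixture. On the real box you would instead run
#   blank_root_password /media/root/<bootbank>/state.tgz
# after mounting the active bootbank from the Kali live USB.
demo_state=$(make_fixture)
echo "saved hash: $(blank_root_password "$demo_state")"
echo "root field now: '$(root_hash_field "$demo_state")'"
```

Two things worth checking before you reboot: ESXi 6.x has two 250M bootbank partitions (here nvme0n1p5 and nvme0n1p6), and the loader only reads state.tgz from the active one, so if both contain a state.tgz, edit the one whose boot.cfg the host actually booted from (the one with the higher updated= counter) or the change will not take effect. And keep the archives gzipped when you repack; plain tar -cf worked for me on this box, but -czf produces the same format ESXi itself writes and avoids a failed boot on a stricter version.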