We all have the Windows password bypass boot disks in our tool kits. I’d like to mention a new favourite of mine, called Kon-Boot, which patches the loading kernel in memory and effectively bypasses the authentication mechanism. Kon-Boot supports both Linux and Windows operating systems, allowing root access on both OSes in seconds, and also supports privilege escalation scenarios on Windows. Kon-Boot is a very nice piece of software, so much so that a commercial version is available and comes in USB, floppy and CD-ROM based installations. It also supports VMware virtual machines.
OK, so I may sound like an advertisement for Kon-Boot, but I’m not; it’s just a really cool tool that all admins and techs should have in their tool kits. I purchased the commercial version and tested out privilege escalation in a Windows domain lab environment. You can actually impersonate users that have logged on to the system previously. This hack is really a bypass, as you require physical access to the workstation, and I feel it could be stopped if cached credentials are disabled on the domain.
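The mitigation mentioned above (not caching domain logons on workstations) can be audited from the workstation itself. The following PowerShell function is an added example and is not part of the original post or of Kon-Boot; it reads the Windows `CachedLogonsCount` value (the registry backing for the Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)") and reports whether an offline authentication bypass would find any cached domain credentials to reuse. The function name and the wording of the findings are my own.

```powershell
# Added example (not from the original post): report whether this machine
# caches domain logon credentials, which is what makes the impersonation
# scenario described above possible after an offline boot-disk bypass.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param()

    # Real Windows location of the setting; the value is stored as a string (REG_SZ).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue).CachedLogonsCount

    if ($null -eq $raw -or $raw -eq '') {
        # When the value is absent Windows falls back to its default of 10 cached logons.
        $count = 10
        $source = 'default (value not set)'
    }
    else {
        $count = [int]$raw
        $source = 'registry/GPO'
    }

    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DomainJoined      = $domainJoined
        CachedLogonsCount = $count
        Source            = $source
        CachingDisabled   = ($count -eq 0)
        Finding           = if (-not $domainJoined) {
                                'N/A: machine is not domain joined'
                            } elseif ($count -eq 0) {
                                'OK: no domain credentials are cached on this workstation'
                            } else {
                                "RISK: up to $count previous domain logons are cached and could be reused after a physical-access bypass"
                            }
    }
}

# Usage: run in an elevated PowerShell session on the workstation being audited.
Get-CachedLogonPolicy | Format-List
```

Setting the count to 0 via Group Policy removes the cached-credential angle but also means domain users cannot log on when no domain controller is reachable (for example on laptops off the corporate network), so the value is usually a trade-off rather than a blanket 0.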
Kon-Boot’s main purpose is to get you back into a Windows or Linux machine whose password you have forgotten. It does this in a neat way, without any injection into or modification of the operating system on disk.