Recovering Passwords from a Locked Workstation
Moving forward with this concept, how cool would it be for a penetration tester with physical access to a system to be able to grab the passwords off of a Windows system that was sitting at a locked login prompt? And what if you could get these passwords in plain text? Well, if the circumstances are right, you could! A while back, I was wondering if it would be possible to get passwords off of a locked desktop. You know, a user is using the system and dutifully locks his workstation before leaving for lunch. If you have physical access to the system, this could be done.
First, you need to be able to enable the system-level command prompt from the login screen. As discussed above, the “Utilman Login Bypass” trick brings up a system-level prompt when you press the “Windows” and “u” keys on the keyboard. Now all we need is a USB drive with Mimikatz installed. The Mimikatz Windows executable...
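Because the whole technique depends on Windows+U starting a shell at the logon screen, a workstation can be audited for that precondition. The following PowerShell check is an added example, not code from the original text; the function name `Test-UtilmanIntegrity` is hypothetical, and it assumes the bypass works by making the Ease of Access launcher (`Utilman.exe`) resolve to a command shell, either through a swapped binary or through an Image File Execution Options `Debugger` value.

```powershell
# Added example (not from the original text). Run from an elevated prompt.
# Assumption: the logon-screen bypass makes Utilman.exe launch a shell.
function Test-UtilmanIntegrity {
    [CmdletBinding()]
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $target   = Join-Path $System32 'Utilman.exe'

    if (-not (Test-Path -LiteralPath $target)) {
        $findings.Add("Utilman.exe is missing from $System32")
    } else {
        # 1. Byte-for-byte comparison with the shells. A swapped-in cmd.exe is
        #    still validly signed by Microsoft, so a signature check alone
        #    would not catch it.
        $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        foreach ($shell in 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe') {
            $path = Join-Path $System32 $shell
            if ((Test-Path -LiteralPath $path) -and
                (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq $hash) {
                $findings.Add("Utilman.exe is identical to $shell")
            }
        }
        # 2. Signature check, which catches any other unsigned replacement.
        $sig = Get-AuthenticodeSignature -FilePath $target
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings.Add("Utilman.exe signature status: $($sig.Status)")
        }
    }

    # 3. An IFEO Debugger value redirects the launch without touching the file.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' +
            'Image File Execution Options\utilman.exe'
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger `
                 -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings.Add("IFEO Debugger set for utilman.exe: $debugger")
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Clean    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-UtilmanIntegrity | Format-List
```

A result with `Clean : False` means the Ease of Access shortcut on the logon screen should be treated as compromised until the listed findings are explained.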