Windows Login - Any Vulnerabilities?

BestPCBuilder2017
Solved by GoodBytes


So, I'm trying to improve my security and was just wondering if there is a way to "break in" to a Windows/local account once the PC awakes from sleep mode and asks/prompts to enter the password for it (OS drive fully encrypted). If there is, I'd just like to know if one exists or not and in what form so I can make sure I can look for a way to cover it. 

 

(hopefully this isn't against the ltt rules)

Edited by NCIX Lampy
Added: fully encrypted drive

 

 


If you can boot from a Windows installation media you can log in to any Windows 10 PC. I don't know of any specific methods to override the login screen after sleep, but rebooting is enough if you haven't taken care of that, as far as I know.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


3 hours ago, Sauron said:

If you can boot from a Windows installation media you can log in to any Windows 10 PC. I don't know of any specific methods to override the login screen after sleep, but rebooting is enough if you haven't taken care of that, as far as I know.

If the entire drive is encrypted though?

 

 

 

 


Just now, NCIX Lampy said:

If the entire drive is encrypted though?

 

 

I'm not sure, I haven't tried that. It's still a good idea to lock the bios and disable the boot menu if you're concerned with security.


I saw an attack last year on Active Directory. Can't remember its name.

Are you asking about a physical attack like someone bypassing your login password to mess with your computer?

             ☼

ψ ︿_____︿_ψ_   


3 hours ago, SCHISCHKA said:

I saw an attack last year on Active Directory. Can't remember its name.

Are you asking about a physical attack like someone bypassing your login password to mess with your computer?

Could you be more specific on the second bit? 

 

 


There is a method to bypass completely any windows (prior to Win10) via live USB. This kind of software, which I won't name for CS reasons, lets you bypass the password prompt on any windows and MacOS by booting from USB. 

 

This can be avoided by using the latest windows 10 and a microsoft account as login instead of a local account. Also, setting your BIOS to not boot from USBs or CDs and using a master password will help.

 

If you want to protect your PC from remote attacks, more precisely avoid privilege escalation if there is already a remote shell, use the latest Windows 10 and a really secure 10+ char password.

Computer Case: NZXT S340 || CPU: AMD Ryzen 5 1600 || Cooler: CM Hyper212 Evo || MoBo: MSI B350 Mortar || RAM Vengeance LPX 2x8GB 3200MHz || PSU: Corsair CX600 || SSD: HyperX Fury 120GB & 240GB || HDD: WD Blue 1TB + 1TB 2.5'' backup drive || GPU: Sapphire Nitro+ RX 580 4GB

Laptop 1 HP x360 13-u113nl

Laptop Lenovo z50-75 with AMD FX-7500 || OS: Windows 10 / Ubuntu 17.04

DSLR Nikon D5300 w/ 18-105mm lens


3 hours ago, Cryosec said:

There is a method to bypass completely any windows (prior to Win10) via live USB. This kind of software, which I won't name for CS reasons, lets you bypass the password prompt on any windows and MacOS by booting from USB. 

 

This can be avoided by using the latest windows 10 and a microsoft account as login instead of a local account. Also, setting your BIOS to not boot from USBs or CDs and using a master password will help.

 

If you want to protect your PC from remote attacks, more precisely avoid privilege escalation if there is already a remote shell, use the latest Windows 10 and a really secure 10+ char password.

That's not what is being asked here. Please keep it relevant. 

 

 


If you're running the essentially abandoned Windows 7, you are vulnerable to the 'startup repair' workaround. 

Reboot the machine, then during boot shut it down. Boot into startup repair, then wait for it to finish. Open the log, then save it - then use the explorer window that opens to swap utilman.exe with a copy of cmd.exe. 

Then boot up, and at the login screen, hit the 'Ease of access' button and bam, a command prompt will open. From here you can type 'control userpasswords2' to open a user access prompt, or boot up explorer over the login screen by typing explorer.exe. 

idk
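
A defensive check for the utilman.exe swap described in the post above, added here as an example and not part of the original thread: it flags a system where the Ease of Access binary is byte-identical to a command shell. The function name `Test-UtilmanReplaced`, the list of shells compared, and PowerShell 4.0 or later (for `Get-FileHash`) are assumptions of this example.

```powershell
# Added example (not from the thread): detect whether utilman.exe has been
# replaced by a copy of a command shell, as in the swap described above.
function Test-UtilmanReplaced {
    [CmdletBinding()]
    param(
        # System32 directory to inspect; can point at a mounted offline image.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    $utilman = Join-Path $System32 'utilman.exe'
    if (-not (Test-Path -LiteralPath $utilman)) {
        return [pscustomobject]@{ Path = $utilman; Status = 'Missing'; MatchedShell = $null }
    }
    $utilmanHash = (Get-FileHash -LiteralPath $utilman -Algorithm SHA256).Hash

    # Shell binaries to compare against (this list is an assumption of the example).
    $shells = @(
        (Join-Path $System32 'cmd.exe'),
        (Join-Path $System32 'WindowsPowerShell\v1.0\powershell.exe')
    )
    foreach ($shell in $shells) {
        if (-not (Test-Path -LiteralPath $shell)) { continue }
        $shellHash = (Get-FileHash -LiteralPath $shell -Algorithm SHA256).Hash
        if ($shellHash -eq $utilmanHash) {
            return [pscustomobject]@{ Path = $utilman; Status = 'Replaced'; MatchedShell = $shell }
        }
    }

    # No shell matched: report the embedded file name and signature state for manual review.
    $item = Get-Item -LiteralPath $utilman
    $sig  = Get-AuthenticodeSignature -LiteralPath $utilman
    [pscustomobject]@{
        Path             = $utilman
        Status           = 'NoShellMatch'
        MatchedShell     = $null
        OriginalFilename = $item.VersionInfo.OriginalFilename
        Signature        = $sig.Status
    }
}

Test-UtilmanReplaced | Format-List
```

A `Replaced` status means the file behind the Ease of Access button is a shell; `NoShellMatch` only rules out the shells listed, so the reported file name and signature state still need a look.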


4 minutes ago, NCIX Lampy said:

Could you be more specific on the second bit? 

You are asking about vulnerabilities after suspend while typing your password. So do you mean an attack by a person physically at your computer?


Looks like I need to clarify my original post a bit... I think? 

 

 


23 minutes ago, NCIX Lampy said:

was just wondering if there is a way to "break in" to a Windows/local account

 

Just now, NCIX Lampy said:

That's not what is being asked here. Please keep it relevant. 

I think I did keep it relevant, tho it does not work for the specific case of a sleeping pc. I simply told you about an attack method you should be aware of


3 hours ago, SCHISCHKA said:

You are asking about vulnerabilities after suspend while typing your password. So do you mean an attack by a person physically at your computer?

Yes, unless there is a way to do that remotely, which is not something I'm aware of being possible. 

 

 


3 hours ago, Cryosec said:

 

I think I did keep it relevant, tho it does not work for the specific case of a sleeping pc. I simply told you about an attack method you should be aware of

Sounds like you didn't read the entire post. 

 

 


1 minute ago, NCIX Lampy said:

Sounds like you didn't read the entire post. 

 

29 minutes ago, NCIX Lampy said:

So, I'm trying to improve my security and was just wondering if there is a way to "break in" to a Windows/local account once the PC awakes from sleep mode and asks/prompts to enter the password for it. If there is, I'd just like to know if one exists or not and in what form so I can make sure I can look for a way to cover it. 

You clearly ask in what form these attacks happen. I see you asked for a PC in sleep mode, but if someone wants to break in, a reboot isn't a problem. Therefore my example.

 

If this isn't what you asked, please be more specific.


You need to provide more information when asking a question regarding security. People are trying to help you based on the limited information you have provided and you're getting antsy.

Since you asked in "what form", there can be both local (hardware) and remote (software) ways.
  
For example, can the computer be accessed physically by someone without you or anyone else around? 

  • Being able to reboot the machine while at the computer (physical access to power/reset button)
  • Being able to insert a USB while at the computer

Or are you just worried about remote/soft access hacks, does windows have remote access disabled, do you have WOL disabled to prevent from someone waking your machine etc etc etc


27 minutes ago, Cryosec said:

 

You clearly ask in what form these attacks happen. I see you asked for a PC in sleep mode, but if someone wants to break in, a reboot isn't a problem. Therefore my example.

 

If this isn't what you asked, please be more specific.

He asked about a specific situation. When a computer recovers from sleep mode can you hack the login prompt and in what form.

 

Rebooting the computer is not relevant here because once you reboot the computer it is no longer in sleep mode; the physical attacker will now have to deal with any BIOS/drive security before getting to a Windows login prompt.

 

Perhaps a better or more relevant way to have responded would have been to address the question that was asked first, then provided the additional advice.

 

I'm not aware of a hack, but I would think it is safe to assume that it's possible.


Just now, mrzoltowski said:

You need to provide more information when asking a question regarding security. People are trying to help you based on the limited information you have provided and you're getting antsy.

Since you asked in "what form", there can be both local (hardware) and remote (software) ways.
  
For example, can the computer be accessed physically by someone without you or anyone else around? 

  • Being able to reboot the machine while at the computer (physical access to power/reset button)
  • Being able to insert a USB while at the computer

Or are you just worried about remote/soft access hacks, does windows have remote access disabled, do you have WOL disabled to prevent from someone waking your machine etc etc etc

I disagree; the OP was very clear in his post. Sufficient information was provided for what they were asking.

The issue is with the posters who did not read the post, didn't comprehend what was being asked, or just felt the need to bump their post count.

 

 

 


In that case, when the PC wakes up and you are at the lock screen, there is no way to bypass it and log in.

This excludes any potential newly discovered/exploited security issues that the OS may have.

Inserting a USB key or anything will not help. The only way is to have the password, which can be acquired via a USB keylogger that plugs in between your keyboard and PC, and somehow analyze the collected data of what is a password for the login screen, and not anything else (keys that you press in a game, for example).

 


41 minutes ago, NCIX Lampy said:

Yes, unless there is a way to do that remotely, which is not something I'm aware of being possible. 

I'm not aware of breaking into a password protected computer remotely just yet. It's possible probably if someone discovered an exploit that allows bypassing password login remotely if a PC is connected to an unsecured network, kinda like waking up a PC from sleep and it automatically connects to wifi. 

 

But then if file level encryption is enabled, it would be much harder since each file is encrypted with your Microsoft account password so even if they're able to bypass password login, the files are still inaccessible. Action Center>All Settings>System>About>Device Encryption>Turn On. But unlike Bitlocker full disk encryption where the encryption keys are stored locally either via trusted platform module or a thumb drive, file level encryption in Windows 10 is tied with your Microsoft account and the encryption keys are uploaded to your One Drive account. 

2 minutes ago, GoodBytes said:

In that case, when the PC wakes up and you are at the lock screen, there is no way to bypass it and log in.

This excludes any potential newly discovered/exploited security issues that the OS may have.

Inserting a USB key or anything will not help. The only way is to have the password, which can be acquired via a USB keylogger that plugs in between your keyboard and PC, and somehow analyze the collected data of what is a password for the login screen, and not anything else (keys that you press in a game, for example).

 

File level encryption would even make it harder unless the PC is infected with malware that captures keystrokes?

There is more that meets the eye
I see the soul that is inside

 

 


13 minutes ago, hey_yo_ said:

I'm not aware of breaking into a password protected computer remotely just yet. It's possible probably if someone discovered an exploit that allows bypassing password login remotely if a PC is connected to an unsecured network, kinda like waking up a PC from sleep and it automatically connects to wifi. 

More like someone with another computer connects to yours via Ethernet, and tries to exploit a security issue of the OS that the hacker found to figure out your password, then simply logs in.

 

Quote

 

But then if file level encryption is enabled, it would be much harder since each file is encrypted with your Microsoft account password so even if they're able to bypass password login, the files are still inaccessible. Action Center>All Settings>System>About>Device Encryption>Turn On. But unlike Bitlocker full disk encryption where the encryption keys are stored locally either via trusted platform module or a thumb drive, file level encryption in Windows 10 is tied with your Microsoft account and the encryption keys are uploaded to your One Drive account. 

Well, if your password has been discovered, that won't help you, and Microsoft encryption while good, is not the best by a long shot. Bit Drive Encryption is far superior which uses your TPM chip on your motherboard (assuming you have one, else you can't use that feature). But, if you want the best encryption use the free and open source solution: TrueCrypt.

 


2 minutes ago, GoodBytes said:

Well, if your password has been discovered, that won't help you, and Microsoft encryption while good, is not the best by a long shot. Bit Drive Encryption is far superior, but if you want the best encryption use the free and open source solution: TrueCrypt.

Indeed, Bitlocker is good for a couple of reasons like the fact that encryption keys are stored locally (e.g. USB flash drive or TPM chip) unlike device encryption in Windows 10, encryption keys are uploaded to the cloud. Also, full disk encryption has way lesser chances of being exploited because of the vulnerabilities of the OS because the OS is not immediately loaded upon boot.


But then, Bitlocker is only good if the PC is powered down. Once the user is logged in, all files are decrypted. 


 

More like someone with another computer connects to yours via Ethernet, and tries to exploit a security issue of the OS that the hacker found to figure out your password, then simply logs in.

 

Well, if your password has been discovered, that won't help you, and Microsoft encryption while good, is not the best by a long shot. Bit Drive Encryption is far superior which uses your TPM chip on your motherboard (assuming you have one, else you can't use that feature). But, if you want the best encryption use the free and open source solution: TrueCrypt.

 

Are you sure it's not VeraCrypt? 

 

 
