Tuts 4 You

Uefi Bios backdoor



H1TC43R

Has anyone been able to find any master passwords or backdoors for the newer UEFI bios?

Let me give you an overview of what I'm doing below

I have a Windows 10 x64 based machine which works fine, but I want to get into the BIOS to change settings (boot order etc.). The older machines used to give you a code after 3 wrong password attempts, which then lets you get a master code for it, but these newer machines have a locked password: again you get 3 attempts, then it locks up until reboot, no more codes. The BIOS is American Megatrends v5.65.

 

I don't want to open it up and remove the CMOS at the moment for a few reasons, plus I'm not sure that old trick still works with 2017+ machines.

H1TC43R

This is just a follow up, as all too often someone makes a post about something and then that is it, nothing else.


I was fortunate enough to chat with someone on another forum, and I was able to make a dump of the BIOS and he was able to give me the original password in a couple of minutes. This has got me interested in the BIOS dump itself and what it contains.

Yes, I could have attempted to use CmosPwd 5 or tried to reset it by pulling the CMOS out for 20 mins, but I'm not sure that would work anymore.

The old trick of mistyping the password 3 times to get the code, followed by using bios-pw, does not work on these newer BIOSes: you still have 3 attempts, but you no longer get a code, just a freeze/lock, which means you have to restart the device and start over.

 

NOP

You were lucky with your machine: you only had the setup protected, so booting and then reading was possible.

I don't know about your BIOS as I haven't kept up to date with the newer ones, but I know with some manufacturers of the newer BIOS you need to enter 3 master passwords and then it shows you the hash, which you can use in a master password generator.
 

e.g. FSI BIOS

First password:  3hqgo3
Second password: jqw534
Third password:  0qww294e

and then it shows you the hash

All of the new machines I have seen recently have some way of getting the hash; it isn't always obvious, so maybe something similar is needed for your BIOS.

If it was a laptop then removing the CMOS battery would do nothing, and they generally don't have a jumper reset; the password / hash is stored on a chip, but you can normally read the chip it's stored on, or write it without a password, if you know what you're doing.

H1TC43R
Posted (edited)

To be honest, when I saw the BIOS was from 2016 I had a better feeling than when I first started; a couple of years have passed and there was a good chance there would be a crack in the security. The OEM bought a template BIOS from AMI, and the OEM modified the BIOS and Windows to suit them.

I still have a ways to go as Windows has also been locked down, so will see if I can recover the original admin account on it rather than change it. Pass-the-Hash is an option, but I have only used it twice so I'm cautious lol

 

The thing is there is not a lot of info on the latest BIOS in public, and the ones I saw a lot are outdated and have the same spelling mistakes and missing little things that should be there, so you know a couple have plagiarized someone else's work.

NOP

It seems AMI has a different system from the usual hash...

Press F2 on startup to enter BIOS setup. On the password prompt press ALT+R, which will then prompt you for a "Rescue Password" which can be generated from the supplied date code.

Windows passwords can be changed or removed easily with various programs and even the Windows setup; there are lots of tuts on this subject.

H1TC43R
Posted (edited)

The hot key for this device is Del, not F2, and the ALT+R won't work. I'm sure the company created their own sub section so that makes it a bit more creative, but thanks for the ideas, always helpful.

 

I'm hoping to find a way of getting the original password from Windows rather than changing it if possible; God Mode can deal with that if it becomes the final option.

 

Not sure if you know or not, but there is a God Mode on Windows. For anyone else interested, try this; there's plenty of info on it out there.


Enabling God Mode in Windows 10

To make this work, you must be using an account with administrative privileges. Go to your desktop and create a new folder by right-clicking any open area, pointing to “New” on the context menu, and then clicking the “Folder” command.

Now, rename the folder to the following: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} and hit return; you'll notice the folder icon change to a control panel icon.

NOP

God Mode won't help with the password; this mode is simply a collection of shortcuts found in Control Panel and other sections.

To crack the original password, you could create a new user using one of many methods and then grab the hashes from the SAM and run a dictionary or brute force attack on it to recover the original password, but it all depends on how secure the original password is.

H1TC43R
Posted (edited)

I was hoping that it may help, as the Windows system is locked down (even Defender is blocked), so access to the sections may help in my case.

I'm thinking of trying Kali with Hashcat 6; it's had a major update so it's got to be worth a first shot. My back up option would be John the Ripper.

 

Any comments will be helpful

 

I came across this public user guide and thought it might shed some light for anyone following.

 

 

Aptio_TSE_Data_Sheet.pdf

  • 2 weeks later...
H1TC43R

I have upgraded the RAM and hard drive to a higher spec and it still works; I also managed to load other software which I couldn't do originally.

The only issue I had was a flat ribbon and putting it back on the motherboard; still not 100% sure it's in right, but will come back to that.

Windows is a bit more challenging; as mentioned before, it has been locked down by the company. On the sign-in screen there is only 1 user listed when I know there are 2 built-in admin accounts, the normal Windows Administrator account and the OEM company's own, which is where it gets locked up.

I can reset the password through CMD with net user Administrator password /active:yes and it comes up successful, but the admin accounts are still hidden. I need to be careful, as it is possible that if I delete the original password it could cause the system a problem, which will then cost some time when I have to reset everything and start again. Attached a pic so you see what I mean; not sure if it's generic or something else.

 

Warning.jpg

NOP

Data from the admin will be lost as mentioned, but not the main OS; you might lose any user data for that account, but not the OS.

Have you downloaded the SAM and tried brute forcing the admin password?

H1TC43R
Posted (edited)
22 hours ago, NOP said:

Data from the admin will be lost as mentioned, but not the main OS; you might lose any user data for that account, but not the OS.

Have you downloaded the SAM and tried brute forcing the admin password?

Not yet. I know where SAM is in the system folder, but I'm cautious because I don't want to lose that particular account (I can recover it to factory settings, but it takes 2+ hrs to recover). Whilst trying other options I came across Windows Password Recovery.

I tested it on another computer and it did give me 2 of the passwords (well, the first 3 letters/numbers, as it's in trial mode).

 

On reading up a bit more, it seems Enterprise is not as easy to do because it is not mainstream like the Pro and Home versions that most people have; it's basically Windows 10 Pro with extras.

Enterprise:

Windows 10 Enterprise provides all the features of Windows 10 Pro, with additional features to assist with IT-based organizations.

 

 

  • 1 month later...
H1TC43R

Been away for a bit but back now, and I have managed to source another unit as well, which should be here in a couple of days.

 

Going to start with the SAM and SYSTEM files to see if I can crack the password, but the bigger challenge will be dealing with the group policy; I will create a new post about that rather than mess up this post.

  • 5 weeks later...

I managed to get another device and am starting to get somewhere. I have the SAM and SYSTEM files from both units; all that needed to be done was:

Just open the Command Prompt as Administrator, and then run the following commands:

reg save HKLM\SAM C:\sam

reg save HKLM\SYSTEM C:\system

Or you can change the directory to wherever you want to save the files to.

 

I also found 2 ways to activate the hidden users, so now when I start the machine it asks which user I want to use; it also works with signing out and signing back in with another account.

The 1st way was through regedit, doing the following:

Open the Registry Editor (click your Start Button, type regedit and hit enter)

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

In the right hand pane look for a DWORD that has the name of the hidden user account

Double click that DWORD; if the value of that DWORD is 0, set it to 1

Close the Registry Editor and restart your system.

 

The 2nd way is:

 

To enable the Windows 10 administrator account do the following (note: this works in older versions of Windows as well):

Tap on the Windows-key. This should open the start menu or bring you to the Start Screen interface depending on how Windows 10 is configured on the system.

Type cmd and wait for the results to be displayed.

Right-click on the Command Prompt result (cmd.exe) and select "run as administrator" from the context menu. Alternatively, hold down the Shift-key and the Ctrl-key before you start cmd.exe.

Run the command net user to display a list of all user accounts on the system. You should see Administrator listed as one of the accounts.

To activate the inactive administrator account, run the command net user administrator /active:yes

Windows returns "The command completed successfully" if the operation is successful. Check the spelling and that you are in an elevated command prompt interface if you get error messages.

If you want to enable the guest account as well run the command net user guest /active:yes

 

So now that I have access to the other user accounts, it makes sense for me to find a way to find the passwords out (Mimikatz, Hashcat, etc.).

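An added audit script (not from this thread or its posters) that checks, from the administrator's side, the two things the steps above change: whether the built-in Administrator and Guest accounts are enabled, and whether any account has been hidden from the sign-in screen through the SpecialAccounts\UserList key. The registry path and the well-known RIDs 500/501 are standard Windows values; the function names are my own.

```powershell
# Audit local accounts against the two tampering points discussed in the thread:
# the built-in Administrator / Guest being re-enabled, and accounts hidden from
# the sign-in screen via Winlogon\SpecialAccounts\UserList. Run elevated.

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenAccountOverrides {
    # Returns one object per UserList value. A value of 0 hides that account
    # from the sign-in screen; 1 shows it. The key is absent on a default install.
    if (-not (Test-Path $userListKey)) { return @() }
    $item = Get-ItemProperty -Path $userListKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath, PSDrive, etc.
        ForEach-Object {
            [pscustomobject]@{ Account = $_.Name; Visible = ($_.Value -ne 0) }
        }
}

function Get-LocalAccountAudit {
    # Built-in Administrator and Guest carry RIDs 500 and 501, so matching on the
    # RID still works when the accounts were renamed.
    Get-LocalUser | ForEach-Object {
        $rid = [int]($_.SID.Value.Split('-')[-1])
        [pscustomobject]@{
            Name      = $_.Name
            Enabled   = $_.Enabled
            BuiltIn   = ($rid -eq 500 -or $rid -eq 501)
            LastLogon = $_.LastLogon
        }
    }
}

$overrides = Get-HiddenAccountOverrides
$accounts  = Get-LocalAccountAudit

foreach ($acct in $accounts) {
    $hidden = $overrides | Where-Object { $_.Account -eq $acct.Name -and -not $_.Visible }
    if ($acct.BuiltIn -and $acct.Enabled) {
        Write-Warning "Built-in account '$($acct.Name)' is enabled (expected disabled)."
    }
    if ($hidden) {
        Write-Warning "Account '$($acct.Name)' is hidden from the sign-in screen via UserList."
    }
}
$accounts | Format-Table -AutoSize
```

On a clean machine the script prints no warnings; any warning is worth reconciling against change records, since both settings are exactly what the steps above modify.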
  • 2 weeks later...
H1TC43R

I found 1 of the 2 passwords I'm looking for; it was for the default Windows admin account. I tested it and it works fine, but the company account password looks to be slightly harder (I know the 1st 3 keys from previous research), so currently giving Cain & Abel a try on an i7 whilst I have another program running on 1 of the devices, but that's running slower due to limits of the CPU. After this I can move on to the actual program and its protections.

I also upgraded the memory and boosted the SSD to 500GB in the 2nd device, and also fixed an issue I was having. The problem was EaseUS Todo Backup; it wouldn't copy the winload.efi file over correctly, and I think possibly a couple of other small files (1KB etc.), and the device wouldn't load up, but I got around this and it finally runs like it should.


Do you have a CUDA compatible GPU? It would be MUCH faster using GPU over CPU. C&A is an old app which, I think, only officially works with XP, NT and 2000 and has been known not to recover some newer accounts / Windows versions.

I recommend Hashcat, John the Ripper or a pre-rolled Windows app which supports modern GPUs, like the many from Elcomsoft.

😀

H1TC43R
Posted (edited)

Thanks NOP, I went with Elcomsoft in the end as I was having a few problems with hashcat and the tables. It is something I would like to come back to though, as it's something you need a few days to understand, not the few hrs I have had; I would also like to dig deeper into John the Ripper.

Cain and Abel wasn't that great; as you say it's dated, as is ophcrack.

Anyway, I found the password within 10 minutes. It was a 40 character password, much longer than originally thought, and wouldn't be easy to guess as it's random ("Hj0KNmz2" etc...), so it shows again passwords mean nothing if you're using Windows LOL

 

Now that I have managed to get total control of both devices, it will be time to close this down, as the next part will be to do with the protections, and this is where I have spent a few weeks picking up bits and pieces as it is riddled with protections.

After that I have a dongle to play with, so all that should see me till the new year.
