Super Sweet Kon-Boot Demo in GIFs

Jordan Drysdale, victim // Kent Ickler, adversary

In this post, our victim locks their computer and heads out for a coffee refill. The adversary smashes through all system and user defenses.

With the system locked and the user not defending her PC/laptop/MacBook, the adversary plugs in a USB drive with Kon-Boot 2-in-1 installed and reboots.

Kon-Boot is as simple as a BIOS boot to a thumb drive. The installer is also dead simple and takes about 30 seconds from scratch to weaponized thumb drive.

The adversary runs through BIOS options and chooses to boot to the thumb drive.

Kon-Boot bypasses the password screen in one of two ways. It can be run in bypass mode (note the following one-character entry, plus a carriage return). Or Kon-Boot can be run in 'New User' mode, in which a root or Kon-Boot user is created and added to local administrators.

That's it: the adversary is in and can fetch data, run the Bash Bunny for data exfiltration or Wi-Fi profile recovery, or just dump files with standard Windows drag and drop.

Finally, the adversary can pull the USB, lock, reboot, do whatever. After the reboot, aside from the missing open programs, files or what-have-you, the user is unaware of any trespass.

Kon-Boot is a must-have in every pentester's go kit.
