tofu: modular tool for hacking offline Windows filesystems and bypassing login screens
tofu
A modular tool for hacking offline Windows filesystems and bypassing login screens. It can do hashdumps, OSK backdoors, user enumeration, and more.
How it works :
When a Windows machine is shut down, unless it has BitLocker or another disk-encryption service enabled, its storage device contains everything stored on the machine as if it were unlocked. This means that you can boot from an operating system on a bootable USB and access its files – or even just connect the storage device to another computer.
This tool helps with the part after booting from another OS (like Linux) or connecting the filesystem to another computer: it has utilities that can dump NTLM password hashes, list users, install backdoors that spawn an elevated command prompt at the login screen, and more.
How to use the osk_backdoor :
1. Restart the Windows computer and, as it is turning on, boot from a Linux bootable USB (this process varies from computer to computer)
2. Download tofu, set it up, and run it
3. Use the ‘osk_backdoor.py’ module after setting the options
4. Restart the computer, this time booting into Windows
5. In the accessibility settings (bottom right), select ‘On-Screen Keyboard’
6. Wait, or press ‘On-Screen Keyboard’ again, until it works
7. Success!
If you encounter an error along the lines of “CMD.exe does not exist at PATH”, it could be an I/O error; you can confirm this by trying to browse to the drive in the file explorer.
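A defender-side check that goes with the osk_backdoor procedure above. This is an added example written for this page, not part of tofu: run against an NTFS volume mounted read-only on Linux, it flags an osk.exe that has been replaced by a copy of cmd.exe (the swap the module is assumed to perform, given the “CMD.exe does not exist” error mentioned above) and, optionally, an osk.exe whose hash differs from a known-good value you supply. The mount path and known-good hash are arguments you provide.

```python
import hashlib
import sys
from pathlib import Path
from typing import List, Optional


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_system32(mount_root: Path) -> Optional[Path]:
    """Locate Windows/System32 case-insensitively (an NTFS volume mounted on Linux keeps on-disk casing)."""
    for windows in mount_root.iterdir():
        if windows.is_dir() and windows.name.lower() == "windows":
            for sub in windows.iterdir():
                if sub.is_dir() and sub.name.lower() == "system32":
                    return sub
    return None


def check_osk_backdoor(mount_root, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return findings for the mounted volume; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    system32 = find_system32(Path(mount_root))
    if system32 is None:
        return ["System32 not found under mount root"]
    files = {p.name.lower(): p for p in system32.iterdir() if p.is_file()}
    osk, cmd = files.get("osk.exe"), files.get("cmd.exe")
    if osk is None:
        return ["osk.exe missing from System32"]
    osk_hash = sha256_of(osk)
    # Assumed backdoor mechanism: the on-screen keyboard is swapped for a copy of the shell,
    # so the two files end up byte-identical.
    if cmd is not None and sha256_of(cmd) == osk_hash:
        findings.append("osk.exe is byte-identical to cmd.exe (accessibility backdoor)")
    # Optional: compare against a hash taken from a trusted install of the same Windows build.
    if known_good_sha256 and osk_hash != known_good_sha256.lower():
        findings.append("osk.exe hash does not match the supplied known-good value")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_osk.py /mnt/windows [known_good_sha256]
    results = check_osk_backdoor(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print("\n".join(results) if results else "osk.exe looks unmodified")
```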
Modules :
Because tofu is built from modules, it can be extended for different purposes. See the ‘modules’ section for examples.
Current Modules:
1. hashdump.py – Dumps NTLM hashes from the target Windows filesystem
2. osk_backdoor.py – Backdoors osk.exe to bypass the login; also includes an ‘unbackdoor’ module
3. list_users.py – Lists the users with a profile on the Windows filesystem
4. chrome_history.py – Dumps the Chrome history of all users on the Windows filesystem
5. get_dpapi_masterkeys.py – Dumps DPAPI master keys from the Windows filesystem
6. enum_unattend.py – Enumerates unattend files
7. memory_strings.py – Searches through the memory of the computer to find data
8. startup.py – Injects a program into a user’s startup directory
Install
git clone https://github.com/puckblush/tofu.git
(The following must be run as root: pypykatz’s import path depends on the current user, and tofu itself needs to run as root.)
sudo pip3 install -r requirements.txt
sudo python3 tofu.py
Usage :
Source: https://github.com/puckblush/