Google Custom Provider for Windows (GCPW), which lets users log in to Windows using a Google account, should be a custom security package sample.
Also, there is a custom Windows Security Package sample which can even extract plaintext passwords.
Is there any way to bypass the SAM database for Windows to log in?
I am working on a custom Windows credential provider.
I want to create a passwordless Windows credential provider.
So far I have achieved this goal by saving the combination of
- Username
- Domain
- Password
into a hashed txt file on my PC. It will be saved somewhere on the local PC (e.g. C:\Temp\MyCredsDatabase.dat).
Then I authenticate that combination using KERB_INTERACTIVE_UNLOCK_LOGON like this:
HRESULT CMyCredential::GetSerialization(
    CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE* pcpgsr,
    CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcs,
    PWSTR* ppwszOptionalStatusText,
    CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon
)
{
    ...
    KERB_INTERACTIVE_UNLOCK_LOGON kiul;
    hr = KerbInteractiveUnlockLogonInit((PWSTR)wdomain.c_str(), (PWSTR)wusername.c_str(), (PWSTR)pwd.c_str(), _cpus, &kiul);
    ...
}
-------------------- QUESTION ------------------
I know this will be a security leak if I implement this,
- But is it possible for my custom credential provider to authenticate based on my custom database instead of the SAM database?
https://stackoverflow.com/questions/6289032/custom-windows-authentication-package?rq=1 - I already posted a similar question at https://stackoverflow.com/questions/70150814/is-it-possible-to-bypass-the-password-to-login-to-window. One user stated that I have to implement a custom SSP or AP https://msdn.microsoft.com/en-us/library/windows/desktop/aa375200(v=vs.85).aspx. But I haven't found any exact example of how to implement that. Is a custom SSP / AP the answer that I am looking for?
-
Xiaopo Yang - MSFT 12,231 Reputation points Microsoft Vendor
2021-12-07T03:26:25.543+00:00
1 additional answer
-
Limitless Technology 39,511 Reputation points
2021-12-09T08:47:00.81+00:00
Hi there,
By default, Windows credentials are validated against the Security Accounts Manager (SAM) database on the local computer, or against Active Directory on a domain-joined computer, through the Winlogon service.
Credentials are collected through user input on the logon user interface or programmatically via the application programming interface (API) to be presented to the authenticating target.
I suppose you can use other tools like Google admin center to associate a user's existing Windows profile with their Google Account or any other tools that might do this.