Sunday, August 26, 2012

Get access to local Windows machine

Note : Educational purpose only. Author will not be responsible for any harm.

This post covers a technique to gain Administrator (or any other user's) access to a Windows machine. It requires physical access to the machine. The drawback of this attack is that the original Admin/user will eventually find out that his account was cracked. Also, an Administrator of the machine needs to be logged in to perform the following steps.

Tools required: none

Steps followed to perform this attack:
  1. Open the C:\Windows\System32 directory. Find the sethc file and change its permissions; this can be done via Properties > Security > Advanced > Owner > Edit. Now cut the sethc file and paste it to the Desktop.
  2. Now copy the cmd file (the binary for the command prompt) to the Desktop. Rename it to sethc and copy it back to the System32 directory.
  3. Now you are almost done. Whenever you need access to the machine, press the Shift key five times at the login screen. This will invoke cmd instead of the Sticky Keys feature of Windows, and you will get a command prompt on the machine.
  4. To get full functionality, you need to get access to one of the user accounts on the machine.
  5. To do so, in the command prompt enter: net user <user name> <new password>. Using this new password for the account, you can log in.

Steps to avoid this attack:
  1. On a Windows machine, account information is stored in a file called the SAM (Security Accounts Manager). However, the passwords are not in plaintext; they are stored in hashed form.
  2. On every login, the system checks the entered password against this SAM file. If the entered password for account X matches the password stored in the SAM for account X, the system grants access to the user.
  3. By using the technique given here, the SAM file is partially encrypted, so that the password hashes for all local accounts stored in the SAM are encrypted with a key, making it hard for intruders to get access.
  4. What we are going to do is use this built-in Windows feature to avoid this kind of attack.
  5. Steps: Start > Run > SYSKEY > Update > Password Startup, then enter a password, hit OK, and you are done. This protects the SAM file and prevents all accounts from being cracked.
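A quick way for an administrator to check whether the swap described in steps 1 and 2 above has already happened on a machine: step 2 leaves System32\sethc.exe byte-identical to cmd.exe, and step 1 leaves the genuine sethc.exe sitting on a user's Desktop. The following PowerShell check is an added example, not part of the original post; the function name Test-SethcIntegrity is my own, and it assumes the default %SystemRoot% layout and PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example: detect a cmd.exe copy standing in for sethc.exe.
# Run from an elevated PowerShell prompt on the machine being checked.
function Test-SethcIntegrity {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $sethc    = Join-Path $system32 'sethc.exe'
    $cmd      = Join-Path $system32 'cmd.exe'
    $findings = @()

    if (-not (Test-Path $sethc)) {
        $findings += 'sethc.exe is missing from System32'
    } else {
        # Copying cmd.exe over sethc.exe makes the two files identical, so their
        # SHA-256 digests match. A genuine sethc.exe never hashes the same as cmd.exe.
        $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
        $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
        if ($sethcHash -eq $cmdHash) {
            $findings += 'sethc.exe is byte-identical to cmd.exe'
        }

        # Renaming a file does not change the version resource embedded in it:
        # the real sethc.exe reports its own name, a renamed cmd.exe reports "Cmd.Exe".
        $orig = (Get-Item -Path $sethc).VersionInfo.OriginalFilename
        if ($orig -and $orig -notlike 'sethc*') {
            $findings += "version resource OriginalFilename is '$orig'"
        }
    }

    # Step 1 of the post parks the original binary on the Desktop; a stray
    # sethc.exe in any user's Desktop folder is a strong sign the swap was done.
    $stray = Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users\*\Desktop\sethc.exe') `
                           -ErrorAction SilentlyContinue
    foreach ($f in $stray) {
        $findings += "copy of sethc.exe found at $($f.FullName)"
    }

    [pscustomobject]@{
        Path     = $sethc
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Usage: prints one object; Tampered is $true when any finding was recorded.
Test-SethcIntegrity | Format-List
```

If the check reports Tampered = True, running sfc /scannow from an elevated prompt restores the protected system copy of sethc.exe, after which the check should come back clean.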

