
Windows Account hack


6 replies to this topic

#1 ArchAngel99969

ArchAngel99969

    Will I break 10 posts?

  • Members
  • 3 posts
  • Gender:Male

Posted 16 September 2010 - 03:00 AM

I'm having a problem with a system; I wonder whether there is a way to elevate privileges in Windows XP or 7 or any other version.
The problem is:
1) the BIOS is password protected
2) the user account does not have write privileges to disk C (hell, even the Control Panel is protected)

So the method of using boot disks is not an option because I can't configure the BIOS boot order,
and the methods that use the logon screen are not an option either.

What I'm looking for is a method that will give me write privileges to disk C.
I don't mind if the solution is some source code in any programming language that bypasses these limitations, or some tools.
Anyway, I'm open to any solution; I'd prefer one that does not change the original administrator password, or that has the ability to restore the old one.

Any idea, solution, walkthrough, or step-by-step guide is welcome.
I'm just a software engineering student, so I have limited knowledge of all programming languages equally.

Please, somebody help!!!

P.S. I have a zip file that contains a step-by-step how-to for hacking a Windows account that works even for Win7, using Kon-Boot and grub4dos, assembled myself; it works great.

Edited by ArchAngel99969, 16 September 2010 - 03:15 AM.


#2 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,092 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 16 September 2010 - 03:40 AM

How much access do you have to the machine?

You could pull the CMOS battery, or find out if there is a jumper to short the CMOS on the MoBo, thus clearing the password protection and returning it to its default state.

Once the BIOS protection is circumvented, boot Knoppix from a USB stick and copy the SAM file to the USB stick. Then boot ntpasswd and reset the admin account (resetting is more consistent than changing it). You now have admin access... Do whatever, then boot Knoppix again from the USB stick, delete the SAM file and copy the original one back (so the admin password will be the same). Be aware that even though the stamped access time of the SAM will change on every boot (it is accessed when the system boots), the creation time stamp will change once it is recopied.

That probably isn't the best solution because the BIOS password is removed. If one wanted to be sneaky, they could replace the CMOS battery with a dead one and make it look like there may have been a power outage (changing the time to blink 12:00 on all digital clocks in the building, etc., mimicking a power failure). Idk, just an idea.

You could also pull the HD and put it into another system and read/write to it. But full disk encryption would ruin that idea. Also, you'd need to take ownership of the files/folders with NTFS, because NTFS uses the unique SID and not the account name for permissions. So that might be a dead giveaway that it has been tampered with.


EDIT: I just happened across this while trying to help a friend out with his BIOS-locked system he got at a garage sale: http://www.biosflash...s-passwords.htm

To my surprise it really worked, and kept the BIOS password intact.

Edited by tekio, 16 September 2010 - 01:02 PM.


#3 lattera

lattera

    Underground Shizzleness

  • Members
  • 511 posts
  • Gender:Male

Posted 16 September 2010 - 08:57 PM

If the box has FireWire, then you can use the existing tools to give you administrator access via a FireWire exploit. The FireWire spec mandates Direct Memory Access (DMA), which means that any FireWire device has full access to all physical memory.

#4 ArchAngel99969

ArchAngel99969

    Will I break 10 posts?

  • Members
  • 3 posts
  • Gender:Male

Posted 17 September 2010 - 10:20 AM

Well, the machine is behind a padlock, so opening it up is kinda tricky, although I have some lock picking knowledge. After doing what I need, switching the battery with an empty one to simulate a battery failure and cover the trace sounds interesting, but kinda like a Mission Impossible movie; still loved the idea, thanks. About the biosflash, well, I need to check it out: what it is, how it works, experimenting in my lab, etc. Will let you know what I have found. Thanks anyway.

Edited by ArchAngel99969, 17 September 2010 - 10:22 AM.


#5 ArchAngel99969

ArchAngel99969

    Will I break 10 posts?

  • Members
  • 3 posts
  • Gender:Male

Posted 17 September 2010 - 10:25 AM

Well, the machine doesn't have any FireWire, but anyway I heard about that and never took the time to check how it works; maybe it's time to look it up. Sounds promising, thanks a lot.

#6 Lord Wud

Lord Wud

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 423 posts
  • Location:New Jersey

Posted 17 September 2010 - 11:26 PM

If you have access to the AT command then this is probably the easiest trick. Open a command prompt and type "at 00:17 /interactive cmd.exe", but replace "00:17" with the military time for one minute in the future. Then when that time comes around, a new prompt will pop up that has SYSTEM privileges. Then you just kill explorer and launch it again from that prompt, and you're gold. Here's a link with pictures and more details: http://www.askstuden...lation-exploit/

If that doesn't work, look around for other privilege escalation tricks. I'm sure you'll find one, especially if you have not been patching this box.

Also, since you already have user-level access, it should be fairly simple to get a shell on another box running Metasploit. Then you could try running the escalate privileges plug-in; I think it's called getsystem. If you enter the question mark enough times it should explain itself. It doesn't always work, but it's an easy way to try a few different exploits in one shot.

Now the FireWire trick is way cooler than any of those, so you should probably go that route, but I thought I'd throw out some more options.
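The scheduled-task trick above leaves a trace a defender can key on: the job is a scheduled-task creation that runs a shell as LocalSystem. The following is an added example, not code from the thread; it assumes Vista/7-style 4698 "scheduled task created" events (XP logged 602 instead) with task-creation auditing enabled, and the constructed key=value records and field names are an invention for this example, not a real log format.

```python
"""Detect the 'at ... /interactive cmd.exe' trick: it surfaces as a scheduled-task
creation that runs a shell as LocalSystem. Records below are constructed for
this example; they imitate key fields of a Security log 4698 event flattened
to key=value pairs (the flattening itself is an assumption, not a real format)."""
import ntpath
import re
from dataclasses import dataclass

SHELLS = {"cmd.exe", "command.com", "powershell.exe"}
SYSTEM_IDS = {"S-1-5-18", "NT AUTHORITY\\SYSTEM", "SYSTEM"}

# Constructed sample: one at.exe job, two legitimate tasks, one unrelated logon event.
SAMPLE_LOG = r"""
EventID=4698;Subject=CORP\jdoe;TaskName=\At1;RunAs=S-1-5-18;Command=cmd.exe;
EventID=4698;Subject=CORP\backupsvc;TaskName=\NightlyBackup;RunAs=CORP\backupsvc;Command=C:\Tools\backup.exe /full;
EventID=4698;Subject=CORP\admin;TaskName=\VendorUpdater;RunAs=S-1-5-18;Command="C:\Program Files\Vendor\update.exe";
EventID=4624;Subject=CORP\jdoe;TaskName=-;RunAs=-;Command=-;
"""

@dataclass
class TaskEvent:
    event_id: int
    subject: str    # account that created the task
    task_name: str
    run_as: str     # SID or account the task runs under
    command: str

def parse_event(line: str) -> TaskEvent:
    """Parse one flattened record into a TaskEvent."""
    kv = dict(p.split("=", 1) for p in line.strip().rstrip(";").split(";"))
    return TaskEvent(int(kv["EventID"]), kv["Subject"], kv["TaskName"],
                     kv["RunAs"], kv["Command"])

def suspicious_reasons(ev: TaskEvent) -> list:
    """Why a task-creation event matches the trick; empty list if benign.
    Both a shell binary and a LocalSystem principal are required, so a vendor
    updater that legitimately runs as SYSTEM is not flagged on its own."""
    if ev.event_id != 4698:
        return []
    exe = ntpath.basename(ev.command.strip('"')).split()[0].lower()
    if not (exe in SHELLS and ev.run_as.upper() in SYSTEM_IDS):
        return []
    reasons = [f"{exe} scheduled to run as LocalSystem by {ev.subject}"]
    if re.fullmatch(r"\\?At\d+", ev.task_name):   # at.exe names its jobs At1, At2, ...
        reasons.append("At-style job name, i.e. created with at.exe")
    return reasons

def scan(log_text: str) -> dict:
    """Map each flagged task name to its reasons."""
    events = (parse_event(line) for line in log_text.strip().splitlines())
    return {ev.task_name: r for ev in events if (r := suspicious_reasons(ev))}
```

On Vista and later, session 0 isolation keeps the spawned shell off the user's desktop, but the task creation is still logged, so the same rule applies.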

#7 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,092 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 18 September 2010 - 10:54 AM

Depending on physical security, flipping the switch on the circuit breaker would be relatively simple. If you're thinking about picking the lock, you either have a legitimate reason for physical access or security is rather lax. Circuit breakers are usually not too secure, because sometimes "shift monkeys" that work nights may need to access them. Of course there is always a chance they've got a generator, but there is always a slight chance machines will go down before the generator kicks in. It is quite common where I work; we test the generators every single week, and sometimes boxes do go down before it kicks in. Just ask the Russians. Chernobyl was partly to blame on the lapse in time it took for a generator to kick in that mandated the flow of liquid to cool the rods of reactor #4.
