Académique Documents
Professionnel Documents
Culture Documents
Physical Access
Many.people.within.the.computer.industry.have.the.opinion.that.security.does.not.count.when. an.attacker.has.physical.access.to.your.computer..I.strongly.disagree.with.that.opinion;.security. always.counts.especially.when.an.attacker.is.able.to.get.physical.access.to.your.box..It.does.not. have.to.be.game.over.just.because.an.attacker.gets.physical.access.to.your.machines..There.are. measures.you.can.take,.such.as.disk.encryption,.to.secure.your.computers.from.physical.attack.. This.chapter.will.discuss.what.measures.can.be.taken.to.secure.a.Microsoft.Windows.operating. system.and.how.vulnerable.these.systems.can.be.when.proper.precautions.are.not.taken. The.majority.of.people.who.approach.a.computer.at.a.Windows.logon.screen.are.halted.in. their.tracks..The.average.individual.figures.that.without.the.username.and.password,.there.is.no. chance.of.getting.into.the.system..A.skilled.hacker.with.physical.access.should.be.able.to.break. into.a.Windows.operating.system.in.less.than.5.minutes..When.a.hacker.sees.this.logon.screen,. they. know. there. are. several. tools. they. can. use. to. easily. get. into. this. system.. This. chapter. will. discuss.several.ways.to.get.into.a.Windows.operating.system.without.having.the.username.or.the. password.
Hacking Windows OS 3
These.key.sequences.work.in.Windows.2000,.XP,.2003,.Vista,.2008,.and.Windows.7..Sethc. .exe.and.Utliman.exe.are.the.files.associated.with.these.Windows.programs.that.can.be.launched. prior. to. logon.. The. Windows. operating. system. can. be. easily. hacked. by. locating. these. files. in. %SYSTEMROOT%\system32.and.replacing.them.with.other.known.good.Windows.files.like. cmd.exe.or.explorer.exe..This.chapter.will.guide.you.on.how.to.use.a.Live.CD.to.perform.these. steps..However,.before.you.embark.on.hacking.Windows.you.will.need.to.know.how.to.burn.an. ISO,.or.disk.image.file.
Live CDs
There.are.a.large.variety.of.Live.CDs.that.can.be.utilized.to.assist.you.in.your.quest.for.Windows. domination..A.Live.CD.is.a.special.utility.that.can.run.an.entire.operating.system.from.the.CD,. and. allow. the. user. to. access. and. manipulate. files. on. the. hard. drive.. The. website. http://www. ..ivecdlist.com.provides.a.good.list.of.many.popular.Live.CDs.and.links.to.download.the.ISO.files. l
Live.CDs.are.extremely.useful.tools.that.can.be.utilized.by.individuals.with.good.and.bad. intentions..A.Live.CD.will.allow.network.administrators.to.run.Linux.on.their.system.without. installing.it.or.changing.any.of.their.systems.configurations..Law.enforcement.can.use.Live.CDs. like.HELIX.or.KNOPPIX.to.acquire.a.forensically.sound.copy.of.a.hard.drive..Pentesters.can.use. a.distribution.like.BackTrack.to.scan.networks.and.computers..And,.any.Live.CD.with.a.browser. can. be. utilized. by. individuals. who. want. to. surf. the. net. without. leaving. any. artifacts. on. their. harddrive.
Hacking Windows OS 5
Once.you.have.downloaded.the.ISO.file,.you.will.need.some.type.of.burning.software..Nero. Burning.Rom.is.one.of.the.best.burning.suites.available..However,.it.is.not.a.free.product..(Nero. does.offer.a.free.trial.version.if.you.go.to.their.website.at.http://www.nero.com.).There.are.also. many.free.burning.programs.that.work.quite.well..Imgburn.is.a.graphical.user.interface.(GUI). application.that.allows.users.to.burn.or.create.ISO.files..It.can.be.downloaded.from.http://www. .imgburn.com..The.five.steps.for.burning.the.BackTrack.4.ISO.are.as.follows: . 1..Download.the.bt4-beta.iso.file.from.http://www.backtrack-linux.org/downloads/. . 2..Download.and.install.the.ImgBurn.program.from.http://www.imgburn.com/. . 3... pen.the.ImgBurn.program.and.select.Write.image.file.to.disc. O
When.the.burning.process.in.finished,.the.media.will.automatically.eject.from.your.system..You. can.now.use.the.media.as.a.bootable.Live.CD/DVD.
Hacking Windows OS 7
Figure 1.2 CMOS jumper on the motherboard to reset the BIOS password.
There.is.a.disadvantage.to.a.hacker.removing.a.jumper.or.taking.the.battery.out.to.get.into. the.BIOS;.if.a.password.has.been.changed,.the.person.who.set.the.password.will.know.that.the. BIOS.has.been.reset..For.example,.a.colleague.of.mine.changed.the.settings.on.his.computer.that. required.users.to.enter.a.BIOS.password.in.order.to.start.the.system..It.seemed.he.did.not.want.his. wife.or.kids.using.his.high-end.system..I.explained.to.him.that.if.the.CMOS.battery.or.jumper. was.removed,.they.would.be.able.to.get.into.his.system..He.agreed.that.methods.exist.to.reset. the.BIOS.password;.however,.if.his.password.was.reset.he.would.know.his.system.was.accessed.. A.more.stealthy.way.for.a.hacker.to.enter.the.BIOS.is.to.use.a.default.or.backdoor.password.. There.are.lists.of.BIOS.passwords.that.can.be.retrieved.from.the.Internet.using.Google..One.of.the. most.effective.ways.to.keep.people.from.resetting.BIOS.passwords.is.to.lock.the.computer.case.. While.most.computer.case.locks.can.be.picked.fairly.easily,.this.technique.can.be.used.as.a.deterrent.to.prevent.someone.from.changing.BIOS.settings.like.boot.order..However,.keep.in.mind. that.even.if.the.case.is.locked,.if.someone.has.a.backdoor.or.default.password,.locking.the.system. will.not.prevent.them.from.accessing.the.system..A.simple.lock.on.the.computer.will.not.thwart. a.determined.attacker. After. opening. the. case. of. some. newer. computers,. you. may. receive. a. Chassis. Intrusion. Detected.message.when.you.put.the.cover.back.on.and.power.on.the.machine..Chassis.intrusion. messages.are.an.annoying.feature.included.in.some.newer.BIOS.versions..In.most.cases,.the.. hassis. c intrusion.cable.is.plugged.into.a.jumper.on.the.motherboard..If.you.unplug.the.cable.from.the. jumper.on.the.motherboard.and.place.a.new.jumper.(you.can.always.find.extras.on.old.motherboards,.cards,.or.hard.drives),.the.alarm.should.not.go.off.any.more..Sometimes,.several.reboots. will.be.necessary. After.entering.the.BIOS,.a.user.can.navigate.around.by.using.the.arrow.keys.(not.by.using. the.mouse)..Manufactures.may.have.opted.for.use.of.the.keyboard.only.in.the.BIOS.screen. to. keep. novice. users. from. changing. important. BIOS. settings.. One. incorrect. BIOS. setting.
could.result.in.the.computer.not.booting..The.layout.of.the.BIOS.utility.will.vary.depending. on.the.manufacturer..Most.BIOS.screens.have.a.setting.referred.to.as.Boot.Device.Priority,. Boot,.Startup.Sequence,.or.a.similar.type.setting..The.way.to.change.the.boot.order.will.also. vary. depending. on. the. BIOS. manufacturer.. On. the. BIOS. of. some. systems,. hitting. Enter. after.selecting.the.first.boot.device.will.pull.up.a.menu.that.allows.you.to.select.from.a.list. of.choices.that.can.become.the.new.first.boot.device..Other.BIOS.setup.screens.require.users. to.use.the.up.and.down.arrow.until.you.get.all.of.the.devices.in.the.order.you.desire..Ifthe. hacker. is. booting. to. a. CD. or. DVD,. the. DVD. drive. should. be. the. first. device. in. the. boot. order.
On.modern.computers,.the.USB.thumb.drive.is.also.a.boot.choice,.and.this.option.is.quickly. becoming. popular.. Once. the. BIOS. settings. have. been. changed,. the. Save. Changes. and. Exit. selection.needs.to.be.located.from.within.the.BIOS.menu..This.task.can.usually.be.accomplished. by.hitting.the.F10.key.on.most.systems..Once.the.BIOS.has.been.modified.to.boot.to.the.proper. device,.you.can.boot.to.your.BackTrack.DVD.or.other.Live.CD.
Utility Manager
The.Utility.Manager.was.designed.to.help.people.with.disabilities..For.this.next.exercise,.your. victim.computer.should.be.running.any.of.the.following.Microsoft.Windows.operating.systems:.Windows.Vista,.Windows.2008.Server,.or.Windows7..This.attack.can.even.be.launched. against.systems.utilizing.Smart.Card.and.fingerprint.readers..If.the.computer.is.off,.turn.it.on. and.insert.the.BackTrack.DVD.immediately..If.the.. omputer.is.presently.at.the.logon.screen,. c insert.the.DVD.and.click.the.shutdown.button..If.the.shutdown.selection.is.not.available,.you. will.need.to.put.the.DVD.in.the.drive.and.reset.the.computer..If.the.computer.does.not.have. a.reset.button,.just.power.it.off.and.power.it.back.on.again.
Hacking Windows OS 9
Use.the.following.steps.to.break.into.the.Windows.7.operating.system: . 1..Select.BT4.Beta.Console.at.the.Boot.menu.
. 2..At.the.BackTrack.4.Beta.menu,.login.as.root.with.the.password.of.toor..Then.type.startx.to. launch.the.GUI.
. 3..Launch.the.terminal.by.clicking.the.black.icon.to.the.left.of.the.Firefox.icon.
Hacking Windows OS 11
9..The.System32.directory.is.the.primary.location.for.most.of.the.Windows.executables..One. of.these.executables,.Utilman.exe,.launches.the.Utility.Manager..Luckily,.this.application. can.be.launched.prior.to.logon..During.this.step.Utilman.exe.is.renamed.to.Utilman.bak. in.case.the.correct.file.needs.to.be.restored..Then.a.new.Utilman.exe.is.created.by.copying. the.cmd.exe.file.and.renaming.it.Utilman.exe..When.the.user.reaches.the.logon.screen.and. they. invoke. the. Utility. Manager,. a. command. prompt. will. launch.. Rename. Utilman.exe. Utilman.bak.by.typing.mv.Utilman.exe.Utilman.bak..Copy.the.cmd.exe.file.by.typing. cpcmd.exe.Utilman.exe.
. 10..Change. back. to. the. root. directory. by. typing. cd. /root.. Next,. unmount. the. partition. by. typing.umount./dev/sda2..Note.that.the.command.to.unmount.is.umount,.not.unmount.. Type.eject,.remove.the.DVD.and.close.the.tray.. . . Note:. Eject. does. not. work. in. VMware.. Type. reboot. to. restart. your. computer. to. your. Windows.7.operating.system.
. 12..When.the.internal.command.set.is.typed,.the.username.displayed.is.SYSTEM..
The.six.integrity.levels.in.Windows.7.and.Vista.are.listed.below.in.order.from.highest.to.lowest: . . . . . . . 1.. 2.. 3.. 4.. 5.. 6.. Installer.(software.installation) System.(system.processes) High.(administrators) Medium.(user) Low.(Internet.Explorer.when.protected.mode.is.enabled) Untrusted.(lowest.level)
Hacking Windows OS 13
. . . . . . . . . .
Changing.user.passwords Adding.users.to.the.administrators.group Changing.the.registry Starting.and.stopping.services Scheduling.services Copying,.adding,.or.deleting.files.and.folders Modifying.date.and.time.stamps Starting.services.that.allow.users.to.connect.remotely Changing.port.numbers.for.remote.services Disabling.the.firewall
All.of.these.tasks.will.be.discussed.throughout.the.chapters.in.this.book..The.. et.user.comn mand.can.be.utilized.to.create,.activate,.and.delete.users.as.well.as.change.their.passwords..The. net.localgroup.command.can.be.used.to.add.users.to.the.administrators.group..The.following.is. a.list.of.net.commands.used.to.manipulate.user.accounts.on.the.system.from.the.command.line: . net.user.hax0r.Pa$$w0rd./add:.Adds.a.user.account.called.hax0r.with.the.password. of.Pa$$w0rd. . net.localgroup.administrators.hax0r./add:.Adds.the.user.hax0r.to.the.administrators. group..The.name.of.the.group.is.administrators.with.an.s,.not.administrator. . net.user.administrator./active:yes:.Activates.the.administrator.account,.which.is.disabled.by.default.on.Windows.Vista.and.Windows.7..The.administrator.account.is.active. on.Windows.Server.2008. . net.user.administrator.Pa$$w0rd:.Gives.the.administrative.user.account.the.password. of.Pa$$w0rd. . net.user.administrator./comment:.You.are.0wnd:.Gives.the.administrator.account. the.comment.You.are.0wnd. . net.user.guest./active:yes:.Activates.the.guest.account,.which.is.disabled.by.default.on. all.Windows.versions.(except.95,.98,.and.ME,.where.it.does.not.exist). . net.guest.Pa$$w0rd:.Gives.the.guest.user.account.the.password.of.Pa$$w0rd. . net.localgroup.administrators.guest./add:.Adds.the.user.guest.to.the.administrators. group.
. 13..Most. tasks. that. a. user. completes. using. a. GUI. can. also. be. completed. from. a. command. prompt.. Many. times,. a. hacker. will. not. have. access. to. a. GUI.. In. order. to. be. effective,. the. skilled. hacker. will. need. to. be. able. to. complete. most. tasks. from. a. command. line.. If. the explorer. command. is. invoked. at. the. C:\Windows\system32\utilman.exe. prompt,. the. Windows.Explorer.will.be.displayed..Notice.that.SYSTEM.is.listed.as.the.logged-on.user.
After. opening. the. Windows. Explorer,. by. clicking. on. the. Pearl. (Start). and. right. clicking. on. Computer,.the.Computer.Management.console.can.be.opened..By.clicking.the.Users.folder.under. Local.Users.and.Groups,.the.users.that.were.created.and.managed.at.the.command.line.will.be.displayed..Additional.users.can.also.be.created.and.managed.from.the.Local.Users.and.Groups.console.