ComputerSecurityStudent (CSS) [Login] [Join Now]




|FORENSICS >> Password Clearing >> Current Page |Views: 7548

(Password Clearing: Lesson 3)

{ Use a Windows Recovery CD to Replace sethc.exe with cmd.exe }


Section 0. Background Information
  1. What is sethc.exe 
    • sethc.exe is a program that controls some the accessibility options for disabled people to read the login prompt.
    • The accessibility option is invoked by clicking in the Windows Password Box and pressing the shift key 5 times.  
    • From the windows login screen, winlogon.exe launches sethc.exe that provides the aforementioned accessibilities options.
    • Consequently, sethc.exe can be compromised, since the winlogin.exe does not exactly check what is launched when pressing the shift key 5 times in the password text box.

  2. Lab Notes
    • In this lab we will do the following:
      1. Boot the Windows 7 VM from a Windows 7 Recovery CD
      2. Select the Recovery Option
      3. We will use the recovery cmd prompt to compromise sethc.exe by replacing it with cmd.exe
      4. We implement the exploit by pressing shift 5 times.
      5. We will active and reset the administrative account.

  3. Prerequisites
  4. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

 

Section 1. Start your Windows 7 VM
  1. Edit Virtual Machine Settings
    • Instructions
      1. Click on Windows 7
      2. Click on Edit virtual machine

     

  2. Configure CD/DVD (IDE)
    • Instructions
      1. Configure CD/DVD (IDE)
      2. Check the Connect at power on checkbox
      3. Click the radio button "Use ISO image file:"
      4. Click the Browse button and Navigate to the location of the windows 7.iso
      5. Click the Okay button

     

  3. Start Windows 7
    • Instructions
      1. Click on Windows 7
      2. Click on Play virtual machine

     

  4. Access the Boot Menu
    • Instructions
      1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the <Esc> key.

     

  5. Boot from CD-ROM Drive
    • Instructions
      1. Arrow Down to where CD-ROM Drive is highlighted
      2. Press <Enter>

 

Section 2. Using the Windows Recovery CD
  1. Press any key to continue
    • Instructions
      1. Press <Enter>

     

  2. Install Windows
    • Instructions
      1. Language to install: English
      2. Time and currency format: English (United States)
      3. Keyboard or input method: US
      4. Click Next

     

  3. Repair Your Computer
    • Instructions
      1. Click Repair your computer

     

  4. System Recover Options
    • Instructions
      1. Select the Use recover tools radio button.
      2. Click the Next Button

     

  5. System Recovery Command Prompt
    • Instructions
      1. Click the Command Prompt

     

  6. Replace sethc.exe with cmd.exe
    • Instructions
      1. copy c:\Windows\System32\sethc.exe c:\Windows\System32\sethc.exe.bkp
      2. copy c:\Windows\System32\cmd.exe c:\Windows\System32\sethc.exe
      3. Yes
      4. Click the Restart Button

     

Section 3. Implement the Accessibility Option
  1. Implement the Accessibility Option
    • Instructions
      1. In the password box, Press the Shift Key 5 Times

     

  2. Do you want to turn on Sticky Keys?
    • Instructions:
      1. Click No

     

  3. Administrative Command Prompt
    • Note(FYI):
      • Now you will see an administrative command prompt. 
    • Instructions:
      1. net user administrator * /active:yes
      2. shutdown -r -t 5 -c "Nice Trick"

     

  4. Login as Administrator
    • Instructions
      1. Click the Administrator account
    • Note(FYI)
      • Previously, only Security Student was the active account.

     

  5. Administrator Password
    • Instructions
      1. Provide the password created in (Section 4, Step 3).

 

Section 4. Proof of Lab
  1. Open A Command Prompt
    • Instructions
      1. Click on the Start Button
      2. Type "cmd" in the search box
      3. Click on cmd
     
  2. Proof of Lab Instructions
    • Instructions:
      1. net user administrator
      2. date
      3. Press <Enter>
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
      5. Do a PrtScn
      6. Paste into a word document
      7. Upload to Moodle

 

Section 5. Post Lab Restore Work
  1. Access Virtual Machine Settings
    • Instructions
      1. Virtual Machine --> Virtual Machine Settings...

     

  2. Configure CD/DVD (IDE)
    • Instructions
      1. Configure CD/DVD (IDE)
      2. Check the Connect at power on checkbox
      3. Click the radio button "Use ISO image file:"
      4. Click the Browse button and Navigate to the location of the windows 7.iso
      5. Click the Okay button

     

  3. Restart Windows
    • Instructions
      1. Click Start Button
      2. Click Restart

     

  4. Access the Boot Menu
    • Instructions
      1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the <Esc> key.

     

  5. Boot from CD-ROM Drive
    • Instructions
      1. Arrow Down to where CD-ROM Drive is highlighted
      2. Press <Enter>

     

  6. Press any key to continue
    • Instructions
      1. Press <Enter>

     

  7. Install Windows
    • Instructions
      1. Language to install: English
      2. Time and currency format: English (United States)
      3. Keyboard or input method: US
      4. Click Next

     

  8. Repair Your Computer
    • Instructions
      1. Click Repair your computer

     

  9. System Recover Options
    • Instructions
      1. Select the Use recover tools radio button.
      2. Click the Next Button

     

  10. System Recovery Command Prompt
    • Instructions
      1. Click the Command Prompt

     

  11. Restore sethc.exe
    • Instructions
      1. copy c:\Windows\System32\sethc.exe.bkp sethc.exe
      2. Click Restart

 



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth