Security Basics mailing list archives
Re: hacking win2kPro out of the box
From: miguel.dilaj () pharma novartis com
Date: Mon, 6 Dec 2004 12:12:46 +0000
Hi!

It depends if you consider the option of booting to an alternate OS or not.

If you don't, exploits like DebPloit could work (not sure if this particular one was suitable for 2K), but in most cases you've to avoid the AV, because it will detect the malware. In the particular case of McAfee 4.5, I found it trivial to deactivate it using a tool that activates greyed controls named VeoVeo. The original tool is in Spanish and can be found at www.hackindex.org, but I translated it into English; you can find it at http://usuarios.lycos.es/n3kr0m4nc3r/tools/
The tool has many other interesting functionalities, like a keylogger that doesn't need administrative privileges, feel free to explore it. You've the source if you want to enhance it ;-)

If you contemplate the option of booting to a Linux live-CD (with NTFS support) or simply NTFSDOSPro, you can replace the AV executable with a cmd.exe, thus starting a command shell as SYSTEM when the AV should start (trick used with McAfee), steal the SAM and do offline password cracking, etc.

Currently in XP with the Accessibility Tools installed, I replaced sethc.exe with a copy of cmd.exe, and I can press SHIFT 5 times BEFORE login to start a shell as SYSTEM; there you can do anything, like starting compmgmt.msc and adding yourself to the administrators group, etc.

Avoid future attacks:
To make it short: IMHO if you can boot to another OS the game is over, so this is the first thing to avoid. Verify that your AV can't be deactivated with simple tools like VeoVeo.

Recovery:
Recovery? Well, that from total SYSTEM compromise ;-)

Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

q q <systemcracker () gmail com>
03/12/2004 15:24
Please respond to q q

To: security-basics () securityfocus com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: hacking win2kPro out of the box

Hello there.

I've just installed win2k pro on an ntfs drive, I'm running zonealarm and AVG antivirus, and not much else. (no service packs, patches, upgrades or anything else like that)

Does anyone have any information on common attacks for local privilege escalation, and ways to secure against these? The sort of thing I'm looking for is a detail of an attack, followed by the procedure(s) I would use to:
a) recover from it if necessary
b) thwart future attacks of its type.

I basically want to swap roles between hacker and sysadmin so I can learn more about the best of both worlds.

The box is not connected to the net.

many thanks,
-h.
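A defender-side check for the binary swap described in the reply above (sethc.exe or an AV executable replaced by a copy of cmd.exe): hash the watched pre-logon binaries and flag any that are byte-identical to cmd.exe. This is an added example written for this archive page, not code from the thread; the watched name utilman.exe, the hypothetical build_demo_dir() sample tree and the command-line usage are assumptions.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32, watched=("sethc.exe",), reference="cmd.exe"):
    """Return the watched file names whose bytes are identical to the reference
    shell. A match means a binary Windows runs as SYSTEM before logon has been
    replaced by cmd.exe, as in the sethc.exe / AV-executable trick."""
    root = Path(system32)
    ref_path = root / reference
    if not ref_path.is_file():
        raise FileNotFoundError(ref_path)
    ref_hash = sha256_of(ref_path)
    return [name for name in watched
            if (root / name).is_file() and sha256_of(root / name) == ref_hash]


def build_demo_dir(swapped=True):
    """Constructed sample tree (hypothetical, not a real System32) so the
    check can be run offline; sethc.exe is a cmd.exe clone when swapped=True."""
    d = Path(tempfile.mkdtemp())
    cmd_bytes = b"MZ constructed fake cmd.exe"
    (d / "cmd.exe").write_bytes(cmd_bytes)
    (d / "sethc.exe").write_bytes(cmd_bytes if swapped else b"MZ constructed real sethc.exe")
    (d / "utilman.exe").write_bytes(b"MZ constructed real utilman.exe")
    return d


if __name__ == "__main__":
    # Pass the real system directory (e.g. WINNT\system32 on 2K) as argv[1];
    # with no argument the constructed demo tree is scanned instead.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_dir()
    hits = find_swapped_binaries(root, watched=("sethc.exe", "utilman.exe"))
    print("binaries identical to cmd.exe:", hits or "none")
```

A hit only proves a byte-for-byte copy; comparing each watched file against a known-good hash taken at install time also catches a swap for any other shell.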
Current thread:
- hacking win2kPro out of the box q q (Dec 03)
- RE: hacking win2kPro out of the box Philip Wagenaar (Dec 06)
- Re: hacking win2kPro out of the box xyberpix (Dec 06)
- <Possible follow-ups>
- Re: hacking win2kPro out of the box H Carvey (Dec 06)
- Re: hacking win2kPro out of the box miguel . dilaj (Dec 06)
- Re: hacking win2kPro out of the box H Carvey (Dec 07)