Security Basics mailing list archives

Re: hacking win2kPro out of the box


From: miguel.dilaj () pharma novartis com
Date: Mon, 6 Dec 2004 12:12:46 +0000

Hi!

It depends on whether you consider the option of booting to an alternate OS or 
not.
If you don't, exploits like DebPloit could work (not sure if this 
particular one was suitable for 2K), but in most cases you have to avoid the 
AV, because it will detect the malware.
In the particular case of McAfee 4.5, I found it trivial to deactivate it 
using a tool named VeoVeo that activates greyed-out controls. The original 
tool is in Spanish and can be found at www.hackindex.org, but I translated 
it into English; you can find it at 
http://usuarios.lycos.es/n3kr0m4nc3r/tools/
The tool has many other interesting functionalities, like a keylogger that 
doesn't need administrative privileges, feel free to explore it. You have the 
source if you want to enhance it ;-)

If you contemplate the option of booting to a Linux live-CD (with NTFS 
support) or simply NTFSDOSPro, you can replace the AV executable with a copy of 
cmd.exe, thus starting a command shell as SYSTEM when the AV should start 
(trick used with McAfee), steal the SAM and do offline password cracking, 
etc.
Currently in XP with the Accessibility Tools installed, I replaced 
sethc.exe with a copy of cmd.exe, and I can press SHIFT 5 times BEFORE 
login to start a shell as SYSTEM; there you can do anything, like starting 
compmgmt.msc and adding yourself to the administrators group, etc.

Avoid future attacks:
To make it short: IMHO if you can boot to another OS the game is over, so 
this is the first thing to avoid.
Verify that your AV can't be deactivated with simple tools like VeoVeo.

Recovery:
Recovery? Well, that from total SYSTEM compromise ;-)

Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
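The sethc.exe / AV-executable swap described above leaves a tell-tale sign: a system binary that is byte-for-byte a copy of cmd.exe. The following is an added example (my code, not Miguel's tool and not part of the original thread) that scans a system32 directory for such clones. It can be run from the same Linux live-CD the post mentions, against the mounted NTFS volume, so the running OS cannot hide the change. Assumptions: the list of accessibility helpers beyond sethc.exe, the `avservice.exe` name and the `demo()` sample directory are mine and constructed for illustration; the post names only sethc.exe and "the AV executable".

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# sethc.exe is the binary the post describes being swapped for cmd.exe. The
# other names are further accessibility helpers reachable from the logon
# screen; listing them is my assumption, the post names only sethc.exe.
ACCESSIBILITY_EXES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_cmd_clones(system32: Path, extra_names=()) -> list[str]:
    """Return the names of binaries under system32 that are byte-identical to cmd.exe.

    extra_names adds other executables that must never be a shell, such as
    the AV service binary the post describes replacing.
    """
    cmd_path = system32 / "cmd.exe"
    if not cmd_path.is_file():
        raise FileNotFoundError(f"no cmd.exe under {system32}")
    cmd_hash = sha256_of(cmd_path)
    clones = []
    for name in (*ACCESSIBILITY_EXES, *extra_names):
        candidate = system32 / name
        # Missing helpers are fine (Accessibility Tools may not be installed);
        # a present helper hashing like cmd.exe is the swap trick.
        if candidate.is_file() and sha256_of(candidate) == cmd_hash:
            clones.append(name)
    return clones


def demo() -> list[str]:
    """Scan a constructed system32 directory (fake bytes, not real Windows files).

    Only equality of contents matters to the check, so short stand-in
    byte strings are enough to exercise it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp)
        shell_bytes = b"MZ fake cmd.exe contents (constructed)"
        (system32 / "cmd.exe").write_bytes(shell_bytes)
        (system32 / "sethc.exe").write_bytes(shell_bytes)             # swapped helper
        (system32 / "utilman.exe").write_bytes(b"MZ fake utilman")   # untouched helper
        (system32 / "avservice.exe").write_bytes(shell_bytes)         # hypothetical AV binary, also replaced
        return find_cmd_clones(system32, extra_names=("avservice.exe",))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 check_clones.py /mnt/win/WINNT/system32 (mount point is an assumption)
        print(find_cmd_clones(Path(sys.argv[1])) or "no cmd.exe clones found")
    else:
        print("demo:", demo())
```

The check only catches a byte-identical copy; an attacker who changes a single byte of the planted shell evades it, so where you have known-good hashes of the original accessibility binaries (or a clean install to compare against), compare each file to those rather than only to cmd.exe. It also does nothing against the other half of the post's point: if an attacker can boot the machine to another OS, they can undo any such check, which is why that is the first thing to prevent.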






q q <systemcracker () gmail com>
03/12/2004 15:24
Please respond to q q

 
        To:     security-basics () securityfocus com
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        hacking win2kPro out of the box


Hello there.

I've just installed win2k pro on an ntfs drive, I'm running zonealarm
and AVG antivirus, and not much else. (no service packs, patches,
upgrades or anything else like that)

Does anyone have any information on common attacks for local
privilege escalation, and ways to secure against these?

The sort of thing I'm looking for is a detail of an attack, followed
by the procedure(s) I would use to:

a) recover from it if necessary
b) thwart future attacks of its type.

I basically want to swap roles between hacker and sysadmin so I can
learn more about the best of both worlds.

The box is not connected to the net.

many thanks,
-h.


