Original article: http://www.gosecure.it/blog/art/500/sec/sethc-access-to-every-pc-and-become-local-admin/
This article talks about connecting to a PC when you don't have the password and:
– you have physical access to the PC
– you can boot from a CD/USB/other HD
This is an old method that I rediscovered after many years and, to my big surprise, it is still present on modern MS operating systems (Win 7 and.
At the base of the "feature" I'm going to describe there is a Windows executable: c:\windows\system32\sethc.exe (but it's not the only way: you can also use shutdown.exe).
If you have a Windows system you can activate this program by pressing the left SHIFT 5 times; this runs the executable (sethc.exe).
There are two problems if you analyze this situation: first, it can also be run at the login screen, before authentication; second, the privilege used to run the executable is SYSTEM (at the login screen no user is logged in yet).
This is quite terrible.
Before, in XP SP2 and early XP SP3, this file was used to escalate privilege without physical access to the PC: the file was accessible by everyone and was not locked by the system, so a user could remove the legitimate sethc.exe, copy cmd.exe from the same folder and rename it to sethc.exe.
What was the window that popped up when the user hit CTRL 5 times after this alteration? A CMD shell! What was the privilege of this shell? SYSTEM!
Luckily Microsoft patched this problem in late XP SP3 and now the file is locked and can't be manipulated while the operating system is running, but sethc.exe is still there.
Some weeks ago I had some problems accessing a Windows laptop (Win 7 SP1). Although I had the authorization to access it, I didn't have the password to enter and no option to recover it, so I tried this:
I put in a Linux bootable CD and booted the PC from it. Then I simply mounted the Windows file system and used some commands like these:
[root@localhost /]# mkdir -p /media/c
[root@localhost /]# mount -t ntfs /dev/hd02 /media/c
[root@localhost /]# cd /media/c/Windows/System32
[root@localhost /]# cp sethc.exe _sethc.exe
[root@localhost /]# cp cmd.exe sethc.exe
Then I rebooted the system from the HD and, at the login screen, I simply pressed the left SHIFT 5 times. Ta-da! I got a SYSTEM shell.
I used a basic command line to create a new user and put it in the Administrators group and, less than 5 minutes later, I had full graphical control of the box.
This gave me a hundred ideas, so, putting this laptop aside, I went on with my tests.
I tried it on a Win8 box, on a domain PC and against a server with a strong domain policy, and every time it worked fine.
So this is my assumption (but you can refute it):
If you have physical access and you can boot from an external device (using the BIOS or physically adding a new HD to the PC case), you can log into a Windows PC with SYSTEM privilege.
That's why in every company that believes in IT security, booting from external devices, PXE, and access to the PC case must be regulated.
ASAP I will write some examples of becoming Domain Admin starting from this point, to highlight how dangerous every little door that a sysadmin leaves open is.
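From the defender's side, the swap described above leaves traces that are easy to audit: a sethc.exe whose hash or version resource is really cmd.exe's, a leftover backup copy such as _sethc.exe, and a system volume that is not encrypted (the offline swap only works because NTFS permissions mean nothing to a Linux boot CD). The following check is an added example, not code from the original post; it assumes it is run elevated on the machine being audited and that the BitLocker module is available (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original post): audit sethc.exe for the cmd.exe swap
# and report whether the system drive is BitLocker-protected.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'
$findings = @()

# 1. Identical hashes mean sethc.exe is literally a copy of cmd.exe.
$hSethc = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
$hCmd   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
if ($hSethc -eq $hCmd) { $findings += 'sethc.exe hash equals cmd.exe hash' }

# 2. Version resource: the genuine binary reports its own name as OriginalFilename;
#    a renamed cmd.exe still carries cmd.exe's resource ("Cmd.Exe", "Windows Command Processor").
$vi = (Get-Item $sethc).VersionInfo
if ($vi.OriginalFilename -notmatch '^sethc\.exe$') {
    $findings += "sethc.exe version info reports '$($vi.OriginalFilename)' ($($vi.FileDescription))"
}

# 3. Authenticode alone does not catch the swap: a renamed cmd.exe is still a
#    Microsoft-signed (catalog-signed) file, so only an invalid status is a signal here.
$sig = Get-AuthenticodeSignature -FilePath $sethc
if ($sig.Status -ne 'Valid') { $findings += "sethc.exe signature status: $($sig.Status)" }

# 4. A backup left beside the original (the post's _sethc.exe) is a trace of the swap.
Get-ChildItem -Path $sys32 -Filter '*sethc*.exe' |
    Where-Object { $_.Name -ne 'sethc.exe' } |
    ForEach-Object { $findings += "unexpected file beside sethc.exe: $($_.Name)" }

# 5. Mitigation state: without full-disk encryption, booting from external media
#    bypasses NTFS permissions entirely, which is the root cause the post describes.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not On for $env:SystemDrive"
}

if ($findings.Count -eq 0) { 'OK: sethc.exe looks genuine and the system drive is encrypted' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

On Windows 7 the Authenticode check may report NotSigned for catalog-signed system files, so treat checks 1, 2 and 4 as the reliable indicators there.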