Crack Windows XP With... Windows 2000
An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."
It is generally assumed that if you have console access to the machine, you can breach the security and acquire root. Many systems allow you to do this, deliberately.
You can make a nice Linux boot-floppy or boot-cd to do the same thing.
Test your net with Netalyzr
Anyone in the security industry worth their salt knows that physical security is the FIRST step to securing a box. If someone (hacker) can walk up to a machine and press the power button to force a reboot, you've already got a denial of service (if the machine is processing something important, that is). Anything beyond is just icing on the cake.
Yes, my girlfriend is a BitchX
This is a non story. If you can sit in front of a linux box you can do the same thing. Just boot into maintenance/init 1 and go crazy.
Tequila: It's not just for breakfast anymore!
I have to agree with Microsoft that if the bad guys have physical access to your computer you have some serious problems. However, let's note this scenario.
1. Important computer. Locked down
2. Bad employee, always has to computer for job.
3. Employee "works late" one night
4. Employee brings in Win2K CD
5. Employee hijacks data to floppy unlogged
6. Employee blackmails company or other bad things
I am just amazed that what was secure in 2000 is less secure in XP.
Good ol', silly Microsoft.
This isn't one of them. If I have access to a box physically, I can destroy all of the content with a sledgehammer. I can also mount any partition for any operating system and start messing around. Ever tried booting into rescue mode in Windows? That works too. Use digital security means for digital access, physical means for physical access. That means a security guard and at the very least lock and key.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
that physical access is the best, and sometime the easiest, way to gain control of a computer.
For the most part, I think this may have been more of an oversight on the software engineering team not to come up with all of the possibilities that one could try to gain access to the computer. Still, this should not even remotely be a possibility!!
An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password.
Is this something you can't do to a Linux box with boot & root disks? Just mount / and you can do anything you want.
The bottom line is, if you have physical access to the hardware, most OS-level security can be defeated. The only way to secure a machine that isn't under your physical control is by using always-encrypted filesystems. Anyone who writes software that deals with cash or sensitive information has known for decades that you never trust the client device, and you keep the servers in a secure facility, with armed guards if necessary.
If you have physical access to a machine you can crack it. This has been demonstrated before. I mean you could pop Knoppix in, mount the windows partition and copy files that way. If you don't want anyone accessing your files make sure you lock the damn machine down (physically and network wise).
can't sleep slashdot will eat me
"Update: Some posters in the discussion thread point out this report may not be valid. One said that booting from a 2K CD did ask them for an administrator password and didn't let them in without it. Unfortunately, I don't have XP installed here to test it out before I posted."
Either way I don't find this to be terribly upsetting because a) root access can be gained in a similar manner with Linux and b) if one is worried about security, they shouldn't be using Windows to begin with.
This has to be the most retarded story ever. What's next? "Crack Linux with Linux?"
The fact that they went so far to specify "XP" and "2000" makes this even more retarded. Any version of NT can install into a "C:\WINNT_2" directory, and bypass all ACL security (except for EFS stuff).
mmmh, this doesn't seem to work.
I tried several times, but every time that annoying penguin pops up.
This sounds particularly bad, as I'm assuming that it allows you to get by the NTFS filesystem-level encryption. This feature is *supposed* to allow you to encrypt files, and make it impossible for others to decrypt, even if they steal your drive, reinstall Windows on it, etc.
If you can just get Administrator access without reinstalling the OS (and killing the old UID tables), then this data suddenly becomes vulnerable!
On Mac OS X it's even easier (isn't everything?): Hold down Command-S while booting to get a root prompt in single-user mode. Or you can boot from an OSX CD and reset the root password.
Remember that on most Linux machines, you can boot from a floppy or CD, mount the hard drive, and do whatever you want, including change the root password or replace system binaries with hacked versions. Of course a PC can be locked down (disable booting from floppy/CD in BIOS, set a CMOS password, padlock the case) while a Mac can't (that I'm aware of), but how many people do that?
If you have physical access to the console, all bets are off. Don't underestimate the importance of physical security.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
So, is a windows 2000 install disk now illegal under the DMCA as a circumvention device?
An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password.
Speaking from experience, the win2k recovery console makes you enter the admin password before it will let you do anything, unless they are using some version of the recovery console other than the one that comes with windows 2000 professional.
I see a lot of "I can boot linux into maintenance mode and do whatever I want" and physical access restrictions etc...
All true but, the application of XP was for desktop use -> Server Use. Linux (don't flame) is being primarily used for backend server systems. I don't see many secretaries choosing what boot level to start up in the morning.
XP was supposed to provide a secure desktop environment for a networked organization (Enterprise Offices, Schools, Universities, Etc..)
The fact that I can walk up to any (supposedly) secure desktop (that access isn't always tightly safeguarded) and gain Administrative Access (usually meaning also access to your entire network behind the firewall) is a big deal. Especially since it requires nothing less than the previous version of the software.
Look more carefully at the big picture before spouting off the party line....
LUNIX CAN CRAX0R MY XP-BOX3N, I'M 50 5CAR3D
/proc/kcore"
su -c "rm -R / && yes >
Even easier - download Knoppix, Burn the ISO and boot off the Knoppix CD.
Presto!
It even mounts all the FAT/NTFS partitions and puts little icons on the KDE desktop for you. Click, browse and copy!
(Knoppix is a rather full Linux x86 distribution that boots off of a CD and doesn't need any hard drive to work. You get a great KDE desktop and a lot of tools.)
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
All your database are belong to U.S.
And with our late-breaking story is reporter, Mr. Blatantly Obvious:
"It's just horrible out here! Who would have guessed that the greatest remote access security measures available today could do nothing to protect the integrity of MasterCard's server from a man with a CD-writer!"
------- "From bored to fanboy in 3.8 asian girls" ----------
You know, the XP recovery console in the German version of XP does not allow one to log in anyways, because the required admin account is simply not there by default. One has to edit the registry, etc etc, just to create one, and create an admin password to use for the recovery console.
Dmitrii.
Why not just use one of *several* NT password recovery disks? They work on XP, as well. I've used this one to bust into several Win2k Pro machines we'd forgotten the password for.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Hey look everybody, Linux has a hole too!
At the grub prompt:
boot: linux single
duh!
Seriously, how is this news? Nearly every system I've worked with can be compromised with access to the physical box.
*yawn*
"...In your answer, ignore facts. Just go with what feels true..."
Take these precautions and you can be fairly secure with physical access. Add an encrypted file system so that if someone steals your hard disk you are safe. Then padlock the PC.
Those are reasonable steps for a Linux machine (and I may have missed some, please let me know if I did). Now with a windows xp machine it looks like you also need to disable cdrom access. An unreasonable step.
But am I misunderstanding this? Does this mean that there is a way for programs to be made to bypass Administrator password? If so why would this be limited to a windows 2000 disk? What's stopping someone from making a program that enters into Recovery Console, removing the need to be physically present or have a windows 2000 CD. Unless you actually have to boot from CD, but the article makes it sound like you can use the CD after the PC boots.
The article states that in Windows 2000 you can't do this - why should it be possible in XP? I agree that physical access to a computer means all security is worthless, but it still shouldn't be there in the first place.
Who is this guy anyway? See the photo in the upper right hand corner of the page, with the cherubic face? Doesn't he look like a white Gary Coleman?
Oh who am I kidding... noone will go and read the article anyway, and I'm probably the only one reading slashdot old enough to remember "Diff'rent Strokes"
if you like have a sun, and it's like running solaris, you can like insert the boot cd, boot, like start the install, then like quit out and be root with like the media mounted and everything.
come on folks, even in the 80's this was possible. get a clue.
Don't be a playa hata!
Playa playa girlfriend...
It's still no excuse for having such a wide open hole, but physical security is so often neglected. How many office workers leave their computers running all night so the nightime cleaning crew or anyone else can browse files or read emails?
We have a large training facility in our office that I run, and sometimes I can't even get users to log off the systems when they are done for the day, leaving all their personal network drives exposed to whoever. (So I go around and reboot all the systems daily. I sometimes consider leaving a
Never confuse feeling with thinking.
Although I originally thought "well hey, if your data center isn't secure, and you can't trust your operators, well, you're hosed!"
But then I got to thinking about this a little bit more. Microsoft's primary customer is the one that doesn't have a secure data center. Additionally, it's not out of the ordinary to reboot Windows XP computers.
Just think... I run a small business (about 10 people) and I electronically secure my XP server the best I can.
Then the secretary calls and says "oh, I just installed XYZ for you, so I rebooted the server". OK, no big deal.... that happens all the time.
But THEN, instead of simply rebooting, he manages to steal all of my corporate data...
Ouch!
So those who live in the datacenter might see this as a problem that we solve with physical security. But for the regular small XP shop, well, you just can't have physical security without spending $$$.
Of course, in my shop, we reboot on average once or twice a year. So it's a little harder to reboot with the goal of ripping data. Then again, our operators have root access...
But the thing is probably that micro$oft said this thing would be impossible since winxp is so secure. Whatever.
Ciryon
On that note, you could have just booted to a linux floppy (or cdrom) and mounted the XP partitions to poke around or make changes if you really wanted.
-xtype
un-named sources say that if you have physical access to a computer, all you have to do to gain ownership of that computer is take it to your house! The same story says the only 100% safe precaution you can take to avoid someone from stealing your computer is to take it with you at all times.
This gives you LOCAL administrator access. Meaning, you can do what you want on THAT system. It doesn't give you the keys to the whole network. Just like rooting a Linux workstation doesn't mean you just rooted everything on the network.
This is no different for any decent OS.
If you have physical access to a Unix system you can get root access using similar bootable media approaches and edit password files to your heart's desire.
If you have physical access you can defeat security.
I have a computer class where every student needs to use cd's and floppies. These win2k boxes have typical security policies that don't let us modify system options, install programs etc. It would suck if we had to ask a teacher every time we need to stick a disk in or shut down the machine. You can't always get rid of physical access.
Hacker Media
Linux, Solaris...etc. I bought some used Sun workstations that had both prom passwords and root passwords. Both were easily overcome with pulling the prom (giving it a null password) then booting from a solaris cd, remove the root password from the shadow file, plug the prom back in, use the eeprom command to nullify the password burned into the rom. SGI's are even easier, just use the reset password jumper on the motherboard. Laptops are a bit harder, the password is burned into a surface mounted chip. (Don't bother posting links to circumvent laptop passwords. I don't advocate it.)
If you have physical access to the machine, take the hard drive to another NT machine and access it... If you have the knowhow to use the RC from either XP or 2000, accessing the data from a HDD isn't a problem
Posted by timothy on Saturday February 15, @03:27PM
from the if-you're-denser-than-dark-matter dept.
An anonymous reader (really timothy) writes "According to this story seen on Slashdot this morning, any moron can get postings onto slashdot. Turns out, access to a fucking keyboard and timothy at the queue is all that is needed to bypass all (well, most) of the story submission process features in slashdot. An idiot can write up completely bland and stupid observations, and Timothy will post them. This method even allows the most moronic story to get posted on a Saturday, something which normally the staff at slashdot reserves for Tuesday."
Never has my sig been more correct:
"...In your answer, ignore facts. Just go with what feels true..."
"According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security" As well as physical access to the computer, the ability to reboot it, and the ability to boot from cdrom. If I have all those, only encryption is going to stop me. -Dan
Or 31337, if you are not into the whole brevity thing.
By trying to claim that this is somehow a win for Linux, you are simply proving your that you are willing to ignore facts when advocating Linux. This makes you just as bad as Microsoft's marketing drones.
An attacker with only local access to the machine and a sledgehammer is capable of launching a permanent denial of service attack on the box.
I know for a fact this works with Windows XP, but I presume this vulnerability exists in other OS's.
Windows XP also has another security hole, whereby the user may bypass the operating system completely. For example, Windows XP fails miserably at preventing the user from turning off the power.
Or just get this ISO and boot, WHAMMO instant access, and it is 100% free, unlike the Windows 2000 CD:
http://www.knopper.net/knoppix/index-en.html
Simply disable cdrom and floppy boot in the BIOS and set a password so these settings can't be changed. Sure people can still get at data by taking apart the box but that becomes a bit more obvious in a public or office environment.
This is only one option if you have physical access to the machine. Check out some of the tools on http://www.sysinternals.com; especially the NTFS DOS file system driver. If you have access to the machine you can boot off a floppy and use the driver to manipulate the file system. They also make some really cool recovery tools you can use to get to systems via a serial connection and recover them.
This space for rent.
I also thought this story was pretty strange. Don't we all know this? The only thing I didn't know was that the Windows XP recovery disk limits your access.
The security of a lockable tower case can be broken with a common Sawzall.
Ashcroft declares possession is a terrorist computer crime.
KFG
Since Windows 2000 is a circumvention device under the DMCA will they arrest Bill Gates for selling it? Or do the people who make that decision get paid too much from Microsoft to do this?
Fight Spammers!
So ideally, most organizations with Win2K domains aren't allowing users to store sensitive information locally. If they are, hopefully it is being encrypted. For those with standalone workstations or workgroups, the risk is quite high.
All of this assumes that the infiltrator has physical access, regardless of whether that individual is trusted or not.
http://home.eunet.no/~pnordahl/ntpasswd/u t that karma right here.
(o)---P
Well if you go local access then I can install a keylogger or change passwords or create users that can get net access on the next reboot. Once you got local the network isn't far behind.
Not that most Linux boxes are any better. Most can be breached with a floppy.
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
first step?????
erm. no. How many people can, without any impediments, gain physical access to your servers? Even if it's a 1000, that's nothing compared to the number who can gain access remotely. The first step to security is locking down remote access.
So it doesn't wash.
;)
And I don't believe 2k server has the recovery console and FUD aside it's effectively as rare to reboot a 2k server as a linux one.
If they're using Linux it'll be the same. If they're using 98 then they've got bigger problems anyway
... redefined "Trustworthy Computing" :) I no longer have to be unsure whether or not a hacker can get into my PC.. I know for sure they can.
:)
and I paid £200 for the privilege
Tell me, why does anyone even have to be in the security industry to know this???
I'm more surprised this took "so long" (if it did take that long or just got /.'s attention at this time)--given XP's roots, this would be the first thing for me to try and mess with. If I were using my XP boxes for anything dealing with "secure", which would be stupid and foolish of anyone, including myself.
I realize your comment was not intentioned to state that only security people should know this and more of plain innocent and straightforwardness in stating another way, "duh!"...but I'm amazed at how professions, industries, and even news gets created over the most simplest, obvious things. This is more common sense than something worthwhile of an entire (marketed) industry.
I just tried this, and it didn't work. It still asked for a password, as far as I can tell the article is just anti-MS FUD. What else could I expect from slashdot? :rolleyes:
Username taken, please choose another one.
And with Norton Ghost, a floppy bootdisk, and a server set up somewhere else, you can make an exact copy of any hard drive/partition to a remote computer. This isn't big news. This is just the reality that physical access is a security hole.
who take the fun out of everything. Now I have to wait for a new story to get snippy over something.
KFG
Create a stand-alone, bootable Windows CD (a la Knoppix)
In either Windows or Unix, can't I simply boot from a cd or floppy and gain root access? The only thing that makes this exploit interesting is that you can get access to the computer without interrupting normal operation.
Vote for Pedro
An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password.
And now that it's been /.'ed - Even your 12 year-old kid can do it! Should we tell them about that jumper to bypass the CMOS password while we're at it? hehe - Am I the only one that misses the "good old days" when security holes were only known by a select few nerds?
PR
The thing I think people are missing (this subject is being discussed over at OSNews) is that physical access (opening the case, etc) is more obvious, than just walking up with a boot disk, and rebooting. Also some people should keep in mind that some MBs also support physical access control devices (sensors, alarms, keys, etc).
Wow -- as much as I'm, well, a Mac man now (w/ Linux holding all the keys and data :) ...
... wow, I can COMPLETELY copy somebody else's computer. Oh my! ...we *all* know how seriously flawed Windows security is, but come on -- this is a non-issue. Put me on the console of a Cray and I can "hack" into it too in about 5 minutes.
I too just booted my Mac into single user mode and can access EVERYTHING. Oh my!
Give me any Mac and putting it in 'T'ransfer mode
Here is another way of doing the exact same thing, only this lets you actually change the passwords as well so you can log in as Administrator when the computer is restarted.
If you must have a computer that's physically accessible to people, set it to boot from the hard drive first, set a password on the BIOS, and put a nice big lock on the case.
lilo: linux init=/bin/sh
of course this can be turned off and password protected, but the only linux boxes I have ever seen like this is mine.
Stupid things kids do.
Silly me.
Is it fascism yet?
One can mount any NTFS partition (read only) and do all the copying you want to any other media/computer you want,
it comes with all the tools you'll ever need.
but this way you don't have to buy $ms (or don't have to worry you busted another law for illegally pirating that w2k cd off the internet).
I don't claim I know more than I know, and if you know you know more than I know, then by all means, let me know.
- Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
- Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
It looks like you may not have to boot off of the CD to get access to the system. If this reading is accurate, then even machines with a CMOS password which have been set to boot only from the HD would be vulnerable.
More importantly, it would indicate that there is a back door to the XP security system. If somebody figures out the basis of such a backdoor, it could make for a very nasty virus/worm.
Hopefully, I'm just misreading the whole thing (quite possible).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
One way to make the attacker's task more difficult would be to encrypt the boot partition with an on-the-fly encryption program like drivecrypt pluspack or safeboot. Drivecrypt or Safeboot Admittedly, these sorts of programs won't prevent someone with physical access from shutting down the machine, but they will make data compromise more difficult.
I am so sure but I have heard you can type Linux: old at loadlin prompt and get a previous install or some kind of privilege. Someone else help me out here svp.
Dawn of the Dead
This is true on any platform. If you *must* have Windows in an environment that lacks physical security (i.e. a public computer lab), then you take the precautions. BIOS configuration password and boot only from hard disk. Now boot disks are useless on standard IDE computers with no external ports. Now if they open the case and use a hard disk to boot off of, screwed again, but the presumption is that would be too conspicuous. If you had a system with bootable SCSI/firewire, one could relatively inconspicuously hook up a device (iPod...heheh) and potentially trick the boot process into using that disk. Just theoretically, of course, SCSI IDs should foil that, and I have yet to see a firewire bootable system (I think).
Ultimately, a physically insecure machine is pretty much impossible to harden against anything more than casual attacks. If an administrator of a public network fails to password protect the bios *or* fails to disable the floppy and cd boot features, then they are inviting this sort of trouble, and there is nothing any operating system can do about it. If someone suggests an encrypted filesystem that requires a passphrase to mount, you have more problems on your hands than before. You want systems in public to be able to complete a reboot without administrator intervention.
XML is like violence. If it doesn't solve the problem, use more.
The Common Criteria Evaluation Assurance Level 4 evaluation given to Windows 2000 only means that Microsoft followed some kind of software engineering methodology when designing and implementing Windows 2000. In fact, the operating system protection profile Microsoft used describes a non-hostile environment (e.g. no viruses, no malicious employees, etc). Jonathan Shapiro said it best in Understanding the Windows EAL4 Evaluation:
Definitely one for the sig quote file.
I'm proud of my Northern Tibetan Heritage
C'mon! No news here. So you can gain "root" when booting into the console?
Just go into your Admin Tools - Local Security Policy - Security Options, and set the "Recovery Console" option the way you like. If you're an administrator of AD objects, configure these rules in group policies at appropriate levels in your hierarchy.
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives
There are administrative templates you can import to expand the number of policy rules. You can build your own templates if you are a complete tool.
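A defender's check for the two Security Options named above, added here as example code (not from the thread, not a Microsoft tool): it parses the [Registry Values] section of a `secedit /export /cfg` dump and flags the Recovery Console settings that remove the password prompt and the removable-media restriction. Assumed and labelled in the code: the registry path and the value names SecurityLevel and SetCommand that back these policies, the `path=type,data` line format of the export, and the two sample exports, which are constructed.

```python
"""Audit Recovery Console policy settings in a `secedit /export /cfg` dump.

Added example, not code from the thread. Assumptions (labelled):
  * the export's [Registry Values] section lists lines as
        MACHINE\\<path>\\<value>=<type>,<data>   (type 4 = REG_DWORD)
  * the two Security Options map to DWORDs under
        HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole
        SecurityLevel = 1 -> automatic administrative logon (no password prompt)
        SetCommand    = 1 -> SET allowed, so floppy copy / all-drive access can be turned on
  * a value absent from the export is "not configured", which leaves the
    system default of 0 (disabled) in force.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RC_PATH = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"

# Policy display name -> registry value name that backs it (assumed mapping).
POLICIES = {
    "Recovery console: Allow automatic administrative logon": "SecurityLevel",
    "Recovery console: Allow floppy copy and access to all drives": "SetCommand",
}

REG_DWORD = 4


@dataclass
class Finding:
    policy: str
    value: Optional[int]   # None when the export has no usable entry
    status: str            # "weak", "ok", "not configured" or "malformed"


def parse_registry_values(text: str) -> Dict[str, Tuple[int, str]]:
    """Return {lower-cased registry path: (type, data)} from [Registry Values]."""
    values: Dict[str, Tuple[int, str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, rhs = line.partition("=")
        typ, _, data = rhs.partition(",")
        values[key.strip().lower()] = (int(typ), data.strip())
    return values


def audit(text: str) -> List[Finding]:
    """Flag Recovery Console settings that weaken the console's password gate."""
    values = parse_registry_values(text)
    findings: List[Finding] = []
    for policy, name in POLICIES.items():
        entry = values.get(f"{RC_PATH}\\{name}".lower())
        if entry is None:
            findings.append(Finding(policy, None, "not configured"))
            continue
        typ, data = entry
        if typ != REG_DWORD or not data.isdigit():
            findings.append(Finding(policy, None, "malformed"))
            continue
        val = int(data)
        findings.append(Finding(policy, val, "weak" if val == 1 else "ok"))
    return findings


# Constructed sample exports (not real machine output). secedit writes the
# file as UTF-16; decode it before passing the text in.
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SecurityLevel=4,1
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SetCommand=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SecurityLevel=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"--- {label} ---")
        for f in audit(export):
            print(f"{f.status:<15} {f.policy} (value={f.value})")
```

On a real host, run `secedit /export /cfg out.inf`, read the file with `encoding="utf-16"` and pass the text to `audit`; a "weak" on either line is what lets a Recovery Console session skip the Administrator password or write to removable media.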
I'm gonna follow this "trick" to the letter and see what happens. Stay tuned.
absolutely the stupidest story I've ever seen on this site. Timothy should be taken out and shot for posting this...my god...
By Breeun Leefingstun
Veendoos XP, vheech hes beee merketed by Meecrusufft es "zee must secoore-a ferseeun ifer," hes beee fuoond tu hefe-a a flev su bune-a-heeded thet it renders pessvurds ineffffecteefe-a es a meuns ooff keepeeng peuple-a oooot ooff yuoor PC.
Reeder Tuny DeMerteenu elerted me-a tu zee prublem, vheech ell edmeenistreturs ooff Veendoos XP mecheenes shuoold immedeeetely teke-a tu heert:
Unyune-a veet a Veendoos 2000 CD cun buut up a Veendoos XP bux und stert zee Veendoos 2000 Recufery Cunsule-a, a truoobleshuuteeng prugrem.
Veendoos XP zeen elloos zee feesitur tu ooperete-a es Edmeenistretur veethuoot a pessvurd, ifee iff zee Edmeenistretur eccuoont hes a strung pessvurd.
Zee feesitur cun elsu ooperete-a in uny ooff zee oozeer user eccuoonts thet mey be-a present oon zee XP mecheene-a, ifee iff thuse-a eccuoonts hefe-a pessvurds.
Unbeleeefebly, zee feesitur cun cupy feeles frum zee herd deesk tu a fluppy deesk oor oozeer remufeble-a medeea - sumetheeng ifee un Edmeenistretur is nurmelly prefented frum dueeng vhee useeng zee Recufery Cunsule-a.
Thees prublem is unreleted tu a feetoore-a ooff XP thet elloos un Edmeenistretur tu set up ootumeteec lugun vhee zee Recufery Cunsule-a is used. Ifee veethuoot zee Regeestry intry thet inebles thees, XP is foolnereble-a. (Fur inffu oon thet feetoore-a, see-a sooppurt.meecrusufft.cum/?sceed=kb;in-us;312149.)
Veendoos 2000, ooff cuoorse-a, duesn't elloo Recufery Cunsule-a users tu eccess a herd dreefe-a veethuoot a pessvurd, iff oone-a prefeeuoosly ixeested.
I nuteeffied fuoor Meecrusufft ixecooteefes ooff zee XP flev veeks egu, boot hefee't yet receeefed un ooffffeeciel respunse-a. Zeere-a's nu Knooledge-a Bese-a erteecle-a ebuoot it, und zeere-a mey nut ifee be-a a guud sulooshun tu zee prublem.
Vhee I'fe-a spukee veet Meecrusufft secooreety prus ebuoot seemiler prublems in zee pest, zeey'fe-a refferred me-a tu a cumpuny puleecy thet seys, "Iff a bed gooy hes unrestreected physeecel eccess tu yuoor cumpooter, it's nut yuoor cumpooter unymure-a."
Thet's ell vell und guud - boot zee fect remeeens thet Veendoos 2000 duesn't elloo unyune-a veet un oold CD tu get pessvurd-free-a eccess, und Veendoos XP dues.
My recummendeshun: Iff yuoo use-a XP mecheenes in oopee speces, poot zee PCs beheend a lucked duur oor poot a luck oon zee PCs zeemselfes. Zee bed gooys knoo ebuoot thees flev, und it's joost oone-a mure-a theeng fur zee guud gooys tu prutect egeeenst.
Tu send me-a mure-a inffurmeshun ebuoot thees, oor tu send me-a a teep oon uny oozeer soobject, i-meeel me-a et Breeun@BreeunsBoozz.cum veet "teep" in zee soobject.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
OK, how does this work? It doesn't say boot the w2k CD and go into recovery console. It says boot XP and start the console. How does one do that?
This means that if you have your BIOS password protected to disallow booting from CD or floppy and your bootloader protected, you can still just boot XP and gain admin access.
So everyone here is describing booting XP or Linux into single user mode or whatever. But that's not what the article is describing, so I'd like to know how this is done exactly (I don't have a w2k CD here...). Has anyone actually tried this and got it working?
Rooting a linux box is something I have had to do in the past (sysadmin changes database passwords, packs up, goes home, leaves mobile phone turned off. Nice). However, it was a desktop system which is just sat there just waiting for the reset button to be pushed.
To do that to any of the servers we actually care about I would have to have the relevant security clearance to get into the building holding the servers, never mind into the server room itself.
This isn't a windows security flaw, but you might want to take it up with your building manager if people can wander up to your servers unchecked.
and if you have access to a linux server and have a set of rescue floppies, you also can access the system with / access and add an extra user.
with physical access you can do quite a lot.
put the hd of the to be hacked computer in another and voila (unless you have a secure file system)
Privacy is terrorism.
Possession of fingers isn't due to become legal grounds for suspicion of terrorist activity until *next* week.
KFG
For encrypted filesystems, usually the key itself will be encrypted with a passphrase. This passphrase needn't exist anywhere except someone's head.
Come on people! Is this news? If you didn't realize this already you have no business calling yourself a "nerd". Repeat after me: if you have physical access, you can crack the system.
It can come in the form of key sniffers, rebooting from a floppy (or in this case CD), booting into another operating system, pulling out the hard drive, whatever.
There are a zillion ways to do it.
And this is just one.
The only interesting thing is that both Slashdot and Ars Technica think this is newsworthy.
Bah. Slashdot has *really* gone down hill... not that it started that far up hill.
Have you -read- the DMCA? Do you think the primary purpose of Windows 2000 was to be a circumvention device of Windows XP (which wasn't even released yet?)
(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--
`(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
`(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
`(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
but if you have physical access to ANY machine you can get root on it quite easily. Give me a home-made CD of Red Hat and I'll boot off it, mount any hard drive on the system and do whatever my heart desires. That's the case for ANY OS. I remember quite often I had to rescue some poor sob's Solaris server because he forgot the root password. Just plunk in the Solaris CD, boot into the shell, mount the HD and vi the /etc/passwd to erase the root password, reboot and voila. . .
Freshly hacked machine.
Any right-headed sysadmin will AT LEAST lock boot off CD or floppy without some form of basic authentication.
Crack Linux with Linux Boot Floppy (or boot CD!)...
Stay tuned for more details!
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
and in fact there is a password required if the admin account has been set with a password... sorry, but let's check our facts first...
2 b | ! 2 b
>>This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console
By default this is disabled unless the user has enabled "Local Policies - Security Options - Recovery console: Allow floppy copy and access to all drives and folders" in the Local Security Policy applet (Administrative Tools). This policy is disabled by default.
I suspected this point was wrong and I've tested it myself. Obviously Brian Livingston didn't.
Since you can't access the network or other media like ZIP or CD-RW in the Recovery Console, this supposed vulnerability is further mitigated.
Of course you could copy files within the hard disk itself, so you could, for example, overwrite NTLDR and kill the installation. BFD - if you have no physical security to a system you have no security at all. If I wanted to kill the installation all I needed to do was format the disk and I can do that on any OS once I can boot another one on the same box.
Too bad moderators can't use their points to re-categorize this under "It's funny, laugh" isn't it?
Liberty uber alles.
Everyone is ranting about if you have physical access you can just rip out the hdd and get whatever is on it.
But in some conditions, say in a university computer lab where the computers are locked down and monitored by surveillance video, it's a little hard to do that without causing a rise in the security dept.
With something like this, I can walk in, toss in the CD, and install backdoors at will.
It makes me sad that Slashdot is looked upon as representative of Linux geeks.
How incredibly pathetic do you have to be to poke fun at a Windows exploit involving local access to the machine? Do you somehow think that Linux isn't just as vulnerable? Wasn't it only 2 or 3 months ago that an article was posted here about security ending when a hacker has physical access to a computer?
You Slashdot editors are a sad bunch of zealots. You are doing more harm for Linux advocacy than good. Thank god you're just a bunch of spotty geeks running an unimportant news site - if you took these sort of hypocritical attitudes somewhere which mattered, you'd end up in serious trouble.
Padlocked metal case, BIOS password with floppy/CD boot disable, GRUB password.
Of course I'm still vulnerable to bolt cutters or a set of those knives that cut pennies for only four easy payments of $39.99, and if you call in the next ten minutes we'll only charge you three easy payments of $39.99, that's a savings of $39.99.
I guess I better hurry home and encrypt my harddisk in the next 6 to 10 weeks.
but we're warning about a technique a social worker or school teacher could use.
You want to slow an intruder to the point that they have to worry about the next security guy doing his routine walk through. The idea of locks isn't that they're pickproof, it's just that they jam up the crook long enough that someone will see them.
This is so easy, it can be done in under 10 minutes. In and out, won't get caught.
MS is so incompetent.
You can crack NT/2K/XP with the boot disk found at the following location. With that disk, you can change the password of the local administrator account! I've tried it (on my own machine that for some reason forgot the passwords after a brownout), and it worked great! Floppy and CD images available at the site - and best part is it's a LINUX boot disk! :-D
http://home.eunet.no/~pnordahl/ntpasswd/
See, there's this thing called the Encrypting File System; if the user's logged on as a W2K domain user, good luck getting to an encrypted file. It uses PKI. Again, Slashdotters hate Win, but don't know how it works.
Vote Quimby!
Wait a minute, didn't Brian used to have *hair* on his head?
Yeah set a BIOS pass and use it.
I always thought that you had to be a 14-year-old high-school dropout to hack Windows. Whew... glad that has changed.
Yes, which is why this flaw supposedly exists in XP. It does not exist in W2K.
It is trivial to get around the same thing in 2K also. Here is one simple way - just install another parallel install of 2K and boot into that as Admin, then you have access to all un-encrypted files on the other install. So the CD protection in 2K is nothing at all. Anyone who thinks for 5 mins can get around that (I'm amazed none of the supposed /. alpha geeks figured that one out). Most likely MS realised how futile all this was and made the XP CD simpler to do troubleshooting.
So What? crack it kickit,and sledgehammer it.
You can do the same with a football.
Anyone who paid attention to the article would realise that there is *NO REBOOT* involved in the process of breaching security. The flaw is related to an auto-login "feature" of XP - when the recovery console is started. So you could stop bitching about "you could do this to any machine with a floppy" or things like that - it's just not the same situation.
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.
Omnes arx vestrum sunt adiuncta nobis.
Everyone is always talking about these really complex and sophisticated ways to hack an XP box. I think they're all missing out... screw that damn Win2K CD. Try a damn axe. Take that, encrypted file system!
NO!
You can launch the Recovery Console from CD (or hard drive -- hell, I have it installed on all my machines (winnt32
If you're stupid enough to leave the Administrator password blank on your box, then yes, you can just press Enter at the prompt and you're in -- however copying to a floppy, and access to directories Administrator doesn't have rights to access, are DISABLED by default unless you enable "Recovery Console: Allow floppy copy and access to all drives and all folders" (Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options). Note this doesn't remove the login requirement -- it only adds more access once you've logged into the Recovery Console.
It's a moot point anyway -- even if you have the Welcome Screen enabled (where Administrator doesn't appear unless there are no other accounts defined), you can just hit Ctrl+Alt+Del twice to blow right past the Welcome Screen and pop up the normal GINA logon dialog, where you can log on as Administrator (or whoever), and whatever password (or blank, if you don't specify one during installation -- thank God Windows Server 2003 warns against an insecure Administrator password during Setup).
...
Okay, I've somewhat calmed down now.
Even though I'll bet 75% of posts to Slashdot are made from Windows machines, I find it unbelievable that trash like this makes the front page, let alone goes unrefuted for this long.
Sheesh...
*sigh*
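The two posts above that cite the "Recovery console: Allow floppy copy and access to all drives and all folders" policy (and its sibling, "Allow automatic administrative logon") can be checked without clicking through the Local Security Policy snap-in. What follows is an added example, not code from the thread or from Microsoft: it parses the [Registry Values] section of a `secedit /export /cfg <file>` export and flags the two Recovery Console settings when they are set to 1. The registry value names `SecurityLevel` (automatic admin logon) and `SetCommand` (floppy copy / all drives) under `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole` are the ones secedit writes for these policies; the INF text embedded below is constructed for the example, and on a real machine you would read the exported file (which secedit writes as UTF-16) instead.

```python
# Added example (not from the original thread): audit the two Recovery Console
# policies from a 'secedit /export /cfg <file>' INF.  SAMPLE_INF is constructed
# sample input; replace it with open(path, encoding="utf-16").read() on a real box.

# Value paths exactly as secedit writes them in the [Registry Values] section.
RC_SECURITY_LEVEL = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel"
RC_SET_COMMAND = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand"

# Constructed export: auto-logon turned ON (insecure), floppy copy left at the default 0.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(inf_text: str) -> dict:
    """Return {value_path: (reg_type, raw_value)} for the [Registry Values] section.
    secedit writes each entry as PATH=TYPE,VALUE where TYPE 4 is REG_DWORD."""
    values = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        path, rhs = line.split("=", 1)
        reg_type, _, value = rhs.partition(",")
        values[path.strip()] = (int(reg_type), value.strip())
    return values


def dword(values: dict, path: str):
    """Integer value of a REG_DWORD entry, or None if absent / not a DWORD."""
    entry = values.get(path)
    if entry is None or entry[0] != 4:
        return None
    return int(entry[1])


def audit_recovery_console(inf_text: str) -> list:
    """List the Recovery Console relaxations that are enabled; [] means both are
    at the default of 0 (password prompt enforced, no floppy/all-drive access)."""
    values = parse_registry_values(inf_text)
    findings = []
    if dword(values, RC_SECURITY_LEVEL) == 1:
        findings.append("SecurityLevel=1: Recovery Console automatic administrative logon is enabled")
    if dword(values, RC_SET_COMMAND) == 1:
        findings.append("SetCommand=1: Recovery Console floppy copy and all-drives access is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_recovery_console(SAMPLE_INF) or ["Recovery Console policies at secure defaults"]:
        print(finding)
```

The check only tells you what the console installed on that system enforces; it says nothing about a console booted from other media that never reads these values at all.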
Sorry, but being able to take the server beats out any simple access concern that you might have.
Get 1 copy of Partition Magic. Repartition the drive and install Windows 98 on that partition. Install http://www.ext2fs-anywhere.de/ or http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm . You now have access to any and all files on the Linux box.
... Governments are instituted among Men, deriving their just Powers from the Consent of the Governed...
If someone has physical access to your computer, the computer is no longer yours...
With that in mind, I can get Administrator access with a screwdriver...
The Dopester
"Yes, I'm a Karma Whore, but I'm doing it to pay my way through school."
Who needs the cd anyway....
http://www.ntfs.com/products.htm
That the anti-microsoft camp can't come up with anything better than this to bash Microsoft with. With posts like this considered news worthy, it is only a short matter of time before Slashdot ends.
If you have physical access to a computer that is not using an encrypted file system, you'll pretty much always be able to do whatever you want with it. Ever hear of 'linux single'?
XP, just like any other OS, is only as secure as you make it... It's the classic trade-off between usability/friendliness and security... It takes weeks to make XP a secure OS... the default install is for looking good, which is what sells it in the 1st place... NetBIOS on automatic, Terminal Services enabled, firewall not, file sharing enabled, internet services enabled... the only way to make it work is to shut everything off and go *back* in... turn on only the things you need, and then redo nearly all the local security policies... Ctrl-Alt-Del login... fast user switching off... encrypt the temp folder, make sure Remote Desktop is off... rename the admin account, turn the guest account off, turn show last user name off... it just keeps going and going... the more I think of, the more I feel naked every time I boot up. Mac OS X seems more secure, but there is always the OS 9 boot and modify issue... where you need to set the system to have a password when booting into it... and Open Firmware password... you have to *make* it secure... they need to have a "secure install" option for all default installs for these OSes...
||| I still can't believe Parkay's not butter.
They wouldn't let me on the plane last year with a sawzall and a chainsaw, but they didn't find the log splitter.
"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." Yeah, well if a bad guy has unrestricted physical access to your asshole, it's not your asshole anymore. That doesn't mean you lube your ass up every morning and pass out condoms and KY to everyone you see.
I had previously assumed that the Admin-Recovery-Key was encrypted using the actual admin-password, so that resetting the hashed-password on the HD would not give the intruder the recovery key. Therefore up to today I had not bothered to export-and-delete the Admin-recovery-key. It "ought" to be true that generally speaking, recovery keys are encrypted using the actual user-passwords, so why should the Admin-recovery-key be an exception to this ? Of course "ought" may not apply to EFS, since I have never read anywhere that they have even started scrubbing-the-backup-files after you encrypt just a single file. This is a troubling issue - I would appreciate a reply if you know what's actually going on in there. Hopefully you'll tell me that the EFS keys are indeed encrypted using the user-passwords, it's just obviously gotta be true, mumble, mumble....
The above would give you a shell sitting on the read-only root fs. You'd need to remount it read-write - mount -o rw,remount -n / and possibly mount the other partitions such as /usr to get to the rest of the binaries.
than any other operating system we generally talk about? Including linux, etc?
You can boot from something else, and mount the disk, and even USE the stuff if the system you booted is compatable.
OHH WOW you mean someone can read my files? Shocker.
Why is this news? I mean, I know slashdot has a lot of news that sucks.. but this is over the top.. where's the beef?
One thing this affects, which most of the geeks miss, is the public access environment, such as a school or a library. This type of information makes every kid with a Windows 2000 CD a potential machine wrecker. As a person administrating PCs in a library, it makes me all that much happier I have floppy/CD locks, and DON'T run Windows XP. Any library or school running XP is screwed at this point.
If someone has physical access to a machine, no recovery console restricting access will be effective. A good precaution would be to restrict booting to the hard drive only and password-lock the BIOS. Opening the box is a lot more conspicuous than sticking in a boot disk.
Talk, talk, talk. All you need is this:
http://home.eunet.no/~pnordahl/ntpasswd/
Bootable Linux floppy that can reset the password for any local account without knowing the old one. At our .edu, students are constantly doing Win2k labs, forgetting their passwords, and showing up at my office door to get it fixed. Been using that same floppy for greater than a year now and it's never failed.
But, like eleventy people have stated before, once you have physical access to the machine, discussing it in any more detail is just verbal jacking off.
I'm against picketing, but I don't know how to show it.
You can also bypass any Linux passwd restriction, in boot, with a cd or floppy.
Microsoft never purported NT to be secure out-of-the-box. If there are files you wish to protect, it is incredibly easy to mark those files or folders as encrypted. You *cannot* get into those without the proper passwords. Take my word for it. When my admin account got corrupted, there went my best porn. :-P
Which reminds me: don't encrypt without making an account-recovery disk.
The real surprise in this story for me is that the Admin is not supposed to be able to copy data to a removable media device in 'Recovery Console'. What kind of inane thinking is that. If you're sitting in front of the computer, and you have root/Admin access, you should damn well be able to do whatever the hell you want. As a user, if I want to secure something, I make an encrypted disk image, and store secure stuff there. I want to be able to get at everything on my computer if I want to.
pfft.
~ a low user id is no indication I have a clue what I'm talking about.
Secure the damn terminal physically if it is in a public area. Set the BIOS to boot only to the HDD, put a password on the BIOS and lock the case. While you are at it, lock the case to the ground so someone doesn't walk off with your system.
Oh, and all passwords are encrypted in a Windows-only network. Old stuff like NT4 uses a decent challenge/response technique and Windows 2000 and better use an effectively unbreakable one.
This is just no big deal at all. Secure the machine properly, and there is no problem.
All you have to run is Symantec Ghost ( http://www.symantec.com/sabu/ghost/ ) on a boot CD or boot disks. Then you can save all partitions on another computer in the same network.
It supports most filesystems (like Linux EXT3/WinXP NTFS). After running all partitions into a .GHO file, you can easily open all files from any partition in a Windows version of Ghost Explorer, leaving no track on the computer you have "attacked".
How to prevent files from being seen, you say? Welllll....
Windows TIP:
1. Use a long password in Windows (any SAM file can be extracted from the .GHO file(s) and cracked using a brute-force utility like l0pht). Longer passwords make the password cracker take a long time. "I recommend: This^sAFr3akinLongPassword1234"
2. Right-click on folders like My Documents and select Advanced->"Encrypt contents". This encrypts pretty good.
YES!!! I'd like to have that question answered, also. Please provide a link on how to make the linux boot disk with the NTFS driver.
The answer appears to be that there is no write capability to NTFS in Linux: Linux-NTFS Project
This kind of hacking only gets local machine admin access.
Please be aware IT DOES NOT gain you access to domain user data.
We tested, the NETWORK domain users data does not even show up on the computer. Only the local computer domain data can be breached.
Quick test method:
Take a machine that belongs to a network domain. make a couple of users on said machine.
Now remove the machine from the network domain (make it a workgroup with a different name, or stand alone machine)
Now reboot
Sign in using local machine admin
All the accounts you have and data is now not available, visible etc etc
AdmV
We`re all equal
Mod me down please, I want you to waste your mod points on me instead of using them on good comments.
Slow Down Cowboi!
Slashdot requires you to wait 2 minutes between each successful assraping of a Slashdot editor to allow everyone a fair chance at their soft pink buttocks.
It's been 1 minute since you last successfully spooged up Michael's ass.
Good thing this can't happen in linux! MS Sucks! LOL!
As coincidence would have it, a friend of mine forgot her password on her laptop, which runs XP Home. She needed access, obviously, so she asked me for help. First thing I tried was booting into safe mode, which gave me admin privileges. Win2k recovery disks? Who needs 'em?
filter: +3. Hey, look! all the trolls went away!
Dummy and Stupid users of windzoe you all dont need security. So what windoze has more holes than mars and buggy as hell but it is easy to use. So pay me more money thru subscription now ...you all windoze users. ehehhheehehehe
How about this? Ever encrypt an NTFS file and later regret it because you lost the password/user profile? Just use the backup wizard provided with XP. Copy it to some backup location using the option "remove security restrictions" and you're home free when you restore it. Pretty lame, if you ask me, but it helped when I needed it.
Unless this can be done remotely, this is very old news. Every NT/2k/.net admin worth his salt has known this since NT4 if not before. It is the same thing if you have a Slack or Gentoo CD and have local access to a Linux box. There is not much that can be done if you have local access. In my mind this is what is wrong with the security world today. A lot of people taking shit like this too far. This is not an exploit and should not be treated as such. You should note it and not let just anyone have physical access to your network.
Ok, here goes: Microsoft should release a patch for Windows NT, 2000, and XP. This patch will modify the login window as follows: You'll have the option, as you do now, to enter your username and password. Additionally, the "shutdown" button remains, as it is assumed that if you have access to the machine, you're allowed to shut it down and restart it. (Besides, it's not like Windows is reliable enough to omit this button.) But here's the improvement: Microsoft will add a button called "Unauthorized." Anybody with access to the machine can click this button. It will immediately log them in as Administrator, or whatever 'root' is called on Windows, but without prompting for any password or other such pesky information. In other words, it will provide an obvious way for unauthorized users to log in and perform damage to the machine. Administrators will have no way to disable this button. As an added convenience, Microsoft should add a similar feature for remote logins, so that hackers on the other side of the world can take control of your machine within 10 seconds, without knowing any more than your IP address. (Oh, wait... This feature is already present... My bad.)
To spruce up future versions of Windows with innovative graphics and whatnot, this button will present the user with a menu, instead of immediately logging them in. The menu will include:
Format hard drives...
Perform DoS attack... (which will display a dialog box requesting the IP address or DNS name of the host to be attacked)
Spend administrator's money... (which will charge every credit card stored in Microsoft Wallet or whatever it might be called to a drug dealer's account in Colombia)
and finally, Log in as Administrator without password (which performs the action described in the second paragraph of this innovative post)...
Microsoft. Where do you want to give us your money in exchange for crappy products today? Microsoft is not a trademark of Microsoft Corporation despite what they claim about the use of their own name... It's a REGISTERED trademark. There's a difference, you idiot.. IBM is a registered trademark of Jack's Donuts. Hewlett Packard is a registered trademark of Ali's Carpet Service. All other trademarks are the property of their respective owners' pregnant 15-year-old daughter-in-law, or some bum on the street if they don't have a 15-year-old daughter-in-law or she is not pregnant.
Amen brother! Respecting some simple rules, you can quite easily secure your Linux box:
* Password protect your BIOS
* set up Lilo to not allow "boot: single" (easy)
* as opposed to other comments, ordinary users can't mount other partitions on the same system unless they are explicitly mentioned in /etc/fstab
* home directories should be "chmod 700"
* physically secure your machine with a lock and/or intrusion detection.
That should do the trick.
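The LILO and fstab items in the list above, written out as an added configuration example (not from the post; device names, labels and the password are placeholders). In lilo.conf, `password=` plus `restricted` makes LILO ask for the password only when extra kernel parameters such as `single` are typed at the boot: prompt, which is the case the list wants to block; the password sits in clear text, so the file must be readable by root only, and `/sbin/lilo` must be re-run after editing. In fstab, an ordinary user can mount a listed filesystem only if its entry carries the `user` or `users` option; `defaults` alone keeps mounting root-only, so listing a partition is not by itself the risk, the option is.

```text
# /etc/lilo.conf (excerpt) - chmod 600 this file, the password is stored in clear text
boot=/dev/hda
prompt
timeout=50
password=replace-me-before-use
# "restricted": no password for a plain boot, password required for
# any added parameter, e.g. "linux single" or "linux init=/bin/sh"
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only

# /etc/fstab (excerpt)
# root-only mounts: "defaults" does not let ordinary users mount these
/dev/hda1   /            ext3   defaults        1 1
/dev/hdb1   /data        ext3   defaults        1 2
# weak variant of the same line: "user" would let any local user mount it
# /dev/hdb1 /data        ext3   user            1 2
# a deliberately user-mountable removable device, mounted with nosuid,nodev
/dev/fd0    /mnt/floppy  auto   noauto,user,nosuid,nodev  0 0
```

Neither file helps if the BIOS still boots from floppy or CD, which is why the first and last items in the list are the ones that matter most.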
As early as Compaq's Deskpro 4000, there was:
- a software-controlled case-lock &
- a case-opened sensor
The box's firmware could be set up to use the sensed indications that the case had been opened (with or without use of the s-w-cont'd case-lock).
By the way, has anybody got code that can access the case-opened indicator and/or s-w-cont'd lock, e.g. for use in an Open Source OS?
TIA
I suppose the moral is to remove all floppy and CD drives from your corporate PCs. Disabling floppy boot in the BIOS will keep the haX0rs out for about 20 seconds, as this is how long it takes to flip open the case and short out JP1 to reset the BIOS password. If they have to bring their own floppy drive it slows them down a bit more, plus it's rather obvious.
When I am king, you will be first against the wall.
1. Get latest Slashcode
2. Add Subject feature
3. Get
Too easy, eh?
If someone gets physical access to my Windows XP based PC, they might be able to get at my files?!
Oh the humanity!
Isn't this true of the majority of operating systems in default configuration, both Microsoft and otherwise?
First, of course as long as there is physical access, there is always a way to get at the data. It may be difficult if encrypted etc but there is always a possibility. So for that reason that article was not a big thing, but nice to know anyway.
So. This is how Recovery Console works:
(goes for XP and 2k)
When it starts, it tries to find your Windows system. If it finds several (on different partitions for instance), you are prompted for which one to log into.
Then it tries to read the relevant registry files for the installation. This is the SAM file for user accounts/passwords, and at least the software hive, which is where its settings are stored: the settings in the security policy that tell it whether it should prompt for the admin password and also whether it should allow full access to the drive and floppies etc. More on that later.
It also needs the system hive to make use of the commands which allow changing the list of services to start at boot.
But.. here's the point:
If it can't read the registry (especially the sam file) because it's either corrupt or not there, it will simply go right ahead, since it can't verify any password. This is probably by design.
Now, MS changed the registry file format between 2k and XP! Just a little, in XP they use "real" hashes for the key lookup tables, instead of just the first 4 letters of the name as in 2k.
(it took me some time to find out this when making support for XP on the ntpasswd tool)
Thus.. 2k recovery console (and 2k itself for that matter) CANNOT READ THE XP REGISTRY at all! And it then falls back to no-password mode. You also cannot change service start parameters with the 2k console on XP because of it being unable to read the registry, but NTFS is apparently compatible enough so you can read the files off the disk.
MS has always had inadequate recovery options in their OS; "reinstall" is the usual answer when things won't boot properly. I think the recovery console is pretty OK, not quite there yet, but it's better than nothing (like in NT4).
And, yes, IMHO, using the physical access explanation when people pester them about getting too much access on the recovery tools is quite appropriate.
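The post above makes two technical points: Windows 2000 hives index subkeys by the first four characters of the name while XP hives use a real hash, and a console that cannot read the account database skips the password check rather than refusing. The block below is an added example, not code from the post or from the ntpasswd tool, that models both. It uses the two subkey-list signatures from the hive format, `lf` (2000, 4-character name prefix per entry) and `lh` (XP, 32-bit hash computed as h = h*37 + uppercase(char) per entry); everything else about a real hive (cell headers, NK records, real offsets) is left out, and the child offsets and key names are constructed for the example. The `requires_password_*` functions are the example's own, contrasting the fail-open decision the post describes with a fail-closed one.

```python
# Added example (not from the original post or the ntpasswd tool): toy model of
# the 'lf' (Windows 2000) and 'lh' (XP) subkey-list formats and of a password
# check that fails open when the account hive cannot be parsed.
import struct


def lf_key(name: str) -> bytes:
    """Windows 2000 'lf' entry key: the first four characters of the name, NUL-padded."""
    return name[:4].encode("latin-1").ljust(4, b"\0")


def lh_hash(name: str) -> int:
    """XP 'lh' entry hash: h = h*37 + uppercase(char) for each character, 32-bit."""
    h = 0
    for ch in name:
        h = (h * 37 + ord(ch.upper())) & 0xFFFFFFFF
    return h


def build_subkey_list(names, generation: str) -> bytes:
    """Serialise a subkey list: 2-byte signature, 2-byte count, then per entry a
    4-byte child offset (dummy values here) and a 4-byte key or hash."""
    sig = b"lf" if generation == "2000" else b"lh"
    blob = sig + struct.pack("<H", len(names))
    for i, name in enumerate(names):
        key = lf_key(name) if sig == b"lf" else struct.pack("<I", lh_hash(name))
        blob += struct.pack("<I", 0x1000 + 0x80 * i) + key
    return blob


class UnsupportedHive(Exception):
    """Raised when a reader meets a subkey-list signature it does not know."""


def parse_subkey_list_2000(blob: bytes):
    """2000-era reader: knows only 'lf', so an XP 'lh' list is unreadable to it."""
    sig = blob[:2]
    if sig != b"lf":
        raise UnsupportedHive(f"unknown subkey-list signature {sig!r}")
    count = struct.unpack_from("<H", blob, 2)[0]
    entries = []
    for i in range(count):
        off, key = struct.unpack_from("<I4s", blob, 4 + 8 * i)
        entries.append((off, key.rstrip(b"\0").decode("latin-1")))
    return entries


def parse_subkey_list_xp(blob: bytes):
    """XP-era reader: accepts 'lf' (text prefix) and 'lh' (hash) lists."""
    sig = blob[:2]
    if sig == b"lf":
        return parse_subkey_list_2000(blob)
    if sig != b"lh":
        raise UnsupportedHive(f"unknown subkey-list signature {sig!r}")
    count = struct.unpack_from("<H", blob, 2)[0]
    return [struct.unpack_from("<II", blob, 4 + 8 * i) for i in range(count)]


def find_subkey_xp(lh_blob: bytes, name: str):
    """Child offset of `name` in an 'lh' list, found by hash comparison as an XP reader does."""
    wanted = lh_hash(name)
    for off, h in parse_subkey_list_xp(lh_blob):
        if h == wanted:
            return off
    return None


def requires_password_fail_open(sam_blob: bytes, parser) -> bool:
    """Behaviour the post describes: an unreadable account database means the
    console 'goes right ahead' and asks for no password at all."""
    try:
        parser(sam_blob)
    except UnsupportedHive:
        return False
    return True


def requires_password_fail_closed(sam_blob: bytes, parser) -> bool:
    """Hardened variant: an unreadable account database denies the logon
    instead of waiving the check."""
    try:
        parser(sam_blob)
    except UnsupportedHive as exc:
        raise PermissionError(f"cannot verify credentials ({exc}); refusing logon")
    return True


if __name__ == "__main__":
    names = ["SAM", "Users"]                      # constructed sample subkey names
    w2k_sam = build_subkey_list(names, "2000")
    xp_sam = build_subkey_list(names, "XP")
    print("2000 reader, 2000 hive:", parse_subkey_list_2000(w2k_sam))
    print("2000 reader, XP hive, password prompted (fail-open)?",
          requires_password_fail_open(xp_sam, parse_subkey_list_2000))
    print("XP reader finds 'Users' at", hex(find_subkey_xp(xp_sam, "Users")))
```

The fail-closed variant is the one to copy: a tool that authenticates against data it cannot parse must treat the parse failure as "deny", not as "nothing to check".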
So, Windows 2000 is illegal per the DMCA, right? :)
MOD THE PARENT POST UP! Corporate security depends on making the intruder do something he or she is unlikely to be able to do. It can be made very unattractive to open a computer case.
Taking advantage of this vulnerability looks a lot like normal computer use. It is possible to change the administrator password from DOS, for example, but most people don't have the software to do so. (See Windows XP may provide no local security.) This is simpler and quicker, and involves having only an easily available CD.
I mean: this has been around for so long, everyone should know it by now. That is why so many reactions are what they are. Sure it is a security hole, but a very obvious one, so why post a big article about it? Every sysadmin should know about it and about the relevant security measures anyway.
The big picture is that most admins assume that no one will boldly open the computer case and simply attach the disk to another computer, and that there's a lot of admins who also assume that no one will fiddle around with the boot sequence to gain unauthorized access. They basically trust the person who sits in front of the computer.
So the fundamental question is: how much do you trust the person in front of the computer and how much effort are you going to invest to secure the machines against their unauthorized access.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
For basically every operating system ever made: if you have an install or boot CD, the firmware passwords aren't turned on, and the physical doorways to the computer aren't locked, then, well, what do you expect?
Vote in November. You won't regret it.
Sooo... you'd feel just fine about running the network cables and power cables outside and just leaving the server on the downtown streetcorner by the $10 hookers?
:-)
The fact that only 1000 people have access means it's somewhat secured physically already. That is, unless you're like me and your entire town has less than 1000 people in it.
I can only imagine what would happen to the college's servers if they were installed in a computer lab instead of the server room.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Me see shiny disk.. Me change SAM database with car key... Disk no work no more? Me create NTFS to fix. Yes. Me invent wheel, discover fire.. Build OS. Me Bill.
Fortunately I've discovered a redundant layer of password protection in the screensaver control panel. I'm pretty sure this will catch whatever security whosywhatsit you're talking about.
free online diet tracking.
Has anyone else noticed that on WinXP home (at least the version that comes with Dell) booting into safe mode brings up the un-password protected Administrator account?
Well, if I understand things correctly this flaw doesn't require you to reboot into some prepared media. All you have to have is a local login and access to the CD-ROM. This is definitely worse than boot/root floppies.
Peder
... there are about 5,000 people who are part of that committee. These guys have a hard time sorting out what day to meet, and whether to eat croissants or doughnuts for breakfast -- let alone how to define how all these complex layers that are going to be agreed upon.
-- Craig Burton of Novell, Network World
- this post brought to you by the Automated Last Post Generator...