Slashdot Mirror


Crack Windows XP With... Windows 2000

An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."


  1. And... ? by powerlinekid · · Score: 1, Informative

    If you have physical access to a machine you can crack it. This has been demonstrated before. I mean you could pop Knoppix in, mount the windows partition and copy files that way. If you don't want anyone accessing your files make sure you lock the damn machine down (physically and network wise).

    --

    can't sleep slashdot will eat me
  2. Not a big deal! by Longinus · · Score: 4, Informative

    You can do the same thing to Linux with a boot floppy. Also, Ars is carrying this story, but with the following observations from readers:

    "Update: Some posters in the discussion thread point out this report may not be valid. One said that booting from a 2K CD did ask them for an administrator password and didn't let them in without it. Unfortunately, I don't have XP installed here to test it out before I posted."

    Either way I don't find this to be terribly upsetting because a) root access can be gained in a similar manner with Linux and b) if one is worried about security, they shouldn't be using Windows to begin with.

  3. Slashdot = MCSE Flunkees by Anonymous Coward · · Score: 1, Informative

    This has to be the most retarded story ever. What's next? "Crack Linux with Linux?"

    The fact that they went so far to specify "XP" and "2000" makes this even more retarded. Any version of NT can install into a "C:\WINNT_2" directory, and bypass all ACL security (except for EFS stuff).

  4. Goodbye NTFS encryption? by GraZZ · · Score: 3, Informative

    This sounds particularly bad, as I'm assuming that it allows you to get by the NTFS filesystem-level encryption. This feature is *supposed* to allow you to encrypt files, and make it impossible for others to decrypt, even if they steal your drive, reinstall Windows on it, etc.

    If you can just get Administrator access without reinstalling the OS (and killing the old UID tables), then this data suddenly becomes vulnerable!

  5. umm no.. by Suppafly · · Score: 4, Informative

    An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password.

    Speaking from experience, the win2k recovery console makes you enter the admin password before it will let you do anything, unless they are using some version of the recovery console other than the one that comes with windows 2000 professional.

  6. Knoppix by zulux · · Score: 1, Informative

    Even easier - download Knoppix, Burn the ISO and boot off the Knoppix CD.

    Presto!

    It even mounts all the FAT/NTFS partitions and puts little icons on the KDE desktop for you. Click, browse and copy!

    (Knoppix is a rather full Linux x86 distribution that boots off of a CD and doesn't need any hard drive to work. You get a great KDE desktop and a lot of tools.)

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    1. Re:Knoppix by Proc6 · · Score: 5, Informative

      And let me be the first to say, Praise Jesus for Knoppix. I had a pair of mirrored disks created in Win2K Server. After the server exploded I put them into an XP Box (NTFS is NTFS right? Wrong.) - I used XP's disk admin to "reactivate disks", as soon as I did that, they became completely unreadable with either XP, or even in a different 2000 server at that point. Many various attempts at various things basically left me with NTFS disks I simply couldn't read with Win2000 or XP.

      I booted Knoppix. It saw the NTFS partitions fine. The disks appeared on the Knoppix desktop. I opened an FTP connection to another machine, copied off the important files, and was done.

      I will ALWAYS have a copy of Knoppix around.

      --

      I'm Rick James with mod points biatch!

  7. Err... by Wakko+Warner · · Score: 4, Informative

    Why not just use one of *several* NT password recovery disks? They work on XP, as well. I've used this one to bust into several Win2k Pro machines we'd forgotten the password for.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  8. Physical access by Tyreth · · Score: 5, Informative

    I know that physical access makes a machine vulnerable in most cases. But that is because people don't password their bootloader, don't password their bios and disable boot disks.

    Take these precautions and you can be fairly secure with physical access. Add an encrypted file system so that if someone steals your hard disk you are safe. Then padlock the PC.

    Those are reasonable steps for a Linux machine (and I may have missed some, please let me know if I did). Now with a windows xp machine it looks like you also need to disable cdrom access. An unreasonable step.

    But am I misunderstanding this? Does this mean that there is a way for programs to be made to bypass Administrator password? If so why would this be limited to a windows 2000 disk? What's stopping someone from making a program that enters into Recovery Console, removing the need to be physically present or have a windows 2000 CD. Unless you actually have to boot from CD, but the article makes it sound like you can use the CD after the PC boots.

    1. Re:Physical access by Anonymous Coward · · Score: 2, Informative

      On most computers that can boot a CD-ROM in the first place, you can also disable bootable CD-ROMs in the BIOS (in all the cases I know of).

      So it's almost exactly as inconvenient as disabling bootable floppies. Maybe even less so. I don't routinely make bootable CD-Rs for anything, after all.

      Now, if you replaced the boot drive/device... but then, why not just steal the boot device?

  9. This strange? by ciryon · · Score: 2, Informative

    It requires physical access to the computer. You can do the same from many operating systems, for instance Linux and Mac OS X.

    But the thing is probably that micro$oft said this thing would be impossible since winxp is so secure. Whatever.

    Ciryon

  10. Re:I think I see the problem by Junta · · Score: 2, Informative

    Windows 2000 recovery console is only available at boot time from the CD. It can't run once the system is booted.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  11. Not quite by Xenophon+Fenderson, · · Score: 2, Informative

    The Common Criteria Evaluation Assurance Level 4 evaluation given to Windows 2000 only means that Microsoft followed some kind of software engineering methodology when designing and implementing Windows 2000. In fact, the operating system protection profile Microsoft used describes a non-hostile environment (e.g. no viruses, no malicious employees, etc). Jonathan Shapiro said it best in Understanding the Windows EAL4 Evaluation:

    Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.

    Definitely one for the sig quote file. :)

    --
    I'm proud of my Northern Tibetian Heritage
  12. bah by Anonymous Coward · · Score: 1, Informative

    For encrypted filesystems, usually the key itself will be encrypted with a passphrase. This passphrase needn't exist anywhere except someone's head.

  13. Wannabe slashdot lawyers by Anonymous Coward · · Score: 5, Informative

    Have you -read- the DMCA? Do you think the primary purpose of Windows 2000 was to be a circumvention device of Windows XP (which wasn't even released yet?)

    (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

    `(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

    `(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or

    `(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.

  14. Encrypting your SAM key by scubacuda · · Score: 3, Informative

    I have not done this, but according to this article you can secure your SAM key on XP:

    You can encrypt your SAM file with SYSKEY and selecting the option to store the encrypted key on a floppy disk. Keep in mind that the floppy disk will be required during the system boot phase. Storing the encrypted key on the local drive is not as secure, since there are utilities available to manipulate the password hash. Make a backup of the floppy disk and store in a safe, in case your original floppy disk gets damaged.

    Equally important to protecting your SAM file, is having an understanding of the services you are running. Make sure that you disable unnecessary services for security reasons and to free up system resources. I've included below some of the services that I would disable by default. Keep a configuration file or maintenance log of the changes made to each host in your peer-to-peer network.

    NOTE: Make sure you make a full backup of your system before making changes.

    Services to disable:

    • Application Layer Gateway Service - if not using Internet Sharing
    • Automatic Updates - this can work for you or against you; at some point, someone will hack this process to propagate an attack on your system
    • Background Intelligent Transfer Service - used by Windows Update
    • Error Reporting Service - self explanatory
    • Internet Connection Firewall - unless you are sharing Internet
    • NetMeeting Remote Desktop Sharing - enable when you need it
    • Remote Access Auto Connection Manager - unless sharing Internet
    • Remote Desktop Help Session Manager - enable when you need it
    • Remote Access Connection Manager - unless sharing Internet
    • Routing and Remote Access - unless sharing Internet
    • TCP NetBIOS Helper Service - used for WINS
    • Terminal Services - enable when you need it
    • Upload Manager
    • WebClient

  15. Re:So what? by slaker · · Score: 3, Informative

    Tried it this afternoon on one of my 2000 Servers and an XP Pro disc. I was greeted by a password prompt.

    The default local security policy on every XP box I have access to seems to require authentication, but at the same time, more than half of the XP boxes I have access to also have an admin-level account that does NOT have a password on it, at all.

    --
    -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
  16. Re:Oh my -- my Mac too by Anonymous Coward · · Score: 1, Informative

    As has been noted above - Open Firmware Password will sort you out.

  17. No, No, NO!!! by alexburke · · Score: 5, Informative

    No, No, No.

    NO!

    You can launch the Recovery Console from CD (or hard drive -- hell, I have it installed on all my machines via winnt32 /cmdcons /unattend), but from within the Recovery Console you can ONLY log on to a Windows installation as Administrator (or whatever account was originally called Administrator if it was renamed), and you *do* require the password for it. NO OTHER ACCOUNT WILL WORK. (You are not even prompted for the user to log in as.)

    If you're stupid enough to leave the Administrator password blank on your box, then yes, you can just press Enter at the prompt and you're in -- however copying to a floppy, and access to directories Administrator doesn't have rights to access, are DISABLED by default unless you enable "Recovery Console: Allow floppy copy and access to all drives and all folders" (Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options). Note this doesn't remove the login requirement -- it only adds more access once you've logged into the Recovery Console.

    It's a moot point anyway -- even if you have the Welcome Screen enabled (where Administrator doesn't appear unless there are no other accounts defined), you can just hit Ctrl+Alt+Del twice to blow right past the Welcome Screen and pop up the normal GINA logon dialog, where you can log on as Administrator (or whoever), and whatever password (or blank, if you don't specify one during installation -- thank God Windows Server 2003 warns against an insecure Administrator password during Setup).

    ...

    Okay, I've somewhat calmed down now.

    Even though I'll bet 75% of posts to Slashdot are made from Windows machines, I find it unbelievable that trash like this makes the front page, let alone goes unrefuted for this long.

    Sheesh...

    *sigh*

  18. Re:Hey look everybody, Linux has a hole too! by Trogre · · Score: 2, Informative

    Except that you can put a password on grub to prevent people doing this.

    From the GRUB info page:

    password --md5 PASSWORD
        If this is specified, GRUB disallows any interactive control, until you press the key <p> and enter a correct password. The option `--md5' tells GRUB that `PASSWORD' is in MD5 format. If it is omitted, GRUB assumes the `PASSWORD' is in clear text.


    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  19. Re:Use the Goddam BIOS password by Anonymous Coward · · Score: 1, Informative

    hey dumbass, the bios password can EASILY be reset by taking the mobo battery out for 15-30 minutes or just taking the bios itself out. it isn't hard to do, the bios protection is zilch. nada. like, throw me a friggin bone here...

  20. Re:So what? by CharlesEGrant · · Score: 2, Informative

    While this exact bug may not apply to Windows 2000, there is a whole family of nearly identical attack schemes that apply to Windows 2000 (and LINUX and SOLARIS, and OS/2, and AS/400, and ...). For example were you aware that there are NTFS device drivers for MSDOS? Just pop a MSDOS boot floppy with this driver into your Windows 2000 box, and et voila, complete access to all the files on the hard disk.

    As so many have pointed out on this thread, you need to physically secure your machines, and if you have files that absolutely, positively must be kept confidential, you need to encrypt them.

  21. Old News by SLASHAttitude · · Score: 3, Informative

    Unless this can be done remotely this is very old news. Every NT/2k/.net admin worth his salt has known this since nt4 if not before. It is the same thing if you have a slack or gentoo cd and have local access to a linux box. There is not much that can be done if you have local access. In my mind this is what is wrong with the security world today. A lot of people taking shit like this too far. This is not an exploit and should not be treated as such. You should note it and not let just anyone have physical access to your network.

  22. An OS -can- know its phys sec was breached... by ivi · · Score: 3, Informative

    As early as Compaq's Deskpro 4000, there was:

    - a software-controlled case-lock &
    - a case-opened sensor

    The box's firmware could be set up to use the sensed indications that the case had been opened (with or without use of the s-w-cont'd case-lock).

    By the way, has anybody got code that can access the case-opened indicator and/or s-w-cont'd lock, eg for use in an Open Source OS?

    TIA

  23. Another way to 0wn a Windows box by Zog+The+Undeniable · · Score: 2, Informative
    There's a Linux-based boot floppy which purports to change any user's password (including Administrator) on any Windows NT/2000/XP box. I can report that it works perfectly on XP. If Administrator has been renamed, no problem: it picks up the account with a SID of 500 and suggests that might be the one you're after. All good clean fun. You can get the floppy disk image from here.

    I suppose the moral is to remove all floppy and CD drives from your corporate PCs. Disabling floppy boot in the BIOS will keep the haX0rs out for about 20 seconds, as this is how long it takes to flip open the case and short out JP1 to reset the BIOS password. If they have to bring their own floppy drive it slows them down a bit more, plus it's rather obvious.

    --
    When I am king, you will be first against the wall.
  24. This is why 2k rcons won't ask password on XP by Petroman · · Score: 2, Informative

    First, of course as long as there is physical access, there is always a way to get at the data. It may be difficult if encrypted etc but there is always a possibility. So for that reason that article was not a big thing, but nice to know anyway.

    So. This is how Recovery Console works:
    (goes for XP and 2k)

    When it starts, it tries to find your windows system. If it finds several (on different partitions for instance), you are prompted for which one to log into.

    Then it tries to read the relevant registry files for the installation. This is the sam file for user accounts/passwords, and at least the software hive, which is where its settings are stored: the settings in the security policy that tell it whether it should prompt for the admin password and also whether it should allow full access to the drive and floppies etc. More on that later.
    It also needs the system hive to make use of the commands which allow changing the list of services to start at boot.

    But.. here's the point:

    If it can't read the registry (especially the sam file) because it's either corrupt or not there, it will simply go right ahead, since it can't verify any password. This is probably by design.

    Now, MS changed the registry file format between 2k and XP! Just a little, in XP they use "real" hashes for the key lookup tables, instead of just the first 4 letters of the name as in 2k.
    (it took me some time to find out this when making support for XP on the ntpasswd tool)
    Thus.. 2k recovery console (and 2k itself for that matter) CANNOT READ THE XP REGISTRY at all! And it then falls back to no-password mode. You also cannot change service start parameters with 2k console on XP because of it being unable to read the registry, but NTFS is apparently compatible enough so you can read the files off the disk.

    MS has always had inadequate(sp?) recovery options in their OS, "reinstall" is the usual answer when things won't boot properly. I think the recovery console is pretty OK, not quite there yet, but it's better than nothing (like in NT4).
    And, yes, IMHO, using the physical access explanation when people pester them about getting too much access on the recovery tools is quite appropriate.
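To make Petroman's point about the hive format change concrete, here is an added example (not code from the thread or from the ntpasswd tool) that models the two subkey-list cell flavours: the Windows 2000 "lf" list, whose per-entry hint is the first four bytes of the key name, and the XP "lh" list, whose per-entry value is a 32-bit hash of the upper-cased name. The entry layouts and the hash (hash = hash*37 + char) follow what open-source hive parsers document; the cell offsets and key names are constructed placeholders, and a reader that only knows "lf" models the 2000-era console giving up on an XP hive.

```python
import struct

# Added example, not from the Slashdot thread: models the subkey-list change
# Petroman describes (2k "lf" lists carry a 4-byte name prefix, XP "lh" lists
# carry a 32-bit hash). Offsets below are constructed placeholders; there is no
# real hive on disk.

def lf_hint(name: str) -> bytes:
    """Windows 2000 'lf' hint: first four bytes of the key name, zero padded."""
    return name.encode("ascii")[:4].ljust(4, b"\x00")

def lh_hash(name: str) -> int:
    """Windows XP 'lh' hash: hash = hash * 37 + char over the upper-cased name."""
    h = 0
    for ch in name.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h

def build_subkey_list(names, style: str) -> bytes:
    """Serialise a subkey-list cell body: 2-byte signature, 2-byte count, then
    one (4-byte cell offset, 4-byte hint-or-hash) pair per subkey."""
    if style not in ("lf", "lh"):
        raise ValueError("unknown subkey-list style: " + style)
    body = []
    for i, name in enumerate(sorted(names, key=str.upper)):
        offset = 0x100 * (i + 1)          # constructed placeholder offset
        if style == "lf":
            body.append(struct.pack("<I", offset) + lf_hint(name))
        else:
            body.append(struct.pack("<II", offset, lh_hash(name)))
    return style.encode("ascii") + struct.pack("<H", len(body)) + b"".join(body)

def candidate_offsets(cell: bytes, name: str, reader: str):
    """Offsets a reader would follow to locate `name`. A 2000-era reader ('lf')
    only understands 'lf' lists and returns None otherwise, which is the
    'cannot read the XP registry' case; an XP reader ('lh') handles both.
    Real readers then compare the full name in the target key cell, because an
    'lf' prefix hint can match more than one key (see the Softw/Software case)."""
    sig = cell[:2].decode("ascii")
    if sig not in ("lf", "lh") or (reader == "lf" and sig == "lh"):
        return None
    (count,) = struct.unpack_from("<H", cell, 2)
    want = lf_hint(name) if sig == "lf" else struct.pack("<I", lh_hash(name))
    hits = []
    for i in range(count):
        entry = cell[4 + 8 * i: 12 + 8 * i]
        if entry[4:8] == want:
            hits.append(struct.unpack("<I", entry[:4])[0])
    return hits

if __name__ == "__main__":
    keys = ["SAM", "SECURITY", "SOFTWARE", "SYSTEM", "Setup"]
    hive_2k = build_subkey_list(keys, "lf")
    hive_xp = build_subkey_list(keys, "lh")
    print(candidate_offsets(hive_2k, "SAM", "lf"))   # 2k reader, 2k hive: found
    print(candidate_offsets(hive_xp, "SAM", "lh"))   # XP reader, XP hive: found
    print(candidate_offsets(hive_xp, "SAM", "lf"))   # 2k reader, XP hive: None
```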