Slashdot Mirror


Crack Windows XP With... Windows 2000

An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."

33 of 401 comments

  1. So what? by nweaver · · Score: 5, Insightful

    It is generally assumed that if you have console access to the machine, you can breach the security and acquire root. Many systems allow you to do this, deliberately.

    You can make a nice Linux boot-floppy or boot-cd to do the same thing.

    --
    Test your net with Netalyzr
    1. Re:So what? by Anonymous Coward · · Score: 2, Insightful

      Anyone knows this man, if the enemy touches your computer, it's not your computer anymore.

      I don't want to sound like a flamer, but WTF is this doing on /. timothy?

      This whole article is a flamebait.

      In other news, if you leave your top of the line Mercedes with the most sophisticated anti-burglary system in the world, with keys in the ignition in the middle of the Bronx, it WILL get stolen.

    2. Re:So what? by NineNine · · Score: 4, Insightful

      Yes, which is why this flaw supposedly exists in XP. It does not exist in W2K.

    3. Re:So what? by Forgotten · · Score: 4, Insightful

      At best you can slow someone down. You have to have the key somewhere in order to mount the filesystem. If I have access to the media, I can find it. If it's in flash ROM somewhere, I can still find it. If it's in the CPU itself, TCPA-style, with physical access I can still eventually find it. Unless the system's only access to its own key is some sort of quantum-encrypted optical fibre, I can eventually reproduce the same access required to actually use the data. And there's an important point here which pervades all of information security - the system cannot discern the difference between legitimate and illegitimate uses, because the illegitimate user can imitate the legitimate one to any degree required (further because the difference between them is social, not technical). This is true of a buffer overflow as of breaking in to a hosting facility and removing a hard drive.

      Physical access means complete access, particularly where the attacker has the ability to interrupt the system's operation (as here, where a reboot is implied). This is why information security necessarily comprises physical security (and let's not even get into social engineering attacks while the system is already running).

      Encrypted filesystems are useful for archival storage and transport of data, though. The problem starts, as always, when you want to take them out of the vault in the concrete block at the bottom of the lake and actually use them. ;)

    4. Re:So what? by Dunkalis · · Score: 2, Insightful

      Debian will let you use init=/bin/sh, but IIRC, it still asks for the root password. This is negated with something like Knoppix or another boot disc, since you still have the chroot utility.

      No system can be 100% secure if someone can gain physical access to any machine. Your tips are good, but I have another one: only allow root logons from a single terminal. Lock this in a room to which only the sysadmin has access. Even better, remove the floppy and CD-ROM drive from this machine. About as secure as physically possible.

      --
      Slashdot is a waste of time. I enjoy wasting time.
    5. Re:So what? by afidel · · Score: 4, Insightful

      No it is NOT assumed that partitions cannot be mounted; in fact it has been possible to use NTFS for DOS drivers from sysinternals to mount partitions since NT4. That is why if you want security you turn on EFS and encrypt any important directories.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:So what? by shamilton · · Score: 5, Insightful

      This is nothing more than a red herring. If somebody has physical access to your box, then your security has been breached. Passwords aren't going to protect you from having your hard drive removed. An encrypted filesystem, however, will.

      sh

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    7. Re:So what? by Kinthelt · · Score: 3, Insightful

      Because then you'd have to keep the user's password in memory. Somebody bad could then look at the memory location and determine the user's password.

      --

      "Evil will always triumph over good, because good is dumb." - Dark Helmet (Spaceballs)

    8. Re:So what? by WhoDaresWins · · Score: 2, Insightful

      > Linux (also in win) you have many different ways to protect your partitions:

      None of those ways are very easy to do for a normal user. But 2K/XP make that trivial to do using Properties->Advanced->Encrypt contents ... That uses public key cryptography and as long as you protect and save your key no one can easily steal your data.

      > I think that the difference is important; in Linux everybody knows the way to mount partitions and retrieve/change the info inside them. In Windows it's supposed you can't do that.

      Huh? You think it's that hard to achieve something equivalent on Windows? It is trivial to get around the same thing in 2K also. Here is one simple way - just install another parallel install of 2K and boot into that as Admin, then you have access to all un-encrypted files on the other install (So how come none of the supposed /. alpha geeks could figure that simple thing out?). So the CD protection is nothing at all. Most likely MS realised how futile all this was and made the XP CD simpler to do troubleshooting.

    9. Re:So what? by shepd · · Score: 2, Insightful

      What if the key is stored on a smartcard, copies of which are only given to authorized users?

      How does one steal the info from the HDD then? :-)

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    10. Re:So what? by Tony-A · · Score: 2, Insightful

      Ever have someone lose a password?

    11. Re:So what? by Caktus · · Score: 2, Insightful

      Don't use the password as encrypting key, just have the encrypting key in a file encrypted using your password.

    12. Re:So what? by fizbin · · Score: 2, Insightful

      It'd probably be better to have a single key file which is encrypted with the user's password, and then all the files are encrypted with that key.

      Then, on password change, just re-encrypt the key file.

      However, there are other more significant technical obstacles with this proposal. I, for example, like my cron jobs to have access to my home directory.
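The key-file scheme Caktus and fizbin describe above, as an added Python example that is not part of the thread: a random data key encrypts the files, the password only wraps that key, and a password change re-wraps the key file without touching the files. HMAC-SHA256 run in counter mode stands in for a real block cipher so the example needs only the standard library (an assumption of this example, not the EFS construction).

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, PBKDF2_ITERS = 16, 32, 200_000

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream. This is a stand-in
    # for AES-CTR so the example runs on the standard library alone (assumption).
    blocks = []
    for ctr in range((n + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest())
    return b"".join(blocks)[:n]

def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key (or tampered blob) fails here, not as garbage output."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def kek_from_password(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the password; it is never written to disk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)

def create_keyfile(password: str) -> dict:
    # The data-encryption key (DEK) is random; the key file stores it wrapped under the KEK.
    salt, dek = os.urandom(16), os.urandom(32)
    return {"salt": salt, "wrapped_dek": seal(kek_from_password(password, salt), dek)}

def unwrap_dek(keyfile: dict, password: str) -> bytes:
    return open_sealed(kek_from_password(password, keyfile["salt"]), keyfile["wrapped_dek"])

def change_password(keyfile: dict, old_pw: str, new_pw: str) -> dict:
    # Only the key file is re-wrapped; every file sealed under the DEK stays as it is.
    dek = unwrap_dek(keyfile, old_pw)
    salt = os.urandom(16)
    return {"salt": salt, "wrapped_dek": seal(kek_from_password(new_pw, salt), dek)}
```

Someone who copies the disk gets the key file and the sealed files but not the password, so `unwrap_dek` fails for them; the same property is fizbin's cron-job obstacle, since an unattended job has no password with which to unwrap the DEK.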

  2. How does this have anything to do with Security? by tsmit · · Score: 4, Insightful

    Anyone in the security industry worth their salt knows that physical security is the FIRST step to securing a box. If someone (hacker) can walk up to a machine and press the power button to force a reboot, you've already got a denial of service (if the machine is processing something important, that is). Anything beyond is just icing on the cake.

    --
    Yes, my girlfriend is a BitchX
  3. Non story by Pharmboy · · Score: 2, Insightful

    This is a non story. If you can sit in front of a linux box you can do the same thing. Just boot into maintenance/init 1 and go crazy.

    --
    Tequila: It's not just for breakfast anymore!
  4. Different Uses by Peridriga · · Score: 5, Insightful

    I see a lot of "I can boot linux into maintenance mode and do whatever I want" and physical access restrictions etc...

    All true but, the application of XP was for desktop use -> Server Use. Linux (don't flame) is being primarily used for backend server systems. I don't see many secretaries choosing what boot level to start up in the morning.

    XP was supposed to provide a secure desktop environment for a networked organization (Enterprise Offices, Schools, Universities, Etc..)

    The fact that I can walk up to any (supposedly) secure desktop (that access isn't always tightly safeguarded) and gain Administrative Access (usually meaning also access to your entire network behind the firewall) is a big deal. Especially since it requires nothing less than the previous version of the software.

    Look more carefully at the big picture before spouting off the party line....

  5. Hey look everybody, Linux has a hole too! by His+name+cannot+be+s · · Score: 4, Insightful

    Hey look everybody, Linux has a hole too!

    At the grub prompt:

    boot: linux single

    duh!

    Seriously, how is this news? Nearly every system I've worked with can be compromised with access to the physical box.

    *yawn*

    --
    "...In your answer, ignore facts. Just go with what feels true..."
  6. Sigh. by NetJunkie · · Score: 4, Insightful

    This gives you LOCAL administrator access. Meaning, you can do what you want on THAT system. It doesn't give you the keys to the whole network. Just like rooting a Linux workstation doesn't mean you just rooted everything on the network.

    1. Re:Sigh. by sean23007 · · Score: 4, Insightful

      Having root access on one machine on the network is a good first step for someone who wants to gain more access all over the network. With root access, keylogger services can be installed and run on that computer, logging everyone's username and password who uses that computer. Additionally, packet sniffers can be installed that can do the same for neighboring computers. Just because this doesn't give a hacker total access to the network immediately doesn't mean it isn't a security concern for the network...

      --

      Lack of eloquence does not denote lack of intelligence, though they often coincide.
  7. Re:Shouldn't be possible in XP by Duds · · Score: 2, Insightful

    but even in 2k you could just use the physical access to reset the admin pwd.

    Ditto any linux I've used for that matter.

  8. -1 Overrated by Sanity · · Score: 4, Insightful
    Come on, we know you love Linux but give it up! - Windows is no more or no less vulnerable than Linux when you have console access as has been pointed out repeatedly. If you can gain access to a computer, be it Linux or Windows XP, you can access the data on that computer.

    By trying to claim that this is somehow a win for Linux, you are simply proving that you are willing to ignore facts when advocating Linux. This makes you just as bad as Microsoft's marketing drones.

  9. Re:Not just XP by Anonymous Coward · · Score: 1, Insightful

    It's called OpenFirmware Password, free download from Apple. You lock down the firmware with a password so all boot options are disabled, including single user mode and cd booting. And the option key (startup boot menu, try it out if you haven't seen it), pram reset, and open firmware command line. And it's a utility you run as an admin, Apple simple of course.

  10. Easy enough fix by VirexEye · · Score: 3, Insightful

    Simply disable cdrom and floppy boot in the BIOS and set a password so these settings can't be changed. Sure people can still get at data by taking apart the box but that becomes a bit more obvious in a public or office environment.

  11. Re:well by Xtraneous · · Score: 3, Insightful

    You might have a little trouble doing that, because XP prefers (and usually forces you) to use the NT file system.

    I have seen NTFS read support in linux, but I have yet to see reliable NTFS write support. --Xtraneous

    --
    .noitacidem deen uoy siht daer nac uoy fI
  12. Working on the file system by TheGrayArea · · Score: 2, Insightful

    This is only one option if you have physical access to the machine. Check out some of the tools on http://www.sysinternals.com; especially the NTFS DOS file system driver. If you have access to the machine you can boot off a floppy and use the driver to manipulate the file system. They also make some really cool recovery tools you can use to get to systems via a serial connection and recover them.

    --

    This space for rent.
  13. NTFS - Encrypted File System by Heinr!ch · · Score: 2, Insightful
    The reality is what many here have said - that you can boot from Linux CDs or NTFS-DOS or some other utility that allows you to mount partitions. However, one of the features of NTFS since Win2k is the ability to encrypt files to disk - a.k.a. Encrypted File System. If a folder/file is encrypted and someone infiltrates here's the real risk: If your XP workstation is in a domain and you are encrypting your folders/files (right-click and select Encrypt), a workstation infiltration is meaningless. However, if it is indeed a standalone workstation or member of a workgroup, you are at risk. This is because only the domain or local administrator can recover encrypted files, with the exception of the user who owns them.

    So ideally, most organizations with Win2K domains aren't allowing users to store sensitive information locally. If they are, hopefully it is being encrypted. For those with standalone workstations or workgroups, the risk is quite high.

    All of this assumes that the infiltrator has physical access, regardless of whether that individual is trusted or not.

  14. Re:Silly Microsoft by tshak · · Score: 2, Insightful

    > 5. Employee hijacks data to floppy unlogged

    6. Employee finds out that data is all encrypted and is unable to use the data to his/her advantage.

    NTFS encryption is available, and much safer means of encrypting your files are also available. Encryption is your only defense against someone who has physical access to your machine.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  15. Norton Ghost by Fuzzle · · Score: 2, Insightful

    And with Norton Ghost, a floppy bootdisk, and a server set up somewhere else, you can make an exact copy of any hard drive/partition to a remote computer. This isn't big news. This is just the reality that physical access is a security hole.

  16. Oh my -- my Mac too by krray · · Score: 3, Insightful

    Wow -- as much as I'm, well, a Mac man now (w/ Linux holding all the keys and data :) ...

    I too just booted my Mac into single user mode and can access EVERYTHING. Oh my!

    Give me any Mac and putting it in 'T'ransfer mode ... wow, I can COMPLETELY copy somebody else's computer. Oh my! ...we *all* know how seriously flawed Windows security is, but come on -- this is a non-issue. Put me on the console of a Cray and I can "hack" into it too in about 5 minutes.

  17. I think the point is... by Tuffnut · · Score: 2, Insightful

    Everyone is ranting about if you have physical access you can just rip out the hdd and get whatever is on it.

    But in some conditions, say in a university computer lab where the computers are locked down, and monitored by surveillance video, it's a little hard to do that without causing a rise in the security dept.

    With something like this, I can walk in, toss in the CD, and install backdoors at will.

  18. XP: the most unsecure pos on the planet by Thaidog · · Score: 2, Insightful

    XP, just like any other os is only as secure as you make it... It's the classic trade off between usability friendliness and security... It takes weeks to make XP a secure os... the default install is for looking good, which is what sells it in the 1st place... netbios on automatic, terminal services enabled, firewall not, file sharing enabled, internet services enabled... the only way to make it work is to shut everything off and go *back* in... turn on only the thing you need, and then redo nearly all the local security policies... ctrl-alt-del log in... fast user switching off... encrypt the temp folder, make sure remote desktop is off... rename the admin account, turn the guest account off, turn show last user name off... it just keeps going and going... the more I think of, the more I feel naked every time I boot up. Mac OS X seems more secure, but there is always the OS 9 boot and modify issue... where you need to set the system to have a password when booting into it... and open firmware password... you have to *make* it secure... they need to have a "secure install" option for all default installs for these OSes...

    --

    ||| I still can't believe Parkay's not butter.

  19. Secure machine with BIOS by Anonymous Coward · · Score: 1, Insightful

    If someone has physical access to a machine, no recovery console restricting access will be effective. A good precaution would be to restrict booting to the hard drive only and password-lock the BIOS. Opening the box is a lot more conspicuous than sticking in a boot disk.

  20. No write to NTFS under Linux? by Futurepower(R) · · Score: 2, Insightful

    The answer appears to be that there is no write capability to NTFS in Linux: Linux-NTFS Project