dbminter, posted February 20, 2006:
This information is about a year old, so is it still valid? Because a lot of what it says makes sense. http://forum.s-t-d.org/viewtopic.php?id=2116
lfcrule1972, posted February 20, 2006:
Well, some of the shortcuts they mention work on my work PC..... These are pretty much closed down by default, but some do work...
dbminter (thread author), posted February 20, 2006:
I'm more worried about the copying of CMD.EXE to SETHC.EXE. Even if you remove Accessibility Tools in Add/Remove, SETHC.EXE should remain because it is needed for Desktop Themes, I think.
Shamus_McFartfinger, posted February 20, 2006:
> This information is about a year old, so is it still valid? Because a lot of what it says makes sense. http://forum.s-t-d.org/viewtopic.php?id=2116

Interesting. It does the same with Win2K. What's even more interesting (to me anyway) is that it also brings up basically the same requester with Mandriva Linux. An industry standard perhaps? What remains obvious though is that if you (the nefarious hacker) want to break into a Windows box using the above method, you need to be physically sitting in front of it before proceeding to do all the fancy things explained in the forum. If you're already sitting in front of it, it'd be easier to change (or remove) the admin password, allowing you full access to everything without farting around too much. I've used a tool called "Offline NT Password & Registry Editor" a few times when people have given me their machines to look at without supplying the admin password to get into it. The program itself is a few years old but it still works and it's simple to use. http://home.eunet.no/~pnordahl/ntpasswd/
dbminter (thread author), posted February 20, 2006:
Yeah, I noticed that. Basically, you'd need to be at the keyboard to execute it as listed, but my thinking was whether it could be exploited thusly: the payload is designed to represent itself as a system update. It flags sethc.exe to be updated and initiates a call for restart; then, on restart, but before Windows loads, the update of sethc.exe occurs with a copy of cmd.exe. Then a cmd instance is initiated minimized on start of Windows, with piped code sent to the prompt to add a new user or users. It would then be added at the current signed-in level, which would be System according to what I read.
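A defender's check for the swap described in the post above, added here as an example and not part of the thread: it compares sethc.exe against cmd.exe by hash, looks at the version resource (a renamed cmd.exe still carries cmd.exe's OriginalFilename), and asks Windows whether the file's Authenticode/catalog signature is still valid. It is written against current PowerShell (Get-FileHash needs PowerShell 4.0 or later), not the XP-era systems the thread discusses, and assumes the standard %SystemRoot%\System32 location; the function name Test-SethcIntegrity and the output format are my own.

```powershell
# Added example (not from the thread): detect whether sethc.exe has been
# replaced by a copy of cmd.exe, as discussed in the post above.
# Assumes PowerShell 4.0+ (Get-FileHash) and the default System32 paths.
function Test-SethcIntegrity {
    $system32  = Join-Path $env:SystemRoot 'System32'
    $cmdPath   = Join-Path $system32 'cmd.exe'
    $sethcPath = Join-Path $system32 'sethc.exe'

    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmdPath).Hash
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethcPath).Hash

    $findings = @()

    # 1. A byte-identical copy of cmd.exe is the classic swap.
    if ($sethcHash -eq $cmdHash) {
        $findings += "sethc.exe is byte-identical to cmd.exe (SHA256 $sethcHash)"
    }

    # 2. The version resource of the genuine binary names itself 'sethc.exe';
    #    a renamed cmd.exe still reports cmd.exe's OriginalFilename.
    $vi = (Get-Item $sethcPath).VersionInfo
    if ($vi.OriginalFilename -and $vi.OriginalFilename -notlike 'sethc.exe*') {
        $findings += "sethc.exe version resource says OriginalFilename='$($vi.OriginalFilename)'"
    }

    # 3. Microsoft signs the real binary (directly or via a catalog). A modified
    #    or foreign copy normally fails this check. Caveat: on older Windows,
    #    catalog-signed system files can report NotSigned, so treat a failure
    #    here as a prompt to look closer rather than as proof on its own.
    $sig = Get-AuthenticodeSignature -FilePath $sethcPath
    if ($sig.Status -ne 'Valid') {
        $findings += "sethc.exe signature status is '$($sig.Status)'"
    }

    # Return the findings so the caller (or a scheduled job) can act on them.
    return $findings
}

$result = Test-SethcIntegrity
if ($result.Count -eq 0) {
    Write-Output "OK: sethc.exe looks genuine"
} else {
    Write-Output "ALERT: sethc.exe may have been replaced:"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

Running this from a scheduled task and comparing the recorded SHA256 against the value taken at build time gives a cheap integrity check; the hash comparison alone catches the plain copy the post describes, while the version-resource and signature checks also catch a copy that was padded or otherwise altered so that the hashes no longer match.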
Shamus_McFartfinger, posted February 20, 2006:
> Yeah, I noticed that. Basically, you'd need to be at the keyboard to execute it as listed, but my thinking was whether it could be exploited thusly: the payload is designed to represent itself as a system update. It flags sethc.exe to be updated and initiates a call for restart; then, on restart, but before Windows loads, the update of sethc.exe occurs with a copy of cmd.exe. Then a cmd instance is initiated minimized on start of Windows, with piped code sent to the prompt to add a new user or users. It would then be added at the current signed-in level, which would be System according to what I read.

I'm no expert but that sounds logical. Possibly even with a special boot code that executes upon startup. Something like a fake RAM drive (or whatever the hell it is) that programs like Partition Magic use when altering the C: drive. It's way out of my league in any event. The only saving grace for computer illiterates (like most of us) would be a decent firewall like ZoneAlarm that watches for new files or changes in old files wanting access to the outside world. This would have to be disabled also. Logically, unless the firewall was disabled (which BTW is the first process started by Windows AFAIK), traffic from outside would be unable to pass through the firewall filters. Not to mention getting past the router (which is mandatory these days) if one is available, which doesn't sound easy. I suppose if all this was accomplished, the victim's computer would also need to have remote management enabled. Dunno. Just my thoughts. I might be way off. An expert opinion would be nice. L_UK?
Shamus_McFartfinger, posted February 20, 2006:
> Nice app Shamus............

Ain't it a beauty? He's a clever fooker. So much for encrypted accounts, huh?
kevdriver, posted February 21, 2006:
Christ, Shamus, all this stuff I'm learning from you guys................ think I'll go underground soon....... The masked kevdriver.......... In all seriousness though, the guy that wrote that app is one clever dude. Worrying though if someone wanted to use it for other means than a productive one. Then again, if someone thought that way he probably would already have the knowledge to do what this app does anyway. At least if one of the guys at work gives me his/her computer to work on but fails to give me an admin password.................. no problem now.............
Shamus_McFartfinger, posted February 21, 2006:
> The masked kevdriver.......... In all seriousness though, the guy that wrote that app is one clever dude. Worrying though if someone wanted to use it for other means than a productive one. Then again, if someone thought that way he probably would already have the knowledge to do what this app does anyway.

Agreed. I'd kill to be half as talented. Knowing there are people out there that find ways around the security of operating systems is the primary reason I don't do online banking. The convenience versus the risk just isn't worth it. It's an eye opener seeing what clever people are capable of.

> At least if one of the guys at work gives me his/her computer to work on but fails to give me an admin password.................. no problem now.............

It's one of those "must have" tools and a very impressive piece of programming. To me it is anyway.