How secure is system32

Scott [scopes20]
10 years ago

0

I need to know if its possible to access “system32” as a restricted user.

To cut the story short, a user who was on a restricted account gained access to an admin account by changing the “Sethc.exe” (sticky keys) with a batch file renamed as “Sethc.exe”. This allowed the user to open command prompt by pressing the shift key 5 times, which meant he could open a command prompt on the login screen (which gives the cmd admin rights), a few well known commands later he was on the PC’s default admin acount (which was password protected).

The Sethc.exe is located in the system32 folder (which is hidden for restricted users). How is it possible for a restricted user to get into that file and how would i prevent it from hapening again?

20replies
7voices
239views
lodovico65
10 years ago

0

If you can change the boot sequence, just boot from the Windows installation CD and use the “Command prompt” recovery option.
Move to the folder “windows\system32” and rename the “cmd.exe” in “sethc.exe”. You can now restart and then shift repeated 5 times will give you a CMD window, from which comfortably run the “net user administrator”.
I hope I have understood what you wanted!

daMage
10 years ago

0

Gain access: Boot from external media
Mitigate the above: full disk encryption

lodovico65
10 years ago

0

daMage … the same! LOL

Scott [scopes20]
10 years ago

0

This is a client for the company i work for, i just asked about booting to a device and they say the option to boot to a device is disabled and the BIOS is password protected (PC’s have an actually lock on them so they cant be opened), is there any other way?

Scott [scopes20]
10 years ago

0

tag “disgruntled employee”.

I also asked how there ntfs permission is configured, they didnt reply.

lodovico65
10 years ago

0

I think the only other possibility is contact the Cumaean Sibyl (an oracle) or try the Ouija board … Or if that does not work … Have you try to ask to daMage??? :) LOL

lodovico65
10 years ago

0

Excuse the irony but after a sandwich and a beer that is the only answer that comes! :)

Scott [scopes20]
10 years ago | edited 10 years ago

0

I’m pretty sure that the way they configured there ntfs permissions were inefficiant, i had a quick look at there group policy and active diretory but there was nothing out of the black. (just incase there was). I going to convince them to change to thin clients and have a few managed servers (makes my life easier). cheers guys.

DaGr8Kornolio
10 years ago

0

How to they know it’s the method that has been used? On windows 7, even admins can’t modifiy this file, except if you take ownership.

You could cut the lock… it’s easy. Or get the key… Usually admin always use the same key for evrything. Maybe a copy was throw to the garbage. Lockpick it (don’t think so…) Also, for example, on Dell computer, you can lock the BIOS and change the boot order but you can still hit F12 at boot and access a boot menu. You can hide the message that offer the option… but it still works if you know the key. Maybe it’s the same for your client BIOS.

Maybe we don’t focus on the good thing… maybe the hackers didn’t boot from another source. @damage has written a tutorial that explain how to root windows using DMA. Maybe you could take a look at it…

DaGr8

DaGr8Kornolio
10 years ago

0

They don’t have to “manage” system32 permissions… It’s ok the way it is after installation. I would not hire you again if your solution to this problem was to buy several servers… Their mission is not to make your life easier. My 2 cents…

Scott [scopes20]
10 years ago

0

My solution isnt to buy a few servers, i said i think i know what the problem was, how the person got into that folder is still unknown, im not even on site so the information they gave me is all i have. All i know is that it happend and those are my theorys.

TheXero
10 years ago

0

Why not invoke the sticky keys before being logged on ;)

Scott [scopes20]
10 years ago

0

I could just invoke the sticky keys but DaGr8Kornolio would probably say im not doing my job correctly.

guuf
10 years ago | edited 10 years ago

0

scopes20, this sounds like the technique used to recover passwords, without software. It uses the Windows failure to start system, which consist of turning the system off and on during booting. Checkout this link
&list=UU7eBQV8hH3XDFq0baNEiVTw&index=7">Your text to link here…
This allows access to system32 through the Startup Repair system. Most Hackers don’t like to deal with; fixing, shoring up, or repairing Windows 7 security holes. This is why they prefer you use Unix derivative. Please, do not use for illegal purpose!

Scott [scopes20]
10 years ago

0

Thanks for the link, for all i know the culprit booted to a windows disk

DaGr8Kornolio
10 years ago

0

@Scopes20 : I’m trying to help you… I just though your solution had nothing to do with their problem. How can we help you? You are trying to find a way to hack with the sticky notes because you found that the file has been replaced? What version of windows this is? In the past I’ve used “at” command (cron equivalent) to get an admin command prompt. But it doesn’t work with windows 7.

I guess there is multiple ways to achieve this without booting on a CD…

DaGr8

Gninja
10 years ago

0

Everytime I’ve seen this its always been file replacing or using a Linux boot :D

lodovico65
10 years ago

0

I have the impression that we are not fully understanding what he scopes20 asks …

Scott [scopes20]
10 years ago

0

I think guufs theory fits the bill to be honest. DaGr8Kornolio i know your just trying to help, what i said about you saying im not doing my job correctly was a joke :), BTW they are useing XP sp3.

DaGr8Kornolio
10 years ago

0

@guff!!!!!!!!!! This is great discovery! Well done! I’ll keep that…

About the ducks…. is it 3?!? Does this make me a supreme intelligent being? I think so….

Peace
DaGr8

You must be logged in to reply to this discussion. Login
1 of 21

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss