It doesn’t take much to sit down at a computer and bypass pretty much any security that is set up on local accounts. There are a variety of LiveCD Linux distributions that can be used to pop into any computer and gain full control over the system.
All modern Linux distributions can read and write a “laundry” list of file systems, including NTFS. Linux gives you more control over the files on a Windows system, since it gives you access to folders you wouldn’t be able to open even as an Administrator of the Windows OS.
The problem comes in when you need access to more than just the files on the system. What if you have to make changes to the registry, or run an application that is installed on said computer? It is at these times that you need to be able to bypass the login screen on a Windows OS.
Getting someone’s password can at times be difficult, especially if the user is remotely security conscious and doesn’t write their password down and tape it under the keyboard or in some other obvious place. There are programs out there, such as Ophcrack, that will try to crack the user’s password. That is done by using a dictionary attack against the file where passwords are stored. In Windows OS, that would be the SAM file. The SAM file can be found under ‘c:\windows\system32\config\SAM’.
The main problem with programs like Ophcrack is the same problem you have when trying to perform any dictionary attack: if the password you’re trying to crack is not in the dictionary list you have, you will never crack it.
An alternative is to change or clear a user’s password. I’ve used and still use a bootable CD called ERD Commander. ERD Commander is like a Windows version of a Linux LiveCD. It will boot up and ask where Windows is installed on the system, then I am able to edit the registry as needed or use a program called Locksmith that allows you to change the user’s password. ERD Commander has a few other features; the one that I have set up has some network drivers built into it, and also has Ghost.
The biggest issue I have with ERD Commander is that it is slow to load. So when chntpw came along, I stopped using ERD Commander. Chntpw is a Linux utility to reset a Windows user’s password. It also gives you the ability to edit the registry on a Windows computer.
So now you could use a Linux LiveCD once again to boot the machine. Most distros will have chntpw installed or in the repositories. Just navigate to where the SAM file is located and type chntpw -l SAM. This will give you a list of all Windows users for the system and some information about their accounts. Now you can type chntpw -u username SAM to edit a user’s account (replace username with the user’s name). From this point on you just follow the onscreen instructions. You will have the options to blank their password, change their password, or upgrade their account. It is suggested that you blank their password rather than change it. Changing the password doesn’t always work. But if you blank their password you can always set a new password once you have logged into their account on the Windows side. When chntpw asks if you want to write the hive, choose yes. This will save your changes.
Upgrading or downgrading a user’s account will give or take permissions from the user. Chntpw is a faster alternative to ERD Commander. It also gives you the ability to clear/blank the password on Vista systems whereas ERD does not work on Vista systems.
The big stumbling block to using either of these options is that they change or clear a user’s password. So, the next time the user goes to log in, they won’t be able to since their password has been changed. You won’t be able to change their password back since you don’t know their password (if you did, you would not have to use either of these programs).
We have another option in a very small bootable ISO image called Konboot. Konboot can be downloaded in a very small zip file. It is about 8.7kb zipped up. Once downloaded, unzip the ISO and burn it to CD using your favorite CD burning program. When you put this CD in a computer and boot from it, you will see a boot screen that says “kryptos Logic” with a scrolling banner below it. The first time I used it, I sat at that screen for a little while till I realized I had to press “any key”. I pressed “Enter” and the system continued to boot. It seems like the system is booting normally and you will end up at the login screen you are used to. There is one difference at this point: You don’t need a password to log in. Just choose a user and hit “Enter”. You are now logged in as that user.
When you are done doing whatever it is that you need to do, just restart the computer without the CD in the drive. The system is back to normal with the original password. According to the Konboot website, Konboot has been tested on Windows XP, Vista, Windows 7, Server 2003, and Server 2008. It’s also worth mentioning that there is a version of Konboot for Linux systems.
Another way to get through the login screen on a Linux system is with chroot. Available either by default or through repositories, chroot allows you to change what the system sees as the root directory. Boot a LiveCD containing chroot and mount the hard drive partition that contains the Linux OS that you want access to. If the partition is mounted to /media/disk, then open a terminal screen and run chroot /media/disk. Now, anything you do in that terminal will act as though it is running on the system you have chrooted to.
At this point, you can use the passwd command to change a user’s password much like we did with chntpw for Windows. The command would be typed like this: passwd username. Replace username with the name of the user whose password you would like to change. Type the new password and confirm it by typing it a second time. This will successfully change the password.
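From the defender's side, a password changed this way shows up in /etc/shadow as a new password field and an updated last-change day, so it can be caught by comparing the file against a trusted copy. The following is an added example, not part of the original article; it assumes a baseline copy of /etc/shadow is kept off the machine, and the sample entries are constructed.

```python
from datetime import date, timedelta

# Constructed sample data, not from a real system.
# shadow(5) fields: name:hash:lastchg(days since 1970-01-01):min:max:warn:...
BASELINE = """\
root:$6$saltA$hashA:19700:0:99999:7:::
alice:$6$saltB$hashB:19650:0:99999:7:::
bob:$6$saltC$hashC:19600:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
CURRENT = """\
root:$6$saltA$hashA:19700:0:99999:7:::
alice:$6$saltX$hashX:19800:0:99999:7:::
bob::19600:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""


def parse_shadow(text):
    """Map user -> (password field, lastchg in days or None)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3:
            continue
        lastchg = int(fields[2]) if fields[2].isdigit() else None
        entries[fields[0]] = (fields[1], lastchg)
    return entries


def audit(baseline_text, current_text):
    """Return (user, finding) pairs for entries that differ from the baseline."""
    base, cur = parse_shadow(baseline_text), parse_shadow(current_text)
    findings = []
    for user, (pw, chg) in sorted(cur.items()):
        if pw == "":
            findings.append((user, "empty password field"))
        elif user not in base:
            findings.append((user, "account not in baseline"))
        elif base[user][0] != pw:
            when = (date(1970, 1, 1) + timedelta(days=chg)).isoformat() if chg is not None else "unknown"
            findings.append((user, f"password field changed, lastchg={when}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(BASELINE, CURRENT):
        print(f"{user}: {finding}")
```

A change that matches no known password reset is worth investigating. The baseline has to live somewhere the machine's disk cannot reach, since anyone who can mount the disk can edit a local copy as well.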
Now, given the number of different ways we can bypass local security on most systems, I present these questions to you: “How secure is your system? How do we protect ourselves from these types of attacks?” One way is to set a BIOS password. This is a good deterrent, but there are ways to get around that, too.
I believe that encrypting your hard drive is the best policy. This will stop all the attacks I have listed above. Setting a hard drive password also works rather well and is not so easy to get around. If you set a hard drive password or encrypt your drive, be sure to remember your password or you’re screwed.