Lab E2: Bypassing Authentication and Resetting Passwords

TTM4175
November 3, 2014
The purpose of this lab is to get familiar with methods for bypassing the authentication and access control of Windows and Linux machines. The scenario in this lab is that you have a Windows 7 machine whose contents you would like to obtain. Unfortunately, the computer is password protected and you do not know the password. Your task will be to bypass the authentication mechanisms of Windows in order to get access to the machine.

Additionally, you will also change or clear the user password of a Lubuntu Linux virtual machine, demonstrating that bypassing the authentication is not only possible on Windows machines.
0 Enabling hardware virtualization support

This section is optional and is only meant to make VirtualBox run a bit faster on the lab computers. You can safely skip this section if you do not mind the speed of VirtualBox.

Simulating an entire operating system in software can be a computationally demanding task. Fortunately, most modern CPUs provide hardware-supported virtualization technology that programs like VirtualBox can make use of to speed up their operations. On some computers this feature is enabled by default, but on others it has to be enabled in the BIOS [1]. The following description explains how you can enable this on the lab computers. If you want to enable this on your own laptop you will probably have to follow steps similar to the ones described here (i.e., go into the BIOS and make some adjustments), but the exact steps will most likely differ depending on your hardware.

Restart the lab computer. When the boot screen appears (the big HP logo), press F10 and select “English”. Then use the keyboard arrows to navigate to the “Security” menu and select “System Security”. Now enable the lines “Virtualization Technology (VTx)” and “Virtualization Technology Directed I/O (VTd)” by pressing the right/left arrows on your keyboard. Hit F10 to accept, then go to “File” and select “Save Changes and Exit” to confirm and restart the machine.

After you have logged into your lab computer again you need to make VirtualBox take advantage of the virtualization feature. Do the following for each of your installed virtual machines. Go to “Settings → System → Acceleration” and enable Hardware Virtualization as shown in Figure 1. That’s it. You can now run your virtual machines as normal, but hopefully they will run a little bit faster.

[1] Basic Input/Output System: the first software that runs when you turn on your computer. Its task is to initialize all the hardware and start the installed operating system (often called bootstrapping).
Figure 1: Enabling hardware virtualization support in VirtualBox.
1 Bypassing the Windows login

Start the Windows 7 machine in VirtualBox and verify that you cannot access the ttm4175 user account without having the password. Shut down the machine again. If Windows 7 were running on a real physical machine we would run Kali from a live-USB (like you did in Lab E1) in order to access its contents from the “outside”. However, in this lab we will instead simulate that Windows 7 and Kali were installed on the same physical machine by attaching the virtual hard disk containing Windows 7 to the Kali machine.
1.1 Attaching the Windows 7 disk to the Kali machine in VirtualBox

In VirtualBox, with the Kali VM selected, click on “Settings” then “Storage”. Next to the label “Controller SATA” click on the icon that reads “Add Hard Disk” (see Figure 2).

Figure 2: Attaching another partition to our Kali VM.

Select the option “Choose existing disk” and find the file called Windows 7.vdi [2]. Add it to the Kali machine and click “OK”. Your settings should now look similar to those in Figure 3. It is important that the Windows 7 virtual machine is turned off while doing this.

[2] Note that if you are doing this on your own laptop and you followed the lab description from Lab E1, then this file will most likely be called Windows 7-disk1.vmdk.

Figure 3: Windows 7 disk attached to the Kali VM.

1.2 Mounting the Windows 7 partition within Kali

You are now ready to begin bypassing the Windows authentication from within Kali. Boot up Kali, and once inside start a terminal and verify that the Windows 7 disk is detected as a device from within Kali by using the utility program fdisk, which lists information about all the disks and partitions attached to your machine:

# fdisk -l

The output should be similar to that of Figure 4, where Kali has assigned the Windows disk to the device label sdb2.
Figure 4: Locating the Windows device.
Important! The device labels (sda, sdb, sdc, etc.) that Kali assigns to a disk can differ from system to system. The Windows disk might be assigned to a different label on your machine! Therefore it is important that you identify the correct device label on your own system. By looking at a combination of the file system (“System” in Figure 4), disk size, and the number of partitions on the disk, one can usually quite easily recognize the correct label.
Before you can access the contents of the Windows disk you need to mount its file system inside Kali. Typically, plug-and-play peripherals (like USB sticks, flash drives, etc.) are mounted within the folder /media, whereas hard disks are mounted under /mnt [3]. Make a folder called /windows under /mnt and mount the Windows 7 partition in it with the mount command:

# mkdir /mnt/windows            % create a folder to mount the Windows file system in
# mount /dev/sdb2 /mnt/windows  % this will incorporate the Windows file system
                                % under the /mnt/windows folder in Kali
# ls /mnt/windows

Now that the Windows 7 partition is fully incorporated as a file system within Kali, you are free to view, edit, move or delete all its files as if they were regular files in Kali.

[3] This is just a convention. You are free to mount the file system wherever you want.

1.3 Changing the user password

While having access to the Windows files from within Kali is nice, our next goal is to be able to run Windows 7 normally. To accomplish this we will need to bypass the Windows login screen. Since we do not know the user’s password we will simply have to change it! By modifying some crucial system files in Windows from within Kali, we can give ourselves access to a command line prompt with administrator access the next time we boot up Windows 7. So that is what we are going to do next. Make sure that the Windows 7 virtual machine is turned off before continuing!
On your Kali machine, with the Windows disk mounted as described in the previous section, change into the System32 directory of the Windows file system from within Kali:

# cd /mnt/windows/Windows/System32

This folder contains many of the most important files for the Windows operating system. In particular, it contains the binary for the command line prompt, cmd.exe, but also the binary for the on-screen keyboard, osk.exe, which allows you to type characters into Windows without having a keyboard. The interesting thing about the on-screen keyboard utility is that it can be run before you have logged in (Figure 5). Even more interesting is that programs executed before you have logged in run with administrator privileges!

Figure 5: The on-screen keyboard utility available before having logged in.

So what would happen if we were to swap out the osk.exe binary (the on-screen keyboard) with the cmd.exe binary (the command line)? Let’s find out. Start by moving the real osk.exe to a backup file:

# mv osk.exe osk.exe.backup   % rename the file osk.exe to osk.exe.backup

Now copy cmd.exe to osk.exe so that enabling the on-screen keyboard will actually give us a command prompt instead:

# cp cmd.exe osk.exe   % overwrite the osk.exe binary with the cmd.exe binary
Now unmount the Windows 7 partition and shut down Kali:

# umount -l /mnt/windows   % “release” the Windows partition from the Kali file system
# halt
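Added example (Python, not part of the lab hand-out): a small integrity check that a defender could run against the mounted Windows disk from Kali (before unmounting it) or on the Windows machine itself, to detect exactly the substitution performed above. It reports an osk.exe that is byte-for-byte identical to cmd.exe, an osk.exe whose hash no longer matches a known-good inventory, and leftover .backup files in System32. The directory contents and the baseline dictionary in the demo are constructed for the demonstration; check_system32 and demo are names chosen here.

```python
"""Detect the osk.exe/cmd.exe substitution from the lab (added example, not lab material).

Two checks are combined:
  1. osk.exe must not be byte-for-byte identical to cmd.exe (the lab's swap).
  2. if a baseline of known-good SHA-256 hashes is supplied, osk.exe must match it
     (catches any replacement, not just a copy of cmd.exe).
Leftover *.backup files in System32 are reported as well, since the lab leaves one.
"""
import hashlib
import os
import shutil
import tempfile

# Accessibility binaries that can be launched from the login screen. Only the one
# used in the lab is listed; an administrator would extend this tuple.
WATCHED = ("osk.exe",)


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_system32(system32_dir, watched=WATCHED, baseline=None):
    """Return a sorted list of (file name, finding) tuples; an empty list means clean.

    system32_dir is e.g. /mnt/windows/Windows/System32 when the disk is mounted
    from Kali, or C:\\Windows\\System32 when run on the Windows machine itself.
    baseline (hypothetical) maps file names to the SHA-256 of a known-good install.
    """
    findings = []
    cmd_hash = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    for name in watched:
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
            continue
        digest = sha256_of(path)
        if digest == cmd_hash:
            findings.append((name, "identical to cmd.exe"))
        elif baseline and name in baseline and baseline[name] != digest:
            findings.append((name, "hash differs from baseline"))
    for entry in os.listdir(system32_dir):
        if entry.lower().endswith(".backup"):
            findings.append((entry, "unexpected backup file"))
    return sorted(findings)


def demo():
    """Build a constructed System32 directory and run the check before and after the swap."""
    sys32 = tempfile.mkdtemp(prefix="system32-")
    with open(os.path.join(sys32, "cmd.exe"), "wb") as fh:
        fh.write(b"constructed stand-in for cmd.exe")
    with open(os.path.join(sys32, "osk.exe"), "wb") as fh:
        fh.write(b"constructed stand-in for osk.exe")
    baseline = {"osk.exe": sha256_of(os.path.join(sys32, "osk.exe"))}

    before = check_system32(sys32, baseline=baseline)
    # Reproduce the lab's modification: mv osk.exe osk.exe.backup; cp cmd.exe osk.exe
    os.rename(os.path.join(sys32, "osk.exe"), os.path.join(sys32, "osk.exe.backup"))
    shutil.copyfile(os.path.join(sys32, "cmd.exe"), os.path.join(sys32, "osk.exe"))
    after = check_system32(sys32, baseline=baseline)

    shutil.rmtree(sys32)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before swap:", before)
    print("after swap: ", after)
```

Comparing against cmd.exe catches this lab’s trick only; the baseline comparison is the general form of the check, since any replacement of a pre-login binary changes its hash.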
Start the Windows 7 virtual machine and select to log in as user ttm4175. Enable the on-screen keyboard when you reach the login screen. What happens? Hopefully you got what is shown in Figure 6.

Figure 6: The on-screen keyboard tricked into giving us a command line prompt – with administrator access!

In the command prompt type:

C:\Windows\system32> whoami

The whoami command shows you the username and user privileges of the currently logged-in user. In particular, Figure 6 shows that you are “logged in” as the system user, which has full administrator privileges. This means that you can now do whatever you like on the system. For example, you can start explorer.exe to get access to the taskbar even when you are not logged in:

C:\Windows\system32> explorer.exe

Ultimately, however, we want to get normal access to the system, i.e. without mounting it within Kali. The good news is that with your current administrator rights this is easy! Your task is now to change the password of user ttm4175 to a password of your choosing, allowing you to log in as normal.

Hint: There is a command line utility for Windows called net user which could be useful. To get more information on how to use this command, type net user /? in the command line window or look it up online.

Note: After you have successfully logged in as user ttm4175 you will notice that there is an interesting folder on the desktop called private_folder. Can you access it and its contents? (See also Question 1.)
2 Clearing the user password in Windows

As an alternative to swapping out system files in order to be able to change the user’s password, one can also simply clear it. Your next task is to do exactly that.

2.1 Updating chntpw

Windows 7 passwords are stored hashed in the Security Accounts Manager (SAM) database, which is a registry hive file located in the /Windows/System32/config folder. The Windows Registry is a special kind of database used by the Windows operating system to store important configuration settings and options. The files that make up the Windows Registry are called registry hives. We will manipulate the SAM registry hive to clear the hashed password pertaining to user ttm4175.

As before, start by mounting the Windows partition (with the Windows machine turned off!) within Kali and go to the following folder:

# mount /dev/sdb2 /mnt/windows
# cd /mnt/windows/Windows/System32/config
# ls

The SAM file is stored in a binary format and is not readily readable without a proper tool. In order to clear the user’s password from the SAM file, we will be using a program called chntpw [4]. Unfortunately, the version of chntpw that ships with Kali (0.99.6) does not actually work. Thus, we need to replace it with a newer version. Issue the following commands to first remove the old version, then download and install the new one:

# apt-get remove chntpw
# wget https://launchpad.net/ubuntu/+archive/primary/+files/chntpw_1.0-1_i386.deb
# dpkg -i chntpw_1.0-1_i386.deb
# rm chntpw_1.0-1_i386.deb   % remove the installation file

[4] If you want to run this program on your own, e.g. from a bootable USB, you can get a working version from http://pogostick.net/~pnh/ntpasswd/.

2.2 Clearing the Windows password with chntpw

Start chntpw in interactive mode by using the -i flag and read in the SAM file. Note that the SAM file is stored either in upper case as SAM or in lower case as sam, so choose the name that is used on your system.

# chntpw -i sam
Now you just have to follow the on-screen instructions as shown in Figure 7.
Figure 7: Starting chntpw in interactive mode.
In particular, select Option 1 to begin clearing a user password (the number in square brackets denotes the default), then select that you want to clear the password for user ttm4175 by entering its RID (0x03e8 in Figure 7). Do not clear the password of the user called Lab3 DO NOT WIPE – duh! Choose Option 1 again to clear the password of ttm4175 (Figure 8). Finally, write these changes to disk by quitting the current context (q) and confirm when asked whether you would like to save the changes (y). You have now cleared the user’s password!

Unmount the Windows partition from Kali Linux before continuing. In order to unmount Windows, you’ll have to step out of the Windows folders first, so change to your home folder:

# cd ~
# umount /mnt/windows

Figure 8: Clearing the password of user ttm4175.
Turn off Kali and reboot the Windows 7 machine. Hopefully, you should not need to type in any password when logging into the ttm4175 account. Again, try to access the folder named private_folder (Question 1).

Note: After you have finished poking around in user ttm4175’s personal files, turn off the Windows machine and detach the Windows 7 hard disk from the Kali Linux machine. Go to the “Settings” of your Kali Linux machine again and click on “Storage”. Select the Windows 7 disk and click on the “Remove attachment...” button (Figure 9).

Figure 9: Detaching the Windows 7 disk from the Kali VM.
3 Bypassing Linux authentication

3.1 Importing Lubuntu into VirtualBox and starting Kali Live

We have prepared a virtual machine containing a small variant of Linux called Lubuntu in the file Lubuntu.ova. Either ask the teaching assistants for a USB stick containing the file or download it from here: http://www.item.ntnu.no/fag/ttm4175/downloads/Lubuntu.ova (the file is approximately 900 MB). Lubuntu is a lightweight version of Ubuntu which we will use to simulate the lab computer environment.

First import the machine by going to the main window of VirtualBox and clicking “File → Import Appliance...”. Find the file Lubuntu.ova and click “Import” (you can leave all settings at the default). If you boot it up you will be taken to the login screen shown in Figure 10.

Figure 10: The login prompt of Lubuntu.

We could now have done the same as in the previous sections and added the Lubuntu hard drive to the Kali Linux machine. Instead, we will clear the login password of the Lubuntu machine by running Kali Linux from a live-CD (similar to the live-USB you created in Lab E1). However, we will not create a physical CD, but rather imitate everything within VirtualBox.

Turn off your Lubuntu machine and click on “Settings → Storage”. Now we simulate that we are inserting a CD-ROM (containing Kali Live) into the machine by clicking on “Add CD/DVD Device” (Figure 11). Select “Choose disk” and locate the Kali Linux ISO file kali-linux-1.0.8-i386.iso on your host machine.

Figure 11: Attaching a (virtual) CD-ROM to the Lubuntu virtual machine.

Start your Lubuntu machine. It will boot from the (virtual) CD-ROM containing Kali Linux instead of the (virtual) hard disk containing the Lubuntu operating system. Thus it will give you the menu shown in Figure 12. Select the “Live (686-pae)” boot option.
Figure 12: Running Kali Linux from a live-USB.
3.2 Clearing the login password on Linux with Kali Live

The strategy for bypassing a Linux machine’s login prompt is quite similar to what you did for Windows 7. That is, we first need to mount the Lubuntu partition within Kali, then make some changes to the files responsible for handling login data like usernames and passwords.

Inside Kali create a mount point for Lubuntu and mount it. Since Lubuntu uses the same file system as Kali, be careful that you mount the right partition and do not accidentally mount the Kali partition within itself. In Figure 13 the Lubuntu hard drive is assigned to the device /dev/sda and the operating system partition to /dev/sda1.

# mkdir /mnt/lubuntu
# fdisk -l                      % find out which device contains Lubuntu
# mount /dev/sda1 /mnt/lubuntu  % sda1 in our example -- could be different for you!
Figure 13: Finding the device label assigned to Lubuntu within Kali Live.
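The device-label caveat of Section 1.2 (Figure 4) and the warning above about mounting the Kali partition within itself both come down to reading the fdisk -l output carefully. As an added example (Python, not part of the lab hand-out), the following script parses fdisk -l output in the format printed by the util-linux version on Kali 1.0.x and proposes the largest partition of the wanted type that the running system has not already mounted. FDISK_SAMPLE and MOUNTS_SAMPLE are constructed for the demonstration (an installed Kali on sda, a Windows 7 disk on sdb); the function names are chosen here.

```python
"""Pick the right partition from `fdisk -l` output (added example, not lab material).

Parses the partition-table lines that fdisk (util-linux 2.20, as on Kali 1.0.x) prints,
and refuses to propose a partition the running system already has mounted, which is
the mistake the lab warns about when the target and Kali use the same file system type.
"""
import re

# Constructed `fdisk -l` output: sda holds an installed Linux system, sdb a Windows 7 disk.
FDISK_SAMPLE = """\
Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders, total 16777216 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x000a1b2c

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048    15988735     7993344   83  Linux
/dev/sda2        15990782    16775167      392193    5  Extended
/dev/sda5        15990784    16775167      392192   82  Linux swap / Solaris

Disk /dev/sdb: 26.8 GB, 26843545600 bytes
255 heads, 63 sectors/track, 3263 cylinders, total 52428800 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x1a2b3c4d

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
/dev/sdb2          206848    52426751    26109952    7  HPFS/NTFS/exFAT
"""

# Constructed /proc/mounts excerpt: the running (installed) Kali lives on /dev/sda1.
MOUNTS_SAMPLE = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

PART_RE = re.compile(
    r"^(?P<dev>/dev/\S+)\s+(?P<boot>\*)?\s*(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<blocks>\d+)\+?\s+(?P<id>[0-9a-fA-F]+)\s+(?P<system>.+?)\s*$"
)


def parse_fdisk(text):
    """Return one dict per partition line: device, bootable flag, size, type id, type name."""
    parts = []
    for line in text.splitlines():
        m = PART_RE.match(line)
        if not m:
            continue
        parts.append({
            "device": m.group("dev"),
            "boot": m.group("boot") == "*",
            "size_gb": int(m.group("blocks")) * 1024 / 1e9,  # fdisk blocks are 1 KiB
            "id": int(m.group("id"), 16),
            "system": m.group("system"),
        })
    return parts


def mounted_devices(mounts_text):
    """Devices that appear as the source of a mount in /proc/mounts-style text."""
    return {line.split()[0] for line in mounts_text.splitlines() if line.startswith("/dev/")}


def pick_partition(fdisk_text, mounts_text, wanted):
    """Largest partition whose type name satisfies `wanted` and which is not mounted.

    `wanted` is a predicate on the System column. Returns the device path, or None
    when nothing safe to mount was found (e.g. the only match is the running OS).
    """
    busy = mounted_devices(mounts_text)
    candidates = [p for p in parse_fdisk(fdisk_text)
                  if wanted(p["system"]) and p["device"] not in busy]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p["size_gb"])["device"]


def is_ntfs(system):
    return "NTFS" in system


def is_linux_fs(system):
    return system == "Linux"   # excludes "Linux swap / Solaris" and "Extended"


if __name__ == "__main__":
    print("Windows partition:", pick_partition(FDISK_SAMPLE, MOUNTS_SAMPLE, is_ntfs))
    print("Other Linux partition:", pick_partition(FDISK_SAMPLE, MOUNTS_SAMPLE, is_linux_fs))
```

On a real machine the two inputs come from the output of fdisk -l and the contents of /proc/mounts. With the sample data the NTFS query returns /dev/sdb2 (the large Windows partition, not the small boot partition), while the Linux query returns None because the only ext4 partition is the one Kali is running from.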
With the Lubuntu partition mounted inside Kali you can modify all its files just as if they were normal files in Kali. Your task now is to make changes to the Lubuntu partition so that the next time you boot it up you will not be required to enter a password in order to log in.

Hint: Many Linux systems store their users’ credentials in the files passwd and shadow located in the /etc folder. What are the contents of /mnt/lubuntu/etc/passwd and /mnt/lubuntu/etc/shadow? (See also Question 3.)
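Added example (Python, not part of the lab hand-out) for the hint above and for Question 3: an audit script that joins /etc/passwd with /etc/shadow and reports accounts that will log in without any password, password fields kept in the world-readable passwd file instead of shadow, and weak hash types. The two sample files are constructed and the hash strings in them are placeholders, not real hashes; parse_colon_file, classify and audit are names chosen here.

```python
"""Audit /etc/passwd and /etc/shadow for password-less accounts (added example, not lab material).

Field layout (see passwd(5) and shadow(5)):
  passwd: name:password:UID:GID:GECOS:home:shell   ("x" means the hash lives in shadow)
  shadow: name:password:lastchange:min:max:warn:inactive:expire:reserved
A shadow password field that is empty means the account logs in with no password at
all; "!" or "*" means the account is locked; "$id$salt$hash" is a crypt(3) hash.
"""

# Constructed samples. The hash strings are placeholders, not real password hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ttm4175:x:1000:1000:ttm4175,,,:/home/ttm4175:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$abcdefgh$PLACEHOLDERMD5HASHxxxxxxxx:1002:1002:Legacy:/home/legacy:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""

SHADOW_SAMPLE = """\
root:!:16300:0:99999:7:::
ttm4175:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:16300:0:99999:7:::
guest::16300:0:99999:7:::
nobody:*:16300:0:99999:7:::
"""

# crypt(5) prefixes to hash names
HASH_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_colon_file(text, expected_fields):
    """Map user name -> list of fields for a colon-separated file; skip comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != expected_fields:
            raise ValueError("malformed line: %r" % line)
        entries[fields[0]] = fields
    return entries


def classify(password_field):
    """Describe a password field: 'none', 'locked', a hash name, or 'unknown'."""
    if password_field == "":
        return "none"
    if password_field.startswith(("!", "*")):
        return "locked"
    if password_field.startswith("$"):
        return HASH_NAMES.get(password_field.split("$")[1], "unknown")
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return sorted (user, issue) pairs; an empty list means nothing suspicious was found."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    issues = []
    for user, fields in passwd.items():
        if fields[1] != "x":
            # Hash (or empty field) kept in the world-readable passwd file, bypassing shadow
            issues.append((user, "password field not shadowed"))
            continue
        if user not in shadow:
            issues.append((user, "no shadow entry"))
            continue
        kind = classify(shadow[user][1])
        if kind == "none":
            issues.append((user, "empty password: login without a password"))
        elif kind == "md5crypt":
            issues.append((user, "weak hash: md5crypt"))
        elif kind == "unknown":
            issues.append((user, "unrecognised password field"))
    for user in shadow:
        if user not in passwd:
            issues.append((user, "shadow entry without passwd entry"))
    return sorted(issues)


if __name__ == "__main__":
    for user, issue in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print("%-10s %s" % (user, issue))
```

To run it against a mounted disk, read /mnt/lubuntu/etc/passwd and /mnt/lubuntu/etc/shadow into the two arguments of audit. The sample data yields two findings: guest has an empty shadow password field, and legacy keeps its hash in passwd rather than in shadow.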
After having bypassed the login screen of Lubuntu, pick a new password using the passwd command line utility (note that this is not the same as the /etc/passwd file!). That is, open a command line window from inside Lubuntu (click the Lubuntu icon down on the left and go to “System Tools → UXTerm”) and issue the following command:

ttm4175@ttm4175-Lubuntu:~$ passwd ttm4175
Enter new UNIX password:

Enter your new password [5]. Now take a look at the contents of /etc/passwd again. What is different from before? How can you turn it back to the way it was before you modified it? (Again, see Question 3.)

[5] It is interesting to note that the passwd command usually requires administrator rights in order to be used, i.e., you would normally have to prepend sudo to the command and type in your (current) password to use it. However, in this case you have blanked the user’s password, so there is no password to ask for!

3.3 Other ways of bypassing the Linux login

This part is optional.

Like for the Windows machine, there are several different ways of bypassing the authentication mechanisms in Linux. See if you can find a different method for achieving the same goal, then try it out.
3.4 Wiping the password of the lab computers

This part is optional.

Create a physical live-USB with Kali Linux (like you did in Lab E1) and use it to bypass the authentication of the lab computers. If you are doing the lab on your own laptop, feel free to try this out on your own machine also, but be careful that you do not mess up your own system – we do not take any responsibility if you leave your computer in a broken state!
Questions

Q1. After having changed the password of user ttm4175 in Section 1.3, could you access the folder named private_folder and its contents? Why or why not? Similarly, after clearing the user’s password in Section 2, could you then access the folder? What are the requirements for getting into this folder?

Q2. You have just seen that the authentication process of both Windows 7 and Linux can easily be circumvented if you have physical access to the machine. Is the authentication of a Mac running OS X more secure against this? If yes, why is that? If no, how would you bypass it?

Q3. Most modern distributions of Linux use both /etc/passwd and /etc/shadow to store their user credentials. What is the purpose of the shadow file?

Q4. How can we protect our computers against the attacks in this lab?

Q5. Many modern operating systems automatically mount a disk or peripheral (like a USB drive) when they detect that it is connected. What could be the reasons for Kali not choosing to do this?