It takes only an inch of pocket space to carry a pen drive :-) In this post we'll see how the BackTrack distro, loaded onto a pen drive or a Live CD, can wreak havoc on a Windows machine in just 10 minutes.
The BackTrack Live CD can be a golden resource for bypassing the preinstalled Windows XP: it gives the attacker a way into your native partitions without ever touching the original OS.
To perform the experiment below you need:
1. The BackTrack ISO. Download here
2. Some ISO burning program. Download Magic ISO here
3. A little common sense
The aim of this article is to dispel the myth of Windows XP security: a password-protected operating system on your machine does not by itself guarantee privacy.
Minute 1
Your computer is open to physical access. For some unethical reason, the attacker finds the machine worth attacking.
- The hacker inserts a bootable BackTrack Linux USB pen drive or Live CD into the machine. If the default first boot device is the HDD, he goes into the BIOS and changes it to USB / CD.
Minute 5
After setting the first boot device to USB / CD, he inserts his BackTrack Live CD and boots into the BackTrack GUI.
To learn what BackTrack is, and what makes it attractive to hackers of every hat (white, black and grey), you might want to read this PDF document.
The steps above tell the machine to skip the operating system installed on the hard disk (in this case we skip Windows XP and boot BackTrack instead).
Minute 7
Black Hat Action One
Dump the SAM file
A Windows XP machine stores its password hashes in the SAM file, kept locally in the X:\WINDOWS\System32\config directory alongside the system hive. While the user is logged on, Windows XP locks the encrypted file so it cannot be copied or viewed.
Booting the system from a Live CD, however, makes the files fully accessible to the attacker,
who can then crack them with the proper tools:
# cd /mnt/hda1/WINDOWS/System32/config
# cp SAM /temp
# cp system /temp
# cd /temp
# bkhive system key
# samdump2 SAM key > /temp/passwords.txt
Black Hat Action Two
Kill that SAM
Owing to cryptographic limitations, a black hat might not be able to crack a sufficiently long password. In that case he may want to remove or disable it instead!
In most cases, as far as I've tried, http://home.eunet.no/pnordahl/ntpasswd/ works great. A cracker just has to burn that .ISO image onto a blank CD and boot the system from it.
By navigating the text menus and following the on-screen instructions, it is trivial to reset a chosen user's password or promote an existing user to Administrator privileges.
The image above shows the password reset option, which resets the Windows XP password to blank.
The next screenshot shows that the password has been reset to blank.
After using the machine as an administrator, the malicious hacker makes sure to restore the original SAM file so as to clean up the evidence.
# cd /mnt/hda1/WINDOWS/System32/config
# cp SAM /mnt/sda1/
# cp system /mnt/sda1/
Cleaning up the tracks to evade detection
Cracking something might be easy, and so is getting caught.
Usually, a clever black hat backs up the original SAM file so that he can restore it after the attack is finished. Installing a backdoor is easy, but chances are that the authorized administrator of the compromised system will detect it, in which case it is obvious that it will be quickly closed. Popular techniques for keeping a backdoor alive include using an already open port. Also, a well-configured Windows XP keeps logs of when users access the system and run programs; there are built-in programs in BackTrack that assist in log file modification.
WHITE HAT TIP: How to prevent this from happening to you
- Keep the hard drives encrypted. Who knows what the attacker might do with your sensitive and personal data.
- Deny attackers physical access to the system. The cardinal rule that physical access equals total access exists for a reason.
- Set a BIOS password and make the HDD the first boot device. This will prevent a cracker from booting your system from a Live CD or USB disk.
- Use strong passwords. This mitigates the risk of the password being cracked by dictionary attacks, and it makes a brute-force attack infeasible.
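The tips above are preventive. A defender who cannot rule out an offline boot also wants a way to notice afterwards that the SAM hive was rewritten while Windows was powered off, which is exactly the case where Windows itself logs nothing. The script below is an added example and not part of the original post or of BackTrack: it records a baseline of SHA-256 digest and size for the hive files, then reports any hive whose content no longer matches. The hive names, the directory layout and the sample bytes are constructed stand-ins for the demo; on a real system the files live under %SystemRoot%\System32\config and the baseline would be stored off the machine.

```python
"""Offline-tampering check for Windows registry hives (added example).

Records a baseline of SHA-256 digest and size for the SAM and system hive
files and later reports any hive whose content no longer matches. A password
reset done from a Live CD rewrites the SAM hive on disk, so the digest
changes even though Windows logged nothing while it was powered off.
"""
import hashlib
import json
import os
import tempfile

# The two hives the article's procedure touches. Names assumed for the demo;
# on a real system they sit under %SystemRoot%\System32\config.
HIVES = ("SAM", "system")


def hive_digest(path):
    """Return (sha256 hex digest, size in bytes) for one hive file, hashing in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def build_baseline(config_dir):
    """Snapshot the digest and size of every hive in config_dir."""
    baseline = {}
    for name in HIVES:
        digest, size = hive_digest(os.path.join(config_dir, name))
        baseline[name] = {"sha256": digest, "size": size}
    return baseline


def verify_baseline(config_dir, baseline):
    """Return the sorted names of hives whose digest or size differs from the baseline."""
    changed = []
    for name, expected in baseline.items():
        digest, size = hive_digest(os.path.join(config_dir, name))
        if digest != expected["sha256"] or size != expected["size"]:
            changed.append(name)
    return sorted(changed)


def demo():
    """Simulate a Live-CD password reset against constructed hive files.

    Returns (changed_after_reset, changed_after_restore): the rewrite is caught,
    a bit-identical restore of the original bytes is not.
    """
    with tempfile.TemporaryDirectory() as config_dir:
        # Constructed stand-ins for the real hives, not real registry data.
        original = {
            "SAM": b"regf SAM hive: user hash 0123",
            "system": b"regf SYSTEM hive: bootkey 4567",
        }
        for name, data in original.items():
            with open(os.path.join(config_dir, name), "wb") as f:
                f.write(data)
        # Serialised so it can be kept off the machine; reloaded before each check.
        saved = json.dumps(build_baseline(config_dir))

        # Offline reset: the SAM hive is rewritten with a blank password.
        with open(os.path.join(config_dir, "SAM"), "wb") as f:
            f.write(b"regf SAM hive: user hash <blank>")
        after_reset = verify_baseline(config_dir, json.loads(saved))

        # Cover-up: the original bytes are copied back, which a content hash cannot see.
        with open(os.path.join(config_dir, "SAM"), "wb") as f:
            f.write(original["SAM"])
        after_restore = verify_baseline(config_dir, json.loads(saved))
    return after_reset, after_restore


if __name__ == "__main__":
    reset, restored = demo()
    print("changed after offline reset:", reset)           # ['SAM']
    print("changed after restore of original:", restored)  # []
```

The second result is the important caveat: if the attacker copies the original hive back, as the post describes, a content hash alone sees nothing, which is why the first two tips in the list (encryption and denying physical access) come before any detection. A BIOS password is weaker still; as one commenter below points out, it can be cleared with the motherboard jumper or by pulling the battery.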
Hail Open Source
If you like the above post, great.
Please share.
July 25th, 2008 at 4:46 am
Good hack. Need to try it later in the day. It's best to dump Windows.
August 28th, 2008 at 3:52 pm
This does not work!!! For starters, why don't you learn what upper and lower case are before writing crap on the internet!
August 28th, 2008 at 6:47 pm
Still wondering what you mean by uppercase and lowercase in the context of this post? Your kind suggestions might help a great deal.
August 28th, 2008 at 6:51 pm
Ayo fish, this will work if you know what BackTrack Linux is! ROTFL =) Any comments?
August 28th, 2008 at 6:55 pm
I came to know about BackTrack when I got to this post from Google… sounds like a great OS, but will my Fedora RPMs work with this?
@fish
Why don't you point out what made you so furious? This is not a new technique; it has been tried and tested at antionline.
August 29th, 2008 at 3:06 am
@ fish
This is the first comment you have ever made on this blog, and you make a smart-ass remark. You come here and comment something about "uppercase and lowercase", without any justification or explanation.
Go be negative somewhere else.
September 15th, 2008 at 5:26 am
Why does the LiveCD have a GUI? Anybody who is fluent with Linux should be able to do everything (at least all of this) from the teletypes, or at least use something lighter than GNOME. Starting up X probably takes a decent amount of precious time. And why is none of this scripted if the whole (or at least a major) purpose of the distro is to do this? I would just remaster a Gentoo minimal CD.
September 15th, 2008 at 8:04 pm
@Nick
The purpose of this distro is pen-testing and auditing, and the most important part of these activities is the reports the tester creates and hands off when finished; you can't beat a GUI with word processing and graphics tools for that. Also, although most of the tools included can quite happily run from a TTY without needing a frontend, there are loads of tools included and many are quicker and easier to use with a GUI. Even the ability to have multiple terminals open on screen at once (without having to CTRL+ALT+FunctionKey between sessions) is reason enough to run a GUI. Why handicap yourself by limiting yourself to a command line only when you can have the best of both worlds? If your sole purpose was to crack SAM databases, there are many other distros available that are much smaller and quicker (like Trinity or numerous others).
Check out http://www.remote-exploit.org/backtrack.html for a full list of features.
September 19th, 2008 at 2:57 pm
Thanks for these tips! They are absolutely useful!
This is truly amazing and very good!
Escoofield -
http://alotofit.com
October 8th, 2008 at 8:21 pm
Just look up ophcrack. It is a Linux distribution that is purely created for this: just boot it up and walk away. A few minutes later the password is cracked. Btw, Linux has just as many faults; you can boot into any live CD and crack/erase the password in a few minutes. And you can also reset the BIOS password in a few seconds by using the jumper on the motherboard, or by taking the BIOS battery out for a few seconds.
October 9th, 2008 at 4:33 pm
I downloaded the BackTrack link and it is some RAR with no sign of an ISO in sight. Do I have the right file? It has lots of VM stuff and a vmware.log…
October 9th, 2008 at 6:12 pm
You can download the .ISO file here: http://www.remote-exploit.org/cgi-bin/fileget?version=bt3-cd
The file you've downloaded seems to be meant for VMware. Using VMware you can create virtual machines on your Windows OS.
Hope that clears the doubt.
October 28th, 2008 at 11:59 pm
I knew why I love Linux