Team Sigma - Personal.psu.edu

Team Sigma
Final Project
Eric Brandman
Matt Teller
Sam Albert
Matt Storm
Mark Ricci
Seth Kimmel
Scenario
You are an IT director at Johnnies Online Jobs, a private company that provides online job
ads. A recent act of cyber-vandalism by a group of three internal employees has been brought to
your attention. All the computers have different operating systems, and are password protected.
None of the employees are cooperating with the business, and it is your job to break into their
systems and gain access to their files.
Objectives
● Gain access to an administrator account on a Windows XP system.
● Gain access to an administrator account on a Windows Vista system.
● Gain access to an administrator account on a Windows 7 system.
Download Windows XP, Vista and 7:
This section will detail how we have legally obtained the operating systems in our project:
1. Log into MSDNAA: http://msdn06.eacademy.com/elms/Storefront/Home.aspx?campus=tpsu_infsys_tech
2. Download each operating system in .ISO form
Setting Up VMware:
This section will detail how we have set up our VMware software to replicate the suspects'
computers:
1. Download VMware installer from: https://www.vmware.com/tryvmware/?p=vmwareworkstation&lp=1
2. Install VMware as a trial/evaluate
3. Open VMware and create new Virtual Machine
4. File --> New Virtual Machine
5. Follow the on screen wizard
6. Select one of the operating system ISO files when prompted
7. Once installation of the OS is complete, repeat steps 3a and 3b with the other two operating
systems.
8. Further documentation can be found at: http://www.trainsignaltraining.com/installwindows-7-in-vmware-workstation
Part I - Breaking into Windows 7 with KonBoot
Kon-Boot is a software image widely available for free download on the Internet. Kon-Boot is
described as a “boot-kit”: it hooks the system boot process to inject its own code directly into the
operating system's memory. Unlike other boot kits available, Kon-Boot lives only in memory and
makes no persistent change to the disk, meaning that the system is no longer affected once the
bootable media is removed.
1. Go to http://www.megaleecher.net/Easiest_Way_To_Hack_Windows_And_Linux_Computers
and download the Kon-Boot .iso file. The password to access the software is “kon-boot”.
After gaining access, burn the .iso to a bootable CD.
2. Insert the CD into the machine and reboot. Prior to the machine booting into its native
operating system, press “F8” to boot into BIOS mode.
3. In the BIOS menu, go to “Boot Order” and select “CD-ROM” to force the machine to boot
from the created CD-ROM.
4. Select the “Exit” tab, and then select “Exit Saving Changes”.
5. On the confirmation window that appears, select “Yes”.
6. Kon-Boot then loads and bypasses the Windows 7 password. Access the Admin account
by simply clicking on the User Icon.
Though Kon-Boot allows access to Admin accounts, it has limits: it will not give a user access to files
encrypted with EFS (Encrypting File System), it will not let a user change the password of the account
that was bypassed (though you can change the passwords of other local accounts), and it cannot
bypass authentication on an Active Directory domain.
Protecting yourself from Kon-Boot
There are a number of things that will mitigate the risk of your system being successfully attacked
with Kon-Boot, or any other boot kits.
● Set a password at the hard disk level. This can be done from the BIOS menu, and will
prevent attackers from booting the operating system installed on the hard disk.
● Disable the ability to boot from USB/Firewire. This will prevent the use of external disks.
Part II - Breaking into Windows XP with Ophcrack Live CD 2.3.1
Ophcrack uses pre-computed rainbow tables containing the hash values for many combinations of
common passwords. It then dumps the password hashes from the registry (the SAM hive) of the
machine that the Live CD has been booted on, and compares the values found in those dumped
hashes against the values in the rainbow tables.
1. Go to http://ophcrack.sourceforge.net/download.php?type=livecd to download the Live CD
version of Ophcrack. It will be in the form of an .ISO file, which means it will be bootable
independently of the host operating system. Burn the .ISO file to a CD.
2. Insert the Live CD into the target machine.
3. Reboot machine and hit F8 to enter the BIOS which will allow you to change the boot device
to the CD-ROM drive. Once the boot order is changed and the changes are saved, the
machine will reboot.
4. The Ophcrack Live CD will boot. Select the “Ophcrack Graphic Mode – Automatic” choice
from the menu.
5. Once loaded, Ophcrack will attempt to recover the passwords of all user accounts on the
machine. All of the cracked passwords will be displayed beneath the “NT Pwd” section.
Protecting yourself from Ophcrack
One main way to protect yourself from Ophcrack discovering the passwords on your machine is to
use strong passwords. A password of at least 14 characters containing numbers and special
characters will significantly reduce the chance of Ophcrack finding out the password. Another
method to protect yourself is to not allow physical access to those who are not authorized.
This eliminates the possibility of the Ophcrack Live CD being used at all and requires
the attacker to find other methods to obtain the Windows password hashes.
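The two passages above describe the same mechanism from both sides: a lookup in a precomputed table of hashes recovers any password that is in the table, and a long password with digits and symbols is simply not there. The following Python script is an added example, not part of the Team Sigma write-up and not Ophcrack's own code; it builds a small precomputed table from a constructed list of common passwords, looks up a SAM-style dump synthesised from three constructed accounts, and reports which plaintexts the table recovers and which meet the 14-character guidance. The NT hash is MD4 over the UTF-16LE password; where the Python build has no MD4 the code falls back to SHA-256 as a labelled stand-in, which does not change the lookup logic. The account names, the password list and the sample passwords are all assumptions made for the demonstration.

```python
import hashlib
import string


def nt_hash(password: str) -> str:
    """Hash a password the way Windows stores the NT hash: MD4 over the
    UTF-16LE encoding, with no salt. Some Python builds (OpenSSL 3 with the
    legacy provider disabled) have no MD4, so SHA-256 is used there as a
    labelled stand-in; the table lookup below is identical for any unsalted hash."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).hexdigest()
    except ValueError:
        return "sha256-standin:" + hashlib.sha256(data).hexdigest()


# Constructed stand-in for a precomputed table of common passwords. Ophcrack's
# rainbow tables apply the same idea at scale, stored as chains rather than a
# plain dictionary so they fit on a Live CD.
COMMON_PASSWORDS = ["password", "123456", "letmein", "Password1", "qwerty", "welcome", "admin"]


def build_table(candidates):
    """Precompute hash -> plaintext once; every later lookup is a dictionary hit."""
    return {nt_hash(p): p for p in candidates}


def lookup(table, dumped_hashes):
    """dumped_hashes maps account -> NT hash as dumped from the SAM hive.
    Returns account -> recovered plaintext, or None when the hash is not in the table."""
    return {account: table.get(h) for account, h in dumped_hashes.items()}


def meets_policy(password: str) -> bool:
    """The write-up's guidance: at least 14 characters, with a digit and a special character."""
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return len(password) >= 14 and has_digit and has_special


def has_lm_hash(password: str) -> bool:
    """Windows stores no LM hash for passwords longer than 14 characters (the LM
    algorithm cannot represent them), so LM rainbow tables have nothing to match.
    This is one concrete reason the 14-character threshold matters."""
    return len(password) <= 14


# Constructed sample: three local accounts and their plaintexts, used only to
# synthesise a SAM-style dump for the demonstration.
SAMPLE_ACCOUNTS = {
    "owner": "Password1",
    "helpdesk": "letmein",
    "admin": "Tr0ub4dor&3-Xylophone!",
}


def audit(accounts=SAMPLE_ACCOUNTS, candidates=COMMON_PASSWORDS):
    """Synthesise a dump from `accounts`, run the table lookup against it, and
    report per account whether the password was recovered, whether the plaintext
    meets the policy, and whether an LM hash would even exist for it."""
    dumped = {acct: nt_hash(pw) for acct, pw in accounts.items()}
    recovered = lookup(build_table(candidates), dumped)
    return {
        acct: {
            "recovered": recovered[acct],
            "meets_policy": meets_policy(pw),
            "lm_hash_present": has_lm_hash(pw),
        }
        for acct, pw in accounts.items()
    }


if __name__ == "__main__":
    for acct, result in audit().items():
        status = "in table" if result["recovered"] else "not in table"
        print(f"{acct:10s} {status:13s} policy_ok={result['meets_policy']} "
              f"lm_hash={result['lm_hash_present']}")
```

Run as a script it prints one line per account; the two accounts using common passwords are recovered instantly, while the 22-character password is not in the table and would never have an LM hash to attack in the first place. The table here is tiny, but the cost structure is the same at Ophcrack's scale: the attacker pays once to precompute, and every subsequent lookup is cheap, which is why the only durable defence on the password side is a password that is not enumerable at all.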
Part III - Breaking into Windows Vista with Active Password Changer 3.0
Active Password Changer 3.0 is a CD-based password changer that works on Windows NT, 2000,
2003, XP, and Vista. Active Password Changer 3.0 comes bundled on a bootable Windows rescue
CD called Hiren’s Boot CD. The version of Hiren’s Boot CD that we are using in this example is
Hiren’s Boot CD 9.7. Active Password Changer 3.0 works by accessing and erasing passwords from
the SAM database file, a registry hive stored on disk. The SAM file stores all of the individual
users’ account information and links each password to its specific account.
Because Active Password Changer 3.0 works by erasing passwords stored in the SAM database, you
can use this tool to boot into any specific Windows user’s account without a password and then set
a new one for yourself.
To get Hiren’s Boot CD 9.7:
1. Open any Internet Browser and go to http://www.hirensbootcd.org/hbcd-v97/ and
download the 170 MB Zip file called “Hirens.BootCD.9.7.zip”.
2. Unzip the Zip file using Winzip or any other .zip compression program.
Accessing Active Password Changer 3.0 on Hiren’s Boot CD 9.7
1. Now that you have the .ISO file extracted from the Zip file, you can burn the ISO file to a CD
using your favorite CD image burning program.
2. Once you have burned the ISO file to a CD, simply insert the CD into your computer’s CD
drive and restart the system. The CD should now be read first and you should
automatically boot into Hiren’s Boot CD as the computer reboots. If this does not happen,
you may have to press a specific key to get your computer to boot the CD before the hard
drive. Refer to your computer’s instruction manual on how to do this, as the process varies
from computer to computer.
3. Now that you have successfully booted into Hiren’s Boot CD, you should see a screen that
looks like this:
Choose “Start BootCD” to access the programs located on the Boot CD.
4. Once the CD loads the programs, you are presented with a list of categories to choose from.
The list looks like this:
Choose option 9, “Next” by pressing Enter. After that, choose option 4 on the next page titled
“Password & Registry Tools...” by pressing Enter again. When the programs list loads under
“Password and Registry Tools...”, you should now see “Active Password Changer 3.0.420” selectable
as option 1 at the top of the new list.
Using Active Password Changer 3.0 to Delete the Account Password
1. After pressing Enter on “Active Password Changer 3.0.420” to load the program, a small
beige box will come up asking you to select the method of executing the program. Simply
choose “Auto” and let it load.
2. You will now see the main menu of “Active Password Changer 3.0”, which looks like this:
The three options are explained in detail below:
a) Choose Logical Drive - This option allows you to manually select the hard drive you
wish to scan for the SAM database on. This is useful if you have several operating
system partitions on a single hard drive or multiple operating systems on multiple
hard drives inside of your computer.
b) Search for MS SAM Database(s) on all hard disks and logical drives - This option
allows you to search all logical partitions and hard drives and displays the
location(s) of the SAM database file(s) for the user automatically.
c) Exit - This option allows you to exit “Active Password Changer 3.0” and go to the
Hiren’s command prompt. The command prompt will be used at the end of this
tutorial.
3. Choose option 2 by entering “2” in the Your Choice prompt and pressing Enter. The
program will now search for any SAM databases located on your hard drive(s). When it is
finished, you will get a screen that looks like this:
Depending on your computer, your results will be different. Because in this tutorial we only have
one hard drive partition, we simply hit Enter to continue.
4. The next screen allows us to select which account we want to delete the password from:
Since our target is “owner”, we simply type “1” in Your Choice and press Enter to continue.
5. The next screen is the important part of this tutorial. This is the screen where we
can erase the password from the account “owner”:
The “Existing” column shows the current options that are present in the SAM database file. The
“Change to” column shows the options we can use to modify the SAM database file. In this tutorial,
we are simply going to use the “Password Never Expires” option and the “Clear this User’s
Password” option. However, you can also lock the account, force the user to create a new password
at next login, or set specific hours that the user is able to use their account. Again, for the simplicity
of this tutorial, we are going to accept the default options and hit “Y” to apply changes.
6. Once the changes have been saved, simply hit the Escape key several times until you are
brought back to the main menu of “Active Password Changer 3.0”.
7. Type “3” and hit Enter to exit “Active Password Changer 3.0”. You are now brought to the
Hiren’s Boot CD command prompt that was mentioned earlier:
Simply type “reboot” as shown above and hit Enter. The computer now reboots and you are
brought back to the Hiren’s Boot CD boot menu:
8. This time, choose “Boot From Hard Drive” to start Windows. You are now able to log onto
the account “owner” successfully because “Active Password Changer 3.0” erased the
password from the SAM database file.
You have now reached the end of the “Active Password Changer 3.0” tutorial.
Shortcomings of Active Password Changer 3.0
While the program “Active Password Changer 3.0” certainly is a very useful tool for bypassing
Windows login passwords, it is not without its faults. One of its primary faults is that the program
does not allow you to select more than one user account at a time whose password to wipe. This can
be a problem if a specific computer has many accounts that need their passwords reset, since the
program handles only one account at a time and resetting many accounts becomes a very tedious task.
Another fault of the program is that it does not work on Windows 7, Microsoft’s latest operating
system. However, the program version used was released in 2006, and a newer version of this
program (if it exists) would most likely work on Windows 7.
Protecting Yourself from Active Password Changer 3.0
There are a couple of things you can do to protect yourself from “Active Password Changer 3.0”.
These are:
1. Set a password for yourself at the BIOS level - This forces anyone who touches your
computer to first enter a password before any piece of hardware or software boots up on
your computer. You can also have your BIOS set a password for your hard drive, so that
even if your hard drive is removed and placed in another computer, criminals would still
have to know the password to gain access to your accounts.
2. Disable CD and USB stick booting in the BIOS - This will not allow Hiren’s Boot CD to boot
from either a CD or a USB stick, and thus criminals cannot access “Active Password Changer
3.0” on your computer.