Windows XP - Beating the Password System.

I don’t think that was the real Administrator you changed. The system administrator (named “Administrator”) can’t be changed by going to Control Panel - User Accounts (the place where you can change user icons, names and basic settings). I have an Administrator account w/password on my machine and it does not show up there.

You can only change Administrator from Control Panel - Administrative Tools - Computer Management - Local Users and Groups.

Then again I have XP Pro so I don’t think you have Administrative Tools on XP Home…But I still don’t think the main system admin was changed (at least not by you).

Yes, MS OSes are easily exploited. Linux root password can be hacked as well if you have physical access (and sometimes without). Etc.

But I am surprised that no one has suggested my first thought: Keystroke logger. If he had root priv.s and installed such a program, then all your later changes, including passwords, are his. Some keylogger programs make themselves fairly hard to find. It does come down to reformat and reload to really ensure you have gotten rid of it.

(Or he just grabbed one of the standard “grab admin priv.s” scripts off the net.)

Get a lock for the electrical plug. Believe it or not, they actually make one…I saw one for $9.00… Hopefully he won’t have a spare power cord around.

You guys are making this more complicated than it needs to be, just start mailing bare bottom baby pictures of him to all his friends and co-workers.

One more log to the fire of “There’s no protection if he has physical access”.

He could have booted from a floppy (BIOS boot order change, etc.) or perhaps used a key capture tool. Here’s a link to KeyGhost, with a pic of what one looks like in use. Ask if Dad has seen anything like this around.
http://www.keyghost.com/hardware_keylogger.htm

(I know this possibility isn’t within the realm of no-budget kid hacker, but what the heck.) Even with a locked case, boot order set to C: only with BIOS password protection, etc., there are specialized hardware tools whereby you can hook up to the Video card output on the PC and access the hard drive directly. This method enters hardware commands on the Bus, bypassing the operating system. You can dupe the entire hard drive to another system without leaving a mark or changing a bit on the HD. My company trains law enforcement on the use of such things.

Holy shit Harald! That’s bloody extraordinary!

You can actually extract every single byte off a harddisk via the Video VGA port and siphon the entire contents? Far out! That’s amazing.

I take it the PC has to be turned on of course. Under such circumstances, does it matter which OS is running on the poor PC which is about to get plundered?

Great post!

Smackfu, for your reference, the Dad and I uninstalled “PCAnywhere” as part of our housecleaning on the Monday night. It was no longer installed by the time the son started his cracking the next day.

Otherwise, yes, your suggestion would have been very valid.

This is the most likely scenario. In trying to foil the son, you used the “User Accounts” control panel. This is the nice, easy to use control panel for consumers.

The real user controls are located, as stated above, at “Control Panel - Administrative Tools - Computer Management - Local Users and Groups”. From there, you will see additional accounts used on the computer, including - Administrator.

That seems implausible. The VGA port of a PC has very limited inputs, and I strongly doubt that you can do anything with that.

Under most circumstances bcullman, yes, I’d agree with you entirely. However, I distinctly recall using the “Computer Management” interface for “Users and Groups” on a number of occasions when I was sitting with the Dad because I also was demonstrating how the “Event Logs” and the “Services” functions were working.

And my memory is still pretty good - there was definitely not an “Administrator” account in the “Computer Management” route either.

However, for those of you who are interested, tonight I performed a test on one of my Windows 2000 “Advanced Server” machines which acts as a redundant online database server.

These are the steps I performed to “crack” the Password system. It was so dead easy it’s bloody frightening…

(1) I shutdown the computer…

(2) I placed a 1995 MS-DOS Boot Disk in the A: drive.

(3) The system booted under DOS and I logged onto C: drive at a DOS prompt level.

(4) cd C:\WINNT\System32\Config

(5) I renamed sam to sam.bak

(6) I removed the DOS boot disk and rebooted the machine. Windows 2000 Advanced Server reloaded.

(7) The system offered my normal “username” as my log in option. It no longer worked. None of my “user defined” logins worked any longer either. I then attempted to log in as “Administrator” WITHOUT a password and I got in easy as pie.

(8) I had full “administration” rights and I could do whatever I wanted.

(9) I chose not to change a thing… but I could NOT rename or copy sam.bak over the sam file - I assume this is because it’s a mission critical file to WIN2K and XP, so I merely performed the DOS boot once again and did the file rename at a DOS prompt level.

(10) Upon rebooting the machine once more, all of my previous user logins were working and visible once again in the “User Accounts” software interfaces.

So there ya go… pretty bloody big hole don’tchya think?

Also, it’s worth noting, the machines I use are really well made IBM Netvista’s and Netfinity’s. Believe it or not, and I’ve checked this guys, the proprietary IBM BIOS doesn’t even allow you to disable the A: drive as a bootable device. Possibly this is achieved at the motherboard jumper switch level - but certainly not at bootup BIOS time.

Why not just YANK OUT THE FLOPPY DRIVE?

Let’s see him boot with a floppy then. The bloody things are near useless anymore as it is.

Boo Boo Foo: if you were able to read the C: drive with a DOS boot disk, I have to ask: is your hard drive file system FAT32 or NTFS? The latter is more efficient and, as far as I know, it’s unreadable by standard DOS. There is a utility within Win2000 to convert the drive over, and it may prevent such an easy floppy-boot hack in the future.

Sigh, you must not realize how retarded MS really is. Trust me, you did not change the administrator account. My computer is set up just like yours. I am “computer administrator” under User Accounts in control panel.

Boot the computer into safe mode.

Lo and behold there’s that ‘hidden’ Administrator account. AND my account. It wasn’t password protected or anything, although I didn’t attempt to delete my passworded account. I’m sure since it has full access it can do whatever it wants.

Yeah, I was wide-eyed about it the first time I saw it done. The example used a connection to a PCI VGA card. I don’t know about whether AGP also can be exploited, but I expect so.

I’m an admin, but not a hardware hack expert. What I personally saw was:

  1. With the PC running, they disconnected the video-to-monitor cable from the PC, and hooked a custom cable from the PC’s Video out to their Forensics box.
  2. On the Forensics box they ran some program from a command line.
  3. A dialog box on the Forensics display started counting up Hard Drive blocks copied.

This was at an informal briefing demonstrating capabilities between employees.

The use of such a box is quite limited. If I’m a cop with seized evidence, I have no reason not to open the case and plug the drive into a forensics workstation to copy all the HD data (assume all the rules of evidence, care taken to not change data, etc.) The purpose of this tool is to collect data without the owner knowing.

I tried that… and I categorically assure you that your sequence of steps DID not work on my test machine.

However, in your defence, the machine I tried it on is running Windows 2000 Professional. Also, I would like to stress that I also used the “Administration Tools :: Computer Management :: Local Users and Groups” software to RENAME the Administrator account to “Root User”. I suspect this is a major factor.

Would any other Dopers care to try this trick on other versions of WIN2K, or XP?

I just gave it a whirl on my Win 2k Advanced Server test box (sp3). As I suspected, it didn’t work.

As for the SAM file vulnerability, I’m torn about labeling it a “security hole”. All OSs are vulnerable to someone tweaking their files while they’re not running - it’s not something unique to Microsoft. You may as well say that you took the box apart, tore out the harddisks, mounted them as slaves on another machine and were horrified to see you could read data from them.

Your hardware is agnostic - it can’t tell a “hacker” operation from a valid user one. We haven’t really begun to address the problem of running an OS in an entirely hostile environment (i.e. in one where attackers can easily and arbitrarily access and alter the system at a hardware level, or a software level entirely outside the control of the operating system). Ironically, the first steps in this direction are leading to things like aggressive DRM and Palladium. The cure may be worse than the disease.

The bottom line is that if someone has physical access to a machine then they can almost certainly compromise it. What, after all, is to stop them from re-installing the operating system in this case?

You can set the boot order, password protect the BIOS etc, but if they’re willing to get under the desk with a screwdriver even these safeguards fail.

Indeed, Armilla, indeed.

Ultimately, it seems to me that the only TRULY secure system would be one where the OS, or the kernel at least, is built into EPROMs on the motherboard - and then, provide further read/write RAM on the motherboard which can ONLY be read via the OS BIOS. This would allow stuff like the SAM file to be loaded into flash RAM on the motherboard. I’m hoping you get my drift here.

Also, under such a “fanciful” situation, would it be possible to also build a hard disk into the motherboard as well? Obviously, it would still get its voltage from a power supply, but do you think it would be possible? That is, the hard disk is literally soldered onto the motherboard like one huge chip, as it were?

In theory, the only way to access such a hard disk then would be to read it via the OS which has been burnt into EPROM on that motherboard. You could then implement unique serial numbers etc to prevent the hard disk being removed onto another motherboard. Fanciful, I know… but would it work?

One of the oldest hacks is to replace the default system screen saver with cmd.exe. This is possible if users have write access to System32 (on my XP Pro box only Power Users and better have change access, but on different OSes everyone would have full control by default, and of course if your system uses FAT32 then there is no file system security at all). Then, you log off and wait for the system screen saver to run. When that happens, you get a command prompt running with system credentials. You can then use the net user commands to make your account the administrator, change passwords, whatever.

There is also the widely used l0phtCrack utility (www.whitehatinc.com/w2ktools/l0phtcrack/) - any dictionary word password could be retrieved by any system user within a matter of minutes. Any password could be retrieved in a matter of hours/days.

As others have said, you cannot secure your machine against a user who has physical access. The best you can do is ensure that if the system is compromised, you will know about it. Ordinary steps from here would involve discipline.
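Since the thread’s conclusion is that physical access can only be detected, not prevented, here is an added example (not from any poster) of the check that makes the offline SAM rename and the cmd.exe screen saver swap visible afterwards: a hash baseline of the files the thread names, re-checked later. The paths and file contents are constructed inside a temporary directory; on a real host you would point it at the live System32 and keep the baseline off the machine, since anyone who can rename the SAM hive can also edit a baseline stored beside it.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a physical-access tamper would alter: the SAM hive (renamed from a
# DOS floppy boot) and the logon screen saver (swapped for cmd.exe).
# Relative paths are constructed examples rooted in a temp directory.
WATCHED = ["WINNT/System32/Config/sam", "WINNT/System32/logon.scr"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash and size of each watched file; None if it is absent."""
    baseline = {}
    for rel in WATCHED:
        p = Path(root, rel)
        baseline[rel] = ({"sha256": sha256_of(p), "size": p.stat().st_size}
                         if p.exists() else None)
    return baseline


def check_against_baseline(root, baseline):
    """Return (relpath, finding) for every watched file that changed state."""
    findings = []
    current = build_baseline(root)
    for rel in WATCHED:
        before, now = baseline[rel], current[rel]
        if before == now:
            continue
        if now is None:
            findings.append((rel, "missing (renamed or deleted offline?)"))
        elif before is None:
            findings.append((rel, "new file"))
        else:
            findings.append((rel, "contents changed"))
    return findings


def demo():
    """Constructed scenario: take a baseline, then simulate both tampers."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "WINNT/System32/Config")
        cfg.mkdir(parents=True)
        Path(cfg, "sam").write_bytes(b"regf-hive-bytes (constructed)")
        Path(tmp, "WINNT/System32/logon.scr").write_bytes(b"real screen saver")
        baseline = build_baseline(tmp)
        assert check_against_baseline(tmp, baseline) == []  # clean host
        Path(cfg, "sam").rename(Path(cfg, "sam.bak"))        # floppy-boot rename
        Path(tmp, "WINNT/System32/logon.scr").write_bytes(b"cmd.exe bytes")
        return check_against_baseline(tmp, baseline)
```

The same check would also flag the Administrator rename trick as a SAM change, since that edits the hive in place.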

Has the father considered installing swappable hard drives? The son can’t fuck with the OS if there isn’t a boot drive in the case. Let him buy his own hard drive to use with the system.

That VGA thing sounds EXTREMELY implausible.

First of all, VGA is a one way data stream, you can’t send data down the pipe so you wouldn’t be able to give the command to send the HD. Second of all, VGA is analog. You can’t be certain you are getting the right data unless you can program the sending computer to do stuff like ECC which would make it a whole order of magnitude harder.