Focus on Microsoft
Windows NT Desktop Nov 22 2007 01:31PM
sisram2 gmail com (2 replies)
RE: Windows NT Desktop Nov 22 2007 05:46PM
Thor (Hammer of God) (thor hammerofgod com)
RE: Windows NT Desktop Nov 22 2007 05:08PM
James D. Stallard (james leafgrove com)
This is not a mailing list where we tell you how to hack. If you want to
hang out with hackers, go play with IRC.

Notwithstanding, Windows NT does not support USB devices, so unless the BIOS
supports booting from USB and that is switched on in the BIOS, you are stuck
there. If the admin has done his job properly and you cannot introduce an
external device, then you are left with the old physical attack of popping
the top and introducing a second internal harddrive with your own OS on it.
Windows NT suffered from hundreds of attach vectors, but you don't provide
enough information to suggest a good one.

If you can boot from USB then a bootable USB/CD/floppy drive is all you need
to introduce anything you like in the way of rootkits or straight password
reset/hack tools. However, if the admin is any good, he will have locked
down the BIOS properly (as you suggest), will detect your attempts to add
yourself to the local admins group or create local users and will have a way
of automatically resetting group memberships and changing the local admins
account password often enough that you can't keep up in your attempts to
hack it.

Given time, skills and physical access to a machine, it is only possible to
truly keep out a would-be hacker with total drive encryption and intelligent
network quarantining.

A technique I once used years ago involved an early version of L0phtcrack
with a built-in hash sniffer. The sniffer was run on a laptop (configured in
a workgroup of the same name as the domain) and waited for the SMS server to
try and install the client app, whereupon the password hash of the SMSAdmin
account was captured and cracked offline. That provided a domain admin
account that allowed me to elevate to localsystem with the AT job hack and
from there clear the policies out of the registry and do what I liked
locally or anywhere on the domain. It's an old technique and unlikely to
work these days, but it's enough to get you thinking on the right lines.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of sisram2 (at) gmail (dot) com [email concealed]
Sent: 22 November 2007 13:32
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Windows NT Desktop

Hi All,

I was wandering if anyone could help me with the following


There are couple of PC's (Windows NT) which are part of a domain (say XYZ).
For the users of this domain the USB, CD drive etc. are disabled. The
commond prompt , RUN option, Regestiry and BIOS is also disabled. Also the
admin has done the hardening at desktop level and not at domain level

The PC's have access to an application on remote server via html login. All
the processing is done online and nothing is stored locally

Objective and ethical test that needs to be done

I want to get local admin rights or somehow change the privilge levels to
enable USB or Floppy drive. The other option is if I could access other
domains thru this one.

It would be nice if someone could suggest a methodology or approach

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus