This articles talks about hacking and other activities which
may seems to be illegal and will certainly get you into trouble if you are
caught doing it. I would advise you read it as a form of entertainment and
treat it as entirely fiction without any truth in it. Ok, let’s set this
imaginary environment.
WE all had laptops for a long, long time that I did not even
remember the days where laptop did not exist. Due to special considerations, my
department had always had the privilege of admin rights on our laptop due to
the work we do. We are required to install software, run privilege tasks etc on
a daily basis. We never imagine the day that this would end. We never had the
problem of facing this. Until now.
Due to new firm requirement, we are required to upgrade to a
new version of the laptop OS with some enhancements as well as a new set of
software for our work. This time, the top management came down on us hard and
decided that we should not have administrative rights to the corporate laptop
because we are supposed to perform our privileged task on another laptop. Ok,
let’s leave that out of our story. The fact that we may be caught out in the
field for weeks, it does not seems logical that we do not have access to our
email and other corporate information systems. Therefore, we NEED to have
administrative rights to the laptop. SOMEHOW.
Let’s pause for a minute if you feel that we need to discuss
the moral and legal issue here. Like I said, its an imaginary environment. By
all rights of standard, we should never have to ask for any thing and
everything is given. However, this does not actually happen in the real world
or for that matters, this imaginary world of our. So, someone needs to be the
hero. Someone need to break some rules. Someone will have to do it. Yes, I
know, that would be me.
Ok, lets come back to the story. So, many of us find that we
cannot even insert a thumbdrive (oops, sorry, flashdrive) without triggering an
administrative prompt. Life has been hell since the upgrade and it seems like
the end of days is just about to begin. Unknown to most, a few of us are
already beginning to work on this “problem”. The intention is just to be able
to have enough rights to perform some of our installations etc without having
to tear the laptop apart. Of course, in the process, we would not want to trigger
any alert or alarms as well. Hackers get caught. Good hackers DON’T get caught.
So, we narrowed down our options. One of the endgame
objectives would no doubt be the administrative rights. A more direct answer
would be the administrator password. And inside our laptop, there is the local
administrator account, which is used by the IT support department to roll out
updates and perform installation on our laptop. This seems like the very object
we want.
Usually before I go about the hard way, I try the easy way.
In fact, the easy way usually works. I tried a few passwords. No luck. In fact,
I was very caution to ensure that password lockout was not enable on this
account. For very obvious reasons, if this account is lockout, it will be
difficult to recover the system. I always wonder if this is the reason why
everyone wants to attack the admin account, beside than knowing it has the
rights of god on the machine. So, it does not use a simple password.
Another very direct way to recover a system is to wipe the
password. This is more effective than you can imagine. I had broken tons of
laptop whose owner does not want me to enter their system by simply rebooting
into my boot CD and wiping off the administrator password. However, we have a
problem here. This system is protected by a disk based encryption. When we boot
up from a foreign OS, the encrypted partition simple will not mount. In fact,
this was one problem I was dying to crack. Anyway, wiping the password is not
the way to go.
Another approach is to extract the password hash. We all
heard of rainbow tables and LCP. I guess this would be easy. I had extracted
lots of passwords hashes in the past using PWDump or FGDump. One obstacle lies
ahead. Antivirus. The antivirus is switch on to the maximum mode which simply
detect and delete anything and everything it feels is dangerous. This includes
some of our tools which we use for work as well. Nasty. The question is : Do I
want to break the antivirus as well? Antivirus firm has spend millions on
R&D to ensure their solution works and works well in a corporate
environment. I am sure they had figured out that someone will want to disabled
or uninstall their product in the corporate. Secondly, I also do not want to
trigger some alarm if I had my antivirus off.
In the above detail, I mentioned how easy it was for me
to obtain my administrator’s right simply by social engineering the IT support
department. However, that doesn’t not solve ALL the problems we have. It is
good to have a laptop with an additional local admin account, but it is not
enough to simply have that. There are still other helpless laptops out there.
Ultimately, what I wanted was the admin account so that I can help them out
too.
While I have my admin rights, it’s easy and simple to just
change the password of the admin account to whatever I like, but that’s not my
aim. I also realized that in order to push my hacking tools onto the laptop to
extract the password hash, I will probably have to disable or uninstall the
antivirus system because it is basically blocking and deleting my software
whenever I copy it in.
Touching the antivirus is probably not where I want to go.
Basically, messing with the antivirus may trigger some audit alarms which will
not look nice on me. Secondly, I may not be able to properly uninstall or
install the antivirus back because it may have a secondary password or some
required files for the group policy. Enterprise level antivirus usually has all
these additional stuffs. Destroying the antivirus will be a last resort for me.
Just to recall in the first article, the hard disk has a
disk based encryption and that is why I am unable to use a boot disk or boot CD
to extract the password hash. In short,
I am pretty screw if I continue in this path to try to extract the password
hash. In a separate thread, I did manage to break one of these systems using a
floppy boot up, but that’s another story. I had another thought. That is to
install the system console and boot that up. But the chances that I will be
able to run or do anything else in that restricted shell is quite close to none.
So, what will be better than the password hash? Answer : The password itself.
So, how can one get the password? Let’s backtrack this a
bit. How does the IT department upgrade and change all our passwords? Typically
if you work smart, you will either push it down a GPO or use some sort of batch
processing, maybe even SMS or WUSS. Now, being such a huge enterprise, I would
guess they would use at least one of these. I strike GPO off because the admin
account is a local account. So, what I will do is to find out how they changed
the password (in batch).
I do not know why, but my IT department like to leave a link
to their software repository around on their desktop. I guess that’s probably
the root of corporate piracy if any happens here. In any case, this is the
place I would start. Looking through the folders, I basically had gone through
these times to times for other reasons, so pretty much know which are the new
stuffs, or simply just sort them by date. Then from the new folders, I found
another link to another server which contains the new software sets for this
upgrade. Now, this will contains the binaries for the antivirus. I almost
thought that I would reconsider breaking the antivirus and reinstalling it back
using these binaries. Until I saw a very obvious file in the root
directory. It sound like jackpot. In
fact, there is even a file call “ChangePasswordforXXX.exe” lying around there
for the picking. Bingo.
So, this is a exe file. I would like to break it apart using
IDA Pro or other debugger, but just throwing at a long shot, I thought I would
start with a text editor instead. Based on my experience, most people do not
encrypt or even obfuscate their binary. I had been able to break many
applications and website basically because the binaries is not protected.
Again, this enables me to accomplish what I did. By looking through the binary
file, I notice this is a simple WISE installation binary. Yes, actually I
already knew that when I saw the icon. They did not even bothered to change it.
WISE has tendency to leave some of the configuration in clear text even when it
is compiled into a binary. That is the reason why I saw the things I saw
without even the use of a debugger. Somewhere in the file, I saw the password I
was looking for. In fact, I did not even really take a look at the file, I
simple do a search for “password” and I am brought to that offset in the file.
The password was long, complex and consists of alphanumeric
with upper and lower case and symbols. But it is just another password hacked
by me today.
As an added bonus, I even got hold of an additional password
in the file just right below it. It is the encryption password for the
harddisk. I haven’t figured out how I could use it, but I guess it will
probably be useful, someday.