Re: hacking win2kPro out of the box
From: miguel.dilaj () pharma novartis com
Date: Mon, 6 Dec 2004 12:12:46 +0000
It depends on whether you consider the option of booting to an alternate OS or
If you don't, exploits like DebPloit could work (not sure if this
particular one was suitable for 2K), but in most cases you have to avoid the
AV, because it will detect the malware.
In the particular case of McAfee 4.5, I found it trivial to deactivate it
using a tool that activates greyed-out controls, named VeoVeo. The original
tool is in Spanish and can be found at www.hackindex.org, but I translated
it into English; you can find it at
The tool has many other interesting functionalities, like a keylogger that
doesn't need administrative privileges; feel free to explore it. You have the
source if you want to enhance it ;-)
If you contemplate the option of booting to a Linux live CD (with NTFS
support) or simply NTFSDOSPro, you can replace the AV executable with a
cmd.exe, thus starting a command shell as SYSTEM when the AV should start
(trick used with McAfee), steal the SAM and do offline password cracking,
Currently in XP with the Accessibility Tools installed, I replaced
sethc.exe with a copy of cmd.exe, and I can press SHIFT 5 times BEFORE
login to start a shell as SYSTEM; there you can do anything, like starting
compmgmt.msc and adding yourself to the Administrators group, etc.
Avoid future attacks:
To make it short: IMHO, if you can boot to another OS the game is over, so
this is the first thing to avoid.
Verify that your AV can't be deactivated with simple tools like VeoVeo.
Recovery? Well, that's recovery from total SYSTEM compromise ;-)
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
q q <systemcracker () gmail com>
To: security-basics () securityfocus com
Subject: hacking win2kPro out of the box
I've just installed Win2k Pro on an NTFS drive; I'm running ZoneAlarm
and AVG antivirus, and not much else (no service packs, patches,
upgrades or anything else like that).
Does anyone have any information on common attacks for local
privilege escalation, and ways to secure against these?
The sort of thing I'm looking for is a detail of an attack, followed
by the procedure(s) I would use to:
a) recover from it if necessary
b) thwart future attacks of its type.
I basically want to swap roles between hacker and sysadmin so I can
learn more about the best of both worlds.
The box is not connected to the net.
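The sethc.exe-for-cmd.exe swap Miguel describes above leaves a simple trace: a binary that Windows launches as SYSTEM at the logon screen becomes byte-for-byte identical to cmd.exe. The script below is an added example written for this page, not code from the thread or from any of the tools it names. It records a known-good hash baseline of the accessibility binaries while the box is clean (the sysadmin side of the question), then audits the same directory later and reports anything missing, identical to cmd.exe, or changed from the baseline (the recovery side). The thread only mentions sethc.exe; utilman.exe, osk.exe, magnify.exe and narrator.exe are my additions, since they are launched the same way from the logon screen. The demo builds a constructed fake system32 tree with stand-in file contents so it runs offline on any OS; pointed at a real %SystemRoot%\system32 it hashes the real files instead.

```python
"""Audit Windows logon-screen accessibility binaries for the cmd.exe swap.

Added example for the security-basics thread above; not part of the original
post. The demo tree is constructed (fake file contents, not real PE images).
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Union

# Binaries Windows runs as SYSTEM from the logon screen. The thread names only
# sethc.exe; the rest are assumed here because they are launched the same way.
ACCESSIBILITY_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe",
                          "magnify.exe", "narrator.exe"]
SHELL = "cmd.exe"


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(system32: Union[str, Path]) -> Dict[str, str]:
    """Record known-good hashes while the box is clean (store this offline:
    an attacker with SYSTEM can rewrite any baseline kept on the same disk)."""
    system32 = Path(system32)
    return {name: sha256_file(system32 / name)
            for name in ACCESSIBILITY_BINARIES + [SHELL]
            if (system32 / name).is_file()}


def audit(system32: Union[str, Path],
          baseline: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return {binary: verdict} with verdicts 'ok', 'missing',
    'swapped-with-cmd.exe' or 'modified' (hash differs from the baseline)."""
    system32 = Path(system32)
    shell_path = system32 / SHELL
    shell_hash = sha256_file(shell_path) if shell_path.is_file() else None
    verdicts: Dict[str, str] = {}
    for name in ACCESSIBILITY_BINARIES:
        path = system32 / name
        if not path.is_file():
            verdicts[name] = "missing"
            continue
        current = sha256_file(path)
        expected = baseline.get(name) if baseline else None
        if shell_hash is not None and current == shell_hash:
            verdicts[name] = "swapped-with-" + SHELL   # the thread's trick
        elif expected is not None and current != expected:
            verdicts[name] = "modified"                # some other tamper
        else:
            verdicts[name] = "ok"
    return verdicts


def make_demo_system32(root: Union[str, Path]) -> Path:
    """Constructed stand-in for %SystemRoot%\\system32 with distinct fake
    contents per file (assumption for the demo; real files are PE images)."""
    s32 = Path(root) / "system32"
    s32.mkdir(parents=True, exist_ok=True)
    for name in ACCESSIBILITY_BINARIES + [SHELL]:
        (s32 / name).write_bytes(b"MZ fake contents of " + name.encode())
    return s32


def swap_sethc_with_cmd(system32: Union[str, Path]) -> None:
    """The attacker step from the thread, as done from an offline boot."""
    system32 = Path(system32)
    shutil.copyfile(system32 / SHELL, system32 / "sethc.exe")


def demo() -> Dict[str, str]:
    """Baseline a clean tree, tamper with it, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = make_demo_system32(tmp)
        baseline = build_baseline(s32)                    # taken while clean
        swap_sethc_with_cmd(s32)                          # sethc.exe -> cmd.exe
        (s32 / "osk.exe").write_bytes(b"MZ something else")  # unrelated change
        return audit(s32, baseline)


if __name__ == "__main__":
    for binary, verdict in demo().items():
        print(f"{binary:14} {verdict}")
```

The hash comparison catches only a straight copy; a sysadmin doing real recovery would also compare against install media and check file ownership and signatures, and would keep the baseline on read-only media, because the whole premise of the thread is that the attacker already has SYSTEM on the disk being audited.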