Physical Access Attacks
If an attacker is able to gain physical access to a machine, chances are that he'll hack it. In almost every OS or network device, there exists a “physical backdoor” which allows for manual resetting of a device configuration.
"Technologies used for perimeter security involve, for instance, intrusion detection sensors and alarm systems. In the context of cryptographic implementations, “physical attack” is understood as a term which encompasses all attacks based on physical means against cryptographic devices."
First we see Resetting Microsoft Windows
Resetting Microsoft Windows
As discussed before, Windows stores local user passwords in the SAM. The SAM is locked by Windows and can not be accessed, copied or read while Windows is running. However, if we were to boot the same computer with a different OS (say Linux), then the SAM file would no longer be protected. Our newly booted Linux OS would see the SAM file as just another file on the Windows files system. We can then modify the SAM with specialized tools and reset passwords to our liking. Once the Windows machine boots back up, it will have new passwords in its SAM database.
Here we see that the Windows NTFS partition SDA1 is mounted, with read only (ro) permissions. Since we need to change the SAM file, we will require read / write permissions.
BT ~ # umount /mnt/sda1/
BT ~ # modprobe fuse
BT ~ # ntfsmount /dev/sda1 /mnt/sda1/
BT ~ # mount
tmpfs on / type tmpfs (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) usbfs on /proc/bus/usb type usbfs (rw) /dev/sda1 on /mnt/sda1 type fuse (rw,nosuid,nodev,default_permissions,allow_other) BT ~ #
Now we can dump the SAM file using BKHive and SAMdump
BT ~ # bkhive /mnt/sda1/WINNT/system32/config/system system.txt
Bkhive ncuomo@studenti.unina.it
Bootkey: dc155851060590ee807d3c660a437109
BT ~ # samdump2 /mnt/sda1/WINNT/system32/config/sam system.txt >hashes.txt
Samdump2 ncuomo@studenti.unina.it
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
No password for user Guest(501)
BT ~ # cat Phashes.txt Administrator:500:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: Guest:501:aad3b435b51404eeaad3b435b51404ee:::: NetShowServices:1001:4e239a9b2c8fca59049021d2a350c02c:021c54b8e10a4c420839b49a7cd21a66::: IUSR_WIN2KSP4:1003:76af34c719386a457aa40990e59dd60e:1c6560db5a2eb3f2da11bfd04d7c5a91::: IWAM_WIN2KSP4:1004:1cad3d74dee85109bb0b6cba129ef50e:7212a9f44e59a1b73d88fa7d670266db:::
we can modify the SAM using a use full tool such as chntpw:
Second Way is Resetting a password on a Domain Controller
Resetting a password on a Domain Controller
Windows domain controllers do not store their user passwords in the local SAM, but in Active Directory. Active Directory can not be manually edited offline, so a different approach is taken. A Windows domain controller can be booted without Active Directory (Active Directory Restore Mode). This is usually done for Active Directory maintenance or defragmentation. When Active Directory is not loaded, the domain controller will temporarily revert to local username authentication, and will once again use the SAM file present on the machine. A possible attack vector would be to reset/crack the Domain Controller's Local administrator password (By SAM manipulation or dumping) and then load it up in “Active directory restore mode” and log in with the modified / cracked password. Once logged in, a service is installed which executes the “net user” command (with SYSTEM privilages). Once the Domain Controller is rebooted and allowed to load Active Directory, the service adds/modifies the user and allows us to log in with our altered password.
Third is Resetting a Cisco Device
Resetting a Cisco Device
In Linux, a similar technique is used to reset root passwords. The machine is either booted in single mode or booted off a different operating system in order to manually change the /etc/shadow file.
