Hacking

Hacking is a wonderful practice only when you stay on the safe side...

DIY: Ripping off Windows XP using Backtrack Linux in 10 mins

It takes only an inch of your pocket to carry a pen drive :-) In this post, we'll see how the BackTrack distro loaded onto a pen drive or a Live CD can wreak havoc on a Windows machine in just 10 minutes.

The BackTrack Live CD is a golden resource for bypassing a preloaded Windows XP: it gives the attacker access to your native partitions without ever involving the installed OS.

To perform the experiment below you need:

1. The BackTrack ISO. Download here

2. Some ISO burning program. Download Magic ISO here

3. A little common sense :-)

The aim of this article is to dispel the myth about Windows XP security. Merely having a password-protected operating system loaded on your system doesn't guarantee privacy.

Minute 1

Your computer is open to physical access, and for some unethical reason the attacker finds the machine worth attacking.

* The attacker inserts a bootable BackTrack Linux USB pen drive or Live CD into the machine. If the default first boot device is the HDD, he goes into the BIOS and changes it to USB / CD.

Minute 5

After setting the first boot device to USB / CD, he inserts his BackTrack Live CD and boots into the BackTrack GUI.

The process above tells the machine to skip the operating system loaded on the hard disk (in this case MS Windows XP) and boot BackTrack instead.

Minute 7

Black Hat Action One

Dump the SAM file

A Windows XP machine stores user passwords (as hashes) in the SAM file, kept locally in the X:\WINDOWS\System32\config directory alongside the system hive. While Windows XP is running, the file is locked so it cannot be copied or viewed.

However, booting the system from a Live CD makes these files fully accessible to the attacker, and the hashes can then be cracked with the proper tools :-)

# cd /mnt/hda1/WINDOWS/System32/config
# cp SAM /temp
# cp system /temp
# cd /temp
# bkhive system key
# samdump2 SAM key > /temp/passwords.txt

Black Hat Action Two

Kill that SAM

Owing to cryptographic limitations, a black hat might not be able to crack the password (if it is long enough). In that case he might want to remove or disable it instead!

In most cases, as far as I've tried, http://home.eunet.no/pnordahl/ntpasswd/ works great. A cracker just has to burn that .ISO image onto a blank CD and boot the system from it.

By navigating through the text menus and following the on-screen instructions, it is trivial to reset a chosen user's password or promote an existing user to Administrator privileges.

In the image above you can see the password reset option, which resets the WinXP password to blank.

The next screenshot shows that the password has been reset to blank.

Before resetting anything, the malicious hacker backs up the original SAM and system files (here to the drive mounted at /mnt/sda1) so that, after using the machine as an administrator, he can restore them and clean up the evidence.

# cd /mnt/hda1/WINDOWS/System32/config
# cp SAM /mnt/sda1/
# cp system /mnt/sda1/

Cleaning up the tracks to evade detection

Cracking something might be easy, and so is getting caught.

Usually, a clever black hat takes a backup of the original SAM file so that he can restore it after the attack is finished. Installing a backdoor might be easy, but chances are that the authorized administrator of the compromised system will detect it, in which case it will obviously be closed quickly. Popular techniques for keeping a backdoor alive include using an already open port. Also, a well-configured Windows XP keeps logs of users when they access the system and run programs. There are built-in programs in BackTrack that assist in log file modification.

WHITE HAT TIP: How to prevent this happening to you…

* Keep your hard drives encrypted. Who knows what the attacker might do with your sensitive and personal data.

* Disallow physical access to the system. The cardinal rule that physical access equals total access exists for a reason.

* Set a BIOS password and set the HDD as the first boot device. This will prevent a cracker from booting your system with a Live CD or USB disk. It raises the bar rather than closing the door, which is why encryption is the first item on this list.

* Use strong passwords. This should mitigate the risk of having the password cracked by dictionary attacks, and it will make brute-force attacks infeasible. Note that a strong password only defends against the first black hat action above; it does nothing against the password reset in the second, which only encryption or boot protection can stop.
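One defensive check that follows from the tips above, added here as an example and not code from the original post: the attack in this article happens while Windows is powered off, so any hive in System32\config whose modification time falls inside a window when the machine was shut down is suspicious. The script reconstructs those windows from constructed shutdown/startup log lines (the line format, timestamps and file times are made up for this example) and flags hives modified inside them.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample input: one line per power event on the host, oldest first.
# The format and the timestamps are made up for this example.
SAMPLE_LOG = """\
2009-03-02 18:04:11 SHUTDOWN
2009-03-03 08:15:40 STARTUP
2009-03-03 17:55:02 SHUTDOWN
2009-03-04 09:01:10 STARTUP
"""

# Constructed modification times for the hive files the post names.
SAMPLE_MTIMES = {
    "SAM": "2009-03-03 02:12:30",       # written while the host was off: suspicious
    "system": "2009-03-03 08:16:00",    # written right after boot: normal
    "SECURITY": "2009-03-02 17:00:00",  # written while the host was up: normal
}

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def offline_windows(log: str) -> List[Tuple[datetime, datetime]]:
    """Pair each SHUTDOWN with the next STARTUP to get the intervals when the host was off."""
    windows = []
    down = None
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, event = line.split()
        ts = parse_ts(f"{date} {time}")
        if event == "SHUTDOWN":
            down = ts
        elif event == "STARTUP" and down is not None:
            windows.append((down, ts))
            down = None
    if down is not None:  # log ends with the host still off: window is open-ended
        windows.append((down, datetime.max))
    return windows

def flag_offline_mtimes(log: str, mtimes: Dict[str, str]) -> List[str]:
    """Return the names of files whose mtime falls inside a power-off window.
    A hive copied back with plain cp from a live CD gets a fresh mtime stamped
    during that window, which is exactly what this catches."""
    windows = offline_windows(log)
    return [name for name, m in mtimes.items()
            if any(start < parse_ts(m) < end for start, end in windows)]

if __name__ == "__main__":
    print(flag_offline_mtimes(SAMPLE_LOG, SAMPLE_MTIMES))  # ['SAM']
```

As the post itself notes, the on-box logs may be edited, so run this against a copy of the power events kept off the machine.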

Hail Open Source

If you like the above post, great :-) Please share.
