Crack Windows XP With... Windows 2000 518
An anonymous reader writes "According to this story seen on Brian's Buzz on Windows, access to a Windows 2000 CD is all that is needed to bypass all (well, most) Windows XP security features. An attacker can boot up XP and start the Windows 2000 Recovery Console which allows them to operate as any user, even Administrator, without requiring them to enter a password. This method even allows someone to copy files to removable media, something which normally the Administrator can't even do in the Recovery Console."
So what? (Score:5, Insightful)
You can make a nice Linux boot-floppy or boot-cd to do the same thing.
Re:So what? (Score:2, Insightful)
I don't want to sound like a flamer, but WTF is this doing on /. timothy?
This whole article is a flamebait.
In other news, if you leave your top of the line Mercedes with the most sophisticated anti-burglary system in the world, with keys in the ignition in the middle of the Bronx, it WILL get stolen.
Re:So what? (Score:4, Interesting)
In Linux (also in win) you have many different ways to protect your partitions:
http://koeln.ccc.de/archiv/drt/crypto/linux-disk.html [koeln.ccc.de]
I think that the difference is important; in Linux everybody knows the way to mount partitions and retrieve/change the info inside them. In Windows it's supposed you can't do that.
Re:So what? (Score:5, Insightful)
Crack OS X with OS 9!! (Score:3, Offtopic)
Seriously I don't see how this is any different.
Linux-based SAM registry hack (Score:3, Informative)
1. Put a diskette in your floppy a:
2. Open up rawrite.exe in the command prompt
3. Use the attached
4. Take out boot disk and put it in the computer that you would like to hack.
5. Boot to the disk and follow the instructions. This disk directly edits the registry (which, of course, has the SAM (Security Account Manager)...which handles user and group accounts, and provides user authentication for LSA [techtarget.com].).
Re:So what? (Score:2)
An OS -can- know its phys sec was breached... (Score:3, Informative)
As early as Compaq's Deskpro 4000, there was:
- a software-controlled case-lock &
- a case-opened sensor
The box's firmware could be set up to use the sensed indications that the case had been opened (with or without use of the s-w-cont'd case-lock).
By the way, has anybody got code that can access the case-opened indicator and/or s-w-cont'd lock, e.g. for use in an Open Source OS?
TIA
Re:So what? (Score:5, Insightful)
Re:So what? (Score:5, Insightful)
sh
Re:So what? (Score:4, Informative)
The default local security policy on every XP box I have access to seems to require authentication, but at the same time, more than half of the XP boxes I have access to also have an admin-level account that does NOT have a password on it, at all.
No write to NTFS under Linux? (Score:3, Insightful)
The answer appears to be that there is no write capability to NTFS in Linux: Linux-NTFS Project [sourceforge.net]
Trash (Score:4, Funny)
Silly me.
Not quite (Score:3, Informative)
The Common Criteria Evaluation Assurance Level 4 evaluation given to Windows 2000 only means that Microsoft followed some kind of software engineering methodology when designing and implementing Windows 2000. In fact, the operating system protection profile Microsoft used describes a non-hostile environment (e.g. no viruses, no malicious employees, etc). Jonathan Shapiro said it best in Understanding the Windows EAL4 Evaluation [jhu.edu]:
Definitely one for the sig quote file.
Re:So what? (Score:2)
Re:So what? (Score:5, Insightful)
Physical access means complete access, particularly where the attacker has the ability to interrupt the system's operation (as here, where a reboot is implied). This is why information security necessarily comprises physical security (and let's not even get into social engineering attacks while the system is already running).
Encrypted filesystems are useful for archival storage and transport of data, though. The problem starts, as always, when you want to take them out of the vault in the concrete block at the bottom of the lake and actually use them.
Re:well (Score:3, Insightful)
I have seen NTFS read support in linux, but I have yet to see reliable NTFS write support. --Xtraneous
Re:So what? (Score:4, Interesting)
This wouldn't be a bad idea if we made use of the chattr option to set the encryption bit for files or directories. This could be set as default for the user's home directory and could be toggled off for non-sensitive material.
I see a HOWTO brewing...
Re:So what? (Score:3, Insightful)
Re:So what? (Score:3, Insightful)
Re:So what? (Score:3, Insightful)
Then, on password change, just re-encrypt the key file.
However, there are other more significant technical obstacles with this proposal. I, for example, like my cron jobs to have access to my home directory.
Re:So what? (Score:5, Insightful)
1) You can password protect the bios and set it so it only boots off the designated hard drive.
Meaningless. If someone has physical access to your machine, the BIOS can be reset by connecting a jumper in the box.
2) You can configure both grub and lilo so you can't change the default boot level without a password.
Meaningless. If someone has physical access to your machine, they just connect the hard disk as non-primary in another Linux machine, and mount the drive.
3) The Linux kernel supports efs (encrypted file system) through the loop back device. Choose your favorite method of encryption: triple des, serpent, aes,....
Ah, that's better.
Re:So what? (Score:4, Informative)
Hence there is no difference in this regard between Windows and every other operating system.
And as usual... (Score:3, Insightful)
not losing security (Score:5, Insightful)
so what (Score:5, Insightful)
The first rule of security is removing console access.
Re:so what (Score:2)
Security? (Score:2, Funny)
--SupraX
How does this have anything to do with Security? (Score:5, Insightful)
Non story (Score:2, Insightful)
Re:Non story (Score:2)
Silly Microsoft (Score:5, Interesting)
1. Important computer. Locked down
2. Bad employee, always has to computer for job.
3. Employee "works late" one night
4. Employee brings in Win2K CD
5. Employee hijacks data to floppy unlogged
6. Employee blackmails company or other bad things
I am just amazed that what was secure in 2000 is less secure in XP.
Good ol', silly Microsoft.
Re:Silly Microsoft (Score:2)
You can do this with any system... Even Slashdot's precious Linux.
Re:Silly Microsoft (Score:2)
You won't get any files that way admittedly.
Or if you have time, a DOS boot disk with drive image on and a spare HD.
Re:Silly Microsoft (Score:2, Interesting)
One of the first steps to securing a PC is to change the configuration to only boot to hard disk, thus eliminating this risk.
Re:Silly Microsoft (Score:3, Insightful)
6. Employee finds out that data is all encrypted and is unable to use the data to his/her advantage.
NTFS encryption is available, and much safer means of encrypting your files are also available. Encryption is your only defense against someone who has physical access to your machine.
Windows has numerous security flaws but... (Score:5, Interesting)
Always remember ... (Score:2, Interesting)
For the most part, I think this may have been more of an oversight on the software engineering team not to come up with all of the possibilities that one could try to gain access to the computer. Still, this should not even remotely be a possibility!!
Boot'n'root (Score:2)
Is this something you can't do to a Linux box with boot & root disks? Just mount / and you can do anything you want.
The bottom line is, if you have physical access to the hardware, most OS-level security can be defeated. The only way to secure a machine that isn't under your physical control is by using always-encrypted filesystems. Anyone who writes software that deals with cash or sensitive information has known for decades that you never trust the client device, and you keep the servers in a secure facility, with armed guards if necessary.
Re:Boot'n'root (Score:2)
And... ? (Score:2, Informative)
Not a big deal! (Score:5, Informative)
"Update: Some posters in the discussion thread point out this report may not be valid. One said that booting from a 2K CD did ask them for an administrator password and didn't let them in without it. Unfortunately, I don't have XP installed here to test it out before I posted."
Either way I don't find this to be terribly upsetting because a) root access can be gained in a similar manner with Linux and b) if one is worried about security, they shouldn't be using Windows to begin with.
Re:Not a big deal! (Score:5, Funny)
You do realize, I hope, that the fact that Linux is, and has always been, vulnerable to a boot disk "attack" (just like
Goodbye NTFS encryption? (Score:3, Informative)
If you can just get Administrator access without reinstalling the OS (and killing the old UID tables), then this data suddenly becomes vulnerable!
Not just XP (Score:2, Interesting)
Remember that on most Linux machines, you can boot from a floppy or CD, mount the hard drive, and do whatever you want, including change the root password or replace system binaries with hacked versions. Of course a PC can be locked down (disable booting from floppy/CD in BIOS, set a CMOS password, padlock the case) while a Mac can't (that I'm aware of), but how many people do that?
If you have physical access to the console, all bets are off. Don't underestimate the importance of physical security.
DMCA (Score:5, Funny)
Re:DMCA (Score:5, Funny)
Re:DMCA (Score:3, Funny)
Wannabe slashdot lawyers (Score:5, Informative)
(2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--
`(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
`(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
`(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
umm no.. (Score:5, Informative)
Speaking from experience, the win2k recovery console makes you enter the admin password before it will let you do anything, unless they are using some version of the recovery console other than the one that comes with windows 2000 professional.
RTFA (Score:4, Interesting)
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.
Different Uses (Score:5, Insightful)
All true but, the application of XP was for desktop use -> Server Use. Linux (don't flame) is being primarily used for backend server systems. I don't see many secretaries choosing what boot level to start up in the morning.
XP was supposed to provide a secure desktop environment for a networked organization (Enterprise Offices, Schools, Universities, Etc..)
The fact that I can walk up to any (supposedly) secure desktop (that access isn't always tightly safeguarded) and gain Administrative Access (usually meaning also access to your entire network behind the firewall) is a big deal. Especially since it requires nothing less than the previous version of the software.
Look more carefully at the big picture before spouting off the party line....
Sigh. (Score:5, Insightful)
Re:Sigh. (Score:2)
They teach you that the first day
Re:Sigh. (Score:2)
It does if you allow it by use of root owned ssh keys, or by the R servers. In a similar way, if you root a WinNT machine, you can grab the SAM and convert it to unix passwd type, and JOHN it. If network logins are in there, you've hit a gold mine.
And that stops network access how? (Score:4, Interesting)
Not that most Linux boxes are any better. Most can be breached with a floppy.
Re:Sigh. (Score:5, Insightful)
-1 Overrated (Score:5, Insightful)
By trying to claim that this is somehow a win for Linux, you are simply proving that you are willing to ignore facts when advocating Linux. This makes you just as bad as Microsoft's marketing drones.
Re:-1 Overrated (Score:4, Funny)
Windows is vulnerable when you have console access.
Linux is vulnerable when you have console access.
All vulnerabilities are created equal.
Windows is just as vulnerable as Linux. (or CP/M or DOS)
Actually Linux is effectively less vulnerable since people tend to question why it was rebooted. A freshly rebooted Windows system is considered "normal".
Re:Different Uses (Score:2)
Only some places store important data on workstations:
- Small businesses with peer to peer networks (I guess this would be bad for them)
- High security places where data cannot be shared on a network (These places generally don't believe in electronic security so they take their physical security to a very high level)
- Places where users are either poorly trained or incredibly stubborn (These places have only themselves or the lusers to blame)
Re:Different Uses (Score:5, Funny)
I do, where I work. Some days it's high heels, some days its sandals, generally the boot level gets higher at the end of the week... in fact on Friday they're often wearing those sexy "fuck me" high boots in preparation for going out later.
Knoppix (Score:2, Informative)
Presto!
It even mounts all the FAT/NTFS partitions and puts little icons on the KDE desktop for you. Click, browse and copy!
(Knoppix is a rather full Linux x86 distribution that boots off of a CD and doesn't need any hard drive to work. You get a great KDE desktop and a lot of tools.)
Re:Knoppix (Score:5, Informative)
I booted Knoppix. It saw the NTFS partitions fine. The disks appeared on the Knoppix desktop. I opened an FTP connection to another machine, copied off the important files, and was done.
I will ALWAYS have a copy of Knoppix around.
Umm....k.... (Score:2)
"It's just horrible out here! Who would have guessed that the greatest remote access security measures available today could do nothing to protect the integrity of MasterCard's server from a man with a CD-writer!"
Err... (Score:5, Informative)
- A.P.
Hey look everybody, Linux has a hole too! (Score:5, Insightful)
At the grub prompt:
boot: linux single
duh!
Seriously, how is this news? Nearly every system I've worked with can be compromised with access to the physical box.
*yawn*
Re:Hey look everybody, Linux has a hole too! (Score:3, Informative)
From the GRUB info page:
password --md5 PASSWORD
If this is specified, GRUB disallows any interactive control, until you press the key and enter a correct password. The option `--md5' tells GRUB that `PASSWORD' is in MD5 format. If it is omitted, GRUB assumes the `PASSWORD' is in clear text.
Physical access (Score:5, Informative)
Take these precautions and you can be fairly secure with physical access. Add an encrypted file system so that if someone steals your hard disk you are safe. Then padlock the PC.
Those are reasonable steps for a Linux machine (and I may have missed some, please let me know if I did). Now with a Windows XP machine it looks like you also need to disable cdrom access. An unreasonable step.
But am I misunderstanding this? Does this mean that there is a way for programs to be made to bypass Administrator password? If so why would this be limited to a windows 2000 disk? What's stopping someone from making a program that enters into Recovery Console, removing the need to be physically present or have a windows 2000 CD. Unless you actually have to boot from CD, but the article makes it sound like you can use the CD after the PC boots.
Forget the article - look at the photo! (Score:2)
Oh who am I kidding... no one will go and read the article anyway, and I'm probably the only one reading slashdot old enough to remember "Diff'rent Strokes"
This IS a bigger issue (Score:4, Interesting)
But then I got to thinking about this a little bit more. Microsoft's primary customer is the one that doesn't have a secure data center. Additionally, it's not out of the ordinary to reboot Windows XP computers.
Just think... I run a small business (about 10 people) and I electronically secure my XP server the best I can.
Then the secretary calls and says "oh, I just installed XYZ for you, so I rebooted the server". OK, no big deal.... that happens all the time.
But THEN, instead of simply rebooting, he manages to steal all of my corporate data...
Ouch!
So those who live in the datacenter might see this as a problem that we solve with physical security. But for the regular small XP shop, well, you just can't have physical security without spending $$$.
Of course, in my shop, we reboot on average once or twice a year. So it's a little harder to reboot with the goal of ripping data. Then again, our operators have root access...
Re:This IS a bigger issue (Score:2)
Any system, ANY system, can be hacked with physical access. If you want more protection encrypt the filesystem. That's about the best defense. If I have physical access I can pick up the computer and walk out with it. Then I can spend all the time I want cracking it.
This strange? (Score:3, Informative)
But the thing is probably that micro$oft said this thing would be impossible since winxp is so secure. Whatever.
Ciryon
This is no big deal, all OS' have the same issue (Score:2)
If you have physical access to a Unix system you can get root access using similar bootable media approaches and edit password files to your heart's desire.
If you have physical access you can defeat security.
Sometimes the user needs physical access (Score:2)
Just about any machine is vulnerable (Score:2)
Posted by.... (Score:5, Funny)
from the if-you're-denser-than-dark-matter dept.
An anonymous reader (really timothy) writes "According to this story seen on Slashdot this morning, any moron can get postings onto slashdot. Turns out, access to a fucking keyboard and timothy at the queue is all that is needed to bypass all (well, most) of the story submission process features in slashdot. An idiot can write up completely bland and stupid observations, and Timothy will post them. This method even allows the most moronic story to get posted on a Saturday, something which normally the staff at slashdot reserves for Tuesday."
Never has my sig been more correct:
Physical Access (Score:2)
Quicker Way (Score:2)
Once you've done that you have all the time in the world anyway, but stick it in a machine with the same OS and your root access will get you anywhere.
Another Slashdot/MS Troll (Score:2, Informative)
If you want to prevent something like this from happening, kiddies, just go into the bios and disable booting from floppy or cd-rom. Then, set a really good ol' fashioned password on your bios.
Interestingly enough, not only does this follow computer security best-practices, but will actually help secure non-microsoft products too.
Does anyone read comments? (Score:2, Funny)
Let me summarize the 4 comments on this article:
1) Blah Blah physical access blah blah
2) Grumble grumble linux too grumble grumble
3) Hehe DMCA hah ha hehe he
4) slashdot sucks and its comments are stupid.
NTFS or FAT32? (Score:2)
I wonder if this guy's copy of XP is running on an NTFS file system or a FAT32 file system?
If it's FAT32, then no wonder. A Windows 98 boot disk would be sufficient to access any file on the hard disk! The system recovery console won't ask for an Administrator password because it isn't necessary to access a FAT32 partition.
This guy couldn't possibly be trolling for his little spam^Wnewsletter, could he?
Naaaaaaaaah
Nathan
In other news . . . (Score:2, Funny)
I know for a fact this works with Windows XP, but I presume this vulnerability exists in other OS's.
Knoppix (Score:5, Interesting)
http://www.knopper.net/knoppix/index-en.html
Easy enough fix (Score:4, Insightful)
Working on the file system (Score:2, Insightful)
And this just in. . . (Score:5, Funny)
Ashcroft declares possession is a terrorist computer crime.
KFG
....This is old news (Score:3, Funny)
http://home.eunet.no/~pnordahl/ntpasswd/ (Score:5, Funny)
(o)---P
What about bootable cd-rom or floppy? (Score:3, Interesting)
Oh my -- my Mac too (Score:3, Insightful)
I too just booted my Mac into single user mode and can access EVERYTHING. Oh my!
Give me any Mac and putting it in 'T'ransfer mode
I think I see the problem (Score:3, Interesting)
- Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
- Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
It looks like you may not have to boot off of the CD to get access to the system. If this reading is accurate, then even machines with a CMOS password which have been set to boot only from the HD would be vulnerable.
More importantly, it would indicate that there is a back door to the XP security system. If somebody figures out the basis of such a backdoor, it could make for a very nasty virus/worm.
Hopefully, I'm just misreading the whole thing (quite possible).
Re:I think I see the problem (Score:3, Informative)
Re:I think I see the problem (Score:3, Interesting)
Consider this as an example of Insecurity through obscurity.
Grow Up... PLEASE. (Score:3, Interesting)
How incredibly pathetic do you have to be to poke fun at a Windows exploit involving local access to the machine? Do you somehow think that Linux isn't just as vulnerable? Wasn't it only 2 or 3 months ago that an article was posted here about security ending when a hacker has physical access to a computer?
You Slashdot editors are a sad bunch of zealots. You are doing more harm for Linux advocacy than good. Thank god you're just a bunch of spotty geeks running an unimportant news site - if you took these sort of hypocritical attitudes somewhere which mattered, you'd end up in serious trouble.
Encrypting your SAM key (Score:4, Informative)
No, No, NO!!! (Score:5, Informative)
NO!
You can launch the Recovery Console from CD (or hard drive -- hell, I have it installed on all my machines (winnt32
If you're stupid enough to leave the Administrator password blank on your box, then yes, you can just press Enter at the prompt and you're in -- however copying to a floppy, and access to directories Administrator doesn't have rights to access, are DISABLED by default unless you enable "Recovery Console: Allow floppy copy and access to all drives and all folders" (Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options). Note this doesn't remove the login requirement -- it only adds more access once you've logged into the Recovery Console.
It's a moot point anyway -- even if you have the Welcome Screen enabled (where Administrator doesn't appear unless there are no other accounts defined), you can just hit Ctrl+Alt+Del twice to blow right past the Welcome Screen and pop up the normal GINA logon dialog, where you can log on as Administrator (or whoever), and whatever password (or blank, if you don't specify one during installation -- thank God Windows Server 2003 warns against an insecure Administrator password during Setup).
...
Okay, I've somewhat calmed down now.
Even though I'll bet 75% of posts to Slashdot are made from Windows machines, I find it unbelievable that trash like this makes the front page, let alone goes unrefuted for this long.
Sheesh...
*sigh*
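One way to verify on a box you administer that the Recovery Console policies named in the post above are still at their defaults, as an added PowerShell audit script that is not from the thread. It assumes the registry values Microsoft documents behind those Local Security Policy entries (listed in the comments) and needs an elevated shell for the repair function.

```powershell
# Added audit script (not from the thread): reads the registry values behind the
# Local Security Policy entries the post above names and reports any that would
# widen what a Recovery Console session may do.
# Assumptions (the documented storage for these policies on 2000/XP/2003):
#   ...\Setup\RecoveryConsole\SecurityLevel  1 = "Recovery Console: Allow automatic administrative logon"
#   ...\Setup\RecoveryConsole\SetCommand     1 = "Recovery Console: Allow floppy copy and access to all drives and all folders"
#   ...\Control\Lsa\LimitBlankPasswordUse    1 = "Accounts: Limit local account use of blank passwords to console logon only"

$RecoveryConsoleKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
$LsaKey             = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-DwordOrDefault {
    # A missing value means Windows applies the policy's default, so report that.
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-RecoveryConsolePolicy {
    [pscustomobject]@{
        AutoAdminLogon        = Get-DwordOrDefault $RecoveryConsoleKey 'SecurityLevel' 0
        FloppyCopyAllDrives   = Get-DwordOrDefault $RecoveryConsoleKey 'SetCommand'    0
        LimitBlankPasswordUse = Get-DwordOrDefault $LsaKey 'LimitBlankPasswordUse' 1
    }
}

function Test-RecoveryConsolePolicy {
    # Returns one finding string per setting that departs from the secure default.
    param([Parameter(Mandatory = $true)]$Policy)
    $findings = @()
    if ($Policy.AutoAdminLogon -eq 1) {
        $findings += 'SecurityLevel=1: the Recovery Console logs on as Administrator without asking for the password.'
    }
    if ($Policy.FloppyCopyAllDrives -eq 1) {
        $findings += 'SetCommand=1: SET AllowRemovableMedia/AllowAllPaths is permitted, so a console session can copy files to floppy and leave the system folders.'
    }
    if ($Policy.LimitBlankPasswordUse -ne 1) {
        $findings += 'LimitBlankPasswordUse=0: accounts with blank passwords may also log on over the network, not only at the console.'
    }
    return ,$findings
}

function Repair-RecoveryConsolePolicy {
    # Restores the defaults; requires an elevated shell. Takes effect the next
    # time the Recovery Console is started.
    if (-not (Test-Path $RecoveryConsoleKey)) { New-Item -Path $RecoveryConsoleKey -Force | Out-Null }
    Set-ItemProperty -Path $RecoveryConsoleKey -Name 'SecurityLevel' -Value 0 -Type DWord
    Set-ItemProperty -Path $RecoveryConsoleKey -Name 'SetCommand'    -Value 0 -Type DWord
    Set-ItemProperty -Path $LsaKey -Name 'LimitBlankPasswordUse' -Value 1 -Type DWord
}

$findings = Test-RecoveryConsolePolicy (Get-RecoveryConsolePolicy)
if ($findings.Count -eq 0) {
    Write-Output 'Recovery Console policy is at the secure defaults.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    Write-Output 'Run Repair-RecoveryConsolePolicy from an elevated shell to restore the defaults.'
}
```

None of this protects a machine that boots from removable media in the first place; it only confirms that the console itself still demands the Administrator password and stays confined to the system folders.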
Old News (Score:3, Informative)
Another way to 0wn a Windows box (Score:3, Informative)
I suppose the moral is to remove all floppy and CD drives from your corporate PCs. Disabling floppy boot in the BIOS will keep the haX0rs out for about 20 seconds, as this is how long it takes to flip open the case and short out JP1 to reset the BIOS password. If they have to bring their own floppy drive it slows them down a bit more, plus it's rather obvious.
Let's trot out this old pony... (Score:5, Funny)
Re:Shouldn't be possible in XP (Score:3, Insightful)
Ditto any linux I've used for that matter.