Obtaining The Administrative Account

Thursday, February 11, 2010 by BBTUNA
So you want administrative privileges on that Windows box, do ya? Well, sit back, grab a cup of coffee or your
favorite beverage, and read on.

This tutorial explains the different methods of obtaining administrative privileges: cracking the administrator's
password hash, injecting your own password hash into the administrator's account, and exploiting Windows so that
the user account you are already using ends up with administrative privileges.


Cracking The Hash:

This is my favorite way of obtaining administrator on a Windows box, mostly because it lets me learn what the
administrator's password actually is, and that password is often used in more than one place and for more than one purpose.

The Administrator's hash is stored in the %windir%\system32\config\SAM file. SAM stands for Security Accounts Manager.
This file stores the hashes for all local user accounts on the Windows machine, so you can crack not only the
administrator's hash but any user's (which is handy when you want to know someone's actual password).

The safest way to crack the administrator's hash from a SAM file is to grab a copy of the SAM file and crack it
somewhere else, such as at home. That way you won't be caught cracking it on the spot, and if you need to leave
a box running a brute-force attempt for a while, you can do so without anyone tampering with it. I prefer to
e-mail the file to myself, but a USB drive works too.

There are plenty of programs that will dump the accounts and hashes from the SAM file. I use Cain and Abel on my Windows box.
The infamous John The Ripper will also dump and crack these hashes for you. You can either spend your time brute-forcing the
hashes, run a dictionary attack against them, or first check whether an online site already has the hashes cracked
and stored, such as:

http://securitystats.com/

If it isn't cracked there and it means that much to you, let the brute-forcer run against the hashes for a couple of days.

For wordlists I strongly recommend:

argon24MB.zip. To find it, just search Google for:

intitle:“index of /” “argon24MB.zip”

There is also a version 2 of The Argon, which is a 2GB wordlist file.
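A defender-side counterpart to the above, added here and not part of the original post: a small audit over a pwdump-style hash dump (the `user:rid:lm:nt:::` format that Cain and Abel and John work with) that flags exactly the conditions the lookup-site approach depends on. The sample dump lines and the "compromised" list are constructed for this example; `EMPTY_LM` and `EMPTY_NT` are the well-known empty-password constants.

```python
"""Defender-side audit of a pwdump-style hash dump (user:rid:lm:nt:::), flagging
an LM hash present (case-folded 7-char DES halves, trivially looked up), an
empty password, and an NT hash that appears on a known-compromised list."""

# Well-known constants: the LM field when no LM hash is stored, and the NT
# hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump; every hash value other than the two constants is made up.
SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1003:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
this line is not a hash entry and must be skipped
"""

# Constructed stand-in for a breach-derived list of compromised NT hashes.
COMPROMISED_NT = {"ffeeddccbbaa99887766554433221100"}

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def audit(text, compromised=COMPROMISED_NT):
    """Map each weak account name to its list of issues (clean accounts omitted)."""
    findings = {}
    for user, rid, lm, nt in parse_pwdump(text):
        issues = []
        if lm != EMPTY_LM:
            issues.append("LM hash stored")  # fix: disable LM storage or use 15+ chars
        if nt == EMPTY_NT:
            issues.append("empty password")
        if nt in compromised:
            issues.append("NT hash on compromised list")
        if issues and rid == 500:
            issues.append("built-in Administrator affected")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(issues)}")
```

Pointing `audit()` at a real dump of your own machines tells you which accounts a lookup site or rainbow table would break instantly, before anyone else finds out.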


Injecting Your Own Hash:

This method is very risky, as it changes the administrator's password, and they will realize something is going on
as soon as their password stops working. It requires booting the machine from a CD, USB drive, or floppy disk.
That might mean changing the BIOS boot order, which shouldn't be a problem. If there is a password on the BIOS,
take the CMOS battery off the motherboard for a good minute and a half or so, put it back, and the BIOS password
will be gone.

The program that we will use to inject our own password into the SAM file is called “chntpw” and can be found at:

http://freshmeat.net/projects/chntpw/

Two live-boot CDs that I know for a fact include this utility are:

Knoppix-STD (http://www.knoppix-std.org/download.html)
Auditor (http://www.remote-exploit.org/index.php/Auditor_mirrors)

Just stick either one of these CDs into the machine and you'll be greeted by a nice GUI. From there you can run chntpw
and follow the prompts to set the password of your choice on the local user account of your choice.

Also, you can use this Emergency BootCD to reset the password of any local user account:

http://ebcd.pcministry.com/

Be very careful when using this method.


Exploiting Windows:

By exploiting Windows I simply mean finding an exploit to use against Windows that either drops you to an
administrative (or SYSTEM) command prompt or creates a new administrative account for you.

I did a video tutorial on the jpeg buffer overflow exploit, so if you watch that, it should give you an idea of what
I am talking about.

Sites you can check for exploits:

www.milw0rm.com
www.packetstormsecurity.org
www.securiteam.com

These sites let you search for exploits that will help you on your way to administrative privileges. If there isn't
an exploit that works right off the bat, sit and wait for one to come out, as they do quite often. I suggest learning
how to compile source code, since these exploits are usually distributed as source that you have to compile before
you can run them.