Exploit process

1. Create a bootable floppy disk. A bootable floppy disk can be created from "Windows Explorer" or "My Computer", where an MS-DOS startup disk can be made. After the bootable floppy disk is created, the following files can be safely deleted to free space for later use:
   - display.sys
   - ega2.cpi
   - ega3.cpi
   - ega.cpi
   - keyb.com
   - keyboard.sys
   - keybrd2.sys
   - keybrd3.sys
   - keybrd4.sys
   - mode.com

2. Copy an NTFS file system recognition program onto the bootable floppy disk. One example is Sysinternals' NTFSDOS v3.02r+. The file ntfsdos.exe is only 52 KB and easily fits on one disk.

3. Copy a compression program onto the bootable floppy disk. There are a few compression programs on the market, but the one I use is RAR version 3.30 for DOS. After extracting all the files from the distribution file, only two files are required:
   - emx.exe
   - rar32.exe

4. Boot the target machine using the bootable floppy disk. If the target machine is set up to boot from the floppy disk drive, this step is just a matter of putting the disk into the drive, rebooting the system, and having a sip of your favourite drink while the boot-up process is under way. Otherwise, you will need to go into the CMOS setup to change the boot sequence. If the CMOS is password protected, a CMOS password cracker or physically resetting it might be required, but cracking CMOS passwords is outside the scope of this document.

5. Load the NTFS file system recognition program. If Sysinternals' NTFSDOS has been put on the floppy disk, all you need to type at the DOS prompt is: ntfsdos

6. Compress and copy the SYSTEM and SAM files onto the bootable floppy disk. If RAR is used, all you need to do is type the following two commands:
   - rar32 a -m5 -v system.rar <location of SYSTEM file>\system
   - rar32 a -m5 -v sam.rar <location of SAM file>\sam
   The SYSTEM and SAM files are in the same location, which is: d:\windows\system32\config

7. Extract the SYSTEM and SAM files from the bootable floppy disk. After the SYSTEM and SAM files are compressed and stored on the floppy disk, they can be extracted from the disk with the following RAR commands:
   - rar32 e system.rar
   - rar32 e sam.rar

8. Remove the SYSKEY protection from the SYSTEM and SAM files. This step may not be necessary, since I've heard that some password crackers (used in step 9) can crack passwords that are SYSKEY protected, but it will take longer. To minimise the time used, two tools can be used to remove the SYSKEY before cracking the passwords in step 9: bkhive and samdump2. The following two commands do so (the second argument to bkhive is the output key file):
   - bkhive system systemkey
   - samdump2 sam systemkey > hashfile
   The output file hashfile will contain the LM hashes.

9. Crack the passwords in the LM hash file. There are quite a few password crackers that can crack LM hash files; the one I used is John the Ripper. The command to start cracking the hash file is: john hashfile
   After the cracking process finishes, the result can also be displayed with the command: john --show hashfile
   The result is:
   administrator:xxxxxxx:500:??? ??????????????? ??????????????? :::
   2 passwords cracked, 0 left

Time taken for the cracking process:
   - Steps 1 to 3: 3 minutes
   - Steps 4 to 6: 3 minutes 30 seconds
   - Steps 7 to 9: 124 minutes 4 seconds (for an 8-letter password)
   - Total: 130 minutes 34 seconds

Implication

As one can see, the Administrator account with an 8-letter password can easily be cracked within 131 minutes. With the Administrator account compromised, further exploits can easily be carried out. One example is that a malicious attacker can install key loggers to capture the passwords of all other users, which in turn leads to the abuse of those user accounts.

Recommendations

1. Disable the floppy disk drive and CD-ROM drive as the first bootable drive, and protect the CMOS with a password. This step provides only minimal protection, since it is very easy to bypass or break a CMOS password.

2. Use strong passwords. This means a password length of at least eight characters, including lower and upper case letters, numbers, symbols (e.g. _, *, ^, $, etc.) and possibly also Unicode characters. M$ further suggests using a password of at least 15 characters, but to be honest, not many of us would use such long passwords without forgetting them.

3. Disable LM hash storage for passwords. Run "Local Security Settings" in "Administrative Tools". Locate the "Security Options" folder in the "Local Policies" folder, then change the entry "Network security: Do not store LAN Manager hash value on next password change" to "Enabled". Then change the password for the local Administrator account.
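The policy in recommendation 3 only takes effect for passwords changed after it is enabled, so an administrator verifying the fix needs to know which accounts still carry an LM hash. As an added example (not part of the original document), this Python script audits a pwdump-format hash file, the layout produced by samdump2 in step 8, and reports each account's status; the empty-LM and empty-NT constants are the well-known fixed values, and the sample lines are constructed, not a real dump.

```python
"""Audit a pwdump-style hash file for accounts that still store an LM hash.

Each line has the form  user:rid:lmhash:nthash:::  (the samdump2 layout).
When no LM hash is stored, the LM field holds the fixed 'empty LM' value
below; any other LM value means that account has not had its password
changed since the policy was enabled and is still exposed to LM cracking.
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password


def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) for a well-formed line, or None otherwise."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
        return None
    return user, int(rid), lm, nt


def audit_hashfile(text):
    """Map each account to 'lm_stored', 'nt_only' or 'empty_password'."""
    findings = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:  # skip malformed lines instead of failing
            continue
        user, _rid, lm, nt = rec
        if lm == EMPTY_LM and nt == EMPTY_NT:
            findings[user] = "empty_password"   # blank password: worst case
        elif lm != EMPTY_LM:
            findings[user] = "lm_stored"        # policy not yet applied here
        else:
            findings[user] = "nt_only"          # LM hash absent, as intended
    return findings


# Constructed sample hash file; the hex values are illustrative only.
SAMPLE = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this line is not a hash record
"""

if __name__ == "__main__":
    for user, status in audit_hashfile(SAMPLE).items():
        print(f"{user:15s} {status}")
```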