Lab E2: bypassing authentication and resetting passwords


TTM4175, September 7, 2015

The purpose of this lab is to learn about techniques for bypassing the authentication and access control of Windows and Linux machines. The imagined scenario is that you have come across a Windows 7 machine whose contents you would like to obtain. Unfortunately, the computer is password protected and you do not know the password. Your task will be to bypass the authentication mechanisms of Windows in order to get access to the machine. In addition, you will learn how to bypass the authentication mechanisms in Linux as well, demonstrating that bypassing authentication is not only possible on Windows machines.

1 Bypassing the Windows log in

Start the Windows 7 machine in VirtualBox and verify that you cannot access the Lab2 user account without having the password. Shut down the machine again.

1.1 Dual-booting

Typically, a computer only has one operating system installed. However, it is fully possible to have multiple operating systems installed on the same machine simultaneously using a technique called dual-booting. In a dual-booting system, two or more operating systems are installed side by side on the same physical hard disk, with each OS assigned its own logical partition on the disk. Alternatively, if the computer has multiple physical hard drives attached to it, each operating system can be installed on its own separate disk.

During start-up the computer has to decide which operating system to run. If there are multiple IO devices attached to the computer, e.g. CD-ROM, hard drive, USB, etc., then the computer first has to select which device it should load the operating system from. This is handled by the very first program that runs on your computer, called the BIOS. The BIOS will look at each IO device in turn (the order is configurable) and search for a small program called the boot loader, which is responsible for locating (and running) the actual operating system stored on the device. You have already seen the boot loader of the Kali Linux machine when you did Lab E1 (see Figure 1b), and you can simulate the BIOS in VirtualBox by pressing F12 immediately after you start up a virtual machine (Figure 1a).

Figure 1: BIOS and bootloader of the Kali Linux virtual machine. (a) The VirtualBox BIOS. (b) The Kali Linux bootloader (GRUB).

We will use VirtualBox to simulate that we are running a dual-boot system with Windows 7 and Kali Linux installed on their own separate hard disks, but attached to the same machine. We do this by attaching the virtual hard disk containing Windows 7 (i.e., the file Windows 7-disk1.vmdk) to the Kali Linux virtual machine you created in Lab E1.

1.2 Attaching the Windows 7 disk to the Kali machine in VirtualBox

In VirtualBox, with the Kali Linux VM selected, click on Settings, then Storage. Next to the label Controller: SATA, click on the icon that reads Add Hard Disk (see Figure 2a).

Figure 2: Attaching another disk to your Kali Linux virtual machine. (a) Selecting disk. (b) Windows 7 disk attached.

Select the option Choose existing disk and find the file that stores the virtual hard drive of your Windows 7 machine, i.e., the file called Windows 7-disk1.vmdk located in the folder /courses/ttm4175/windows 7/. Add it to the Kali machine and click OK. Your settings should now look similar to those in Figure 2b. It is important that the Windows 7 virtual machine is turned off while doing this.

You have now created a dual-boot system with both Kali Linux and Windows 7 installed on it. However, the bootloader will not have picked up that you have attached a new disk to the computer, so when you start up your (Kali Linux) machine it will still show the boot selection screen of Figure 1b. To fix this, once you are logged into your Kali Linux machine, open up a terminal and type the following:

    # update-grub

This will update the (GRUB) bootloader so that it also includes the Windows 7 disk in the selection screen. If you now reboot your Kali Linux machine (simply type reboot in your terminal), you should see that Windows 7 has been added to the bootloader screen (Figure 3). This makes it possible to boot (i.e. load) Windows 7 as your operating system on the Kali Linux machine (try it out!). Unfortunately, it will not help you in bypassing the login screen.

Figure 3: The hard drive containing Windows 7 has been added to the Kali Linux machine's bootloader.

1.3 Mounting the Windows 7 partition within Kali

You are now ready to begin bypassing the Windows authentication from within Kali. If you loaded the Windows 7 operating system in the previous section, turn it off and log in to the Kali Linux operating system instead. Once inside, start up a terminal and verify that the Windows 7 disk is successfully detected as a device from within Kali by using the utility program fdisk, which lists information about all the disks and partitions attached to your machine:

    # fdisk -l

The output should look similar to that of Figure 4, where Kali has assigned the Windows partition to the device label sdb2.

Figure 4: Locating the Windows device.

Important! The device labels (sda, sdb, sdc, etc.) that Kali assigns to a disk can differ from system to system. The Windows drive might be assigned a different label on your machine! Therefore, it is important that you identify the correct device label on your own system. By looking at a combination of the file system ("System" in Figure 4), disk size, and the number of partitions on the disk, one can usually recognize the correct label quite easily.

Before you can access the contents of the Windows disk you need to mount its file system inside Kali. Typically, plug-and-play peripherals (like USB sticks, flash drives, etc.) are mounted within the folder /media, whereas hard drives are mounted under /mnt (1). Make a folder called /windows under /mnt and mount the Windows 7 partition in it with the mount command:

    # mkdir /mnt/windows              % create folder to mount the Windows file system
    # mount /dev/sdb2 /mnt/windows    % this will incorporate the Windows file system under the /mnt/windows folder in Kali
    # ls /mnt/windows

The Windows 7 partition is now fully incorporated as a file system within Kali, and you are free to view, edit, move or delete all its files as if they were regular files in Kali. Can you locate user Lab2's home folder? Based on this user's documents, what do you guess this user's favorite TV show is?

(1) This is just a convention. You are free to mount the file system wherever you want.

Exploring the partitions on a machine

While having the Windows 7 disk attached to the Kali Linux machine in a dual-boot setup, it can be interesting to inspect the different partitions that make up the computer. A very useful program for viewing, creating, modifying and removing partitions on a machine is called GParted. Start it by running:

    # gparted &    % the & starts gparted as a process detached from the terminal

In its main window it will show you the partitions of the devices attached to your machine. For example, Figure 5 shows that there are two (virtual) disks attached to the Kali Linux machine, assigned the labels /dev/sda (Figure 5a) and /dev/sdb (Figure 5b), respectively. Which one contains the Kali Linux partition and which one contains Windows 7? See Question 1.

Figure 5: Exploring the partitions of the Kali Linux machine using GParted. (a) /dev/sda. (b) /dev/sdb.

When Kali is running it is trivial to browse the individual file systems of the partitions attached to it. Go to Places > XX GB Filesystem and this will show you all the files of the Windows drive just as if you were browsing it from within Windows 7. Can you find user Lab1's home folder? Create a file on its desktop, then reboot your Kali Linux machine into Windows 7 to see if it shows up in Windows 7 too (recall that user Lab1 has not set a password on its account).

1.4 Changing the user password

While having access to the Windows files from within Kali is nice, our next goal is to be able to run Windows 7 normally. To accomplish this we will need to bypass the Windows log in screen. Since we do not know the user's password we will simply have to change it! By modifying some crucial system files in Windows from within Kali, we can give ourselves access to a command line prompt with administrator access the next time we boot up Windows 7. So that is what we are going to do next.

Make sure that the Windows 7 virtual machine is turned off before continuing! On your Kali Linux machine, with the Windows disk mounted as described in the previous section, change into the System32 directory of the Windows file system from within Kali:

    # cd /mnt/windows/windows/system32

This folder contains many of the most important system files for the Windows operating system. In particular, it contains the system file cmd.exe, which controls the terminal in Windows, and also the on-screen-keyboard program osk.exe, which allows you to type characters into Windows without having a keyboard. The interesting thing about the on-screen-keyboard utility is that it can be run before you have logged in (Figure 6). Even more interesting is that programs executed before having logged in are run with administrator privileges!

Figure 6: The on-screen-keyboard utility available before having logged in.

So what would happen if we were to swap out the osk.exe binary (the on-screen keyboard) with the cmd.exe binary (the terminal)? Let's find out. Start by moving the real osk.exe executable to a backup file:

    # mv osk.exe osk.exe.backup    % rename the file osk.exe to osk.exe.backup

Now copy cmd.exe to osk.exe so that enabling the on-screen keyboard will actually give us a command prompt instead:

    # cp cmd.exe osk.exe    % overwrite the osk.exe binary with the cmd.exe binary

Now restart your machine and select Windows 7 in the boot menu (Figure 3). Choose to log in as user Lab2. Verify that you cannot log in without the password. Now enable the on-screen keyboard by clicking the little symbol in the bottom left corner. What happens? Hopefully you got what is shown in Figure 7.
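The defender's counterpart to the swap above, added here as an example and not code from the lab: an offline integrity check, run against a Windows volume mounted as in Section 1.3, that reports whether osk.exe is byte-identical to cmd.exe and whether the osk.exe.backup file the procedure leaves behind is still present. The command-line argument, the function names and the placeholder files written by build_sample_system32() are assumptions made for this example.

```python
"""Offline integrity check for the osk.exe / cmd.exe swap (added example).

Given the System32 directory of a Windows volume mounted inside Kali, report whether
osk.exe is byte-identical to cmd.exe and whether the backup file left behind by the
swap (osk.exe.backup) is still present. The mount path, function names and the
placeholder files written by build_sample_system32() are assumptions made for this
example; they are not real Windows binaries.
"""
import hashlib
import os
import sys
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_file(directory, name):
    """Case-insensitive lookup: the same NTFS file may appear as osk.exe or OSK.EXE."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def check_osk_swap(system32):
    """Return findings for one System32 directory.

    swapped        - osk.exe and cmd.exe have the same SHA-256 (the lab's swap)
    backup_present - osk.exe.backup exists (artifact the procedure leaves behind)
    hashes         - the digests that were computed, for the written report
    """
    findings = {"swapped": False, "backup_present": False, "hashes": {}}
    osk = find_file(system32, "osk.exe")
    cmd = find_file(system32, "cmd.exe")
    if osk and cmd:
        findings["hashes"]["osk.exe"] = sha256_of(osk)
        findings["hashes"]["cmd.exe"] = sha256_of(cmd)
        findings["swapped"] = findings["hashes"]["osk.exe"] == findings["hashes"]["cmd.exe"]
    findings["backup_present"] = find_file(system32, "osk.exe.backup") is not None
    return findings


def build_sample_system32(swapped):
    """Construct a throwaway directory with placeholder files standing in for the binaries."""
    directory = tempfile.mkdtemp(prefix="system32_")
    cmd_bytes = b"MZ placeholder for cmd.exe (constructed)"
    osk_bytes = b"MZ placeholder for osk.exe (constructed)"
    with open(os.path.join(directory, "cmd.exe"), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(directory, "osk.exe"), "wb") as f:
        f.write(cmd_bytes if swapped else osk_bytes)  # the swap copies cmd.exe over osk.exe
    if swapped:
        with open(os.path.join(directory, "osk.exe.backup"), "wb") as f:
            f.write(osk_bytes)  # the renamed original
    return directory


if __name__ == "__main__":
    # With no argument, run against a clean and a swapped constructed sample.
    targets = sys.argv[1:] or [build_sample_system32(False), build_sample_system32(True)]
    for path in targets:
        print(path, "->", check_osk_swap(path))
```

Pass the System32 directory of a mounted volume as the first argument (for example /mnt/windows/windows/system32); a matching pair of digests is the signal to compare against a known-good osk.exe before trusting the login screen.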

Figure 7: The on-screen keyboard tricked into giving us a command line prompt with administrator access!

In the command prompt type:

    C:\Windows\system32> whoami

The whoami command shows you the username and user privileges that the currently logged in user has. In particular, Figure 7 shows that you are logged in as the system user, which has full administrator privileges. This means that you can now do whatever you like on the system. For example, you can start explorer.exe to get access to the taskbar even when you are not logged in:

    C:\Windows\system32> explorer.exe

Ultimately, however, we want to get normal access to the system, i.e. not by mounting it within Kali. The good news is that with your current administrator rights this is easy! Your task is now to change the password of user Lab2 to a password of your choosing, allowing you to log in as normal. Hint: There is a command line utility for Windows called net user which could potentially be useful. To get more information on how to use this command, type net user /? in the command line window or look it up online.

After you have successfully logged in as user Lab2, answer the following: what were the last web sites the user visited?

Note: Before you continue to the next section you should revert the change you made to osk.exe. That is, delete the current osk.exe file and rename the backup file osk.exe.backup to osk.exe again. However, since Lab2 does not have administrator rights it cannot rename the file, hence it has to be done from within Kali Linux. Reboot the machine; select Kali Linux in the bootloader menu; mount the Windows 7 disk as you did previously; then revert the changes:

    # mount /dev/sdb2 /mnt/windows
    # rm /mnt/windows/windows/system32/osk.exe
    # mv /mnt/windows/windows/system32/osk.exe.backup /mnt/windows/windows/system32/osk.exe

2 Clearing the user password in Windows

As an alternative to swapping out system files in order to change the user's password, one can also simply clear it. Your next task is to do exactly that.

2.1 Updating chntpw

Windows 7 passwords are stored hashed in the Security Accounts Manager (SAM) database, located in the /Windows/System32/config folder. The SAM file belongs to a special class of Windows files called registry files, which make up what is known as the Windows Registry. The Windows Registry is used by the Windows operating system as a central place to store important configuration settings and options. We will manipulate the SAM registry file in order to clear the hashed password of user Lab2. As before, make sure that Windows 7 is mounted within Kali, then go to the folder containing the SAM file:

    # mount /dev/sdb2 /mnt/windows
    # cd /mnt/windows/windows/system32/config
    # ls

The SAM file is stored in a binary format, which means that it cannot simply be read by a text editor but requires a program that understands its format. In order to clear the user's password from the SAM file, we will be using a program called chntpw (2). Unfortunately, the version of chntpw that ships with Kali (0.99.6) does not actually work. Thus, we need to replace it with a newer version. First make sure that your Kali Linux machine has Internet access by setting the network setting to NAT (3) (Settings > Network > Attached to: NAT). Then issue the following commands to first remove the old version, then download and install the new one:

    # apt-get remove chntpw
    # wget https://launchpad.net/ubuntu/+archive/primary/+files/chntpw_1.0-1_i386.deb
    # dpkg -i chntpw_1.0-1_i386.deb    % install the new version
    # rm chntpw_1.0-1_i386.deb         % remove the installation file

(2) If you want to run this program on your own, e.g. from a bootable USB, you can get a working version from http://pogostick.net/~pnh/ntpasswd/.

(3) This setting allows a virtual machine to share the Internet access of the host computer (i.e. the lab computer) through a process called Network Address Translation.

2.2 Clearing the Windows password with chntpw

Start chntpw in interactive mode by using the -i flag and read in the SAM file. Note that the SAM file is stored either in upper-case as SAM or in lower-case as sam, so choose the name that is used on your system.

    # chntpw -i sam

Now you just have to follow the on-screen instructions as shown in Figure 8.

Figure 8: Starting chntpw in interactive mode.

In particular, select Option 1 to begin clearing a user password (the number in square brackets denotes the default), then select that you want to clear the password of user Lab2 by entering its RID (03ed in Figure 8). Important: Do not clear the password of the user called "Lab3 DO NOT WIPE!", duh! Choose Option 1 again to clear the password of user Lab2 (Figure 9). Finally, write these changes to disk by quitting the current context (q) and confirm that you want to save the changes (y). You have now cleared Lab2's password!

Unmount the Windows partition from Kali Linux before continuing. In order to unmount Windows, you'll have to step out of the Windows folders first, so change to your home folder:

    # cd    % return to your home folder
    # umount /mnt/windows

Figure 9: Clearing the password of user Lab2.

Reboot the machine and select Windows 7. Hopefully, you should not need to type in any password when logging into the Lab2 account.

Important: After you have finished poking around in user Lab2's personal files, turn off the machine and detach the Windows 7 hard disk from the Kali Linux machine. Go to Settings on your Kali Linux machine and click on Storage. Select the Windows 7 disk and click the Remove attachment... button (Figure 10).

Figure 10: Removing the Windows 7 hard drive from the Kali Linux machine.

3 Bypassing Linux authentication

In this section you will learn how to bypass the authentication mechanisms in Linux.

3.1 Importing Lubuntu into VirtualBox

We have prepared a virtual machine containing a small variant of Linux, called Lubuntu, in the file /courses/ttm4175/lubuntu.ova. Lubuntu is a lightweight version of Ubuntu, and shares most of its central components with several other popular Linux variants like Ubuntu, Debian, and Kali Linux. Thus, learning how to bypass the authentication mechanisms in Lubuntu will enable you to do the same on all the other variants as well. Start by importing the machine into VirtualBox by clicking File > Import Appliance... in the main window of VirtualBox. Find the file Lubuntu.ova in the folder /courses/ttm4175/ and click Import (you can leave all settings at the default). If you boot it up you will be taken to the login screen shown in Figure 11.

Figure 11: The login prompt of Lubuntu.

3.2 Running Kali Live

In Sections 1.4 and 2 we conveniently assumed that both Windows 7 and Kali Linux were installed on the same system so we could access the contents of the Windows 7 disk through Kali. In reality, however, the victim would seldom be so kind as to have installed Kali Linux on the side just for us to exploit! So what to do when Kali Linux is not installed on the machine? The answer is live booting. Live booting means running an operating system directly from a CD-ROM or USB drive without it being installed to disk. Kali Linux supports live booting from both CD-ROM and USB. To do this you simply plug in the CD/USB containing Kali, restart the computer, and select to boot from CD-ROM/USB. Then you have access to all the tools of Kali Linux without having installed anything. Note that while used in this mode, Kali is running entirely from RAM and CD/USB, and no changes made to it will persist after it is turned off.

We will test the live booting feature by running Kali directly from CD-ROM and use it to bypass the login screen of the Lubuntu machine. We will simulate the CD-ROM in VirtualBox by attaching the Kali Linux ISO file (the one you used to install Kali Linux with in Lab E1) to the virtual CD-ROM tray of the Lubuntu machine. Turn off your Lubuntu machine and click on Settings > Storage. We simulate that we are inserting a CD-ROM (containing Kali Live) into the machine by clicking on Add CD/DVD Device (Figure 12). Select Choose disk and locate the Kali Linux ISO file kali-linux-1.1.0a-i386.iso on your host machine.

Figure 12: Attaching a (virtual) CD-ROM to the Lubuntu virtual machine.

Now start your Lubuntu machine. It will choose to boot from the (virtual) CD-ROM containing Kali Linux instead of the (virtual) hard disk containing the Lubuntu operating system. This will give you the menu shown in Figure 13. Select the Live (686-pae) boot option. If it ever asks for a username or password, the defaults are root and toor, respectively.

Figure 13: Running Kali Linux from a live USB.

3.3 Clearing the log in password on Linux with Kali Live

The strategy for bypassing a Linux machine's login prompt is similar to what you did for Windows 7. That is, we first need to mount the Lubuntu partition within the Kali Linux file system, then make some changes to the files responsible for handling login data like usernames and passwords. Inside Kali, create a mount point for Lubuntu and mount it. Since Lubuntu uses the same type of file system as Kali, be careful that you mount the right partition and do not accidentally mount the Kali partition within itself. In Figure 14 the Lubuntu hard drive is assigned to the device /dev/sda and the operating system partition to /dev/sda1.

    # mkdir /mnt/lubuntu
    # fdisk -l                          % find out which device contains Lubuntu
    # mount /dev/sda1 /mnt/lubuntu      % sda1 in our example -- could be different for you!

Figure 14: Finding the device label assigned to Lubuntu within Kali Live.

With the Lubuntu partition mounted inside of Kali you can modify all its files just as if they were normal files in Kali. Your task now is to make changes to the Lubuntu partition so that the next time you boot it up you will not be required to enter a password in order to log in. On most Linux systems user credentials are stored in two files: passwd and shadow, both located in the /etc folder. What are the contents of /mnt/lubuntu/etc/passwd and /mnt/lubuntu/etc/shadow? Print their contents (see also Question 3). In order to wipe the user's password you have to make one small change to one of these files. Find out which one, and what you have to change, then do it. Verify that you have successfully cleared the user's password by logging in as user ttm4175.

After you have bypassed the login screen of Lubuntu, pick a new password using the passwd command line utility (note that this is not the same as the /etc/passwd file!). That is, open a command line window from inside Lubuntu (click the Lubuntu icon in the bottom-left corner and go to System Tools > UXTerm) and issue the following command:

    ttm4175@ttm4175-lubuntu:~$ passwd ttm4175
    Enter new UNIX password:

Enter your new password (4). Now take a look at the contents of /etc/passwd again. What is different from before? How can you turn it back into the way it was before you modified it? (Again, see Question 3.)

(4) It may be interesting to note that the passwd command usually requires administrator rights in order to be used, i.e., you would normally have to prepend sudo to the command and type in your (current) password to use it. However, in this case you have blanked the user's password, so there is no password to ask for!

3.4 Other ways of bypassing the Linux login

This part is optional. Like for Windows, there are several ways of bypassing the authentication mechanisms in Linux. One very easy technique on Linux systems is to use the chroot utility. This program allows you to apparently change the root directory to somewhere else. The usefulness of this is that we can use chroot to pretend that the root directory is actually located at /mnt/lubuntu. This will trick the terminal into believing only this branch of the file system exists, and it will not be able to see or reference anything above it. Thus, from the viewpoint of the currently running terminal session, it appears as if only the files under the /mnt/lubuntu folder exist. Moreover, all other programs will now work relative to the /mnt/lubuntu folder, not the actual root /! In particular, this means that if you run the passwd program, which is used to create or change a user's password in Linux, it will access the /mnt/lubuntu/etc/passwd file, not the /etc/passwd file! And which user's credentials are stored in the file /mnt/lubuntu/etc/passwd? User ttm4175 of the Lubuntu machine!
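The check a defender would run after the exercises in Sections 3.3 and 3.4, added here as an example and not part of the original lab: it cross-checks /etc/passwd against /etc/shadow (the relationship Question 3 asks about) and flags accounts that can log in without a password in either file, as well as hashes left directly in the world-readable /etc/passwd. The sample records, the placeholder hash and the /mnt/lubuntu mount point are constructed assumptions.

```python
"""Audit a Linux account database for passwordless accounts (added example).

Cross-checks /etc/passwd against /etc/shadow the way a defender would after the
scenario in Section 3.3: an empty password field in either file lets the account
log in with an empty password, and a hash kept in /etc/passwd instead of
/etc/shadow is readable by every user. The sample records are constructed and the
hash shown is a placeholder, not a real crypt(3) digest. The mount point is an
assumption matching the lab's /mnt/lubuntu.
"""
import os


def parse_colon_file(text, nfields):
    """Split passwd/shadow style records into {username: [fields]}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        records[fields[0]] = fields
    return records


def classify_account(passwd_field, shadow_field):
    """Return one status string for an account given both password fields.

    shadow_field is None when the user has no shadow record at all.
    """
    if passwd_field == "":
        return "no-password (passwd)"    # authenticates with an empty password
    if passwd_field != "x":
        if passwd_field.startswith(("!", "*")):
            return "locked (passwd)"
        return "hash-in-passwd"          # world-readable hash; pwconv moves it to shadow
    if shadow_field is None:
        return "missing-shadow-record"   # 'x' points at a record that does not exist
    if shadow_field == "":
        return "no-password (shadow)"    # the state the lab leaves ttm4175 in
    if shadow_field.startswith(("!", "*")):
        return "locked"                  # password login disabled
    if shadow_field.startswith("$"):
        return "hashed"                  # $id$salt$hash, a normal account
    return "unknown"


def audit(passwd_text, shadow_text):
    """Status of every account listed in passwd, joined with its shadow record."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    result = {}
    for name, fields in passwd.items():
        shadow_pw = shadow[name][1] if name in shadow else None
        result[name] = classify_account(fields[1], shadow_pw)
    return result


def findings(passwd_text, shadow_text):
    """Only the accounts a defender needs to act on, sorted by name."""
    bad = {"no-password (passwd)", "no-password (shadow)",
           "hash-in-passwd", "missing-shadow-record"}
    return sorted((n, s) for n, s in audit(passwd_text, shadow_text).items() if s in bad)


def audit_mounted(mount_point="/mnt/lubuntu"):
    """Audit a partition mounted as in Section 3.3 (reading shadow requires root)."""
    etc = os.path.join(mount_point, "etc")
    with open(os.path.join(etc, "passwd")) as p, open(os.path.join(etc, "shadow")) as s:
        return findings(p.read(), s.read())


# Constructed sample: five accounts in five different states.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "ttm4175:x:1000:1000:ttm4175,,,:/home/ttm4175:/bin/bash",
    "guest::1001:1001:guest,,,:/home/guest:/bin/bash",
    "old:$6$placeholder$notarealhash:1002:1002:old,,,:/home/old:/bin/bash",
])
SAMPLE_SHADOW = "\n".join([
    "root:!:16686:0:99999:7:::",
    "daemon:*:16686:0:99999:7:::",
    "ttm4175::16686:0:99999:7:::",
])

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name:10} {status}")
    print("act on:", findings(SAMPLE_PASSWD, SAMPLE_SHADOW))
```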

To summarize, in order to change the password of the user on the Lubuntu machine: mount the file system; chroot into it; then simply change the password using passwd.

There are other ways to bypass the Linux login screen as well. One method does not even require Kali Linux. Can you figure out how to do it? Try it out!

4 Using Kali Live on a physical machine

We have prepared three physical machines, with three different operating systems on them. Unfortunately, we have forgotten their passwords! Your task is to bypass their authentication mechanisms and obtain: (1) a secret number stored in the user's home folder; and (2) a screenshot of the user's desktop. If you manage to obtain the secret number of all three computers, what is their sum?

We have prepared a few USB drives containing Kali Live which you can use for this task. However, if you instead want to create the bootable USB yourself (recommended), ask the teaching assistants for an empty USB drive, then see the instructions in the next section.

4.1 Creating a Kali Linux live USB

This part is optional. If you have access to a system where you have administrator rights, like on your own personal laptop, you can easily create a bootable USB containing Kali Live yourself. Simply go to http://docs.kali.org/installation/kali-linux-live-usb-install and follow the instructions there on how to set it up on your computer.

4.2 Booting from a live USB on a physical machine

When booting from a live USB on a physical machine you have to make sure that the computer selects the USB as the boot medium at startup instead of the internal hard drive (otherwise the usual operating system will just run as normal). This is configured in the BIOS, which is the first program that runs on the computer. In order to enter the BIOS configuration menu you have to press a particular key immediately after start-up, typically one of F1, F2, F8 or F10. Exactly which key to press is highly hardware dependent and varies from model to model. If the machine started up before you had time to enter the BIOS, just hit CTRL+ALT+DEL to restart it and try again. Once inside the BIOS menu you have to change the preferred device boot order, i.e. which physical device (USB, CD-ROM, hard drive, etc.) the BIOS will search through first. You want USB devices to be listed first. Again, the BIOS menu is highly hardware and manufacturer dependent, so it is not possible to give a specific description of where the setting is located, but usually it is not too difficult to find. Once you have set the boot order, restart the machine and hopefully it will boot from the USB and show you the screen in Figure 13.

Important! Do not change anything other than the boot order in the BIOS. Moreover, once you have successfully managed to bypass the authentication of the target machine, make sure that you restore the user's password to something so that other groups can give it a try as well (however, you do not have to say what it is!).

Questions

Q1. What is a partition? Explain the partitions shown in Figure 5. What are their file systems? What are the contents and purpose of the small 100 MB partition at the beginning of the /dev/sdb disk in Figure 5b?

Q2. You have just seen that the authentication process of both Windows and Linux can easily be circumvented if you have physical access to the machine. Is the authentication of a Mac running OS X more secure against this? If yes, why is that? If no, how would you bypass it? What about a smart phone running Android or iOS?

Q3. Most modern distributions of Linux use both /etc/passwd and /etc/shadow to store their user credentials. What is the purpose of the shadow file?

Q4. How can we protect our computers against the attacks in this lab?

Q5. Many modern operating systems automatically mount a disk or peripheral (like a USB drive) if they detect that it is connected. What could be the reasons for Kali not choosing to do this?