Sys Admin Magazine > Archives > 2001 > April 2001

How to Hack Windows (Part 3)

Kurt Seifried

Security in a Microsoft environment is hard. Even if you do everything right, there is still a window of opportunity for attackers while Microsoft is working on security fixes. You can, however, harden your network quite a bit and keep most attackers out (and internal threats to a minimum). Something that comes as a surprise to many administrators is the number of "hacking" tools available for breaking into Windows networks, including tools that leverage more access once an attacker is in and tools that clean up the evidence.

If you are concerned about security, you should get rid of any Windows 9x and ME machines as soon as possible. This is something most enterprises have done, using NT and now Windows 2000. However, as networks expand and people connect via VPNs from home or while on the road, Windows 9x and ME may creep back "into" your network (if they are attached via VPN, then logically they are part of the LAN).

Boot Time

If an attacker can reboot the machine and boot from removable media, the game is already over. The attacker can then read and modify the contents of the system as desired. There are programs that allow modification of the administrator password, and there is a DOS driver for NTFS (NTFSDOS) that makes manipulating and copying files trivial (you could also do this with a Linux boot disk). Other available tools are "Remote Recover" and "NT Recover"; you can use them to boot "dead" NT machines, or a machine you want to break into. An attacker could boot the machine and back up the admin password (or simply grab C:\Winnt\repair\sam._ and run L0phtCrack against it). Then, the attacker could use Locksmith to replace the administrator password, boot the system, create another "superuser account", reset the administrative password to what it was, and clean up his tracks (using something like WinZapper, discussed later).



