[pgorman98]

First of all, this is not a post in which a new00b kid wants to know the tricks of cracking a XP admin password.

Aim: to get admin password on limited account of xp.

here is the scenario...
computer science lab of a college connected through lan and has internet access.

Operating System windows XP sp2

attacker has only limited account. Even a flashdrive cannot be installed. no programs can be installed.

There is no cd-rom in any computer so ophrack or linuxlive or bartpe cds will not work.

c:\windows\system32\config cannot be accessed. if sam could be copied then it could have been mailed and cracked on other systems

system cannot be booted from a flashdrive.

no hardware access. otherwise removing the battery could have reset the bios.

what may lead to possible solution..

a unrestricted internet connection is there. so anything can b downloaded and sent out of the system to internet.

if there is a program which need not to be installed and either could give full file system access or crack the hashes could have done the job.

on special request some files are transfered from one system to main system so that students can get those files on pendrive. this whole process is done under supervision of a person. so sam file cannot be taken from the main system also.

please post ur replies...
and tell wht u think. whether this system is penetrable or not.
thanks in advance

[DamegedSpy]

Well there are many local vulnerabilities.
I have rooted my PC just by typing in CMD: at [next h:m] /interactive cmd.exe (A new Command Prompt should open with root access)

You should check milworm and Exploit for all those magic local vulnerabilities/exploits ;)

[baph0m3t]

The interactive schedule trick won't work unless you have admin rights in which case you don't need it. I'd love to hear exactly how you rooted your box with it...

But you are right about local vulns - you could probably just run cain over it and dump the passwords - have they blocked executables?

E:

Quote

First of all, this is not a post in which a new00b kid wants to know the tricks of cracking a XP admin password.

Aim: to get admin password on limited account of xp.

Sorry, that did make me smile.

This post has been edited by baph0m3t: 08 February 2010 - 04:44 PM

[talwoasc]

DamegedSpy, on 08 February 2010 - 03:46 PM, said:

Well there are many local vulnerabilities.
I have rooted my PC just by typing in CMD: at [next h:m] /interactive cmd.exe (A new Command Prompt should open with root access)

You should check milworm and Exploit for all those magic local vulnerabilities/exploits

That used to be as handy as hell until XP SP1 came out and ruined our fun as it worked on limited accounts aswell as admins then.

[fuzzybunny]

I believe Metasploit includes the option to create malware pdf's. Since you have internet access, you can pretty easily construct a pdf to connect to a remote host (your computer) and spawn a shell. Once you have the shell, copy the sam file and start crackin :-) The only obstacle I can see is that you need the admin to open the pdf if you want root access, so you might need a bit of SE. Also, the correct version of adobe pdf reader needs to be installed. Hope that helps

[Anonymous User]

If you can't "install" a flash drive that probably doesn't mean you can't boot from one as it is a security policy inside windows that is stoping you from doing this. What if you restarted the computer with a bootable USB plugged in and jamed on F12 until you got a boot prompt. You could boot into backtrack USB and have your SAM file decrypted in minutes. If you don't get a boot prompt it's because it's disabled in the bios. Restart again and jam on F2 or del until you get into the bios.

Quote

First of all, this is not a post in which a new00b kid wants to know the tricks of cracking a XP admin password.

Could have fooled me.


EDIT:
I swear that bit about not being able to boot from USB wasn't there when I first scanned the post. Still, it doesn't say your post was modified so I guess it's my bad here. nvm...

This post has been edited by Anonymous User: 11 February 2010 - 06:21 PM

[DamegedSpy]

talwoasc, on 08 February 2010 - 05:19 PM, said:

DamegedSpy, on 08 February 2010 - 03:46 PM, said:

Well there are many local vulnerabilities.
I have rooted my PC just by typing in CMD: at [next h:m] /interactive cmd.exe (A new Command Prompt should open with root access)

You should check milworm and Exploit for all those magic local vulnerabilities/exploits

That used to be as handy as hell until XP SP1 came out and ruined our fun as it worked on limited accounts as well as admins then.

You are wrong on that. It also worked with Guest Accounts and if you run into a computer that had been off all this time is easy as hell ;)

[baph0m3t]

Good plan.

And, of course, shorting J6 blanks any password protection of the CMOS. Means going in with a screwdriver, but hey.

[nebriv]

baph0m3t, on 10 February 2010 - 07:45 PM, said:

And, of course, shorting J6 blanks any password protection of the CMOS. Means going in with a screwdriver, but hey.

Or any other metallic object for that matter!

[baph0m3t]

Well if you are unscrewing the pc panels, you might as well use what's in your hand ;)

But yeah, you're right.

[Obfuscater]

Sorry to rain on the BIOS-reset parade, but the scenario here has 'no hardware access' so you're going to have to be more creative, I'm afraid.

[baph0m3t]

Shite, you're right. Right there in black and white.

Poetry. I'll stop.

[Anonymous User]

I think fuzzy makes an excellent point. I don't see a way to achieve this without using SE to gain some kind of increased access to the target machine.