Phantasm66
Here's a nice article I found. It's not very detailed, but it's quick and easy and gives some good pointers for beginners. Just don't tell your system admins at school / college that I pointed you towards this stuff....
source: http://www.linux-box.org/modules.php?op=modload&name=News&file=article&sid=408&mode=thread&order=0
Hacking: The art of gaining local access
Posted by linuxbox Monday, May 13, 2002 - 02:14 PM CEST
Local hacking is what I myself call the way of gaining access to a computer while actually sitting at it. This article is a short listing of my experience in this area.
When will we need the advantage of local access?
Let me take some examples. At the school I am currently attending, each student has a laptop. This laptop is borrowed from the school, but the student may take it home with him or her every day of the year.
I suppose I don't even have to mention that with a bit more than 200 laptops in circulation there are quite some problems from time to time. That is why the school has a technician who repairs computers and, from time to time, Ghosts them (Norton Ghost).
Due to the fact that the standard OS on these computers is either Windows NT (2000 or XP at the student's choice) or Linux (whichever distribution the student prefers), this technician quite often gets computers where the administrator/root password is not specified. At these times it can often take quite a while to find the specific student and check which password he or she uses.
Therefore I was asked to find an easier way to bypass the security, a question which I replied to with a smile and the question "How much time do I get?", and then, in about 5 minutes, gained administrator access to the Windows 2000 machine currently at the desk.
Yet another example.
You succeed, by using social engineering, in gaining access to a company by getting hired. Now you wish to check what the manager has on his or her computer. So, you stay late one night and simply break into his or her office and boot it up. With your knowledge of local cracking you may in a very easy way gain administrator access.
Drawbacks
There are of course some drawbacks; there always are. In the subject of local cracking, though, there are somewhat more of them, and they are somewhat larger, than usual.
1. Locality: You will, in most cases, actually have to sit by the computer you wish to gain access to.
2. Input devices: My two major tricks include either a CD or floppy with some software on it in order to be used. This is not a big problem anymore; who would even be interested in using local cracking on a machine without CD or floppy? In these cases remote hacking would be much more suitable.
3. Traces: Local hacking usually leaves a lot of traces. Unfortunately.
Now on to the important part.
Gaining access to different OS's
M$ DOS/Windows
Gaining access to DOS, what a joke. If at all talking about DOS and not a BIOS password, most executions in DOS may be aborted by pressing Ctrl+C. If this does not work you could always try a boot floppy and then try to access C:. This is basic knowledge that is only added because of the fact that someone might actually have been raised on a *X system and therefore does not know this. Period.
When coming to Windows there are loads of ways of gaining access to the machine locally. Surprise!
When talking Windows 1.0 to 3.1 you cannot even specify a password as far as I know. In Windows 3.11 you may specify a password, but this has just about the same security as 95 and 98. These three OS's do not have a strict policy of who is logging in, which will make you able to specify any non-existing account and instantly log in with it. You may even specify a new password for the account you just created, and because of the fact that FAT* does not have any security policies for each file, or at all, we have full access to every part of the disc. If none of this works you may always use a simple boot disk in the same fashion as DOS.
Windows NT 4.0+
Here we have a slightly more interesting scenario. You could type your fingers bloody trying to hack the administrator password. Well, you might try Guest (of course with each language's specific translation). This account does not normally have any privileges at all, though sometimes it might just work. We always have IUSR_[computer name], which is the IIS account. Windows does not normally allow this account anything, but you might as well try. The computer's name will hopefully be stated in the log-in screen.
When coming to Windows NT 4.0+ there are some tools available. The best is ERD Commander. This is the tool which gave Microsoft the idea of Recovery Console. A very simple tool which was released in its 2002 version only weeks ago. This simple boot disk costs about $600 but handles every task of repairing a Windows NT 4, 5 (2000) and 5.1 (XP) there is. Including what we need, password changing.
In the 2000-version (which cannot handle NT 5.1) the syntax is as follows:
regload
pwd [account] [password]
exit
Let's make a quick run-through of what we just did. regload loads the registry of the specified Windows installation (default is the first installation). pwd then changes the password for the specified account and shows a confirmation. exit reboots the machine.
This example is only included to show how easy it is. Believe me, ERD Commander is worth every cent.
Linux
I suppose at least some of you will raise an eyebrow now. Gaining root access to a Linux machine is actually even simpler than gaining access to a Windows NT machine. All you need is a bootable Linux disk which gives you a command prompt. I use Slackware's install disc. The problem of Linux in this particular point is that once you've logged in as root, you have root access everywhere. So, on the Slackware install disk we log in as root in order to be able to map up Linux partitions in order to be able to use these as target partitions. Now, instead of running the setup we mount the partition ourselves. In this example we have the ext2 partition /dev/hda1 (primary master):
mount -t ext2 /dev/hda1 /mnt
Of course we can use ext3, but then we'll need a boot kernel which supports this fs type. Anyway, we have the main idea above.
Everyone with a basic knowledge of Linux knows what we have here. We have the entire (in most cases) system partition of the local Linux installation and we may do nearly anything we want. Perhaps play around with /etc/shadow? (Password file for most Linux distributions, note for inexperienced Linux users.)
So, we can do anything we want, almost. My personal favourite is:
chroot /mnt passwd root
Just to make a quick run of what we just did. chroot /mnt changes the root to /mnt; this means that all commands are executed from our boot disk but take their paths and the like from /mnt (or something like that, who cares?). This means that in our example the command passwd, which changes the password for any user (if the executing user has a higher level), will use the file /mnt/etc/shadow instead of /etc/shadow (which is our boot disk). Sure it doesn't take long to see the possibilities in this fairly simple piece of knowledge.
Novell
I am afraid I do not have any live experience of Novell, though there is an article on neworder which deals with it. I'll just link to it here and hope for the best. Novell Logon to the Desktop in 60 seconds or less.
Covering your traces
So, I've told you that these techniques leave traces. What exactly do I mean? Well, as a kick-off, what happens when the owner of the computer comes back and finds that his password is changed?
So, there are two approaches to this problem worth mentioning. First we could just stick the problem up the owner's *** and try not covering THAT it happened but WHO did it. Gloves as a start. Fingers leave fingerprints. Period. Second you could try to hold your hands so that no part of them touches the keyboard (skin might scrape off and give the cops a quite good DNA sample). Upon that, try not to touch any part of your body with those gloves of yours, same reason as previously (DNA).
Now, let's pretend that we are not breaking into one of the government's computers, so we do not need to take all these precautions.
Then we could always make a backup copy of the password file and copy it back when we are ready. If the administrator does not check dates this method should work fantastically well on a Linux machine. With Windows it's somewhat harder. I know there is a file called the SAM file which holds information about each user, but I cannot tell you where it actually is or whether it will smash something up if replacing it.
Finally
This knowledge might seem lame. But those of you who managed to read this far might have gained, if not pure knowledge, at least inspiration for how to do something completely else. No knowledge can ever be bad knowledge, for it might help someone, and if even only one of you gains something from this article, it has been a success.
I wish to resign all credits for anything written in this article. This knowledge is old and probably quite frequently used and I have not invented any of it. I just wrote it down to contribute to the community since no one else has (not that I have seen anyway).
So, time to start sending flames about how lame and stupid and script-kiddish I am. Fine with me. Who the hell cares about people sending those kinds of messages!? They are only lame themselves who do not realize that even if they do not learn anything, still someone else might.
People sending corrections and suggestions, I'll be most grateful. Those are the admirable kind.
Beam me up, Scottie.
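The "copy the password file back" trick in the Covering your traces section is said to work only "if the administrator does not check dates". Below is an added example (mine, not from the quoted article or the forum post) of what such a date check looks like on Linux: it compares the shadow file's mtime and ctime with the "last changed" day that passwd records in each entry. The sample shadow contents are constructed, with hypothetical hashes; ShadowSnapshot, audit_shadow and the finding codes are my own names.

```python
"""Heuristic check: was /etc/shadow rewritten behind passwd's back?
passwd stamps the changed user's 3rd field ("last changed", days since
1970-01-01) with today, so mtime, ctime and the newest lastchg agree.
A copied-back old shadow breaks that: plain cp leaves an old lastchg
under a fresh mtime; cp -p keeps the old mtime but ctime is fresh."""
import os
from collections import namedtuple

SECONDS_PER_DAY = 86400

# Constructed sample, not from a real host: root last changed on day 11500.
SAMPLE_SHADOW = (
    "root:$1$saltsalt$hypotheticalhash:11500:0:99999:7:::\n"
    "bin:*:11000:0:99999:7:::\n"
    "student:$1$saltsalt$hypotheticalhash:11480:0:99999:7:::\n"
)

# text = file contents; st_mtime / st_ctime = seconds since epoch as os.stat() gives them
ShadowSnapshot = namedtuple("ShadowSnapshot", "text st_mtime st_ctime")

def parse_lastchg(shadow_text):
    """Map user -> days since epoch from the 3rd field; blank fields are skipped."""
    changed = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            changed[fields[0]] = int(fields[2])
    return changed

def audit_shadow(snap, slack_days=1):
    """Return a list of (code, detail) findings; an empty list means consistent."""
    findings = []
    slack = slack_days * SECONDS_PER_DAY
    # 1. ctime well after mtime: restored with preserved timestamps, or chmod/chown.
    gap = snap.st_ctime - snap.st_mtime
    if gap > slack:
        findings.append(("CTIME_AFTER_MTIME", "ctime %.0f days after mtime" % (gap / SECONDS_PER_DAY)))
    # 2. rewritten later than any password change it records (restored copy, manual edit).
    newest = max(parse_lastchg(snap.text).values(), default=None)
    if newest is not None and snap.st_mtime - newest * SECONDS_PER_DAY > slack:
        findings.append(("MTIME_AFTER_LASTCHG", "newest lastchg is day %d" % newest))
    return findings

def snapshot_from_path(path="/etc/shadow"):
    """Build a snapshot from a live file (reading /etc/shadow needs root)."""
    st = os.stat(path)
    with open(path) as fh:
        return ShadowSnapshot(fh.read(), st.st_mtime, st.st_ctime)
```

Both checks are heuristics: legitimate edits with vipw or chage also move mtime without touching lastchg, so a finding is a prompt to compare against a known-good copy, not proof of tampering.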