
exploit process

1. create a bootable floppy disk. a bootable floppy disk can be created by going
to 'windows explorer' or 'my computer'. from there, an ms-dos startup disk can be
created. after the bootable floppy disk is created, the following files can be
safely deleted to free space for later use:
- display.sys
- ega2.cpi
- ega3.cpi
- ega.cpi
- keyb.com
- keyboard.sys
- keybrd2.sys
- keybrd3.sys
- keybrd4.sys
- mode.com

2. copy the ntfs file system recognition program onto the bootable floppy disk.
one such example is sysinternals' ntfsdos v3.02r+. the file ntfsdos.exe is only
52kb and fits easily on one disk.

3. copy a compression program onto the bootable floppy disk. there are a few
compression programs on the market, but the one i use is rar version 3.30 for dos.
after extracting all the files from the distribution file, only two files are
required:
- emx.exe
- rar32.exe

4. boot the target machine using the bootable floppy disk. if the target machine is
set up to boot from the floppy disk drive, then this step is just a matter of putting
your disk into the drive, rebooting the system, and having a sip of your favourite
drink while the boot-up process is under way. otherwise, you will need to go into
the cmos setup to change the boot sequence. if the cmos setup is password protected, a
cmos password cracker or a physical reset might be required, but cracking the cmos
password is outside the scope of this document.

5. load the ntfs file system recognition program. if sysinternals' ntfsdos has
been put on the floppy disk, all you need to type at the dos prompt is: ntfsdos.

6. compress and copy the system and sam files onto the bootable floppy disk. if
rar is used, all you need to do is type the following two commands:
- rar32 a -m5 -v system.rar <location of system file>\system
- rar32 a -m5 -v sam.rar <location of sam file>\sam

the system and sam files are in the same location, which is:
d:\windows\system32\config

7. extract the system and sam files from the bootable floppy disk. after the system
and sam files are compressed and stored on the floppy disk, they can be
extracted from the disk by using the following rar commands:
- rar32 e system.rar
- rar32 e sam.rar

8. remove syskey protection from the system and sam files. this step may not be
necessary, since i've heard that some password crackers (used in step 9) can crack
passwords that are syskey protected, but it takes longer. to minimise the time
used, two tools can be used to remove the syskey before cracking the passwords in
step 9: bkhive and samdump2. the following two commands can be issued to do so:
- bkhive system systemkey
- samdump2 sam systemkey > hashfile

the output file hashfile will contain the lm hashes.

9. crack the passwords in the lm hash file. there are quite a few password crackers
that can crack lm hash files. the one i used is john the ripper. the command to
start cracking the hash file is:
john hashfile

after the cracking process finishes, the result can also be displayed by issuing the
command:
john --show hashfile

the result is:

administrator:xxxxxxx:500:??? ??????????????? ??????????????? :::

2 passwords cracked, 0 left

time taken for the cracking process:

- steps 1-3: 3 minutes
- steps 4-6: 3 minutes 30 seconds
- steps 7-9: 124 minutes 4 seconds (for an 8-letter password)
- total: 130 minutes 34 seconds

implication
as one can see, the administrator account with an 8-letter password can be easily
cracked within 131 minutes. with the administrator account compromised, further
exploits can be easily carried out. one example is that a malicious attacker can
install key loggers to capture the passwords of all other users, which in turn leads
to the abuse of those user accounts.

recommendations
1. do not set the floppy disk drive or cd-rom drive as the first boot device, and protect
the cmos setup with a password. this step provides only minimal protection, since it is
very easy to bypass or break a cmos password.
2. use strong passwords. this implies password lengths of at least eight
characters, including lower and upper case letters, numbers, symbols (e.g. _, *,
^, $, etc.), and possibly also unicode characters. microsoft further suggests using a
password of at least 15 characters, but to be honest, not too many of us
will use such long passwords without forgetting them.
3. disable lm hash storage for passwords. run 'local security settings' in
'administrative tools'. locate the 'security options' folder in the 'local
policies' folder. then change the entry 'network security: do not store lan
manager hash value on next password change' to 'enabled'. then, change the
password for the local administrator account.
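to confirm that recommendations 2 and 3 actually took effect after the password change, here is an added audit check that is not part of the original paper: it reads a samdump2-style user:rid:lmhash:nthash::: dump and lists the accounts still carrying a real lm hash, and tests a candidate password against the complexity rule above. the sample records are constructed; the one constant is the lm hash of the empty password, which windows stores in place of the lm hash when lm storage is disabled or the password is longer than 14 characters.

```python
import re

# LM hash of the empty password. Windows writes this value into the LM field when no
# LM hash is kept for the account (policy enabled, or password longer than 14 chars).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in the user:rid:lmhash:nthash::: layout that samdump2 writes.
# The NT hashes are made-up hex, not hashes of any real password.
SAMPLE_DUMP = """\
administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
guest:501:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
backupop:1001:00112233445566778899aabbccddeeff:ffeeddccbbaa99887766554433221100:::
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def accounts_with_lm_hash(dump_text):
    """Return account names whose LM field holds a real hash (recommendation 3 not in effect)."""
    exposed = []
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a pwdump-style record, skip it
        user, lm_hash = parts[0], parts[2].lower()
        if HEX32.match(lm_hash) and lm_hash != EMPTY_LM_HASH:
            exposed.append(user)
    return exposed


def meets_policy(password, min_len=8):
    """Recommendation 2: at least min_len characters and all four character classes present."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= min_len and all(re.search(c, password) for c in classes)


if __name__ == "__main__":
    print("accounts still storing an lm hash:", accounts_with_lm_hash(SAMPLE_DUMP))
    for candidate in ("Tr0ub4dor&3", "password1"):
        print(candidate, "meets policy:", meets_policy(candidate))
```

an account whose lm field is still a real hash has not changed its password since the policy was enabled; re-run the check after forcing the change.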
