You are hereLogon to any password protected Windows machine without knowing the password
Logon to any password protected Windows machine without knowing the password
 | Today we will show you proof of concept on how you can log on to any password protected Windows machine, without knowing the password at all. I am sure you have heard of utilities which will "reset" or "recover the Windows login password for you, but this is way cooler than that, this utility will not write or reset anything to the hard drive. After you are done, on the next reboot the machine will retain its original password. There is no "reset" or lengthy recovery involved. The 5 step process is so easy that after you have seen this, you will be shaking your head |
We are going to demonstrate this process on a Windows XP service pack 3 machine, but the process is essentially exactly the same for other versions of Windows such as Windows 7, Vista, Windows Server 2003 or even Windows 2000 workstation and server. Most of the magic will be done by a nifty utility from Kryptos logic called Kon-Boot, which you can download from its web page located at http://www.piotrbania.com/all/kon-boot/. This same utility can also be used to log on to Linux systems, but that is outside the scope of this article, we will concentrate only on Windows. You will need to download the .iso file from the Kon-Boot website and burn it to a CD. If you need instructions on how to burn a CD from an iso image using a free tool, you can read up on it on our article here. Next, make sure that the BIOS is set to boot from the CD drive. With the CD in the drive, boot the machine |
 | Step1: - After the machine boots from the CD, you will see the splash screen as shown on the left hand side. Simply hit enter to continue |
 | Step 2: - After hitting enter in the previous step, you will find this second splash screen. This is important as as soon as you hit enter on this screen, you will be taken to the next step, which is booting Windows, there are no other steps to configure here. In a few minutes, the normal Windows boot menu will appear, just proceed as you normally do in your normal logon sequence to Windows |
 | Step 3: - On Windows Logon screen, fill in the name of the user whom you want to log on as, leave the password blank and hit enter |
 | Step 4: - Olla! you are logged in! and what's the coolest thing, you have not reset the password for the account at all. It simply let you in because it interacted with the kernel directly using Linux. No alteration was done to any hard drive content at all during the process of logging in. |
 | Step 5: - Remove the CD from the drive, and reboot. Your machine will now present you the normal ctrl+alt+del screen like it always use to, try logging on with the username we tried before with the blank password! The blank password will not work, you can only get in if you knew what the right password was..this demonstrates that the user password was never reset, it still is what it use to be. |
As you can see that this nifty little cd can be of many uses, you do not need to reinstall or repair Windows if you have forgotten your password. If you are locked out, you can use this to log in as well. It also brings raises a question on Windows security. Once again, this method is exceptionally fast and does not actually reset the password. If you have for some reason the need to "recover" and "reveal" a user's password, you can use the tutorial I wrote earlier here and it will actually show you what the password is.
If the method I described above, is being used to gain unauthorized access to then there are really only two ways of protecting against such an intrusion:
1. Block Physical access to the machine or prevent users from hooking in USB devices or booting from CD ROMs and floppies
2. Encrypt your sensitive data. We will cover a step by step article on how to use encryption to protect your data in a forthcoming article
Hopefully this has been informative for you. If you have any further questions, please do leave us a comment or contact us through the Contact Us link on this web site.
- Add new comment
- 1618 reads
-
AddThis
Hi. I have a question regarding the 2 ways to try to protect a workstation against this kind of intrusion.
Step 2 in particular. If an individual (by burning the Kon-Boot iso to cdrom) has the ability to log in as a specific user then how does encrypting your files help? By encrypting, I'm pretty sure you block file/folder access to users other than yourself. So, if the PC "thinks" you are logged in as yourself, then by default it would allow access to the encrypted files and folders, yes?
Step 1 can be virtually meaningless (restrict physical access) in a work environment unless you have an office with a door and you lock said door.
Lastly, I don't see the point in Operating Systems that mandate a password if there is a "looseness" that allows a login without it by using a LIVE CD. OS vendors (as in all OSes) should think about this and close the vulnerability.
That's an excellent point you raise Adam. Kon-Boot does make a mockery of the Windows security, I have used and tested Kon Boot several times and it works like a charm every time. A fix to this is not in place yet, it still works on a fully patched machine with latest service pack installed, running Windows XP.
The methods I mentioned are still a good deterent, although a hacker worth his salt would be able to penetrate any machine he has physical access to. When I mentioned encryption, I meant both, the encryption that comes with Windows (BitLocker etc) and the one that you can get from third party apps (such as TrueCrypt). Encryption using third party apps requires the cipher to be generated usually using a key that is not associated with just your logon credential and hence the key must be entered by the user to decrypt the files, hence even if you are able to look at the files because you have bypassed NTFS permissions, you will only be looking at gibberish and not real data.
Windows encryption works differently, especially in an Active Directory environment, where you have roles such Recovery Agent etc. The encryption is associated with the users log on credentials (including password) and the certificate that is generated, is dependent on that. That is why, if an administrator forcibly resets the password of a user who is using encryption, his certificate gets revoked and the adminitrstor can not look at the encrypted data. Hence it is safe deterent as, when you log on with KonBoot, you are not supplying users password.
Having physcial access to a machine is always the biggest security risk. While in a corporate enviornment users definitely need to have access to physical devices such as CDROMS and USB keys, there is a good expectation of trust and responsible use from them and perhaps a IT policy to enforce it. However, less trusted enviornments (for example one that involves contractors and Kiosks etc) should always be restricted access to these devices using Group Policies or other means, else it can be devestating.
Hope that answers your question a little bit, very good question though. Thanks