
How to Call Administrator Command Prompt at the Windows Login Screen

Quick Summary: We are going to see how a single registry value on Windows 8 gets you a command prompt, running as SYSTEM, at the login screen, without typing any credentials. The catch is that you need administrator rights to set that value in the first place, which makes this a persistence and backdoor technique rather than a way to gain rights you do not already have. This was my solution during a hackathon that happened here in Australia some time ago, and I decided to share it with you guys.

If you’re really in a hurry, here’s how it works…

Before the solution, a quick chit-chat…

The Windows process loader has a hook that takes precedence over the program you asked for. Under a registry key called Image File Execution Options (IFEO), you can tell Windows that a given executable is to be started under a debugger; from then on, whenever anything on the machine tries to launch that executable, Windows launches the named "debugger" instead and hands it the original command line. This check happens on every process start, whether or not anyone is logged in, and most people never realise it is there.

If you’ve been around long enough to remember the old MS-DOS days, back then there was an application called SideKick. SideKick was loaded at boot and then sat in memory, dormant (a terminate-and-stay-resident program). When the user pressed Ctrl+Alt, it magically popped up on the screen, from inside whatever program you were running. It was awesome! Best thing ever! It worked because, during its initial execution, SideKick hooked the keyboard interrupt and placed itself between the keypress and the program that would normally receive it. It was a “man in the middle” kind of application, for the good.

That’s the same principle here: something sitting between the request and the code that would normally run. To prove that the IFEO hook is always active on Windows, we will do this cool experiment in 3 steps:

1) Open RegEdit and find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

2) Under it, create a new key called DisplaySwitch.exe. Inside that key, create a String value (REG_SZ) with Name: Debugger and Data: cmd.exe


3) Lock your Windows session and press WindowsKey+P


Amazing, hey! You’re calling the Command Prompt from your Windows login screen. How about that for a power show-off with your infrastructure friends.
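As an added example (not from the original post), here is the same three-step experiment scripted in PowerShell, together with the check an administrator should run in the other direction: list every image name under IFEO that carries a Debugger value, because that is exactly where this backdoor, and a lot of real-world persistence, lives. The function names are mine; run it from an elevated PowerShell, since writing under HKLM needs administrator rights.

```powershell
# Added example, not code from the original post.
# Set, verify and remove the IFEO "Debugger" value for DisplaySwitch.exe,
# then hunt for any other image name that has a Debugger value configured.
# Needs an elevated PowerShell: HKLM is not writable by a standard user.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on 64-bit Windows; 32-bit images are looked up here
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Set-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image, [Parameter(Mandatory)][string]$Debugger)
    $key = Join-Path $ifeoPaths[0] $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_SZ named "Debugger": the loader runs this string and appends the
    # original program's command line to it. Nothing checks that it is a debugger.
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $ifeoPaths[0] $Image
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

function Get-IfeoDebuggers {
    # Every IFEO subkey (in both views) that has a Debugger value.
    # Anything listed here that you did not configure yourself deserves a closer look.
    foreach ($root in $ifeoPaths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; Hive = $root }
            }
        }
    }
}

# Reproduce the post: after this, lock the workstation and press Win+P.
Set-IfeoDebugger -Image 'DisplaySwitch.exe' -Debugger 'cmd.exe'

# The hunt: DisplaySwitch.exe -> cmd.exe should now show up in this list.
Get-IfeoDebuggers | Format-Table -AutoSize

# Clean up once you have seen it work. A Debugger value on a binary the logon
# screen launches is a password-less SYSTEM shell that survives reboots.
# Remove-IfeoDebugger -Image 'DisplaySwitch.exe'
```

The last line is left commented so the experiment survives a lock/unlock cycle; uncomment it (or run it by hand) when you are done. Run Get-IfeoDebuggers on any box you are handed during an incident: legitimate entries are rare and usually name a real debugger you installed.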

The Explanation

Image File Execution Options is consulted by Windows every time a new process is created, even on the login screen while nobody is logged in. If the executable being started has a subkey under IFEO with a Debugger value, Windows runs the Debugger string instead and appends the original program’s command line to it; it never verifies that the “debugger” is actually a debugger. So all we had to do was find something that the login screen itself will execute for us, and point its Debugger value at what we want to run. That’s where DisplaySwitch.exe comes into play.

DisplaySwitch.exe is the little program that opens when you press WindowsKey+P to choose how multiple monitors are used, and the login screen still honours that shortcut. Our registry entry says “if DisplaySwitch.exe gets launched, launch cmd.exe instead (with DisplaySwitch.exe’s path as its argument)”. Because the login screen process that launches it runs as SYSTEM on the secure desktop, the command prompt we get inherits that: a SYSTEM shell before anyone has authenticated. Neat, hey! It also means that a Debugger value on any binary the login screen can launch (the same trick is older than Windows 8 with sethc.exe and utilman.exe) should be treated as a backdoor: it survives reboots and needs no password.


032789_NSASecretListener - NSA Secret Listener Service in Windows

I was debugging some services on one of my Azure servers when I came across the command sc, which lets you talk to the Windows Service Control Manager. My problem required me to retrieve the SID for my local SQL Server service. To make a long story short, I ended up playing around with service names and IDs, with commands such as the one below.
C:\>sc showsid trustedinstaller

Why did I start doing this? For nothing. Sheer curiosity, fishing for something new to learn. Then I came across this service called “NSA Secret Listener”.

C:\>sc showsid 032789_NSASecretListener

Note that it has a hardcoded numeric value at the beginning, which I believe was put there on purpose just so it does not become so obvious. But then again, why use the NSA name on it, and why this prefix?

Obviously we can see that the service has the status Inactive; however, I am curious to see the reasoning behind it.

Another point: if I run the command to get the display description, it shows that the service does not exist. “Security by obscurity” maybe?



Does anyone have any hints? I would love to know the ins and outs of it.
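Here is the check I would run before reading anything into that output, as an added example rather than part of the original post. sc showsid never asks the Service Control Manager whether a service exists: a per-service SID is a pure function of the name (S-1-5-80- followed by the SHA-1 of the upper-cased name, encoded as UTF-16LE, split into five 32-bit little-endian integers), so you get a valid-looking SID for any string you type. The STATUS line only reports whether a running service currently holds that SID, and the description query does go through the SCM, which is why it says the service does not exist. The script below derives the SID the same way and compares it with what the SCM actually knows; the function names and the made-up service name AnythingYouLike are mine.

```powershell
# Added example, not code from the original post.
# Derive a per-service SID the way sc.exe showsid does, and contrast that with
# an actual lookup in the Service Control Manager.

function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$Name)
    # Upper-case the name, encode as UTF-16LE, SHA-1 it, read the 20 bytes as
    # five little-endian uint32 sub-authorities under the S-1-5-80 prefix.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $hash  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)
    $parts = for ($i = 0; $i -lt 20; $i += 4) { [BitConverter]::ToUInt32($hash, $i) }
    'S-1-5-80-' + ($parts -join '-')
}

function Test-ServiceInstalled {
    param([Parameter(Mandatory)][string]$Name)
    # Get-Service asks the SCM; a name that is not installed returns nothing.
    $null -ne (Get-Service -Name $Name -ErrorAction SilentlyContinue)
}

function Get-ServiceSidReport {
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($n in $Names) {
        [pscustomobject]@{
            Name      = $n
            Sid       = Get-ServiceSid -Name $n
            Installed = Test-ServiceInstalled -Name $n
        }
    }
}

# TrustedInstaller is a real service; the other two are just strings.
Get-ServiceSidReport -Names 'TrustedInstaller', '032789_NSASecretListener', 'AnythingYouLike' |
    Format-Table -AutoSize

# TrustedInstaller resolves to S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464,
# the same value "sc showsid trustedinstaller" prints. The other two rows also get a
# SID (they always will), but Installed is False for both.
```

Cross-check against sc.exe itself: `sc.exe showsid AnythingYouLike` prints a SID for the made-up name too, while `sc.exe qdescription AnythingYouLike` fails because that call goes through the SCM database. If you really want to know whether a given service SID belongs to something on the box, enumerate the installed services and derive their SIDs with Get-ServiceSid, rather than trusting showsid to tell you.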

Women in IT

Percentage of women age 15 or up who participate in the labour force, around the world.



Pocket Supercomputers



Recommended car speed for city

The case for recommending a maximum speed of 30km/h within the CBDs.



New York Respect Cyclists, Pedestrians

Nice, clear message from New York city to its residents.



How to Boot in Safe Mode on Windows 8

Back in the day, when Windows was slow or crashing, we used to press F8 during boot and it would take us to something called “Safe Mode”: the minimum set of drivers and programs, just enough for Windows to function. But if you try this in Windows 8, it does not work; there is no reliable way into Safe Mode by pressing F8 any more. So, how do you do it?

Just type “msconfig” in the Start menu, go to the Boot tab, tick “Safe boot” (leaving it on “Minimal”), and reboot.


Additionally, the same screen lets you perform a selective boot, where you choose which services should and shouldn’t be started.

It is also great combined with PowerShell Remoting: you can’t press F8 on someone else’s machine, but you can set the same boot option over a remote session and restart it. Remember to turn it off again afterwards; the setting sticks across reboots until you clear it.
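As an added example (not from the original post), here is the same switch done from PowerShell so it can be applied over a remote session. The “Safe boot” tick box in msconfig writes the safeboot element into the Boot Configuration Data store, which bcdedit exposes directly; the script block below sets it, clears it, and reports what the store currently holds. The host name SERVER01 is a placeholder. Run it elevated.

```powershell
# Added example, not code from the original post.
# Flip the BCD "safeboot" element (what msconfig's "Safe boot" tick box sets)
# from PowerShell, locally or through Invoke-Command on a remote machine.
# {current} is the boot entry the machine last started from.

$safeBootScript = {
    param([Parameter(Mandatory)][ValidateSet('minimal', 'network', 'off')][string]$Mode)

    if ($Mode -eq 'off') {
        # Clearing the element is the only way back: the machine keeps coming up
        # in Safe Mode on every reboot until this runs.
        bcdedit /deletevalue '{current}' safeboot | Out-Null
    } else {
        # "minimal" is the classic Safe Mode; "network" also loads network drivers
        # and services. Pick "network" on a box you only reach over the wire, and
        # still make sure you have console access: remote management services are
        # not guaranteed to start in Safe Mode.
        bcdedit /set '{current}' safeboot $Mode | Out-Null
    }

    # Report the resulting state by parsing bcdedit's text output.
    $text = (bcdedit /enum '{current}') -join "`n"
    if ($text -match '(?m)^\s*safeboot\s+(\S+)') { $Matches[1] } else { 'normal' }
}

# Local use:
#   & $safeBootScript -Mode network      # prints 'network'
#   Restart-Computer
#   ... do the work in Safe Mode ...
#   & $safeBootScript -Mode off          # prints 'normal'
#   Restart-Computer

# Remote use (PowerShell Remoting already enabled on the target; host is a placeholder):
#   Invoke-Command -ComputerName 'SERVER01' -ScriptBlock $safeBootScript -ArgumentList 'network'
#   Restart-Computer -ComputerName 'SERVER01' -Force
#   ... later ...
#   Invoke-Command -ComputerName 'SERVER01' -ScriptBlock $safeBootScript -ArgumentList 'off'
#   Restart-Computer -ComputerName 'SERVER01' -Force

# Quick audit without changing anything:
#   (bcdedit /enum '{current}') -match '^\s*safeboot'
```

One caveat worth keeping in mind: Safe Mode skips every non-essential service, and that includes third-party security agents. Setting the safeboot element and rebooting is therefore also a known defence-evasion move, so a safeboot value turning up in BCD on a server nobody is maintenance-booting is worth an alert, and the same one-liner audit above is how you look for it.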

