I was recently advised of an issue where a user with a local "restricted"

account on an XP Pro machine, somehow managed to grant himself

administrative rights...



Now, unless he knew the local admin password, or the password of one of the

other admins for the machine, is there any easy way that a 14 year old kid

could have done this??? (other than hacking the password etc...)



Thanks,



Brad

Brad Pears wrote:



> I was recently advised of an issue where a user with a local

> "restricted" account on an XP Pro machine, somehow managed to grant

> himself administrative rights...

>

> Now, unless he knew the local admin password, or the password of one

> of the other admins for the machine, is there any easy way that a 14

> year old kid could have done this??? (other than hacking the password

> etc...)

>



"Hacking the password" as you put it is completely brain-dead easy for

someone with physical access to the machine. Any smart tech-savvy

14-year old could do it. I suggest you have a talk with the kid.



Malke

--

Elephant Boy Computers

www.elephantboycomputers.com

"Don't Panic!"

MS-MVP Windows - Shell/User

"" wrote:

> I was recently advised of an issue where a user with a local

> "restricted"

> account on an XP Pro machine, somehow managed to grant himself

>

> administrative rights...

>

> Now, unless he knew the local admin password, or the password

> of one of the

> other admins for the machine, is there any easy way that a 14

> year old kid

> could have done this??? (other than hacking the password

> etc...)

>

> Thanks,

>

> Brad



Well, he could have used a clever service (that runs as system which

has compleate control) to run cmd, which would give him compleate

access to every thing and could run the user management thing and then

give him self admin rights, not exacly hard.



--

Posted using the http://www.windowsforumz.com interface, at author's request

Articles individually checked for conformance to usenet standards

Topic URL: http://www.windowsforumz.com/Securit...ict418104.html

Visit Topic URL to contact author (reg. req'd).  Report abuse: http://www.windowsforumz.com/eform.php?p=1395524

"Sparda" wrote:

> Well, he could have used a clever service (that runs as system

> which has compleate control) to run cmd, which would give him

> compleate access to every thing and could run the user

> management thing and then give him self admin rights, not

> exacly hard.



You ask how he could run a program via a service? well, he could have

found a service exe  that he can change stuff, and replace the exe. If

this is not the case, it can be a bit more tricky, he would have had

to find a way to run a program as system with out going though a

service.



Posted Via webservertalk.com Premium Usenet Newsgroup Services

----------------------------------------------------------

** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **

----------------------------------------------------------

http://www.webservertalk.com

	
Quote:
	

	

		

			
				Originally posted by Sparda 

"Sparda" wrote:

> Well, he could have used a clever service (that runs as system

> which has compleate control) to run cmd, which would give him

> compleate access to every thing and could run the user

> management thing and then give him self admin rights, not

> exacly hard.



You ask how he could run a program via a service? well, he could have

found a service exe  that he can change stuff, and replace the exe. If

this is not the case, it can be a bit more tricky, he would have had

to find a way to run a program as system with out going though a

service.



Posted Via webservertalk.com Premium Usenet Newsgroup Services

----------------------------------------------------------

** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **

----------------------------------------------------------

http://www.webservertalk.com 
			
		
	
	


Hi. 

Dead easy, all he has to do is obtain a copy of the "system" & "sam" files in the winnt/system32/config folder using a win98 boot disc & a programme to copy the 2 files. He can then either extract the password hashes & brute force them to get the password (takes a LONG time if a strong password is used) or (much quicker) post the hashes onto a certain site that has already decoded ALL possible hash combinations (they use something called rainbow tables) then they compare your hashes with the ones contained in the tables & tell you what the corresponding password is).

OR... he could have logged into the admin account in safe mode.... you DID put a password on it, didn't you??? (This account has no password unless you set one.



Regards



CReWdog.

Could you give me an actual example of how this could have been done , using

an actual running service?? I'm just not sure how he could have run

"command" from within the service in order to run the managment console to

give himself admin rights...



My guess is he must have hacked the password but you never know...



"Sparda" <DoNotEmail@WindowsForumz.com> wrote in message

news:3_1395525_4ed3de00a473127f99428391a02d5f08@wi  ndowsforumz.com...

> "Sparda" wrote: 

>

> You ask how he could run a program via a service? well, he could have

> found a service exe  that he can change stuff, and replace the exe. If

> this is not the case, it can be a bit more tricky, he would have had

> to find a way to run a program as system with out going though a

> service.

>

> Posted Via webservertalk.com Premium Usenet Newsgroup Services

> ----------------------------------------------------------

>    ** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **

> ----------------------------------------------------------

>                http://www.webservertalk.com

Brad Pears wrote:



> Could you give me an actual example of how this could have been done ,

> using an actual running service?? I'm just not sure how he could have

> run "command" from within the service in order to run the managment

> console to give himself admin rights...

>

> My guess is he must have hacked the password but you never know...



Why bother to mess around with services or anything that elaborate?

Simply boot with NTpasswd and change the Administrator password to a

blank. Then log in and do whatever you want. Takes less than 5 minutes.



Malke

--

Elephant Boy Computers

www.elephantboycomputers.com

"Don't Panic!"

MS-MVP Windows - Shell/User

"" wrote:

> Brad Pears wrote:

> 

> been done , 

> could have 

> managment 

> know...

>

> Why bother to mess around with services or anything that

> elaborate?

> Simply boot with NTpasswd and change the Administrator

> password to a

> blank. Then log in and do whatever you want. Takes less than 5

> minutes.

>

> Malke

> --

> Elephant Boy Computers

> www.elephantboycomputers.com

> "Don't Panic!"

> MS-MVP Windows - Shell/User



Well, the example that stuck in my mind was that at my High school,

Nortan antivirus couldnt update because it couldnt write to the hard

drive, so the school admins in all there wisedome allowed every one to

write to that folder, in cluding the noroton system monitor. So as you

do, it wrote a wee vb program thats soul pupose was to run cmd... as

system, so replacing the system monitor with my vb program... you see

where im going with this.



--

Posted using the http://www.windowsforumz.com interface, at author's request

Articles individually checked for conformance to usenet standards

Topic URL: http://www.windowsforumz.com/Securit...ict418104.html

Visit Topic URL to contact author (reg. req'd).  Report abuse: http://www.windowsforumz.com/eform.php?p=1397428

Never heard of booting with NTpasswd - is that some sort of utility ??  I

know you can boot to the recovery console etc.. but you need admin password

for that...



Please elaborate!



Thanks,



Brad



"Malke" <invalid@not-real.com> wrote in message

news:e5kMaS8sFHA.1252@TK2MSFTNGP09.phx.gbl...

> Brad Pears wrote:

> 

>

> Why bother to mess around with services or anything that elaborate?

> Simply boot with NTpasswd and change the Administrator password to a

> blank. Then log in and do whatever you want. Takes less than 5 minutes.

>

> Malke

> --

> Elephant Boy Computers

> www.elephantboycomputers.com

> "Don't Panic!"

> MS-MVP Windows - Shell/User

Brad Pears wrote:



> Never heard of booting with NTpasswd - is that some sort of utility ??  I

> know you can boot to the recovery console etc.. but you need admin password

> for that...

>

> Please elaborate!

>

Hi,



http://home.eunet.no/~pnordahl/ntpasswd/







--

torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway

Administration scripting examples and an ONLINE version of

the 1328 page Scripting Guide:

http://www.microsoft.com/technet/scr...r/default.mspx