
Analysis of the Security of Windows NT, 1 March 1999, p. 58

is threatened as well. One example of this is ERD Commander, which actually boots a stripped-down NT system.

Intent. The goal of this attempt is to overwrite the SAM database with a new one, which we have created beforehand and which therefore includes known user names and passwords. When NT is up and running, it is impossible to replace the SAM database.

Result. We downloaded the program and installed it as specified on the Web site. The program seems to work as promised. However, we were only able to test the freeware version. This version has certain limitations; see appendix D.3.3. Therefore, we were not able to replace the SAM database.

7.7.2  NTRecover

Description. Even filesystems remotely mounted as mentioned in section 7.6.2 are writable, with the same consequences as stated above.

Intent. The same as for ERD Commander.

Result. We installed and configured the utility and the equipment. After this phase, we were able to both read from and write to the whole NTFS volume on the client machine. We checked this by replacing the SAM database.

7.7.3  NTLocksmith

Description. NTLocksmith is a program that must be used together with NTRecover with write permissions to specify a new password for the administrator on the system, i.e. it overwrites the old one. We have tried this program, and the authors claim that it works 100% of the time. This program will destroy both the integrity and the secrecy of any NT system with NTRecover installed. We believe that all this program does is scan the SAM database for a certain string and then overwrite the content at a certain offset from this point, without knowing the real structure of the database. It is therefore highly unlikely that it will work on systems with SYSKEY, i.e. an extra level of encryption on the password, set in the registry.

Intent. We will try to overwrite the Administrator's password with one that we have selected.

Result. After installation, we executed the utility. By doing this we were able to change the password for the Administrator on the target computer.

7.7.4  GetAdmin

Description. GetAdmin is a program written by Konstantin Sobolev that will add any user to the local administrator group. It is therefore possible for any user to become administrator on the local machine. This in turn opens up a number of attacks, e.g. installing trojans such as keyboard sniffers or network sniffers as automatic services. In a posting to NTsecurity.Net, Thomas Lopatic gives the following analysis of the bug and the program.