Analysis of the Security of Windows NT
1 March 1999
58
is threatened as well. One example of this is ERD Commander, which actually boots a
stripped-down NT system of its own, so that the access controls of the installed system
are never consulted.
Intent. The goal of this attempt is to overwrite the SAM database with a new one that we
have created beforehand and that therefore contains user names and passwords known to
us. While NT is up and running this is not possible, since the SAM hive is held open by
the system, so the replacement has to be made from outside the running system.
Result. We downloaded the program and installed it as specified on the Web site. The
program seems to work as promised. However, we were only able to test the freeware
version, which has certain limitations (see appendix D.3.3). Therefore, we were not able
to replace the SAM database.
7.7.2 NTRecover
Description. Even file systems mounted remotely, as described in section 7.6.2, are
writable, with the same consequences as stated above.
Intent. The same as for ERD Commander.
Result. We installed and configured the utility and the equipment. After this phase we
were able to both read from and write to the whole NTFS volume on the client machine.
We verified this by replacing the SAM database.
7.7.3 NTLocksmith
Description. NTLocksmith is a program that must be used together with NTRecover (with
write permission) to set a new password for the Administrator account of the target
system, i.e. to overwrite the old one. We have tried this program, and its authors claim
that it works 100% of the time. This program destroys both the integrity and the secrecy
of any NT system with NTRecover installed. We believe that all this program does is scan
the SAM database for a certain string and then overwrite the contents at a certain offset
from that point, without knowing the real structure of the database. It is therefore
highly unlikely that it will work on systems where SYSKEY, i.e. an extra level of
encryption of the stored password hashes, has been enabled in the registry.
Intent. We will try to overwrite the Administrator's password with one that we have
selected.
Result. After installation we executed the utility, and were thereby able to change the
Administrator password on the target computer.
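The mechanism conjectured above for NTLocksmith (search for a marker, overwrite at a fixed offset, without parsing the database) and the reason an extra encryption layer defeats it can be illustrated in general terms. The following is an added example written for this report; it is not NTLocksmith's code and does not use the real SAM format. The record layout (MARKER, OFFSET), the SHA-256 "verifier" standing in for the NT password hash, and the keyed XOR keystream standing in for SYSKEY's cipher are all constructed for the illustration. The example assumes that the SYSKEY key is not recoverable from the patched file alone.

```python
"""
Added illustration: a blind search-and-patch of a credential record in a
hive-like byte buffer, and why an extra encryption layer whose key is held
outside the file turns a chosen-value patch into an unusable account.

Everything below is constructed for this example and is not the SAM format.
"""
import hashlib
import hmac

MARKER = b"Administrator\x00"   # constructed: string the patcher searches for
OFFSET = 32                     # constructed: fixed distance from marker to verifier
VERIFIER_LEN = 32               # constructed: SHA-256 stands in for the NT hash


def verifier(password: str) -> bytes:
    """Stand-in for the stored password hash (NT uses MD4 of UTF-16LE)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def build_hive(password: str) -> bytes:
    """Constructed hive-like buffer: header, filler, then the Administrator record."""
    record = MARKER.ljust(OFFSET, b"\x00") + verifier(password) + b"\x00" * 16
    return b"regf" + b"\x00" * 64 + record + b"\x00" * 64


def blind_patch(data: bytes, marker: bytes, offset: int, new_bytes: bytes) -> bytes:
    """The conjectured approach: locate the marker, overwrite at a fixed offset."""
    idx = data.find(marker)
    if idx < 0:
        raise ValueError("marker not found")
    start = idx + offset
    return data[:start] + new_bytes + data[start + len(new_bytes):]


def check_login(data: bytes, password: str) -> bool:
    """Stand-in for the logon check: stored verifier must equal hash of password."""
    idx = data.find(MARKER)
    stored = data[idx + OFFSET: idx + OFFSET + VERIFIER_LEN]
    return hmac.compare_digest(stored, verifier(password))


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode); stands in for SYSKEY's cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "little"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor_verifier(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt only the verifier field (XOR is its own inverse)."""
    idx = data.find(MARKER) + OFFSET
    field = data[idx: idx + VERIFIER_LEN]
    masked = bytes(a ^ b for a, b in zip(field, keystream(key, VERIFIER_LEN)))
    return data[:idx] + masked + data[idx + VERIFIER_LEN:]


def check_login_syskey(enc_data: bytes, key: bytes, password: str) -> bool:
    """Logon check when the verifier is stored encrypted under an external key."""
    return check_login(xor_verifier(enc_data, key), password)


def demo():
    """Returns (plain patch works, syskey patch lets attacker in,
               syskey patch still lets original password in, untouched syskey ok)."""
    hive = build_hive("original-secret")
    # Plaintext hive: the blind patch installs the attacker's chosen verifier.
    patched = blind_patch(hive, MARKER, OFFSET, verifier("attacker"))
    plain_ok = check_login(patched, "attacker")

    # "SYSKEY" hive: the same patch writes ciphertext the attacker cannot choose.
    key = b"key-held-outside-the-hive"          # constructed stand-in for SYSKEY
    enc_hive = xor_verifier(hive, key)
    enc_patched = blind_patch(enc_hive, MARKER, OFFSET, verifier("attacker"))
    attacker_in = check_login_syskey(enc_patched, key, "attacker")
    original_in = check_login_syskey(enc_patched, key, "original-secret")
    untouched_ok = check_login_syskey(enc_hive, key, "original-secret")
    return plain_ok, attacker_in, original_in, untouched_ok


if __name__ == "__main__":
    print(demo())
```

On the plaintext buffer the patch succeeds and the attacker logs on with the chosen password; on the encrypted buffer the same write decrypts to unpredictable bytes, so neither the attacker's nor the original password validates. A write-anywhere primitive against the hive thus degrades from an authentication bypass to a denial of service once the verifier is encrypted under a key the attacker cannot obtain from the file, which is the argument made above about SYSKEY.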
7.7.4 GetAdmin
Description. GetAdmin is a program written by Konstantin Sobolev that adds any user to
the local Administrators group. It is therefore possible for any user to become
administrator on the local machine. This in turn opens up a number of further attacks,
e.g. installing trojans such as keyboard sniffers or network sniffers as automatically
started services. In a posting to NTsecurity.Net, Thomas Lopatic gives the following
analysis of the bug and the program.