Friday, July 25, 2008

Gain Access to Any Windows Computer

Sounds great, right?

The concept is simple: reset the local admin account. Resetting the local admin password is not difficult: boot the computer from a Linux live CD and overwrite the password file. However, this leaves a discovery problem, as the real administrator will notice the change the next time they do actual maintenance.

A more clever way is to copy the password file in advance, reset the password to gain access, and then copy the backed-up password file back. This does the trick and is less likely to be discovered.

A more advanced approach is to obtain the password itself instead of copying the password file.

There are two interesting files in any Windows system. They are:
  1. WINDOWS\system32\config\system and
  2. WINDOWS\system32\config\sam
Once you have these two files by any means, you effectively have all local passwords: you can extract the syskey and dump all the password hashes. Once you have the hashes, you can use one of the rainbow tables available online to "check" what the password is.

In most cases the local admin password is the same on all workstations, because disk cloning is used for fast deployment in corporate environments. This means that once a notebook is handed to a user, that user has the local admin password for every workstation in the environment. If your administrator is careless enough to use the same password for the domain admin account as for the local admin account, you now control the whole network of Windows computers.


Recently, I made a change to my home network infrastructure. Originally, I had port forwards for RDP and SSH open to the whole Internet. This was not good, as anyone on the Internet could run brute-force attacks against these services.

Now I have implemented an SSLVPN service on my home network to act as the first authentication gate. The product I am using is SSL-Explorer from 3SP ( The product gives me a first tier of defence by authenticating over a browser. I added two-factor authentication by SMS; the product natively supports the SMS gateway from Clickatell ( The implementation experience was great, as the whole installation and profile provisioning, including AD integration, cost me less than 3 hours.
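The SMS one-time-code step described above, as an added example (not SSL-Explorer's or Clickatell's code): the server generates a short code, keeps only its hash with an issue time, hands the plaintext to a hypothetical `send_sms` hook, and accepts the code once, within its lifetime, with a cap on wrong guesses. The lifetime and attempt limit are constructed policy values.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # constructed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3        # constructed policy: three wrong guesses burn the code

# In-memory store of pending codes keyed by user. A real deployment would
# persist this server-side; keeping it in a dict is an assumption here.
_pending = {}

def _digest(user, code, issued):
    # Hash the code together with its context so the plaintext is never stored.
    return hashlib.sha256(f"{user}:{issued}:{code}".encode()).hexdigest()

def issue_otp(user, send_sms, now=None):
    """Generate a code, record its hash and issue time, and hand the plaintext to send_sms."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[user] = {"digest": _digest(user, code, now), "issued": now, "attempts": 0}
    send_sms(user, code)  # hypothetical gateway hook; the real Clickatell API is not modelled
    return code           # returned only so a test can drive it; production code would not

def verify_otp(user, candidate, now=None):
    """Return True exactly once for a correct, unexpired code; consume it on success or lockout."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    if now - entry["issued"] > OTP_TTL_SECONDS:
        del _pending[user]            # expired codes are discarded, never accepted late
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["digest"], _digest(user, candidate, entry["issued"]))
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user]            # one-time use: success and lockout both consume the code
    return ok
```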

To avoid the untrusted-certificate warning every time I connect via the SSLVPN, I bought an SSL certificate from GoDaddy (

After all these changes, I disabled all direct port forwarding except TCP 443 to the SSLVPN service.

The total investment for this project:
  • AD - already have, nothing added, $0
  • 3SP SSLVPN license - using the free 2 concurrent user license, $0
  • PC based server - using a virtual machine with CentOS, $0
  • SMS Gateway - Clickatell, HK$100 for about 220 SMS send out credits (about HK$0.45 per authentication)
  • SSL Certificate - GoDaddy, US$14.95 for 1 year
  • My time - 3 hours of design and implementation

In short, for home use it does not cost a lot if you do not need SMS OTP. Other methods of two-factor authentication can also be used, such as digital signatures, OTP tokens, etc. However, I think SMS is the most accessible way for me.