Physical Hacks Against Windows and Linux Systems
What is a physical hack against a system? Physical hacks are nothing more than hacking the system you have physical access to. No system is 100% secure from a physical attack, which is why physical security is always a priority at every site.
Windows systems can be attacked by booting from the server's DVD-ROM or from an alternate boot device such as a USB stick or an external USB DVD drive. Understand that performing this hack requires you to reboot the system and switch the boot order to the DVD-ROM or external USB device, with the server's operating system disc in it.
Creating a Windows Backdoor
A backdoor can easily be created on Windows if the user has administrator privileges on the soon-to-be “victim” system. This does not require the attacker to interrupt the server: it can remain online, and the backdoor works as soon as the steps below are complete. Follow them and you'll be able to bring up an administrator command prompt whenever you like. This trick works on Windows Vista and later (Vista, 7, 8, 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016). It is done by granting full rights on one file to a specific user, the one that will create the backdoor.
- Go to the “C:\Windows\System32” folder
- Search for the “sethc.exe” program
- Right-click on it and choose Properties
- Once the Properties window opens, choose the “Security” tab
- On the Security tab, click the “Advanced” button
- In the Advanced Security Settings window, click the “Owner” tab
- The Owner tab has an “Edit” option. Click on it
- Then click the “Other users or groups” button
- You'll now have the “Select User or Group” window; click the “Advanced” button
- Confirm that under “Locations” you see the victim system's name
- Then click the “Find Now” button
- You'll now see the full list of users available on the system
- Choose the user you would like to grant full rights to
- In the “Select User or Group” window you now see the user you selected. Press OK
- Now click “OK” on the Owner tab
- A Windows Security pop-up will appear; press “OK”
- You'll now be back at the Sethc Properties “Security” tab
- Click “Edit” and search for the selected user
- Once the user is selected, grant all permissions on the sethc.exe file
- Press “OK”
- Now rename or delete the “sethc.exe” file
- Search for the “cmd.exe” file and create a copy of it
- Rename the copy of “cmd.exe” to sethc.exe
- You are done!
- Press the Shift key five times
- You now have permanent access to the server (unless someone knows how to undo what you just did)
You now have local administrator access to the server whenever you want, even if the server is locked. All you have to do now is create a new user and assign it administrator rights. You may also decide to change the Administrator's password.
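The steps above leave a tell-tale artifact: sethc.exe in System32 becomes a byte-for-byte copy of cmd.exe, or goes missing. The check below is an added example (not part of the original text and not a Microsoft tool) that hashes the accessibility binary and reports it when it matches cmd.exe, is missing, or differs from a known-good baseline you recorded from a clean install. The folder it inspects in `demo()` is a constructed stand-in built in a temporary directory; on a real host you would pass `Path(r"C:\Windows\System32")`.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_binaries(system32: Path, names=("sethc.exe",), baseline=None) -> dict:
    """Report files in `system32` that look substituted, as {file name: reason}.

    A file is reported when it is missing (renamed or deleted), when it is
    byte-for-byte identical to cmd.exe (a renamed copy of cmd.exe), or when
    `baseline` (a dict of known-good SHA-256 values recorded from a clean
    install) holds a different hash for it.
    """
    findings = {}
    cmd = system32 / "cmd.exe"
    cmd_hash = sha256_of(cmd) if cmd.is_file() else None
    for name in names:
        target = system32 / name
        if not target.is_file():
            findings[name] = "missing: renamed or deleted"
            continue
        actual = sha256_of(target)
        if cmd_hash is not None and actual == cmd_hash:
            findings[name] = "identical to cmd.exe"
        elif baseline and name in baseline and baseline[name] != actual:
            findings[name] = "hash differs from recorded baseline"
    return findings


def demo() -> dict:
    """Build a constructed stand-in for System32 in a temporary folder (the
    file contents are placeholders, not real Windows binaries), where sethc.exe
    has been replaced by a copy of cmd.exe and notepad.exe is untouched and
    matches its baseline, then run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp)
        (fake / "cmd.exe").write_bytes(b"MZ constructed stand-in for cmd.exe")
        (fake / "sethc.exe").write_bytes(b"MZ constructed stand-in for cmd.exe")
        (fake / "notepad.exe").write_bytes(b"MZ constructed stand-in for notepad.exe")
        baseline = {"notepad.exe": sha256_of(fake / "notepad.exe")}
        return find_swapped_binaries(fake, ("sethc.exe", "notepad.exe"), baseline)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

The hash comparison catches the exact trick described above; the baseline comparison catches any other modification of the file, at the cost of having to re-record the baseline after Windows updates replace the binary legitimately.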
Need root access to a Linux system but have no password? Yikes! What's next? No problem. The process varies depending on the Linux distribution. The scariest part is that it doesn't require a copy of the OS at all: it is done by rebooting the server and making a few changes during the boot process. Read below to successfully hack into the device.
Debian-based Linux (Debian and Ubuntu)
- On the GRUB menu, select Advanced options and press e
- Search for the line that contains ro
- Change the read-only mode (ro) to read-write mode (rw) and add init=/bin/bash after the rw
- Press F10 to continue the boot process
- Once the shell loads, type: passwd root
- The shell will prompt you with: Enter new UNIX password
- Enter the new password
- Re-type the password
- Reboot the system
Voila! You now have root access to the system.
- On the GRUB menu, select Advanced options and press e
- Select the list item containing vmlinuz using the arrow keys and press e
- Type single or init 1 at the end of the selected line
- Now press Enter, then b, to boot the system into single-user mode (a bash shell will appear)
- Once you have the shell, type: passwd
- You'll be asked: Enter new UNIX password
- Enter the new password
- Confirm the password
- Reboot the system
You now have root access to the system!
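Both Linux procedures above rely on one thing: anyone at the console can press e and edit the kernel line. GRUB 2 only refuses that when `set superusers` is defined and the named user has a `password_pbkdf2` line; an entry marked `--unrestricted` still boots without a password but can no longer be edited. The audit below is an added example (not part of the original text and not a GRUB tool) that reads a grub.cfg as text and reports whether editing is locked, which superusers lack a password line, and which entries will now prompt for a password just to boot. The three configuration fragments are constructed samples, and the pbkdf2 hash in the protected one is a placeholder rather than real `grub-mkpasswd-pbkdf2` output.

```python
import re

# Constructed grub.cfg fragments (not taken from any real host).
GRUB_CFG_UNPROTECTED = """\
set default="0"
set timeout=5
menuentry 'Ubuntu' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
"""

# superusers declared but no password line for them: the lock is incomplete.
GRUB_CFG_HALF_DONE = """\
set superusers="grubadmin"
menuentry 'Ubuntu' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
"""

# Menu editing locked; the default entry still boots unattended (--unrestricted).
# The hash value is a placeholder, not real grub-mkpasswd-pbkdf2 output.
GRUB_CFG_PROTECTED = """\
set superusers="grubadmin"
password_pbkdf2 grubadmin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
set default="0"
set timeout=5
menuentry 'Ubuntu' --class ubuntu --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet
    initrd /initrd.img
}
menuentry 'Ubuntu (recovery mode)' --class ubuntu {
    linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
    initrd /initrd.img
}
"""

SUPERUSERS_RE = re.compile(r'^\s*set\s+superusers\s*=\s*"?([^"\n]*)"?', re.M)
PASSWORD_RE = re.compile(r'^\s*password(?:_pbkdf2)?\s+(\S+)', re.M)
MENUENTRY_RE = re.compile(r'^\s*menuentry\s+[\'"]([^\'"]+)[\'"]([^{\n]*)\{', re.M)


def audit_grub_cfg(text: str) -> dict:
    """Check whether the GRUB 2 menu can be edited without a password.

    Rules assumed here, per the GRUB manual: `set superusers` names who may
    edit entries or use the GRUB shell; each such user needs a `password` or
    `password_pbkdf2` line; an entry marked `--unrestricted` boots without a
    password but still cannot be edited.
    """
    match = SUPERUSERS_RE.search(text)
    superusers = [u for u in re.split(r"[,\s]+", match.group(1)) if u] if match else []
    users_with_password = set(PASSWORD_RE.findall(text))
    missing = [u for u in superusers if u not in users_with_password]
    entries = MENUENTRY_RE.findall(text)
    return {
        "edit_protected": bool(superusers) and not missing,
        "superusers": superusers,
        "missing_passwords": missing,
        # Entries that will ask for the superuser password just to boot: fine for
        # a recovery entry, a problem for the default entry of a server that must
        # come back up unattended after a power cut.
        "boot_requires_password": [
            title for title, opts in entries
            if superusers and "--unrestricted" not in opts
        ],
    }


if __name__ == "__main__":
    for label, cfg in (("unprotected", GRUB_CFG_UNPROTECTED),
                       ("half done", GRUB_CFG_HALF_DONE),
                       ("protected", GRUB_CFG_PROTECTED)):
        print(label, audit_grub_cfg(cfg))
```

On Debian and Ubuntu the `set superusers` and `password_pbkdf2` lines go into /etc/grub.d/40_custom and are picked up by update-grub; the hash comes from grub-mkpasswd-pbkdf2. Keep in mind what this does and does not buy you: it stops the edit-the-kernel-line trick, but someone who can boot the machine from a USB stick or DVD can still read and change the disk, so a firmware password with a locked boot order and full-disk encryption are the controls that actually address the physical-access problem this section describes.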
After reading this section, I'm pretty sure you now understand the need for strong physical security at any site. I only focused on four Linux distributions because they are the most common ones. There are dozens of Linux flavors, and it would take me forever to write this down for each one.
The billion dollar question is, which system is easier to hack, Windows or Linux? If you performed the exercises above, you already know the answer.
I've got the shell now, now what?
Follow the steps below to create an administrator or root account on the victim system (note: this works on all systems, servers and workstations alike, as long as no additional security controls have been put in place).
- Creating Administrator Accounts on Windows
  a. Open the Windows Command Prompt
  b. Type: net user "username" "password" /add
     example: net user hacker 123456 /add
  c. Now assign the new account to the Administrators group
     example: net localgroup administrators hacker /add
  d. Your new account now has administrator privileges on the victim system
  e. Confirm the account's privileges. Type: net localgroup administrators
- Creating Root Accounts on Linux
  a. Type: useradd "username" -p "password" -ou 0 -g 0
     example: useradd hacker -p 123456 -ou 0 -g 0
     You have just created the user account "hacker" and given it "root" privileges
     -o = allow a non-unique (duplicate) user ID
     -u 0 = set the user ID to 0, the UID of root
     -g 0 = set the primary group to GID 0, root's group
  * Setting both to 0 is what gives the created account "root" privileges.
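On the Windows side, the two commands above each leave a Security log event behind: account creation is event ID 4720 and adding a member to a security-enabled local group is event ID 4732. The detector below is an added example (not part of the original text and not a Microsoft tool) that walks exported events, flags every addition to the local Administrators group, and marks it when the same account was created on the same host moments earlier, which is the exact footprint of `net user ... /add` followed by `net localgroup administrators ... /add`. The sample events are constructed; their JSON shape and field names are an assumption about your export pipeline, not a Windows format.

```python
from datetime import datetime

# Constructed sample of exported Security log events. Field names mirror the
# event data names Windows uses, but this flat JSON-like shape is an assumption
# about the collector, not something Windows emits directly.
SAMPLE_EVENTS = [
    {"TimeCreated": "2017-06-01T02:14:05", "EventID": 4624, "Computer": "SRV01",
     "SubjectUserName": "-", "TargetUserName": "svc_backup"},
    {"TimeCreated": "2017-06-01T02:15:10", "EventID": 4720, "Computer": "SRV01",
     "SubjectUserName": "svc_backup", "TargetUserName": "hacker"},
    {"TimeCreated": "2017-06-01T02:15:42", "EventID": 4732, "Computer": "SRV01",
     "SubjectUserName": "svc_backup", "MemberName": "SRV01\\hacker",
     "TargetUserName": "Administrators"},
    # A routine group change that should be reported as nothing special.
    {"TimeCreated": "2017-06-01T09:00:00", "EventID": 4732, "Computer": "SRV01",
     "SubjectUserName": "helpdesk", "MemberName": "SRV01\\alice",
     "TargetUserName": "Remote Desktop Users"},
]


def find_new_local_admins(events, max_gap_seconds=600, group="administrators"):
    """Return one alert per addition to the local `group` (event 4732).

    Each alert records who was added and by whom; `created_just_before` is set
    when event 4720 shows the same account being created on the same host no
    more than `max_gap_seconds` earlier, and `created_by` then names the account
    that created it.
    """
    created = {}  # (host, account) -> (creation time, creating account)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        host = ev["Computer"]
        if ev["EventID"] == 4720:
            created[(host, ev["TargetUserName"].lower())] = (when, ev["SubjectUserName"])
        elif ev["EventID"] == 4732 and ev["TargetUserName"].lower() == group:
            # MemberName carries DOMAIN\account or HOST\account; keep the account part.
            member = ev["MemberName"].rsplit("\\", 1)[-1].lower()
            alert = {"computer": host, "account": member,
                     "added_by": ev["SubjectUserName"],
                     "created_just_before": False, "created_by": None}
            hit = created.get((host, member))
            if hit and 0 <= (when - hit[0]).total_seconds() <= max_gap_seconds:
                alert["created_just_before"] = True
                alert["created_by"] = hit[1]
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_new_local_admins(SAMPLE_EVENTS):
        print(alert)
```

Every addition to Administrators is worth a ticket on its own; the created-then-promoted pair within a few minutes, by an account that is not an approved administrator, is the one to page on.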
** Keep in mind that this is taught for educational purposes only. Performing these actions on a private/corporate system is considered illegal and you may be prosecuted for hacking **
About the author
Brucelle A. Arizmendi was born on December 8, 1977, in the town of Bayamon, Puerto Rico. He is a computer and cyber security aficionado. His main interests are understanding security flaws and finding security gaps in networks and systems. He currently holds several Security, Cyber Security and IT Security certifications, among them C|EH, C)PEH, C)PTE, C)DFE, C)NFE, C)WSE, C)VA, C)SS, Server+ and A+. He is currently working on a book about hacking tricks, tips and guidance, which hopefully should be completed before 2018.