Reset Domain Administrator Password Using Offline Service Injection

John Urbanek

Target Audience

This document assumes the reader is familiar with Windows network administration and fundamentals. It will explain as much as possible but will make general assumptions. Chances are that if the reader does not recognize the phrase "HKLM" or has never used Active Directory, this document will a) not be useful or b) not be understood without additional research.

Preface

Before beginning, I would like to make the reader aware that nothing in this document is "new" or "revolutionary." Individually, many of these techniques and principles have been around. Please see the Acknowledgements section at the end of this document.

In addition, this document presents more than just "how to reset a domain administrator password." The offline service injection paradigm represents a general attack vector for accomplishing much tomfoolery and transgression (to put it mildly). Resetting a domain administrator password is but one application of this attack vector.

Lastly, it is widely known that physical access to a computer automatically implies that it can be compromised. In no way should this line of thinking ever leave a network administrator's common sense.

Introduction

The meat and potatoes of this attack can be summed up in a short sentence: inject a service (SRVANY) into Windows that will accomplish our goal. The service will run in the LocalSystem context, which has (as part of the design of Windows) administrative-level access to nearly every facet of the Windows operating system.

Obviously, if you possessed the proper credentials to begin with, you wouldn't need to go through the trouble of creating a service just to get the necessary privileges to accomplish a task. If you had the credentials you would already have the access. The framework ahead assumes you do not have proper credentials. It assumes you lack any and all passwords to the target system: not a domain administrator login, not a domain user login, not a local user login (if on something other than a DC), not the Directory Services Restore Mode password. It does assume, however, that you have physical access to the target computer.

The basic steps are outlined below.

  1. Acquire physical access to the target computer. Restart the computer (hard reset or graceful).
  2. Boot into an alternate operating system (we will be using BartPE) that will allow access to the local hard disks.
  3. Drop any and all necessary files onto the local hard disks. Load up the local registry hives for modification. Add the proper registry entries to define a new service.
  4. Reboot and allow the Windows operating system to boot normally. Upon service startup, our service will run in the LocalSystem context.
  5. Remove the service if necessary.

Windows Services Primer

Services in the Windows operating system are very similar in nature to a Unix daemon. They are capable of starting on bootup, can run without any user being logged into the system, and can be started and stopped. In Windows you can view the services MMC console by going to the "Control Panel"->"Administrative Tools"->"Services" or by typing services.msc from the Run menu.

MSDN Service Reference

Services are defined in the Windows registry under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key. CurrentControlSet is a pointer to either ControlSet001 or ControlSet002 and is not available offline. ControlSet001 is the key we will be using.

MSKB 100010: ControlSets

Below is a regedit export of the service PwnAge, a service created for the sole purpose of resetting the domain administrator password. The values will be discussed below.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"DisplayName"="PwnAge"
"ObjectName"="LocalSystem"
"ImagePath"="c:\\temp\\srvany.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge\Parameters]
"Application"="c:\\windows\\system32\\cmd.exe"
"AppParameters"="/k net user administrator PassChange1234 /domain"
Figure - Regedit export of the relevant key for service PwnAge.

"Type"=dword:00000010
A service type of 0x00000010 defines the SERVICE_WIN32_OWN_PROCESS service type, a plain-Jane service. Other types include file system driver services, driver services, and services that share a process.

"Start"=dword:00000002
A service can have different startup modes. 0x00000002 defines SERVICE_AUTO_START, which means the service is started automatically during system startup. Other values are manual (on demand), disabled, and other types of automatic start for the different service types.

"ErrorControl"=dword:00000001
A service can have different types of error handling upon service startup. 0x00000001 defines SERVICE_ERROR_NORMAL, which means the error is logged and system startup continues. Other types can be referenced below.

"DisplayName"="PwnAge"
The name used by applications to identify the service to users.

"ObjectName"="LocalSystem"
The security context (name of account) under which the service will run. This could be LocalSystem, Network Service, Administrator or any other account on the machine. There are specific accounts on the machine that are not actually accounts in the traditional sense of the word. LocalSystem is one such account (context) and is granted free rein over the local machine. It does not have a password, but since it is not a user account, it cannot be used for any sort of interactive authentication.

"ImagePath"="c:\\temp\\srvany.exe"
Fully qualified path to the service executable file. A common one you will see is %SystemRoot%\system32\svchost.exe -k LocalService. We have directed it to a temp directory which contains srvany.exe, a wrapper executable that implements the Service Control Manager interfaces necessary to allow any executable to become a Windows service. Note how the backslashes '\' are escaped.

"Application"="c:\\windows\\system32\\cmd.exe"
Fully qualified path of the executable that srvany.exe will execute. Effectively this is the actual executable we want to run, since srvany.exe is just a wrapper.

"AppParameters"="/k net user administrator PassChange1234 /domain"
The arguments to Application. This is actually the line that changes the password. In essence, the "service" being executed is cmd.exe /k net user administrator PassChange1234 /domain.

MSDN Reference: Service Configuration Options
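From the defender's side, the same values described above are what an audit of a SYSTEM hive export should look at. The following Python is an added example, not part of the original document: it parses a regedit export of the Services key and flags services that match the pattern just described (auto-start, running as LocalSystem, ImagePath outside the Windows or Program Files directories, or wrapped by srvany.exe). The embedded export and the Spooler entry are constructed samples.

```python
import re

TRUSTED_DIRS = ("%systemroot%", "c:\\windows", "c:\\program files")
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge]
"Start"=dword:00000002
"ObjectName"="LocalSystem"
"ImagePath"="c:\\temp\\srvany.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge\Parameters]
"Application"="c:\\windows\\system32\\cmd.exe"
"AppParameters"="/k net user administrator PassChange1234 /domain"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Start"=dword:00000002
"ObjectName"="LocalSystem"
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
'''  # constructed sample: the article's PwnAge keys plus a benign service for contrast

def parse_reg(text):
    # Parse a .reg export into {key_path: {value_name: value}} (dword and string values).
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                cur[name.strip('"')] = int(raw[6:], 16)
            elif raw.startswith('"'):  # .reg escapes backslash and quote with a backslash
                cur[name.strip('"')] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def audit_services(reg_text):
    # Return {service_name: [findings]} for services matching the injected-service pattern.
    svcs = {}
    for path, vals in parse_reg(reg_text).items():
        m = re.search(r"\\Services\\([^\\]+)(\\Parameters)?$", path, re.I)
        if m:  # fold the Parameters subkey into the service record under a prefix
            prefix = "Parameters\\" if m.group(2) else ""
            svcs.setdefault(m.group(1), {}).update({prefix + k: v for k, v in vals.items()})
    findings = {}
    for name, s in svcs.items():
        image, hits = s.get("ImagePath", ""), []
        if (s.get("ObjectName", "").lower() == "localsystem" and s.get("Start") == 2
                and not image.lower().startswith(TRUSTED_DIRS)):
            hits.append("auto-start LocalSystem service with ImagePath outside system directories")
        if "srvany.exe" in image.lower():
            hits.append("srvany.exe wrapper running: " + s.get("Parameters\\Application", "<none>"))
        findings[name] = hits
    return {n: h for n, h in findings.items() if h}
```

Running audit_services over exports taken from a known-good baseline and from a suspect machine, and diffing the results, surfaces a service like PwnAge even though it is configured exactly the way a legitimate auto-start service would be.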

SRVANY

Srvany.exe is a wrapper that implements the Service Control Manager interfaces required of Windows services. These programmatic interfaces are responsible for handling start, stop, and other sorts of requests. The Windows cmd.exe does not implement these interfaces, thus it cannot be configured as a Windows service. To make cmd.exe a Windows service it is necessary to configure srvany.exe as the Windows service and then have srvany.exe execute cmd.exe.

Sticking with the example above, we create a service called PwnAge by creating the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge. This key requires the values Type, Start, ErrorControl, DisplayName, ObjectName and ImagePath shown in the export above.

These values define the service and are used by the Service Control Manager.

We then create the subkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge\Parameters and populate it with the values Application and AppParameters.

These values are not used by the Service Control Manager directly, but by srvany.exe, essentially telling it what to run.

Anyone who has used srvany.exe is probably wondering why go through the trouble of all of this registry editing when service installation can be done with the tool instsrv.exe. You are correct; unfortunately, with the method ahead it is not possible (yet, anyway) to use instsrv.exe. The registry entries must be entered manually, or via a .reg file. It behooves us to have an in-depth understanding of the keys and values that pertain to Windows services.

MSKB 137890: Creating a User-Defined Service

PwnAge Logistics

The following .reg file can be merged into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"DisplayName"="PwnAge"
"ObjectName"="LocalSystem"
"ImagePath"="c:\\temp\\srvany.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PwnAge\Parameters]
"Application"="c:\\windows\\system32\\cmd.exe"
"AppParameters"="/k net user administrator PassChange1234 /domain"

Offline Service Injection

Understanding the registry, services, and how to change a password on the command line is fine and dandy. It doesn't explain how, without login details and credentials, it is possible to inject the service to begin with. This leads into the second part of this document: Offline Service Injection.

There are many bootable images/discs/tools/OSes/etc. available that allow offline access to an operating system's files. There are two I have used extensively when it comes to dealing with the Windows operating system. One is Linux-based; the other is Windows-based and built on the ideas of WinPE.

First is Petter Nordahl's Offline NT Password & Registry Editor. This tool consists of a set of very well written scripts wrapped around the Linux kernel, designed for registry editing and resetting local user accounts. Keyword is local. In theory it can be used to reset the Directory Services Restore Mode password, but I have tried it and had mixed results. Many of the problems with Linux-based tools and offline Windows access stem from the fact that Linux write support for NTFS, while having come a long way, is not what most would consider fully functional. This is no fault of the filesystem hackers either, as it is Microsoft that keeps the implementation and gory details hidden and proprietary.

Second is Bart Lagerweij's BartPE, also called PE-Builder. Similar in design and theory to WinPE, BartPE will give you "a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support." Keyword NTFS support. Additionally, it offers the ability to include just about any software that will run in Windows on the BartPE bootable disc through the use of plugins.

We will be building a bootable ISO with BartPE.

BartPE Help & Guidelines

This is not a tutorial on how to build BartPE ISOs, as there is plenty of documentation available. A few tips and guidelines are in order though.

Software Required

The basic build process is to download BartPE and then configure options and plugins.

Download Registry Editor PE, a plugin for BartPE that enables offline access to the target machine's registry. The plugin should come as a .cab file. Add a plugin and point it to the .cab.

Ensure the disk controllers (SCSI, RAID, etc.) are supported. If they are not, try to locate an existing SCSI/RAID plugin for BartPE (there are many already out there). Worst case, make one yourself.

When finished with plugin configuration be sure to point the "Custom" option in the "Builder" screen to a local directory containing srvany.exe and the .reg file to be merged (refer to later in this document for the specifics of the .reg file). This will ensure they are on the ISO and additional media and/or network access will not be required to transfer them to the target computer. When configuration is complete, build the ISO and burn to disc.

Booting Into BartPE

Restart the target computer and boot from the disc you have just created. BartPE will begin to load. You can say no to enabling network support; it is not needed. Best case, after opening the "A43 File Management Utility" inside of BartPE you will see C: listed among the drives and it will contain all of the files on the target computer's C:. If it is missing, then chances are the target computer has an odd hard disk configuration involving SATA/SCSI/RAID which will need to be addressed before proceeding. There are resources online that can help.

Create the directory C:\temp and drop srvany.exe and the .reg file there.

Open up Registry Editor PE from the Programs menu. Point it to the target system's Windows directory (usually C:\Windows). Registry Editor PE will ask you to locate the registry hives and present you with its best guess. You can say no to loading ntuser.dat files.

After loading the hives you will be sitting in front of standard Regedit. Note that what you see in front of you is the local BartPE registry, with the target machine's registry loaded as subkeys in HKEY_LOCAL_MACHINE. The mapping we are concerned with is that the target machine's HKEY_LOCAL_MACHINE\SYSTEM hive appears as HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM.

This registry path change, due to the way in which the target machine's registry is loaded, requires a few modifications to the .reg file we have been working with up until this point. The updated .reg file is below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM\ControlSet001\Services\PwnAge]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"DisplayName"="PwnAge"
"ObjectName"="LocalSystem"
"ImagePath"="c:\\temp\\srvany.exe"

[HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM\ControlSet001\Services\PwnAge\Parameters]
"Application"="c:\\windows\\system32\\cmd.exe"
"AppParameters"="/k net user administrator PassChange1234 /domain"
Figure - Updated .reg file taking into account the _REMOTE_SYSTEM path change.

Import the .reg file and close out of Regedit. Registry Editor PE will take over and write the hives to disk. At this point, with C:\temp\srvany.exe in place and the PwnAge service injected into the registry there is nothing left to do but reboot and let Windows do the rest.

Reboot, making sure to boot off the target machine's hard disk (read: remove the BartPE disc). Allow Windows to load normally and wait for the three-key salute to log in. Salute Windows accordingly and log in with the new password (in our example, PassChange1234).

Remove the service by deleting the appropriate registry key and srvany.exe.

Troubleshooting/Tips

Prevention

Closing Thoughts

There is a similar attack floating around that utilizes Petter Nordahl's Offline Password and Registry Editor to reset the Directory Services Restore Mode password, then logs in to DSRM, configures a Windows service appropriately and reboots. I have used Petter's tool many times to reset Windows XP workstation passwords but have had trouble with Windows Servers and could not get it to reset the DSRM password, even though in theory it *should* be able to. Your mileage may vary with it, but I wanted something that worked every time.

The application of this type of attack is nearly limitless. Resetting a domain administrator password is only the beginning, and used for demonstration only because I had a genuine need for it. Offline Service Injection is a very dangerous attack vector, only mitigated by the need to have physical access to the target computer.

Don't be stupid. This isn't intended to be used for nefarious purposes. I'll say it again, don't be stupid. This is proof of concept only.

Video Demonstration

The video was taken with VMware's built-in movie capture ability. The 'OWNME' domain is a fictitious domain created inside of VMware on an installation of Windows Server 2003 SP1 with all of the most recent critical updates (as of 2006.12.15). The video begins with failed login attempts, followed by a hard restart. It then boots into BartPE, performs offline service injection, then reboots again. Windows Server 2003 loads, and the password entered is the password from the injection. Tada!

Acknowledgements

Update 2010.09.05

Tested and confirmed to work in Microsoft Windows Server 2008 R2 using the same offline service injection attack.

Version History

Version 1.0 (2006.12.15) - Original Release

Version 1.1 (2010.09.05) - Tested and working on Server 2008 R2

John Urbanek weavervsworld.com