Hi everyone-

Last night while learning Snort I headed towards Ask Raymond site, and came across this cool tool called Kon-Boot it’s a live linux boot disc. What this can do is bypass the domain or local administrators account. I tested this on one of my end users with special permission through my co-partner, this boot CD got me through the  account with no interruption no password required. I realized while on line, it locked out the account, but when offline I did not have any issues. Now just to make sure my account being the Local Domain Admin I went ahead and tested myself a few times, and thank God can’t access my account,only as a local administrator it’s possible. This is very scary because it forces you to set a bios password, and encrypt your hard drive. So far I have not tested on Vista or Windows 7, but I’m sure someone out there can give us some feedback, try it on a 64bit OS maybe it might work. Once you reboot back to your system without the Cd everything should be back to normal.

Link to Kon-Boot---- http://www.piotrbania.com/all/kon-boot/


Ask Raymond Site-http://www.raymond.cc/blog/archives/2009/04/29/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/

PS -Please do things ethical this teaches us to warn others about exploits like this one.
 

I haven't played with this one, but there are many other bootable CDs out there that can get you into a machine without knowing the password. I've used this one in the past and like it:

Offline NT Password & Registry Editor
http://home.eunet.no/pnordahl/ntpasswd/

There is also ERD Commander that was made by Winternals. It has since been bought by Microsoft and is only released to those with Software Assurance contracts. But it has been kept up to date with bootable CDs for both XP and Vista.

There are plenty of others like the Ophcrack CDs, etc. etc. So I don't think this fits into the category of being an exploitable vuln, but it is always something to remember.

This is why sec pros always recommed the extra measures you mention below like power on passwords, full volume encryption, etc. Physical access is always the worst case scenario. OK... maybe not always, but you get what I'm saying.

Don

Yes correct guys I'm in with you with the other Boot Disk, but what makes this one a bit differnet is that it keeps the orignal password intact it does not modify your password I ran Sophos free Anti-Rootkit scanner,and did not find any rootkits installed.I would try it on a non productive computer just for you to see how easy this exploit can be.