
Didn't really know where to post this, but my mate showed me this and I genuinely couldn't believe what I was seeing, so I guess my question is how could Microsoft let us do this...

So, to explain, the way he did it was to boot the PC, then hold the power button to kill it, causing it to offer the option of Startup Repair (I guess you could just press F8, go to Advanced or whatever it is, and select it).

He then used the options in Startup Repair, after it had finished analysing, to access the HDD, navigated to System32 and found sethc.exe (this must relate to Sticky Keys, the menu or whatever it brings up). He renamed this to sethc1.exe, then made a copy of cmd.exe, pasted it in the same directory (System32) and renamed it to sethc.exe.

Yes, it really did do what you think: he rebooted and at the login screen hit Shift five times and opened a command prompt! And this was on a network too, so he could use any of the 'net' commands to change user passwords, create accounts, etc...

All of this was done with no knowledge of the system and no 'logging on'. Umm, bit of a security flaw?

Btw, we are not hackers and have no malicious intent, just found this both hilariously funny and shocking at the same time that it was possible... What do you guys think!


https://linustechtips.com/topic/114735-windows-sticky-keys-hack-wtf/
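The swap described in the post (cmd.exe copied over sethc.exe so that five presses of Shift at the logon screen spawn a SYSTEM shell) leaves evidence on disk that can be checked. The PowerShell below is an added example, not code from the original post or from any of its participants. It generalises beyond sethc.exe: the other accessibility helpers Windows launches from the logon screen (utilman.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe) can be abused the same way, and the same effect can be obtained without renaming anything by setting an Image File Execution Options "Debugger" value for the binary, so both are checked. The list of binaries and the "Microsoft" subject match are assumptions of this example, not something the post states.

```powershell
# Added example, not from the original thread.
# Run in an elevated PowerShell on the machine under review (or point $system32
# at the Windows\System32 folder of an offline-mounted disk).
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash

# Assumption: these are the helpers reachable from the logon screen before any
# credential is entered; sethc.exe is the one the post describes.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe',
                           'narrator.exe', 'magnify.exe', 'displayswitch.exe')

$findings = foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }

    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $sig  = Get-AuthenticodeSignature $path

    # 1. Byte-identical to cmd.exe: the exact copy-and-rename from the post.
    if ($hash -eq $cmdHash) {
        [pscustomobject]@{ File = $name; Issue = 'Identical to cmd.exe' }
    }
    # 2. Not carrying a valid Microsoft signature: replaced by some other file
    #    or patched. Caveat: System32 files are catalog-signed; on very old
    #    Windows/PowerShell versions catalog signatures report NotSigned, so
    #    treat this check as a hint there rather than proof of tampering.
    elseif ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        [pscustomobject]@{ File = $name; Issue = "Signature status: $($sig.Status)" }
    }

    # 3. IFEO hijack: when a Debugger value exists, Windows starts that program
    #    instead of the binary, with no file on disk touched at all.
    $ifeo = Join-Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' $name
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        [pscustomobject]@{ File = $name; Issue = "IFEO Debugger set to: $debugger" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No accessibility-binary tampering found.' }
```

The hash comparison only catches a verbatim copy of cmd.exe; the signature check is what catches a renamed third-party shell or a patched binary. None of this prevents the attack, which only needs unattended boot into a recovery environment: the countermeasures the replies below point at (full-disk encryption so the offline filesystem cannot be edited, a firmware password plus disabled boot from other media) are what actually close it.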


In order to do this, you need Administrator account privileges.

If I have your admin account, I too can go to your computer (or Remote Desktop, if you give me your IP and have it configured), go to virus.com and get the latest viruses from there.

Also, if I have a screwdriver, I can pull out your HDD/SSD, plug it into mine and access all your files, as they are not encrypted.

SHOCKING NEWS! Where's the security?!?! WHO IS THINKING ABOUT THE CHILDRREENNN! Ooohh the humanity! [copying some news media reaction when it comes to "new" attacks, for comedic purposes.]

No matter your OS, if you have administrative access (meaning the attacker knows the password), then the system is compromised, whether it be a Linux-based OS, macOS, or even your custom-made OS that you just developed. If you can get in, so can an attacker.

That is why Windows doesn't let you access a computer on the network that doesn't have a password. And Microsoft is upping the password requirements.

A strong password and not disabling UAC (so that a program cannot do the process automatically) are strongly recommended.


Basically, if you have physical access... you can do anything.



Not news, not even new. He had physical access to the machine and an admin account. What is so strange about what he did? I can do anything I want with a computer if I have physical access to it, even without credentials. I can boot a CD and wipe all passwords off the machine and access any account I want. I can remove BIOS/boot passwords too.



I know all of this is possible; my point was that it was done with NO login or account info and no live CDs/utilities...



He specifically set his account (admin) to have no password. That is his problem. Much like disabling all the firewall-like abilities of your router, removing all security features from your systems, making your network public, being downtown, and then freaking out when one day someone compromises your network and potentially your computer(s).

By the way, don't feel bad. It's all about understanding security, and what your friend did. You are not the first, definitely not the last. :D


Sure, no problem.

You don't have to set a password when you create your first account in Windows, and if you did, there's the option to remove it.

Meaning, at the end of the day, when he powers on the computer, there is no password to get into your friend's computer; it just logs in automatically.

Meaning, if you sneak over to his place while he sleeps or is away, and power the computer on, it will log in and you'll have full access to his system.

To be secure, have a password for your account. This way, when your friend, smart-ass that he thinks he is, tries the same trick on your home computer without knowing your password, he won't get very far (unless he uses other tools to remove your password, like a Windows password reset disk or other tools, or even simply a Windows disk, where he can install Windows over yours, replacing it but not your files, and then sets his own password... but that is physically gaining access to the computer. Might as well get a screwdriver and pull your hard drive or solid state drive from your system and plug it into his, and now he has access to your files).


Ok, I think I know what you mean, but this was at school and they're sh*t on security. I guess technically he was using 'an account' by using the Startup Repair console. You can't log in automatically; even locally they all have passwords, one of which he removed. You say try it on a PC with a password and he won't get very far, but that's the whole point: we didn't have to know anything, we could do it on anyone's PC, assuming Startup Repair isn't disabled.


