win 8 password cracking


Upload: nutan-kumar-panda

Post on 15-Jan-2015


DESCRIPTION

Windows 8 just launched. Its best ever gift to all Security Aspirants to know about its back drops and advantages. For any query contact: [email protected]


White Paper On

“Cracking Windows 8 Password & its Counter Measures”

Presented By:

Mohit Rawat

Under Guidance of:

Nutan Kumar Panda

Contact: [email protected]

Project by – Mohit Rawat

Table of Contents

Chapter No. Title

1. Introduction of Windows 8

2. Backdoor creation in Windows 8

3. Step by step process

4. What can be done after getting cmd?

5. There are certain problems with the above steps.

6. Alternate Way

7. Dump Windows 8 Password in Plain Text

8. Security Measures

9. Conclusion

10. References


1. Introduction to Windows 8

Windows 8 is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops, tablets, and home theater PCs. Development of this operating system started before the release of its predecessor in 2009. Its existence was first announced in January 2011 at the Consumer Electronics Show. During its development and test phases, Microsoft released three pre-release versions: Developer Preview (September 13, 2011), Consumer Preview (February 29, 2012), and Release Preview (May 31, 2012). On August 1, 2012, Windows 8 graduated from the development stage and was released to manufacturing. Windows 8 is slated for general availability on October 26, 2012.

Windows 8 introduces significant changes to the operating system's graphical user interface and platform, such as a new interface design incorporating a new design language used by other Microsoft products, a new Start screen to replace the Start menu used by previous versions of Windows, a new online store that can be used to obtain new applications, along with a new platform for apps that can provide what developers described as a "fast and fluid" experience with emphasis on touchscreen input. Additional security features were also added to the operating system, such as a built-in antivirus program and a secure boot feature on systems with UEFI firmware. Secure boot requires the operating system to be digitally signed to prevent malware from infecting the boot process. The implementation of this feature has sparked controversy among supporters of free software. Windows 8 also introduces an edition of the operating system designed to run on devices that utilize the ARM architecture, known as Windows RT.

This project was tested on Windows 8 Consumer Preview, and the best thing about this project is that it was done before the official release of Windows 8. The official stable version will be released on 26th October 2012.


2. Backdoor creation in Windows 8

2.1 Define: Backdoor

Creating a backdoor is a technique to maintain unauthorized access to a system. This is an old and evergreen technique.

2.2 Where will the backdoor come from?

As we know, certain processes start with Windows startup and run at the login screen. We will target one such process to perform this attack.

2.3 What is that process?

That process is “sethc.exe”. It is the process associated with the service “Sticky Keys”.

2.4 What to do with sethc.exe?

When we press the Shift key five times, this service is run on a Windows system by the process sethc.exe. That means that pressing Shift five times calls the sethc.exe process, which in turn starts Sticky Keys. If we put in its place any other service that can provide us admin-level privileges to read, write or edit, then we can access the system quite easily.

2.5 What are the services that can be used for the backdoor?

You can use anything you want that you think will be helpful to you.

2.6 Any suggestions for the same?

You can use cmd.exe, explorer.exe, etc.

2.7 What are you going to use?

I am going to use cmd.exe to create the backdoor, as it will allow me to use Windows in CLI mode.


3. Step by step process

Go to My Computer and open the C: drive.

Go to Windows, then go to System32.

Find sethc in System32.

Right-click sethc and click Properties.

Open the Security tab.

Then click Advanced.

Then click Change next to Owner.

Then click Advanced.

Then click Find Now and select Administrators.

Click Apply and then click OK.

Allow Full control for it. Press OK.

Find cmd.exe in System32.

Copy it.

Paste it onto the desktop. Rename it to sethc.

Copy it and paste it into the System32 folder.

Click "Replace the file in the destination folder".

Restart the computer and open the login window.

Press the Shift key five times and you will get a command prompt.


4. What can be done after getting cmd?

4.1 We can run a command to see the user names

>net user

It will show all the available user names.

4.2 Then we can change the password of a user. Let’s change the password of Administrator

>net user administrator hacked

Here hacked will be the new password for Administrator.

4.3 To create a new user name

>net user devil hacker /add

This will create a new user named devil with the password hacker, but it will be a limited-privilege account.

4.4 To make the new user an administrator

>net localgroup administrators devil /add

Here devil will get administrator privileges.

4.5 If you don’t want to use commands, you can also do it in the GUI

>control userpasswords2


We can reset a password from here, or we can add a new user from there by clicking Add.

By clicking on New user we can add a new user in Windows 8.

Press OK and we get a new user for Windows 8.
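The account changes made in section 4 leave records in the Windows Security log when account-management auditing is on. The following is an added example, not part of the original paper: it lists account creations (event 4720), password resets (4724) and additions to local groups (4732), and marks those performed by the Local System account (SID S-1-5-18), which is the identity a command prompt started from the logon screen runs under. The function name and the 30-day window are assumptions made for the example.

```powershell
# Added example. Needs an elevated prompt; assumes "Audit User Account Management"
# is enabled, otherwise the Security log holds none of these events.
$actions = @{
    4720 = 'User account created'
    4724 = 'Password reset attempted'
    4732 = 'Member added to local group'
}

function Get-AccountChangeEvent {
    param([int]$Days = 30)   # hypothetical default look-back window
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]@($actions.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        # Read the named fields from the event XML instead of relying on positions.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time          = $evt.TimeCreated
            Action        = $actions[$evt.Id]
            Target        = $data['TargetUserName']   # account, or group for 4732
            MemberSid     = $data['MemberSid']        # only present for 4732
            Actor         = $data['SubjectUserName']
            # A change made by Local System deserves a closer look: no
            # interactive user was logged on behind it.
            ActorIsSystem = ($data['SubjectUserSid'] -eq 'S-1-5-18')
        }
    }
}

Get-AccountChangeEvent |
    Sort-Object Time |
    Format-Table Time, Action, Target, MemberSid, Actor, ActorIsSystem -AutoSize
```

Windows itself also creates and changes accounts as Local System during setup, so rows with ActorIsSystem set are leads to review against known maintenance, not proof of tampering.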

5. There are certain problems with the above steps.

1. If we change the password of Administrator, the user can guess that someone hacked his system.

2. If we create a new user, then the user can also suspect something fishy.

3. So is there a way we can still enter a system without changing passwords or creating a new account?

6. The Alternate Way

By pressing the Shift key five times we get a cmd, and by entering explorer.exe we get a tray at the bottom of the window.

On right-clicking that tray we get a Properties option.

On clicking Desktop we get a path to the other folders present on the system.

We can go anywhere from there. We can also open IE from here.

Yes, this is the way hackers enter someone’s system without his or her permission. You can be a victim too.

Tips: Always check whether your Sticky Keys shortcut opens something different or the normal screen. If something else opens, simply format your system.
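The check recommended in the tip can be scripted. The following is an added example, not part of the original paper: it tests the installed sethc.exe for three traces that the procedure in section 3 leaves behind (a version resource that names another program, content identical to cmd.exe or explorer.exe, and an owner other than TrustedInstaller, the default owner of Windows system files). The function name is an assumption made for the example.

```powershell
# Added example. Run from an elevated PowerShell prompt (PowerShell 4 or later
# for Get-FileHash).
function Test-StickyKeysBinary {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\sethc.exe'))

    if (-not (Test-Path -LiteralPath $Path)) { return "Missing: $Path" }
    $findings = @()

    # 1. A renamed copy keeps the original name in its version resource.
    #    Some Windows builds append ".MUI", hence the wildcard.
    $orig = (Get-Item -LiteralPath $Path).VersionInfo.OriginalFilename
    if ($orig -notlike 'sethc.exe*') {
        $findings += "OriginalFilename is '$orig', expected sethc.exe"
    }

    # 2. Content identical to one of the programs the paper suggests copying in.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $substitutes = @(
        (Join-Path $env:SystemRoot 'System32\cmd.exe'),
        (Join-Path $env:SystemRoot 'explorer.exe')
    )
    foreach ($candidate in $substitutes) {
        if ((Test-Path -LiteralPath $candidate) -and
            ((Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash -eq $hash)) {
            $findings += "Content is byte-identical to $candidate"
        }
    }

    # 3. The replacement requires taking ownership away from TrustedInstaller.
    $owner = (Get-Acl -LiteralPath $Path).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "Owner is '$owner', expected NT SERVICE\TrustedInstaller"
    }

    $findings
}

$result = Test-StickyKeysBinary
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Output 'sethc.exe passed all three checks.' }
```

The three checks are independent, so a file that was swapped and later had its owner reset is still caught by the first two.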


7. Dump Windows 8 Password in Plain Text

This technique can be used in Windows XP, Vista, 7 and also in 8. We use a software called mimikatz for this.

7.1 Download mimikatz

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip

Open mimikatz.exe from the folder in the mimikatz directory that matches your type of OS. As I have 32-bit Windows, I am opening mimikatz.exe from the Win32 folder.

Run mimikatz.exe as administrator.

Then you might get something like mimikatz#


7.2 Then follow the commands

mimikatz # privilege::debug

mimikatz # inject::process lsass.exe sekurlsa.dll

mimikatz # @getLogonPasswords
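The first command above depends on the "Debug programs" user right (SeDebugPrivilege), and the dump depends on LSASS holding the password in memory. The following is an added example, not part of the original paper: it reports which accounts hold that right and reads two registry settings that are not mentioned in the paper, RunAsPPL and the WDigest UseLogonCredential value, on the assumption that the Windows release being checked implements them. The function names are assumptions made for the example.

```powershell
# Added example. Run from an elevated PowerShell prompt.
function Get-DebugPrivilegeHolder {
    # Export only the user-rights section of the local security policy.
    $tmp = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /areas USER_RIGHTS /cfg $tmp | Out-Null
        $line = Get-Content -LiteralPath $tmp |
            Where-Object { $_ -match '^SeDebugPrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $id = $entry.Trim().TrimStart('*')      # SIDs are written as *S-1-...
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $id }   # already a name, or a SID that no longer resolves
        }
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

function Get-RegistryValue($Key, $Name) {
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }            # $null means "not set"
}

$control = 'HKLM:\SYSTEM\CurrentControlSet\Control'
[pscustomobject]@{
    # Accounts that can open other processes, LSASS included, for debugging.
    DebugProgramsRight        = (Get-DebugPrivilegeHolder) -join ', '
    # Non-zero: LSASS runs as a protected process.
    LsaRunAsPPL               = (Get-RegistryValue "$control\Lsa" 'RunAsPPL')
    # 0: WDigest does not keep the plaintext password in memory.
    WDigestUseLogonCredential = (Get-RegistryValue "$control\SecurityProviders\WDigest" 'UseLogonCredential')
} | Format-List
```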


8. Security Measures

Text passwords in Windows 8 are vulnerable to the backdoor and to software like mimikatz, so to overcome this we use picture passwords. The procedure to set a picture password is given below.

Go to the bottom-left corner of the desktop and then to Settings.

Go to Settings, then go to More PC settings.

Click on Users.

Click on Create a picture password.

It will ask for the current text password. Enter the password and press OK.

Select a picture to set the picture password.

Choose a picture and click Open.

Click Use this picture. After selecting the picture, set the picture password.

On the login window, use the picture password and press OK.

And you see the welcome screen.

Tips: Picture password is a new concept and is quite difficult to hack. So use it and be secure.


9. Conclusion

When comparing the Windows and Linux operating systems, we assume that Windows is less secure than Linux. The upcoming Windows 8 is one such case: it has several vulnerabilities, for example we can get the Windows 8 password in plain text by using software like mimikatz. This project is dedicated to password-related vulnerabilities and how to fix them.


10. References

http://en.wikipedia.org/wiki/Windows_8

http://windows.microsoft.com/en-US/windows-8/release-preview

http://blog.gentilkiwi.com/downloads/mimikatz_trunk.zip