    Just too freaking cool

    http://www.darkreading.com/document....f_src=drweekly

No screwdriver required: A researcher has released a plug-and-go physical hacking tool that uses a Firewire cable to "own" a Windows machine within seconds.

With Winlockpwn, the attacker connects a Linux machine to the Firewire port on the victim's machine. The attacker then gets full read-and-write memory access and the tool deactivates Windows's password protection that resides in local memory. Then he or she has carte blanche to steal passwords or drop rootkits and keyloggers onto the machine.

    #2
There are other tools that you can load onto CDs that will give you that same kind of access without lugging an entire laptop or other machine around.


      #3
I read about this on the MaxPC website. It sounds pretty scary to me.


        #4
Originally posted by Trooper110:
There are other tools that you can load onto CDs that will give you that same kind of access without lugging an entire laptop or other machine around.

Think about it. How can you access what's on a CD if the system is locked? Log out of your system and then insert a CD. It won't autorun.


        This hack takes advantage of the fact that Firewire allows you to directly access the memory of the target host.



          #5
Originally posted by mapes:
Think about it. How can you access what's on a CD if the system is locked? Log out of your system and then insert a CD. It won't autorun.


          This hack takes advantage of the fact that Firewire allows you to directly access the memory of the target host.
I have and use the CD-ROM to access and disable Windows passwords ALL the time. I can put anything on or take anything off the machine without a password. Even if I don't have the BIOS set to boot from the CD-ROM, it will still boot from this disk. People forget their admin password or never knew it in the first place, so computer techies like myself use such boot disks to do things you normally wouldn't be able to do.

I can access any version of Windows without a password, including Vista. No Firewire or laptop needed.



            #6
First, I'm not stupid. I've been hacking on things for most of my life... hell, I've tested firewalls, SSL-based VPNs and IPsec-based VPN appliances, including conformance testing for our port of OpenSSH, as well as testing IKE and IPsec policies (i.e. making sure our Diffie-Hellman groups use the right group of primes, and negative tests of our AES implementation). Also, I'm very familiar with tools like Cain and Abel and L0phtCrack and other tools that brute-force password hashes or use rainbow tables for speedier results.

I know my way around security issues. OK, granted, I spend most of my time in Unix land and may not be totally up on Windows hacking....

So with that.... I understand about booting off CD-ROM. Although, Mike, I'm curious how you get it to boot off of CD if the BIOS is password protected. In fact, here's a scenario. The box cannot be rebooted because it's a highly used server, and surely any downtime would be investigated by techies such as yourself. The box is located in a locked NOC. However, due to poor security practices, you're able to talk your way in. You have limited time, so you can't pull the case off or power anything down. Also, it's not your box, so you don't have a user account on the box... no privilege escalation for you. Hell, let's just say it's a server that has no keyboard either. I could go further and say it doesn't have a CD-ROM, but that's just silly. In 10 seconds I've got your domain controller. Also, since this hack works on any OS that implements the 1394 spec.... for good measure I own your NIS server too. Total time: 20 seconds. Both boxes compromised. Both sides of the house, Unix and Windows.


I'm talking:
1. Extremely fast way to own a box. No reboot, no pulling the case apart.
2. Minimally invasive. No event logs to clear. No changed BIOS settings.

            In the time it takes you to walk down the hall and get that print out I've got it done already.



              #7
Well, 50% of the time the machine will boot from a few CD-ROMs even if you have the CD-ROM set to be the last thing to boot from.

Secondly, if the BIOS is password protected, 99% of the time you can pull the CMOS battery and unplug the power cable... 'bout ten seconds... plug it back in and voila... the BIOS is reset. (Laptops may require soldering, but it's not difficult.) I have yet to come across one in 15 years that I couldn't get into one way or another.

              There is a very very rare occasion where there is some boot sector third party software on it that you have to work at.


Here is one of the tools I use frequently.

Austrumi is a Linux bootable ISO image for recovering NT passwords and other cool tools and methods, sized for business-card-size CD media (50 MB). It allows you to change any password, including that of the Administrator, on a partition occupied by Windows NT, Windows 2000 or Windows XP. Simply boot the CD and when you get to the initial boot prompt, type:

boot: nt_pass

This will launch a console utility that will detect Windows partitions on the hard disk and provide you with a menu to modify any user or Administrator passwords on the Windows system. It will even give access to the Windows registry for recovery purposes. Quite a handy utility to keep in your wallet (AUSTRUMI is small enough to fit on a business-card-size CD) if you are unfortunate enough to have to deal with Windows machines in your line of work.



                #8
                Secondly, if the bios is password protected, 99% of the time you can pull the cmos battery and unplug the power cable
You still need access to the PC for that amount of time. If I walk into the lab and see you struggling to pull one of our desktop PCs out of the cage it's in, I might just question why.

Also, some tablet PCs that we work on do not have a CMOS battery that you can get to without disassembling the tablet. Again, you aren't getting access to the machine long enough to do that.

I've also disabled optical drive booting on the new PCs, so what do you do now? Point is, the Firewire exploit is done via a front panel plug... it's that easy! It's like plugging in a thumb drive, only... hold on... here's the best part... you don't even need to LOG IN!!!

                I'm with mapes on this one ... I can do more with a Firewire exploit than I can with a bootable CD.


                  #9
                  Guess it depends how much you want to lug around and time you're looking at in all honesty.

I think the best of both worlds would be a pre-configurable utility on a USB key that you could just plug in and then view the results to your heart's content later.


                    #10
Originally posted by Trooper110:
Guess it depends how much you want to lug around and time you're looking at in all honesty.

I think the best of both worlds would be a pre-configurable utility on a USB key that you could just plug in and then view the results to your heart's content later.

I'm not looking at it from a utility point of view; I'm looking at it from a security point of view. If I ran a server farm I'd disable Firewire. What the hell do you use it on a server for anyway? Fortunately, it's easily mitigated.



                      #11
Originally posted by mapes:
I'm not looking at it from a utility point of view; I'm looking at it from a security point of view. If I ran a server farm I'd disable Firewire. What the hell do you use it on a server for anyway? Fortunately, it's easily mitigated.
                      I would doubt most servers even have a Firewire controller.
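The two points just made, that Firewire is easy to switch off (mapes, #10) and that you first want to know whether a box even has a 1394 controller (Trooper110, #11), both reduce to something a sysadmin can script. The script below is an added example for the Linux side; it is not from the thread, from Winlockpwn, or from any poster. It writes a modprobe blacklist covering both the old (ohci1394/sbp2) and the current (firewire-ohci/firewire-sbp2) driver stacks, scans a sysfs PCI root for devices whose class code starts with 0x0c00 (the IEEE 1394 serial-bus controller class), and checks a /proc/modules-style file for a loaded driver. All paths are parameters, an assumption made so it can run against a scratch directory; run it as root against /etc/modprobe.d, /sys/bus/pci/devices and /proc/modules to apply it for real. The Windows analogue, per Microsoft's later BitLocker guidance (KB 2516445), is to disable the SBP-2 driver and the 1394 controller; that side is not covered here.

```shell
#!/bin/sh
# Added example, not from the thread: check for and switch off the 1394
# (FireWire) attack surface on a Linux host.
#   write_firewire_blacklist  writes a modprobe config refusing both driver stacks
#   find_1394_controllers     lists PCI devices of class 0x0c00xx under a sysfs root
#   module_loaded             checks a /proc/modules-style file for a driver
# Paths are arguments (assumption) so everything can run against a scratch tree.

write_firewire_blacklist() {
    conf="$1"   # real target: /etc/modprobe.d/blacklist-firewire.conf
    {
        echo "# Block IEEE 1394 (FireWire) drivers: a plugged-in device gets raw DMA"
        for m in firewire-ohci firewire-sbp2 firewire-core ohci1394 sbp2; do
            echo "blacklist $m"          # stops autoload via device alias
            echo "install $m /bin/false" # also defeats an explicit modprobe
        done
    } > "$conf"
}

find_1394_controllers() {
    root="$1"   # real target: /sys/bus/pci/devices
    for dev in "$root"/*; do
        [ -r "$dev/class" ] || continue
        cls=$(cat "$dev/class")
        case "$cls" in
            0x0c00*) printf '%s %s\n' "$(basename "$dev")" "$cls" ;;
        esac
    done
}

module_loaded() {
    # /proc/modules spells names with underscores; accept either form.
    mod=$(printf '%s\n' "$1" | sed 's/-/_/g')
    grep -q "^$mod " "${2:-/proc/modules}"
}

# Stand-alone demo on a constructed sysfs/procfs tree, never the real system.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/pci/0000:00:1f.2" "$t/pci/0000:03:00.0"
    echo 0x010601 > "$t/pci/0000:00:1f.2/class"   # SATA controller (ignored)
    echo 0x0c0010 > "$t/pci/0000:03:00.0/class"   # IEEE 1394 OHCI controller
    printf 'firewire_ohci 40960 0 - Live 0xffffffffc0a00000\n' > "$t/modules"

    echo "1394 controllers present:"
    find_1394_controllers "$t/pci"
    if module_loaded firewire-ohci "$t/modules"; then
        echo "firewire-ohci is loaded: exposure persists until rmmod + blacklist"
    fi
    write_firewire_blacklist "$t/blacklist-firewire.conf"
    cat "$t/blacklist-firewire.conf"
    rm -rf "$t"
}
demo
```

Two caveats. A blacklist only stops future loads; if firewire-ohci is already loaded you still have to rmmod it (and ideally remove the controller or disable it in firmware). And the blacklist is a workaround for the real defect, which is that the host lets a bus device address physical memory at all; an IOMMU (Intel VT-d, AMD-Vi) that fences device DMA is the structural fix, something the hardware in this thread mostly predates.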


                        #12
Originally posted by WalkinTarget:
You still need access to the PC for that amount of time. If I walk into the lab and see you struggling to pull one of our desktop PCs out of the cage it's in, I might just question why.

Also, some tablet PCs that we work on do not have a CMOS battery that you can get to without disassembling the tablet. Again, you aren't getting access to the machine long enough to do that.

I've also disabled optical drive booting on the new PCs, so what do you do now? Point is, the Firewire exploit is done via a front panel plug... it's that easy! It's like plugging in a thumb drive, only... hold on... here's the best part... you don't even need to LOG IN!!!

I'm with mapes on this one... I can do more with a Firewire exploit than I can with a bootable CD.

The same goes for walking into the lab with a laptop and plugging a Firewire cable into your PC/server. I'd ask questions about that too. Anyone who has confidential data surely would be aware of the goings-on in their lab. Usually, people bring their PCs to me and I don't have to go to their lab unless asked, and then trip charges apply.



                          #13
Originally posted by -IRC-MIKE:
The same goes for walking into the lab with a laptop and plugging a Firewire cable into your PC/server. I'd ask questions about that too. Anyone who has confidential data surely would be aware of the goings-on in their lab. Usually, people bring their PCs to me and I don't have to go to their lab unless asked, and then trip charges apply.

People talk their way into everything. It happens all the time. I don't know if you remember, but about 7 years back some random guys... (they never found out who) just walked into VeriSign and said "we want some digital certificates please... no really... we're from Microsoft." They got a couple of certs that were... or still are... used for digitally signing things like Windows drivers and Windows updates. I myself have a horrible poker face and could never pull something like that off... but other people can.



                            #14
That happened to a computer store about 17 miles from here in another town (Baxley). Except this time it was REALLY Microsoft ogres and... well, the computer shop isn't open anymore. The guy got busted and got $20,000 in lawsuits or fines. He was selling Devil's Own to unsuspecting customers for retail price.

Personally, I would ask for identification. I would also get their supervisor's phone number and extension and call them while these monkeys stood in front of me, and ask him for information on these asshats standing in front of me. You can bet your ass that if the person on the other end didn't say "This is Microsoft" when they answered... no go. Then I'd do a reverse phone lookup. Yes... if they are with Microsoft they'd be glad to wait until ALL my suspicion is safely at rest.

After seeing some of the goons at work, I am very suspicious of this type of activity. I have seen a LOT of con artists. I lived with one, and he could pull off stuff that I never imagined.

We went into Home Depot one time and I just watched Home Depot stockmen load stuff after he bought it... I guess he bought it... Hell, the Home Depot guys even helped us load it... but he didn't pay anywhere NEAR... that's another subject, though.



                              #15
Correct me if I am wrong, but doesn't Vista Business & Ultimate run BitLocker by default? I've used the CD-ROM with a Linux distro for "recovering 'lost' passwords", but it seems that once the actual drive is encrypted, nothing short of actually booting Vista would decrypt it.

I remember back in the day using a PGP script to decrypt/encrypt the majority of the HD prior to Windows booting. That was fun. Time consuming, but fun.



BTW, for anyone not having read this, it's great for a good laugh, but also very true.

http://www.microsoft.com/technet/arc....mspx?mfr=true

But can anyone dispute the fact that after installing ANY version of Windows, they violate one of these laws?
