Tutorial - Boot Jacking
#1
Boot Jacking With USBs
Physical attacks are some of the most dangerous in the world of information security. Physical attacks bypass many software-based protections. I'm going to teach you an attack that isn't talked about too much that I've decided to call boot jacking (I don't know if that's been used or not or if it even needs a name, but fuck it, sounds cool lol). The only requirements for this tutorial are a USB with a bootable OS on it and a target computer (my tutorial on making a bootable Kali USB: Making a Kali USB). It's pretty easy to follow along with, so feel free to test it on your own computer if you want. Disclaimer: you could very easily steal information, backdoor an OS, or destroy data with this method. But I do not encourage or condone illegal activity. If you PM me asking what to do now that you broke into a laptop you stole, I might just report your stupid ass to the FBI.
Note: this tutorial is more intermediate. If you're a beginner you could possibly follow along, but there are some things I don't explain how to do because you need some prerequisite Linux and computing knowledge.

I'm going to assume you already have a live USB with some Linux distro. I use Kali generally, but it's not ideal for a few reasons. First, you want the USB to boot up fast. If you're in a situation where you could get caught doing this, you need it to boot fast. Kali boots in < 30 seconds on reasonably fast hardware, but it's not fast enough for me. Kali also got rid of the light version, I'm pretty sure, which would've been more ideal since we don't need 50,000 pentesting tools to do this attack. I've tried making custom images a few times, but have yet to get it to work.
Reboot the target computer
Reboot the computer, stick the USB in one of the computer USB ports, and enter the BIOS. Choose the USB to boot from.
Mount the Target OS's Hard Drive
Now that we're booted into our OS, we need to find the target OS's hard drive and mount it. You will need to be root for most of the things we'll be doing and nobody wants to enter sudo before every command. Pull up a terminal and enter the following commands:
Code:
sudo su    # switch to a root shell; everything after this runs as root
lsblk      # list all block devices and their partitions
It'll switch your user to root and show you all the drives on the system. The Kali USB is usually named /dev/sda, but it could be different. You could also just find out by running "df". Once you know which one of the hard drives is the other operating system's, mount the relevant partition. The partition you'll usually want to mount is the biggest one in size. This is usually the one with all the user and operating system data on it. This is done like this:
Code:
mount /dev/<insert partition name> /mnt
You can mount the drive wherever you want; I just typically mount it in /mnt. There are some nuances to mounting other filesystems. I tried to mount my Fedora LVM partitions like this and it turns out it's a little more complicated than that. Granted, you won't run across Fedora much, but Windows has some little quirks you have to deal with too. If you can't mount a Windows partition, try running this:
Code:
ntfsfix /dev/<partition name>
You have to do this because Windows doesn't completely shut down when you turn off your computer (hibernation mode). Ntfsfix fixes that issue. You should be able to mount it after that.
Digging into the target filesystem
This is where the fun part starts. One thing you could do (don't recommend trying on your system though) is screw up the other OS. You could make it unbootable by just overwriting the boot partition or core pieces of the OS. You could also erase certain data on the OS:
Code:
deletedfiles=0; for i in $( find /mnt -type f ); do shred -uz --random-source=/dev/urandom $i; let deletedfiles++; done && echo "All done. Deleted $deletedfiles files."
Obviously this is very destructive and kinda boring.
Next you could grab the Windows SAM and SYSTEM files. These are in C:\Windows\System32\config. You could then save the files and take them home later for password cracking.
Code:
# Not 100% sure the paths are correct because I don't have a windows system to test this on atm. If someone wants to try it and let me know, I'll update this.

cp -v /mnt/Windows/System32/config/SAM SAM; cp -v /mnt/Windows/System32/config/SYSTEM SYSTEM
Doing the same thing for Linux is easy:
Code:
cp -v /mnt/etc/shadow shadow; cp -v /mnt/etc/passwd passwd
On macOS, I'm not totally sure how it stores passwords. If someone wants to try it out and let me know, I'd appreciate it. You could also insert new users on a *nix system. Just modify the /etc/passwd and /etc/shadow files. On Windows, I'm not too sure how that would work because again I don't have a Windows system available right now. You could always just write a batch script or maybe some PowerShell to create a user and put it in the startup folder/registry so it would run on next boot.
You could also make a reverse shell connect back to your system at next boot. There's no limit to what you can write to, so we can put files into startup directories, registry items, modify services, etc. For example you could make a PowerShell script, put it into the Windows startup directory and it will run on next boot. On Linux you could put commands into the ~/.bashrc file, which would run next time the user opened up a terminal.
The limit is your imagination really. You could insert commands into other programs, put new programs and services on the system, make new users, trojanize programs on the system. I'm working on a tool to automate some of this, but with the numerous things you can do, there's a lot of writing to do. Go try this out on your own systems and let me know how it goes, and if you have ideas about other things you could do feel free to reply to this thread or PM me.
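A defender-side check, added here and not part of the original post: the mount-from-live-USB step above only works against filesystems that are not encrypted at rest, so this script (mine, not the author's) parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and flags every mounted filesystem with no dm-crypt device above it in the device tree. The embedded sample is constructed; the device names `luks-root` and `sdb1` are assumptions, and an unencrypted EFI System Partition is expected (it is where bootloader tampering would land, which is what Secure Boot is for).

```python
"""Offline-mount exposure check: which mounted filesystems could a live USB read?"""
import json
import subprocess

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (not real output).
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [{"name": "luks-root", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
    {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/data"}]}]})


def _walk(node, under_crypt, out):
    """Depth-first walk; a filesystem is protected only if a crypt device sits above it."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    if node.get("mountpoint"):
        out.append({"device": node["name"], "mountpoint": node["mountpoint"],
                    "fstype": node.get("fstype"), "encrypted": under_crypt})
    for child in node.get("children", []):
        _walk(child, under_crypt, out)


def audit_lsblk(lsblk_json):
    """Return one record per mounted filesystem, marking whether it sits on encrypted storage."""
    out = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        _walk(dev, False, out)
    return out


def exposed_mounts(lsblk_json):
    """Mountpoints a live USB could mount and read without any key (in lsblk order)."""
    return [r["mountpoint"] for r in audit_lsblk(lsblk_json) if not r["encrypted"]]


if __name__ == "__main__":
    try:
        data = subprocess.check_output(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)
    except (OSError, subprocess.CalledProcessError):
        data = SAMPLE_LSBLK  # no lsblk here: fall back to the constructed sample
    for r in audit_lsblk(data):
        status = "encrypted" if r["encrypted"] else "EXPOSED to offline mount"
        print(f"{r['device']:<12} {r['fstype'] or '-':<12} {r['mountpoint']:<12} {status}")
```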
#2
Pretty sure you can also use this method to change the user passwords or create new accounts to gain remote SSH access. I've used similar methods on my own servers when I've forgotten the password: connect to the server via the KVM Java console, mount the drive and just change the root password.

https://www.maketecheasier.com/reset-roo...ord-linux/

But interesting idea with grabbing SAM for windows. Never thought about that.
#3
(04-29-2020, 01:49 PM)Insider Wrote: Pretty sure you can also use this method to change the user passwords or create new accounts to gain remote SSH access. I've used similar methods on my own servers when I've forgotten the password: connect to the server via the KVM Java console, mount the drive and just change the root password.

https://www.maketecheasier.com/reset-roo...ord-linux/

But interesting idea with grabbing SAM for windows. Never thought about that.
There's actually a tool for changing Windows passwords from a live USB called chntpasswd or something like that. It comes preinstalled on Kali. Of course, changing the password isn't the stealthiest thing ever. Besides, if you're going to go to the trouble of changing the password, you could just as easily get whatever you wanted straight from the filesystem or just configure remote access from the live USB. I wish I had a good Windows machine to test it on. I might see if anyone on the Discord wants to help me experiment.
#4
(04-29-2020, 02:02 PM)Dismal_0x8 Wrote: There's actually a tool for changing Windows passwords from a live USB called chntpasswd or something like that. It comes preinstalled on Kali. Of course, changing the password isn't the stealthiest thing ever. Besides, if you're going to go to the trouble of changing the password, you could just as easily get whatever you wanted straight from the filesystem or just configure remote access from the live USB. I wish I had a good Windows machine to test it on. I might see if anyone on the Discord wants to help me experiment.

Cool! Never heard of that one before. But I remember back in the day I used to have KonBoot. Make it into a bootable USB and just log in without a password.
Wonder if that method still works today.