By Mark Baggett
Let's face it, security guys love their password-protected screensavers. I am no exception. Without it, many users would likely never lock their computers. This simple mechanism may slow down, or in some cases completely prevent, an attacker from accessing resources on a remote machine. A strong password on a screensaver was one of the hurdles you had to overcome in the Christmas 2008 Ethical Hacker challenge, "Santa Claus is hacking to town". Santa really could have used this script.
The Relentless-coding blog recently posted a meterpreter script that bypasses the screensaver password protection. The script patches the lsass process in memory at the point where the code checks the validity of the password that was entered. After the patch is applied, the attacker can enter ANY password to unlock the screensaver. The script works on Windows XP SP2, SP3, Windows Vista and Windows 7. Let's take a look at the script in action:
The script isn't currently part of the Metasploit distribution, so you'll need to download it from the Relentless-coding site. Save it to the "scripts/meterpreter" directory in your Metasploit installation. In a BackTrack installation you'll find that directory under "/pentest/exploits/framework3/scripts/meterpreter".
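Since the bypass works by writing into lsass memory, the thing a defender can watch for is a process opening lsass.exe with memory-write rights. The check below is an added example, not code from the original post or from the Relentless-coding script; the event records are constructed to mimic Sysmon Event ID 10 (ProcessAccess) fields, and the allowlist of sources is an assumption to tune per environment.

```python
# Added example: flag processes that open lsass.exe with rights that allow
# writing to its memory, which an in-memory patch of the password check needs.
# Field names follow Sysmon Event ID 10 (ProcessAccess); the values are constructed.

# Access-mask bits from the Win32 process access rights.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

LSASS = r"c:\windows\system32\lsass.exe"

# Assumption: processes that legitimately touch lsass memory on this host; tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def is_lsass_write_access(event):
    """True when a non-allowlisted process opens lsass.exe with a GrantedAccess
    mask that includes VM_WRITE or VM_OPERATION (the rights needed to patch it)."""
    if event.get("TargetImage", "").lower() != LSASS:
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & WRITE_MASK)


def find_suspicious(events):
    """Return the subset of events that warrant investigation."""
    return [e for e in events if is_lsass_write_access(e)]


# Constructed sample events: one allowlisted full-access open, one harmless
# QUERY_LIMITED_INFORMATION (0x1000) open, one full-access open from a temp
# directory, and one unrelated target.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\explorer.exe", "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print("lsass write access from", e["SourceImage"], "mask", e["GrantedAccess"])
```

Only the open from the temp directory is reported; a read-only mask such as 0x1010 would not trigger, so pair this with credential-dump detections that look at read access separately.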
Mark Baggett is teaching SANS 504 in Raleigh NC June 21st!