Learn about rootkits

>learn about rootkits
>realise that using windows requires you to constantly give administrator access to random exes you've downloaded from third party websites
>no way of ever knowing if the site you downloaded from was compromised and if the proprietary exe you have has been injected with a rootkit installer
wtf, how is windows even secure?
winfags are walking through a minefield literally every time they install anything, all it takes is one poorly secured download server and someone gains access to your entire system undetected.

>all it takes is one poorly secured download server
and a user with more trust than brains

There are still things you're not allowed to do even with admin privileges

This is why you don't give them admin access to install them, retarded catposter

>learn about rapists
>realise that going outside requires you to constantly be where rapists are
>no way of ever knowing if the bloke you just walked past was a rapist and if he's going to sneak up behind you and rape you
>wtf, how can you be stupid enough to go outside?
>people are walking through a minefield literally every time they go outside, all it takes is one rapist and someone is dragged into a side alley and raped.

What is virustotal??

There is a fundamental difference between the linux and windows security model.
Linux is like a doctor who only performs surgery in a properly sterilized white room.
Windows is like a doctor who performs surgery on a random bed in a rented hotel room, but will give you a powerful antibiotic before and after.

null-byte.wonderhowto.com/how-to/hack-any-windows-7-8-10-user-password-without-logging-0166833/

windblowz iz a joke

But installing signed kernel-mode drivers is still possible.

Btw: install Qubes.

thats why you only run microsoft signed binaries goy. silly goiyem not using microsoft store

unless you're checking the checksum of literally every exe you run, you are in no place to talk

that doesn't work, they don't even check file hashes on kernel bootup. see:

Stop installing things in their default location (Program Files) and then deny any application that requires administrator access.

ur a faget

I've been using GNU/Linux exclusively for 15 years now, and I'm well aware that it's just as perfectly possible for me to download malicious code, run it, and have it take over my system, as it is to do so on Windows. If anything, Windows has more security mechanisms to prevent this than GNU/Linux, not less; things like warning on running unsigned code and UAC (and running on an admin account on Windows is just as stupid as running as root on GNU/Linux). I dislike those features, as many others do, but they are nevertheless security mechanisms that Windows has and GNU/Linux lacks.

>Btw: install Qubes
>lol just run one entire vm per program lmao
This is cancer and needs to die.

>having local physical access allows you to """crack""" the operating system
No shit.

>pretending this isn't trivial to do in every operating system
>WHY DO PEOPLE CALL ME A FUCKTARDED FAGGOT AND BEAT THE SHIT OUT OF ME EVERYWHERE I GO?

It's 99% "style points" anyway (as Raymond Chen would call it), because it's designed purely to make you look l33t. You can just change the passwords in the SAM file from WinPE itself.

OY VEY THIS IS SOME ANTISEMITIC SHIT TELLING THOSE LIES

This. The NT security model is vastly superior to POSIX.
The problem is, it gets its balls chopped off with weak-ass policies at install time, so Windows is "easy to use".

>The NT security model is vastly superior to POSIX.
Nah, they're just about equivalent. NT does have some "neat tricks" that POSIX lacks, but they're mostly in the convenience department (like built-in hierarchical ACLs or globally unique IDs), not so much in actual security. Security-wise, there's not much difference.

Qubes doesn't run one VM per program.
Use Whonix VMs with different purposes and you are pretty safe*.

* If someone has the dollars for 0-days, you are fucked anyway.

>built-in hierarchical ACLs or globally unique IDs
>don't actually make it vastly superior
>to the shit POSIX system, where real ACLs are a bolt-on ffs
Erm… OK.
I - and a lot of other people - would shove an OS that didn't have those right down to the kernel straight into the trash.

As I said, it's just convenience stuff. Not having ACLs makes POSIX more cumbersome to use, but it doesn't make it less secure.

If you have physical access to a machine, the only thing standing between you and "cracking" it is time.
This is why physical security is stressed so much in datacenters.

that's not the point. the OS should be designed to prevent itself from being modified by renaming binaries; at least have a list file with the filesizes and check against the names, make it a challenge.

Chrome OS will notify the user on boot if it has been modified into dev mode.

chromium.org/chromium-os/poking-around-your-chrome-os-device#TOC-Putting-your-Chrome-OS-Device-into-Developer-Mode

static.googleusercontent.com/media/research.google.com/en//pubs/archive/42038.pdf

Program files is the best place to install software for security, installing to a separate drive or god forbid your user folder is generally a bad idea. It pains me that many people tend to disregard the default directory structure when it's actually very well crafted and the permissions are set well.

>the OS should be designed to prevent itself from being modified by renaming binaries
Later, in another thread:
>WANGBLOWS FORCES U
>WANGBLOWS WONT LET U
>WANGBLOWS IS SHIT

You don't need to give admin privs to almost all programs that you download. If you're running every installer as admin, you're retarded and it's no one else's fault you got gaped.
The ones that do require admin (stuff with drivers), make sure that they're signed (UAC will be blue instead of yellow). If you really want to go the extra step, check the hash of the downloaded file to make sure it matches what you're expecting.

or even better hashes of the original binaries so u can't just make a bloated file to match the filesize.

yee cracking encryption is more interesting, windows is full of holes m8.

yee it's not hard to boot linux live n then be root from a live session to access ext4 files. full disk encryption is a thing, would probly prevent the windows sys32 modifications too?

But it's a snap to set the same ACL on a different folder or drive - it's Windows. Confession time: I have my own "Program Files" folder in my user profile - but sure as fuck don't use an Administrator to install them, fuck no.

Only if the applications are trustworthy.

>full disk encryption is a thing, would probly prevent the windows sys32 modifications too?
Yes, of course. I thought about posting the BitLocker, VeraCrypt, or whatever logo with *blocks your path*, but memes like that shit me.

wHaT aRe ChEcKsUmS?

What about them?

exactly senpai, this is my point.

huh? i'm not shillin multi-threadz m8.

yee that would prevent some tampering, what about EFI partitions, could they be used for 'rootkit' like OP mentions?

That's a device specific thing. A standard PC doesn't have that built in - many BIOSes can restrict the boot sequence, and for full security you can just use bitlocker which will encrypt all the files on the disk so nothing can be modified.

Something freetard's walled gardens - in fact, all apps stores - do for them, so they don't have to think about it.

"my package repository is awesome - but hurr durr itunes/ms app store are ebil"

>what about EFI partitions
Boot loader is signed - it's kinda why secure boot exists.

yep win8/10 ((secure boot)) n full disk encryption would prevent tampering. i guess most OS's have 'backdoors'.

Linuxfags BTFO

Windows is full of holes just as much as Linux or Mac is when it comes to physical access.
That's why infosec managers treat physical access as basically the same as being hacked. That's why you don't let your company laptop unattended, and use disk encryption so if it gets lost/nigged they can't use that info to possibly break into the network.

>A standard PC doesn't have that built in
Huh? Windows can do all this (with help from UEFI) right back to Vista SP1.

so the bootloader is sign'd by the OS is fully modifiable unless disk encryption is on, interesting.

yee disk encryption n files on active directory n such is best practices.

>infosec managers treat physical access as basically the same as being hacked
This. Read it, understand it, internalise it, anons.

No, that's not even close to what I said. Secure boot and FVE are two different things. Not to mention FVE doesn't encrypt the boot loader (for pretty obvious reasons).

A Windows software center would be great if it wasn't the fucking awful "MS Store" or whatever abomination they put in Windows 10.

Not all computers have secure boot, and I don't know how many come with secure boot enabled by default.
You'd also have to set a BIOS password or something to keep it from being fucked with. Do BIOSes yell at you if secure boot was turned off?

>Not all computers have secure boot
No, but most made in the last 10 years do.
>I don't know how many come with secure boot enabled by default
Pretty close to zero, I imagine. Why is this relevant, though?
>Do BIOSes yell at you if secure boot was turned off?
I met one workstation years ago that did, but otherwise a definite negative.

As a hacker, you could:
> spend TONS of time trying to worm your way into a company's network from the outside
or
> pretend to be a repairman, walk inside, and slide some nasty stuff on the closest critical computer

Exactly correct - we call those "social engineering attacks", and they're probably the hardest to defend against.

desu the reason i even learn'd that trick with osk/cmd files is because some boomr installed' win10 (during the frei upgrades adware) and locked themselves out of their desktop because they made a typo in their microsoft account username/email.

ironically they called me after the reboot cycles start during the upgrades and i offered to come over when and look at it but they didn't want to admit fault for clicking the microkuk adware so they call me the next day again after they fuck'd up the win10 first use step.

sorry senpai i wasn't paying attention.

yep every normie PC i've encountered that wasn't enterprise assets don't use secure boot/bitlocker. bios password can be reset via batteries.

>Pretty close to zero, I imagine. Why is this relevant, though?
Since the comparison was being made to Chromebooks that notify you if the device was modified in dev mode.
Most people aren't going to have secure boot turned on with a BIOS password, so it would be possible to modify the OS undetected.

>at least have a list file with the filesizes and check against the names
So just update the list of filesizes as well when you replace the binary. Nice fix, fag.

But why even bother? Why not just use the standard folders? Applications like a browser will already store user data in %appdata% anyways, as will the majority of any software written for Windows which follows its standards, so it's not like you're saving important user data, you're just throwing executable software into your user folder for no reason.

Generally, this is how I would set up my system:

>Program Files/OS on SSD
>User profile location set to large HDD

When it comes time to reinstall or upgrade, I just wipe the drive or move the drive with my user profile data over to the new rig, point Windows to the drive for my user profiles and bam, I have the same settings, configurations etc while also having a completely fresh OS without the need to worry about excess software or executables.

>bios password can be reset via batteries.
On consumer PCs. Any actual business computer will require you to get a one-time unlock code from the manufacturer, where you have to give the serial number and they check to make sure you're a real representative of the business.

Um... but that trick doesn't actually work with M$ accounts. Only locals (though could be theoretically deployed against DCs - though if you don't have your DC behind locked doors, you deserve to be raped).

If you're going all-out to secure your machine in this way, why would you miss something as obvious as a setup password?

...

>If you're going all-out to secure your machine in this way, why would you miss something as obvious as a setup password?
You wouldn't. That's why the dude who thought that the exe replacement "exploit" makes windows insecure is retarded.

(Checked)
Because my user profile is on a separate partition to my Windows install. I'm on Win7, so changing ProfileDir doesn't break anything.

Well, he's fucking retarded because the whole thing can be done from WinPE (absent FVE) anyway - just like any other OS.

could those sys32 modifications be done remotely with malware? then the target machine would be ready for a cmd at login on next reboot, assuming u could walk in n mess with the login prompts. iirc i've even used it to launch IE and git into routers/network settings b4.

nice tripz, yee i know that would be ez so checksumz r better, just saying make it more work then renaming a single file.

cool DRM senpai.

yee i doesn't work but we could still access the files in the users original (now MS account) directory using 7zip filemanager which ignored the windows permizzion issues. the password on the original account was not able to be reset since the recover email was invalid and ofc the user didn't know what they typed as password.

needless to say i lost that customer after the win10 recovery process, boomrz h8 'i told u so' they were too prideful to call me the day when they started the upgrade.

spoil'd bitch didn't trust her husband to keep and eye on the place while a tech could come over that day she fell for the adware, would rather try to complete wut she started. luckily they use macz mostly be this wuz some old dell pc they had win7 on b4.

(Me)
Or a Linux liveCD, or pretty much anything. The weak spot is the physical access - as rightfully pointed out.

If it's for space I can understand, but personally would still have a separate program files directory on the other partition just for the sake of keeping the structure clean.

Changing the profile environment variable doesn't break anything on Windows 10 either.

If you can modify System32 with your malware, you've already won. Making any modification to that folder requires SYSTEM (windows version of root) privileges.

>could those sys32 modifications be down remotely with malware then the target machine would be ready for a cmd at login on next reboot
Yes - if you had access to an administrator account. It's one of those "other side of the airtight hatchway" things that Raymond Chen is so fond of saying. In order to pwn the machine, you have to already pwn the machine.

>cool DRM senpai.
Yes, it is. We actually love these sorts of checks and balances in corporate, when you zoom out a bit and realise it's not all about you.


>7zip filemanager which ignored the windows permizzion issues
No it didn't - you had access because you were an administrator or LocalSystem.

>i lost that customer
Consider it a blessing.

>spoil'd bitch
>her
>she
Imagine my shock on reading this.

en.wikipedia.org/wiki/Microsoft_SmartScreen
If you're not a normie do md5 checksums on every fucking thing you download

Ultra kek

After XP, even LocalSystem is walled off from a lot of stuff. TrustedInstaller is the man you want.

Ehh, SHA256 is preferred these days.

Even getting access to the default administrator user is a win, because you can take ownership of files and directories away from SYSTEM, generally you can accomplish this just by asking an illiterate user for administrative access.

This sort of thing leaves a lot of fingerprints, though - and has been known to break stuff. Hence why I like making myself TrustedInstaller, and truck across C:\Windows with absolute impunity.
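Taking ownership away from TrustedInstaller is the "fingerprint" the posts above mention. As an added example (not code from the thread), this PowerShell function lists files under System32 whose NTFS owner is no longer NT SERVICE\TrustedInstaller and reports their Authenticode status, which is a cheap tamper check a defender can run from an elevated prompt. The function name, parameters and the root path default are my own assumptions.

```powershell
# Added example (not from the thread): flag files under System32 whose owner
# is not TrustedInstaller. On a clean install almost everything there is
# owned by NT SERVICE\TrustedInstaller; an administrator who took ownership
# to replace a binary leaves the owner set to that account or to the
# Administrators group, which is exactly the trace discussed above.
function Get-System32OwnerDrift {
    param(
        [string] $Root = "$env:SystemRoot\System32",
        [string] $ExpectedOwner = 'NT SERVICE\TrustedInstaller',
        [switch] $Recurse    # descend into subfolders (slow, but thorough)
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Acl reads the security descriptor; Owner is "DOMAIN\name".
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if ($null -ne $acl -and $acl.Owner -ne $ExpectedOwner) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    Owner         = $acl.Owner
                    LastWriteTime = $_.LastWriteTime
                    # Valid / NotSigned / HashMismatch: a replaced binary that
                    # was also patched will show up as HashMismatch here.
                    Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }
}

# Usage, from an elevated PowerShell session:
#   Get-System32OwnerDrift | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Expect some legitimate hits: files Windows creates at runtime (logs, catalogue databases, per-machine caches) are often owned by SYSTEM or Administrators rather than TrustedInstaller, so the interesting rows are signed system binaries (.exe, .dll, .sys) with an unexpected owner, a recent write time, or a signature status other than Valid.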

explorer didn't allow access to the users directory, but 7zFM did go figure. client who turns down 'i can be there in 30 mins' when their computer is a reboot cycle n their a freaking out, they said nah come the next day, asking for it desu.

the whole 2015-2016 win10 upgrade wuz the worst year, i released microkukz true intention of implementing glow in the dark ciaware on the machines and the avg normie gitz the boot in the face.

another users' machine took 4-5 hours to upgrade to win10 which was very trying of patience since the machine wuz on site at their home, needless to say i don't do that kind of kukold haus calls anymore, it's just too gross to see normies shitholes and dirty screens/keyboards/malware. hell that skinwalkr bitch even got malware popups on an android since some app told her to disable verified apps only or w/e.

>Changing the profile environment variable doesn't break anything on Windows 10 either.
I meant ProfileDir in the registry (it's where Windows puts user profiles, so obviously defaults to C:\Users). And yes, it does. It breaks tons of shit in Windows 8 and later (especially Metro), because MS got heavy on using hardlinks for things inside the user profile (app installs, etc) - and hardlinks don't work across file systems.

>normies shitholes and dirty screens/keyboards/malware
I'm honestly unsure how so many people live in absolute squalor. Literal trash everywhere, food/drink/cum encrusted keyboard, greasy mouse, splattered monitor. It's like they're barely self aware.

yep, cost benefit is shit for PC users.
>It's like they're barely self aware.
NPC dronez, ironically i'm moving more into the mac os consulting bizness these days and the apple users even more stupid, they would rather not think about computers at all, its so weird. the current year is a hell dimenzion, imo apple could open its software to partner OEMs n fug over microkuk slowly eating the pie but they won't cuz they r faggots n have non-compete with microkuk.

The NPC meme is pretentious, but is honestly based in reality.
I think that many people are just not capable of critical thinking or self-awareness.
They're the ones that get taken to the cleaners by anyone who performs a service since they're incapable of doing most things for themselves.

I know what you are talking about. I have been using a modified ProfileDir entry for every version of Windows above XP and have never had any problems. They do not use hardlinks for app installations; application installations are never done to %userprofile%, they are done to %programfiles% or %programfiles(x86)%, and all application data, including net installers, is stored in %localappdata% or %appdata% variables etc. This has been standard practice for decades and has not changed. They would not even be able to hardlink as a possibility because they would have no way to call the path to the user location without a username; there is no actual username variable, only a user profile directory location variable.

Here is a screencap of me using a separate drive as my user profiles location, you can clearly see ntuser.dat in this folder as well as AppData, next time don't lie to make yourself feel better for using a deprecated version of Windows.

>Want some open source stuff
>Realize the repo got taken over by some chinese dude
>All my bitcoins are gone

zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/

At least you know when the rapist is raping you.

Whoo boy.
*cracks knuckles*
OK, let's fuck this chicken.

But first, note this:

>Irrelevant information removed for exposition purposes
E:\user>set
USERNAME=user
USERPROFILE=E:\user
LOCALAPPDATA=E:\user\AppData\Local
APPDATA=C:\user\AppData\Roaming

>I know what you are talking about
Then stop saying environment variables if you mean registry. It ruins the credibility of the above statement. The envvars are just a sometimes-useful side-effect of the user profiles registry keys, nothing more.

>I have been using a modified ProfileDir entry for every version of Windows above XP and have never had any problems,
Windows 2000 here, and same - except when I got to 8, trouble began.

>they do not use hardlinks for app installations,
Incorrect, but we'll get to that when I answer the next user.

>application installations are never done to %userprofile%,
Incorrect, but we'll get to that very shortly.

>they are done to %programfiles% or %programfiles(x86)%, all application data, including net installers are stored in %localappdata% or %appdata% variables etc,
Leaving aside that you're using "variables" again (stop it), see above - you are aware that those folders are in the folder pointed to by %USERPROFILE%?

>this has been standard practice for decades and has not changed.
Millions of apps jam themselves into C:\Users\\AppData\Local - or ...\Roaming - which as mentioned, is in your user profile. They've been doing it for years. I actually find it quite offensive, but it's become standard practice.

>They would not even be able to hardlink as a possibility because they would have no way to call the path to the user location
Hardlinks don't need environment variables to work. Hell, they don't even understand them (they're expanded at creation time if you specify them). I suspect you're thinking of directory symbolic links, which are an entirely different thing - and are happy to evaluate envvars on access (which can be handy).

(cont'd)

>there is no actual username variable, only a user profile directory location variable
Incorrect, see above.

I see what you did there. Very sneaky. For anybody interested, this is what this user did:

1) Created new user, logged on (to create the profile folder in C:\Users),
2) Watched the annoying "Hi. We're setting things up for you..." animation, which is when Windows installs inbox Metro apps per user,
2a) As an annoying thing, this is skipped on remote sessions. Never, NEVER create a user, then do the first logon over RD - no apps (including, but not limited to, Settings app, Action Center, etc.) will work. Pain in the ass; I wrote a batch file to fix it (just a bunch of DISM commands), but only used it once.
3) Installed (sideloaded, grabbed from WinStore, whatever) any other Metro apps he wanted,
4) Logged off, logged on again as an administrator (or booted WinPE),
5) Copied his profile folder (something like C:\Users\user) wholus-bolus to the new location on D:,
6) As the copy progressed, pre-hardlinked files were copied to the new file system. They had the right contents, so already-installed apps would be none the wiser,
7) Fixed his profile entry at HKLM\...\ProfileList, a few entries in the new ntuser.dat (at D:\user), logged in, and everything works.

Of course, this works. It works brilliantly. I, in fact, did consider doing it this way when I found doing it "the right way" didn't work on Windows 8. But I'm fairly liberal with my computers, "oh user, my laptop/desktop/smartphone has died, can I use yours? Sure anonette, I'll just create you a user". Doing it this faggot's way would add a lot of time and effort to that procedure. Then there's the killer:

user? How about you uninstall a Metro app? Or better, install one - go on Windows Store, grab some random guinea-pig freebie, and install it. Let's see how far you get.

(cont'd)

You see, when it downloads, it'll be dropped in C:\Program Files\WindowsApps, and then the per-user installation kicks off and starts hardlinking required files into \AppData\Local\Windows\WindowsApps (NOT ...\Roaming\..., fuck you M$). This is because for a while now, Microsoft has assumed you're going to be using a single file system for Windows, not moving anything to any place out of the ordinary (culminating in the recent 1809 recall - shitty handling of moved user folders was the underlying problem with it), and so could leverage Windows' CBS system (which DISM and PkgMgr are front-ends for), which extensively relies on hardlinks to keep Windows sane during installation of features, updates, etc.

I know I'm preaching to a bunch of mongoloids here who will ignore this little blog post, keep trotting out shit, and attacking anybody who contradicts them. So fucking what? It's Jow Forums, that's what it exists for. But at least now, the facts are where they need to be.
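The step-by-step above hinges on one NTFS detail: copying a hardlinked file yields a file with the right contents but no link back to the original, so the copy stops tracking the store the moment servicing touches it. As an added example (not code from the thread), this PowerShell function reproduces that in a scratch folder under $env:TEMP: it builds a "store" file, hardlinks it into a fake profile the way the WindowsApps per-user install does, copies the profile to a new location, then updates the store and shows which name still follows. Folder names and the function name are my own.

```powershell
# Added example (not from the thread): why a copied profile keeps working
# until the next app install or update. Everything happens in a throwaway
# folder under $env:TEMP; no real profile or package store is touched.
function Show-HardlinkCopyBehaviour {
    $work = Join-Path $env:TEMP ("hardlink-demo-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path "$work\store", "$work\profile", "$work\moved" | Out-Null

    # 1. A file in the "package store" (stand-in for Program Files\WindowsApps)
    #    and a per-user hardlink to it (stand-in for AppData\Local\...\WindowsApps).
    $storeFile = "$work\store\app.dll"
    Set-Content -Path $storeFile -Value 'original payload'
    $linkFile = "$work\profile\app.dll"
    New-Item -ItemType HardLink -Path $linkFile -Target $storeFile | Out-Null

    # 2. Both names point at one set of data blocks: fsutil lists two entries.
    $linksBefore = @(fsutil hardlink list $linkFile).Count

    # 3. "Move" the profile by copying it, as in the procedure above. The copy
    #    gets the same bytes but is a brand-new file with a link count of one.
    Copy-Item -Path "$work\profile\*" -Destination "$work\moved" -Recurse
    $linksAfter = @(fsutil hardlink list "$work\moved\app.dll").Count

    # 4. Servicing (CBS/DISM) rewrites the store file in place. The genuine
    #    hardlink sees the new bytes; the copied profile is now stale.
    Set-Content -Path $storeFile -Value 'updated payload'
    $result = [pscustomobject]@{
        LinksBeforeCopy   = $linksBefore                              # 2
        LinksAfterCopy    = $linksAfter                               # 1
        OriginalLinkSees  = (Get-Content -Path $linkFile)             # updated payload
        CopiedProfileSees = (Get-Content -Path "$work\moved\app.dll") # original payload
    }

    Remove-Item -Path $work -Recurse -Force
    $result
}

# Usage: Show-HardlinkCopyBehaviour
```

The same reason explains why the hardlink cannot simply be recreated on the other drive: a hardlink is a second directory entry for the same file record, so it cannot cross a volume boundary at all, which is what the "the right way doesn't work on Windows 8" remark above runs into.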

So do you. Look up "Diagnostic Data Viewer".

Reposted for context:
I know what you are talking about. I have been using a modified ProfileDir entry for every version of Windows above XP and have never had any problems. They do not use hardlinks for app installations; application installations are never done to %userprofile%, they are done to %programfiles% or %programfiles(x86)%, and all application data, including net installers, is stored in %localappdata% or %appdata% variables etc. This has been standard practice for decades and has not changed. They would not even be able to hardlink as a possibility because they would have no way to call the path to the user location without a username; there is no actual username variable, only a user profile directory location variable.

If someone can compromise a download server they could have also changed the checksum
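This is the real caveat to the earlier advice (check that the UAC prompt is blue, check the hash): a checksum hosted next to the download is only as trustworthy as the server, so the hash has to come from a channel the mirror does not control, and the Authenticode signature is the check that survives a compromised server. As an added example (not code from the thread), this PowerShell function does both checks before anything is run elevated. The expected hash and signer subject are placeholders to be replaced with the vendor's published values.

```powershell
# Added example (not from the thread): vet a downloaded installer before
# granting it elevation. $ExpectedSha256 must be obtained out-of-band
# (vendor page on a separate domain, signed release notes, a mailing-list
# post); a value scraped from the same download server proves nothing.
function Test-Download {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: the SHA-256 the vendor publishes out-of-band.
        [string] $ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000',
        # Placeholder: subject of the vendor's code-signing certificate.
        [string] $ExpectedSignerPattern = 'CN=Example Vendor*'
    )

    $result = [ordered]@{ Path = $Path; HashOk = $false; SignatureOk = $false; SignerOk = $false }

    # SHA-256 rather than MD5: MD5 collisions are practical, so two different
    # binaries can share an MD5 while still differing in SHA-256.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -ieq $ExpectedSha256)

    # Authenticode binds the file to a certificate chain instead of to a
    # value hosted beside the download. A Valid status is what turns the
    # UAC prompt blue; an attacker who only controls the mirror cannot
    # forge it, which a same-server checksum cannot claim.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureOk = ($sig.Status -eq 'Valid')
    # -and short-circuits, so SignerCertificate is only read when a signature exists.
    $result.SignerOk = $result.SignatureOk -and ($sig.SignerCertificate.Subject -like $ExpectedSignerPattern)

    if ($result.HashOk -and $result.SignerOk) { $result.Verdict = 'Hash and signer match: OK to elevate' }
    elseif ($result.SignerOk) { $result.Verdict = 'Signed by expected vendor but hash differs: confirm the version before running' }
    else { $result.Verdict = 'Unsigned, wrongly signed, or tampered: do not run as administrator' }

    [pscustomobject]$result
}

# Usage:
#   Test-Download -Path "$env:USERPROFILE\Downloads\setup.exe" `
#                 -ExpectedSha256 '<vendor-published hash>' -ExpectedSignerPattern 'CN=Vendor*'
```

The signer pattern matters as much as the Valid status: any Authenticode certificate yields a blue prompt, so a signature check that ignores who signed only tells you that someone with a code-signing certificate built the file, not that it was the vendor you downloaded from.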

>nice tripz, yee i know that would be ez so checksumz r better, just saying make it more work then renaming a single file.
Yes, replacing a record in a list with checksums seems soo much harder than doing the same in a list with filesizes, fag.

>why would you miss something as obvious as a setup password?
So that the attacker would have to do something as difficult as flipping the CMOS reset jumper? Seems to fix a whole lot.

>defining windows
good job
does not apply to linux, sorry

There's windows defender and all that crap. I don't give half a shit about viruses, I want my programs to run and have a good time.

Don't act like you've ever audited a program yourself.