Accessing Forbidden NTFS Drives

by Number Syx

The following information is described for the purpose of education.  I'm aware this procedure could be, and has been, used to circumvent the security of any Windows NT machine which the user has physical access to.  I do not condone the use of this information for illegal purposes, nor am I responsible for anything stupid anyone does with this information.  NTFS support in Linux is still Beta, reading and copying from the drive is safe, but copying to the drive is an "at your own risk" deal.

Intro

One of the many misconceptions about Windows NT is that it's a secure operating system and that by formatting a disk with NTFS and properly setting permissions, nobody can access the information on the disk without permission to do so.

There are two problems with this theory.  First, it is wrong.  Second, all it really does is make crash recovery more difficult.  I will describe a method for circumventing NTFS security: using a Linux boot disk.

This can be useful in many ways.  From the system administrator's view, this is an excellent way to get access to important files on a system that has crashed before formatting the hard drive and reinstalling NT.  From the hacker's view, it gives access to the system files.  He would not normally have access to the registry, user profiles, PST Files, etc.

In order to accomplish this you will need some knowledge of Linux.  It is possible to do this with a DOS bootable floppy, but the only NTFS drivers available are read-only and therefore useless to me.  In all fairness, Linux has this vulnerability as well.

The first thing you need is a copy of the latest version of Trinux.  This is a Linux mini distribution designed for network administration and it has many useful features.  Its best feature though is its ability to boot from a floppy on virtually any machine which has more than 8 MB of RAM.

Get two blank floppy disks, go to www.trinux.org, and download the following files: boot.gz, classic.gz, ntfs.o, and rawrite.exe.

The current version as of this writing is 0.62, however use version 0.61 as there is not enough room for extra files on the 0.62 boot disk.  Follow the instructions for unzipping and making the boot disk and the data disk.  If you can't get this far, you have no business doing this in the first place.

When this is done, copy ntfs.o to the boot disk, edit the "Modules" file, add the line "ntfs" to it (no quotes), and save the file.  At this point it is best if you boot the disk a few times, first to test it and second to get familiar with what will happen and how Trinux will respond to commands given to it.  This way there are no surprises.

What Next

Now take the two floppies to the machine you want to access.  Boot the first disk.  When it asks if you have a data disk, put in the second disk and type "Y" then hit return.  It will then ask you again.  Type "n" and hit return.

When it is finished booting, you will have a "Trinux 0.61" prompt.  Type "insmod ntfs.o" - this loads the NTFS support.

Type "mount -t ntfs /dev/hda1 /mnt" - this will mount the first partition on the first hard drive.  This assumes the first partition on the first hard drive is an NTFS partition.  If not, the following table will give you an idea of how to mount the proper drive.

These are for IDE drives:

/dev/hda1 - First partition on the first hard drive
/dev/hda2 - Second partition on the first drive
/dev/hdb1 - First partition on the second hard drive
/dev/hdb2 - Second partition on the second hard drive

You get the idea.

Now you should have access to the drive.  You can now put a third floppy in the drive and type "mount -t msdos /dev/fd0 /floppy".

This gives you access to the floppy so you have someplace to save files to.  Alternately, if you are really clever you could get the proper modules for zip drive support which connects to the LPT (printer) port (scsi.o and ppa.o), which would give you more flexibility in copying files.

I would like to give creative credit to CM, who challenged me to find a way to access an NTFS system from a floppy disk.

Return to $2600 Index