Ever find a utility that seems so useful you’re scared to actually use it? That’s Kon-Boot for me. It has some incredible tricks, but I just can’t decide if I should trust it – no code available, how do I know what else it is doing?
What do I know it does for sure? Boot from the Kon-Boot CD and you can completely ignore Windows passwords – or get root on Linux.
Kon-Boot is an prototype piece of software which allows to change contents of a linux kernel (and now Windows kernel also!!!) on the fly (while booting). In the current compilation state it allows to log into a linux system as ‘root’ user without typing the correct password or to elevate privileges from current user to root. For Windows systems it allows to enter any password protected profile without any knowledge of the password.
I’ve cautiously tested it on a Windows XP machine and it definitely seems to work as advertised. The machine I used is an XP box in our corporate domain and, most importantly, disconnected from the network at the time. (That machine is also slated for a wipe and reload before anything else is done with it!)
I’d love to test it more with those domain credentials by putting it on the network first, but I guess that would be kind of like inviting the folks from Nitro Circus to do all my server admin work…
I popped in the CD, booted from it, admired the old school BBS style ANSI graphics and then it started up Windows as normal.
At the Windows user/pass prompt I entered “administrator” and selected our domain. Leaving the password blank I smacked Enter and… holy crap, I was logged in!
Pulled the CD, rebooted and had to provide the original password to log in.
Kon-Boot doesn’t remove the password nor does it change it. This is incredibly helpful when you need to do a spot of maintenance on someone’s machine and they’re not around. No more changing their domain password on ‘em.
But can we trust it?
I spent an hour or so this evening searching around, didn’t really find anything definitive. Plenty of folks claiming safe/not-safe, but not much for details. A fellow in this hacker-news topic gave about the most details I found – all in 3 or 4 sentences…
Anyone else using it or have more information?
No related posts.
Loading tweets...
4 comments
the man
November 14, 2009 at 12:56 pm (UTC -7)
i found a trojan horse and a key logger they send the info as soon as the computer is connected to the internet
Dudedude
November 20, 2009 at 11:12 pm (UTC -7)
Looks like the creator is going after blackmailing the users into ddosing banks if they don’t pay.
or sell ur info on yahoo chat room
Chris
November 20, 2009 at 11:26 pm (UTC -7)
Ouch. Got a link for more info?
Dudedude
November 20, 2009 at 11:13 pm (UTC -7)
P.S making the user legally responsible for all resulting damages and losses.