Windows Security

MBR Lab
Lab Objectives:
  • Create a bootable MBR drive in Windows 10
  • Copy boot files to the drive from Windows
  • Examine boot files in Windows
  • Examine the MBR in Linux
1. Open a command prompt as an Administrator.
2. Enter:

	diskpart
  Microsoft DiskPart version 10.0.19041.964

  Copyright (C) Microsoft Corporation.
  On computer: DESKTOP-8M0RP18

  DISKPART>
3.  Enter:
 
	list disk  
  DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online           60 GB  1024 KB
  Disk 1    Online           57 GB      0 B
4.  Enter:
 
	select disk <number>
Where <number> is the number of the disk you are going to partition.
Ensure you select the correct disk or you may destroy your filesystem!
  Disk 1 is now the selected disk.
5.  Enter:
 
	clean
To erase the existing partition table and volume information from the disk.
  DiskPart succeeded in cleaning the disk.
6. Enter:
 
	create partition primary
To create a new primary partition.
  DiskPart succeeded in creating the specified partition.
7. Enter:
 
	select partition 1
To select the newly created partition.
  Partition 1 is now the selected partition.
8.  Enter:
 
	format fs=ntfs quick
To format the new partition with the New Technology File System (NTFS).
  100 percent completed

  DiskPart successfully formatted the volume.
9.  Enter:
 
	active
To set the partition as active (bootable).
  DiskPart marked the current partition as active.
10.  Enter:
 
	assign letter=B
To assign a drive letter (mount point) to the partition.
  DiskPart successfully assigned the drive letter or mount point.
11. Enter:
 
	exit
To return to the command prompt. We will now copy the Windows boot files to the partition using bcdboot.

12.  Enter:
 
	bcdboot C:\Windows /s B: /f BIOS  
To copy the boot files to the B: drive for BIOS booting (assuming Windows is installed to C:\).
  Boot files successfully created.
13.  Enter:
 
	B: 
To switch to the B: drive.

14.  Enter:
 
	dir 
To get a directory listing.
  Directory of B:\

   File Not Found
Notice that no files are listed. Why is this?

15. Enter:
 
	dir /as 
To list files with the system attribute (dir /ah also works, since the boot files are marked both hidden and system).
  Directory of B:\

 02/04/2022  05:11 PM    <DIR>          Boot
 02/01/2022  03:22 PM           413,786 bootmgr
 12/07/2019  01:08 AM                 1 BOOTNXT
 02/04/2022  04:18 PM    <DIR>        System Volume Information
                2 File(s)        413,787 bytes
                2 Dir(s)  61,388,775,424 bytes free
Notice that bootmgr has been copied from our Windows 10 system to the drive. Windows 10 does not provide the tools necessary to work directly with the MBR, so we will need to switch to a Linux system to examine our drive there.

16.  After connecting the drive to the Linux machine enter:
 
	lsblk 
To list block storage devices.
	NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
	sda           8:0    0 465.8G  0 disk
	|-sda1        8:1    0   512M  0 part /boot/efi
	|-sda2        8:2    0 464.3G  0 part /
	`-sda3        8:3    0   976M  0 part [SWAP]
	sdb           8:16   1  57.3G  0 disk
	`-sdb1        8:17   1  57.3G  0 part
	nvme0n1     259:0    0   3.7T  0 disk
	|-nvme0n1p1 259:1    0   190M  0 part
	|-nvme0n1p2 259:2    0   128M  0 part
	|-nvme0n1p3 259:3    0   3.7T  0 part
	|-nvme0n1p4 259:4    0   990M  0 part
	|-nvme0n1p5 259:5    0  17.3G  0 part
	`-nvme0n1p6 259:6    0   1.4G  0 part
On this machine, sdb is the attached drive we created. Note: since the MBR lives in the first sector of the disk, outside the NTFS filesystem partition, we won't be mounting the drive to examine it. Instead we must work directly with the block device sdb. We need to copy the first 512 bytes from sdb into a file so we can examine the MBR.

17.  Enter:
 
	sudo dd if=/dev/sdb of=~/MBR.bin bs=512 count=1
This copies one 512-byte block: the first sector of the disk, which holds the MBR.
	1+0 records in
	1+0 records out
	512 bytes copied, 0.00198152 s, 258 kB/s
Now we can examine the MBR.bin file to see the contents of the MBR.
18.  Enter:
 
	vim ~/MBR.bin 
To open the file in vim.

Notice the output is not legible. This is because we are trying to view binary data as ASCII text. We need to view it as hexadecimal.
19.  Enter:
 
	:%!xxd 
To filter the entire file through the xxd hexdump utility.
	00000000: 33c0 8ed0 bc00 7c8e c08e d8be 007c bf00  3.....|......|..
	00000010: 06b9 0002 fcf3 a450 681c 06cb fbb9 0400  .......Ph.......
	00000020: bdbe 0780 7e00 007c 0b0f 850e 0183 c510  ....~..|........
	00000030: e2f1 cd18 8856 0055 c646 1105 c646 1000  .....V.U.F...F..
	00000040: b441 bbaa 55cd 135d 720f 81fb 55aa 7509  .A..U..]r...U.u.
	00000050: f7c1 0100 7403 fe46 1066 6080 7e10 0074  ....t..F.f`.~..t
	00000060: 2666 6800 0000 0066 ff76 0868 0000 6800  &fh....f.v.h..h.
	00000070: 7c68 0100 6810 00b4 428a 5600 8bf4 cd13  |h..h...B.V.....
	00000080: 9f83 c410 9eeb 14b8 0102 bb00 7c8a 5600  ............|.V.
	00000090: 8a76 018a 4e02 8a6e 03cd 1366 6173 1cfe  .v..N..n...fas..
	000000a0: 4e11 750c 807e 0080 0f84 8a00 b280 eb84  N.u..~..........
	000000b0: 5532 e48a 5600 cd13 5deb 9e81 3efe 7d55  U2..V...]...>.}U
	000000c0: aa75 6eff 7600 e88d 0075 17fa b0d1 e664  .un.v....u.....d
	000000d0: e883 00b0 dfe6 60e8 7c00 b0ff e664 e875  ......`.|....d.u
	000000e0: 00fb b800 bbcd 1a66 23c0 753b 6681 fb54  .......f#.u;f..T
	000000f0: 4350 4175 3281 f902 0172 2c66 6807 bb00  CPAu2....r,fh...
	00000100: 0066 6800 0200 0066 6808 0000 0066 5366  .fh....fh....fSf
	00000110: 5366 5566 6800 0000 0066 6800 7c00 0066  SfUfh....fh.|..f
	00000120: 6168 0000 07cd 1a5a 32f6 ea00 7c00 00cd  ah.....Z2...|...
	00000130: 18a0 b707 eb08 a0b6 07eb 03a0 b507 32e4  ..............2.
	00000140: 0500 078b f0ac 3c00 7409 bb07 00b4 0ecd  ......<.t.......
	00000150: 10eb f2f4 ebfd 2bc9 e464 eb00 2402 e0f8  ......+..d..$...
	00000160: 2402 c349 6e76 616c 6964 2070 6172 7469  $..Invalid parti
	00000170: 7469 6f6e 2074 6162 6c65 0045 7272 6f72  tion table.Error
	00000180: 206c 6f61 6469 6e67 206f 7065 7261 7469   loading operati
	00000190: 6e67 2073 7973 7465 6d00 4d69 7373 696e  ng system.Missin
	000001a0: 6720 6f70 6572 6174 696e 6720 7379 7374  g operating syst
	000001b0: 656d 0000 0063 7b9a 85f2 195a 0000 8020  em...c{....Z...
	000001c0: 2100 07fe ffff 0008 0000 00f8 2807 0000  !...........(...
	000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
	000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
	000001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

Is this drive marked as bootable? How can you tell?
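The following parser is an added example (not part of the lab handout) that decodes the last 72 bytes of the sector dumped in steps 17-19: the disk signature at offset 0x1b8, the four 16-byte partition entries at 0x1be, and the 55aa boot signature at 0x1fe. The sample sector is constructed from the partition-table bytes in the xxd output above with the 440-byte bootstrap area zeroed, so it is not a byte-for-byte copy of the dump; the `clear_active_flags` helper shows what the same sector looks like when step 9 (`active`) is skipped.

```python
import struct

# Bytes 0x1b8-0x1ff as they appear in the step-19 hexdump (disk signature, one
# partition entry, three empty entries, 55aa). The 440-byte bootstrap area is
# zeroed, so this is a constructed sector, not a byte-for-byte copy of the dump.
MBR = bytes(440) + bytes.fromhex(
    "85f2 195a 0000"                              # disk signature, 2 reserved bytes
    "8020 2100 07fe ffff 0008 0000 00f8 2807"     # partition entry 1
    + "00" * 48 + "55aa")                         # entries 2-4 unused, boot signature

TYPES = {0x00: "empty", 0x07: "NTFS/exFAT", 0x0C: "FAT32 LBA", 0x83: "Linux",
         0xEE: "GPT protective"}

def decode_chs(head, sector, cyl_low):
    """The 10-bit cylinder is split across the sector byte's top 2 bits and cyl_low."""
    return (((sector & 0xC0) << 2) | cyl_low, head, sector & 0x3F)  # (C, H, S)

def parse_mbr(mbr):
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    info = {  # bytes 55 AA read little-endian are 0xAA55; without them BIOS won't boot
        "boot_signature_ok": struct.unpack_from("<H", mbr, 0x1FE)[0] == 0xAA55,
        "disk_signature": struct.unpack_from("<I", mbr, 0x1B8)[0],
        "partitions": []}
    for i in range(4):  # four 16-byte entries starting at 0x1be
        (status, h1, s1, c1, ptype, h2, s2, c2,
         lba, count) = struct.unpack_from("<8BII", mbr, 0x1BE + 16 * i)
        info["partitions"].append({
            "active": status == 0x80,  # the byte diskpart's `active` command sets
            "type": ptype, "type_name": TYPES.get(ptype, f"0x{ptype:02x}"),
            "chs_start": decode_chs(h1, s1, c1), "chs_end": decode_chs(h2, s2, c2),
            "lba_start": lba, "sector_count": count, "size_bytes": count * 512})
    return info

def is_bootable(mbr):
    """A BIOS boots the drive only if the signature is valid and an entry is active."""
    info = parse_mbr(mbr)
    return info["boot_signature_ok"] and any(p["active"] for p in info["partitions"])

def clear_active_flags(mbr):
    """The same sector as it would look had step 9 (`active`) been skipped."""
    buf = bytearray(mbr)
    for off in range(0x1BE, 0x1FE, 16):
        buf[off] = 0x00
    return bytes(buf)

if __name__ == "__main__":
    part = parse_mbr(MBR)["partitions"][0]
    print(part, "bootable:", is_bootable(MBR), "flag cleared:", is_bootable(clear_active_flags(MBR)))
```

Run against the real `~/MBR.bin` with `parse_mbr(open("MBR.bin", "rb").read())`; the 120,125,440-sector count decodes to about 57.3 GiB, matching the lsblk size of sdb1.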