Windows Security

MBR Lab
Lab Objectives:
  • Create a bootable MBR drive in Windows 10
  • Copy boot files to the drive from Windows
  • Examine boot files in Windows
  • Examine the MBR in Linux
1.  Open a command prompt as an Administrator
2.  Enter:
 diskpart

Microsoft DiskPart version 10.0.19041.964

Copyright (C) Microsoft Corporation.
On computer: DESKTOP-8M0RP18

DISKPART>

3.  Enter:
 list disk  
DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online           60 GB  1024 KB
  Disk 1    Online           57 GB     0 B

4.  Enter:
 select disk <number>

Where <number> is the number of the disk you are going to partition. Ensure you select the correct disk or you may destroy your filesystem!
Disk 1 is now the selected disk.

5.  Enter:
 clean

To erase the disk.
DiskPart succeeded in cleaning the disk.

6. Enter:
 create partition primary

To create a new primary partition.
DiskPart succeeded in creating the specified partition.

7. Enter:
 select partition 1

To select the newly created partition.
Partition 1 is now the selected partition.

8.  Enter:
 format fs=ntfs quick

To format the new partition with the New Technology File System (NTFS).
100 percent completed DiskPart successfully formatted the volume.

9.  Enter:
 active

To set the partition as active (bootable)
DiskPart marked the current partition as active.

10.  Enter:
 assign letter=B

To assign a drive letter mount point for the partition.
DiskPart successfully assigned the drive letter or mount point.

11. Enter:
 exit

To return to the command prompt. We will now copy the Windows boot files to the partition using bcdboot.

12.  Enter:
 bcdboot C:\Windows /s B: /f BIOS  

To copy system files to the B: drive for BIOS booting (assuming Windows is installed to C:\)
Boot files successfully created.

13.  Enter:
 B: 

To switch to the B: drive.

14.  Enter:
 dir 

To get a directory listing.
 Directory of B:\

File Not Found

Notice that no files are listed. Why is this?

15. Enter:
 dir /as 

To list hidden system files (dir /ah also works).
 Directory of B:\

02/04/2022  05:11 PM    <DIR>          Boot
02/01/2022  03:22 PM           413,786 bootmgr
12/07/2019  01:08 AM                 1 BOOTNXT
02/04/2022  04:18 PM    <DIR>          System Volume Information
               2 File(s)        413,787 bytes
               2 Dir(s)  61,388,775,424 bytes free

Notice that bootmgr has been copied from our Windows 10 system to the drive. Windows 10 does not provide the tools necessary to work directly with the MBR, so we will need to switch to a Linux system to examine our drive there.

16.  After connecting the drive to the Linux machine enter:
 lsblk 

To list block storage devices.
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda           8:0    0 465.8G  0 disk
|-sda1        8:1    0   512M  0 part /boot/efi
|-sda2        8:2    0 464.3G  0 part /
`-sda3        8:3    0   976M  0 part [SWAP]
sdb           8:16   1  57.3G  0 disk
`-sdb1        8:17   1  57.3G  0 part
nvme0n1     259:0    0   3.7T  0 disk
|-nvme0n1p1 259:1    0   190M  0 part
|-nvme0n1p2 259:2    0   128M  0 part
|-nvme0n1p3 259:3    0   3.7T  0 part
|-nvme0n1p4 259:4    0   990M  0 part
|-nvme0n1p5 259:5    0  17.3G  0 part
`-nvme0n1p6 259:6    0   1.4G  0 part

On this machine, sdb is the attached drive we created. Note: Since the MBR exists outside of the NTFS filesystem partition, we won't be mounting the drive to examine it. Instead we must work directly with the block device sdb. We need to copy the first 512 bytes from sdb into a file so we can examine the MBR.

17.  Enter:
 sudo dd if=/dev/sdb of=~/MBR.bin bs=512 count=1  

This will copy 1 block that is 512 bytes in size.
1+0 records in
1+0 records out
512 bytes copied, 0.00198152 s, 258 kB/s

Now we can examine the MBR.bin file to see the contents of the MBR.

18.  Enter:
 vim ~/MBR.bin 

To open the file in vim.

Notice the output is not legible. This is because we are trying to view binary data as ASCII text. We need to view it as hexadecimal.

19.  Enter:
 :%!xxd 

To filter the entire file with the xxd hexdump utility.
00000000: 33c0 8ed0 bc00 7c8e c08e d8be 007c bf00  3.....|......|..
00000010: 06b9 0002 fcf3 a450 681c 06cb fbb9 0400  .......Ph.......
00000020: bdbe 0780 7e00 007c 0b0f 850e 0183 c510  ....~..|........
00000030: e2f1 cd18 8856 0055 c646 1105 c646 1000  .....V.U.F...F..
00000040: b441 bbaa 55cd 135d 720f 81fb 55aa 7509  .A..U..]r...U.u.
00000050: f7c1 0100 7403 fe46 1066 6080 7e10 0074  ....t..F.f`.~..t
00000060: 2666 6800 0000 0066 ff76 0868 0000 6800  &fh....f.v.h..h.
00000070: 7c68 0100 6810 00b4 428a 5600 8bf4 cd13  |h..h...B.V.....
00000080: 9f83 c410 9eeb 14b8 0102 bb00 7c8a 5600  ............|.V.
00000090: 8a76 018a 4e02 8a6e 03cd 1366 6173 1cfe  .v..N..n...fas..
000000a0: 4e11 750c 807e 0080 0f84 8a00 b280 eb84  N.u..~..........
000000b0: 5532 e48a 5600 cd13 5deb 9e81 3efe 7d55  U2..V...]...>.}U
000000c0: aa75 6eff 7600 e88d 0075 17fa b0d1 e664  .un.v....u.....d
000000d0: e883 00b0 dfe6 60e8 7c00 b0ff e664 e875  ......`.|....d.u
000000e0: 00fb b800 bbcd 1a66 23c0 753b 6681 fb54  .......f#.u;f..T
000000f0: 4350 4175 3281 f902 0172 2c66 6807 bb00  CPAu2....r,fh...
00000100: 0066 6800 0200 0066 6808 0000 0066 5366  .fh....fh....fSf
00000110: 5366 5566 6800 0000 0066 6800 7c00 0066  SfUfh....fh.|..f
00000120: 6168 0000 07cd 1a5a 32f6 ea00 7c00 00cd  ah.....Z2...|...
00000130: 18a0 b707 eb08 a0b6 07eb 03a0 b507 32e4  ..............2.
00000140: 0500 078b f0ac 3c00 7409 bb07 00b4 0ecd  ......<.t.......
00000150: 10eb f2f4 ebfd 2bc9 e464 eb00 2402 e0f8  ......+..d..$...
00000160: 2402 c349 6e76 616c 6964 2070 6172 7469  $..Invalid parti
00000170: 7469 6f6e 2074 6162 6c65 0045 7272 6f72  tion table.Error
00000180: 206c 6f61 6469 6e67 206f 7065 7261 7469   loading operati
00000190: 6e67 2073 7973 7465 6d00 4d69 7373 696e  ng system.Missin
000001a0: 6720 6f70 6572 6174 696e 6720 7379 7374  g operating syst
000001b0: 656d 0000 0063 7b9a 85f2 195a 0000 8020  em...c{....Z... 
000001c0: 2100 07fe ffff 0008 0000 00f8 2807 0000  !...........(...
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

Is this drive marked as bootable? How can you tell?
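The hexdump only makes sense once you know where the MBR keeps its fields: the disk signature at offset 0x1B8, the four 16-byte partition table entries starting at 0x1BE (first byte 0x80 means active/bootable, then a CHS start address, the partition type, a CHS end address, the starting LBA and the sector count, the last two as little-endian 32-bit values), and the 0x55AA boot signature in the final two bytes. The following Python script is an added example for this lab, not part of the original handout or of any Microsoft tool; it parses a raw 512-byte sector such as ~/MBR.bin and reports those fields. The built-in sample image is constructed from the partition table bytes visible in the xxd dump above (offsets 0x1B8 onward); its 440 bytes of bootstrap code are zeroed, whereas the real sector carries the Windows boot code.

```python
"""Parse a raw 512-byte MBR sector (e.g. the ~/MBR.bin written by dd).

Added example for this lab, not part of the original handout. It assumes
the classic MBR layout:
  0x000-0x1B7  bootstrap code (440 bytes)
  0x1B8-0x1BB  disk signature, little-endian 32-bit
  0x1BC-0x1BD  reserved (normally 0x0000)
  0x1BE-0x1FD  four 16-byte partition table entries
  0x1FE-0x1FF  boot signature 0x55 0xAA
"""
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80
PARTITION_TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
# A few common partition type IDs (not exhaustive).
PARTITION_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT",
                   0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
                   0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
                   0xEF: "EFI system"}


def decode_chs(raw):
    """Unpack a 3-byte CHS address into (cylinder, head, sector).
    Byte 0 is the head, the low 6 bits of byte 1 are the sector, and the
    10-bit cylinder is the high 2 bits of byte 1 followed by byte 2."""
    head, sec_cyl, cyl_low = raw
    return ((sec_cyl & 0xC0) << 2) | cyl_low, head, sec_cyl & 0x3F


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry."""
    status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"status": status, "active": status == ACTIVE_FLAG,
            "type": ptype, "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
            "lba_start": lba_start, "sectors": sectors,
            "size_bytes": sectors * SECTOR_SIZE}


def parse_mbr(data):
    """Parse a 512-byte MBR. 'bootable' means the 0x55AA signature is present
    (the BIOS will not run the sector otherwise) and exactly one entry carries
    the 0x80 active flag, which is what the classic Microsoft boot code expects
    before it loads that partition's boot sector."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    disk_signature = struct.unpack_from("<I", data, 0x1B8)[0]
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        partitions.append(parse_partition_entry(data[start:start + ENTRY_SIZE]))
    has_signature = data[0x1FE:0x200] == BOOT_SIGNATURE
    active = [i for i, p in enumerate(partitions) if p["active"]]
    return {"has_boot_signature": has_signature, "disk_signature": disk_signature,
            "partitions": partitions, "active_partitions": active,
            "bootable": has_signature and len(active) == 1}


def build_sample_mbr():
    """Constructed image reproducing the partition table bytes from the lab's
    xxd dump (offsets 0x1B8-0x1FF); the bootstrap code area is left zeroed."""
    img = bytearray(SECTOR_SIZE)
    img[0x1B8:0x1BC] = bytes.fromhex("85f2195a")            # disk signature
    img[0x1BE:0x1CE] = bytes.fromhex("80202100" "07feffff"  # entry 1: active, type 0x07
                                     "00080000" "00f82807")  # LBA 2048, sector count
    img[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(img)


def describe(mbr):
    """Render the parsed MBR as human-readable lines."""
    lines = [f"disk signature: 0x{mbr['disk_signature']:08X}",
             f"boot signature 0x55AA present: {mbr['has_boot_signature']}"]
    for i, p in enumerate(mbr["partitions"], start=1):
        if p["type"] == 0 and p["sectors"] == 0:
            lines.append(f"entry {i}: empty")
            continue
        flag = "active" if p["active"] else "inactive"
        lines.append(f"entry {i}: {flag}, type 0x{p['type']:02X} ({p['type_name']}), "
                     f"LBA {p['lba_start']}, {p['sectors']} sectors "
                     f"(~{p['size_bytes'] / 2**30:.1f} GiB), "
                     f"CHS {p['chs_start']} to {p['chs_end']}")
    lines.append(f"bootable: {mbr['bootable']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the dd output as an argument (e.g. ~/MBR.bin); otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_SIZE)
    else:
        data = build_sample_mbr()
    print(describe(parse_mbr(data)))
```

Run it as `python3 mbr_parse.py ~/MBR.bin` on the Linux machine to compare against the xxd view. On the sample it decodes the first entry as active (status 0x80), type 0x07, starting at LBA 2048 with 120125440 sectors, which at 512 bytes per sector is about 57.3 GiB, the same size lsblk showed for sdb1; the CHS end address of cylinder 1023, head 254, sector 63 is the conventional "maxed out" value written when the partition lies beyond what CHS addressing can express.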