Passwords - Cover or Concealment
Anyone who has ever been in the military, or taken a self-defense class involving weapons, can tell you there is a major difference between cover and concealment.
The argument of cover vs concealment often uses examples with sandbags and grass. While you could hide in the grass (with proper camouflage) the grass offers little real protection. Sandbags offer excellent cover, but are often the target of more devastating attacks. With a little ingenuity you can have both worlds.
Passwords are not dissimilar. Over the weekend I was invited to participate in a pentest exercise where we needed to prove that passwords did not protect data. Anyone with any background in security already knows this, but I figured I'd go over this anyway.
If the attacker has physical access to the machine, passwords can be changed, or data can be directly accessed without timestamps ever changing. Keyloggers can be added, and additional monitoring can be done even after the attack. These types of attacks are not limited to any one operating system either.
The black box: a Windows XP SP2 machine, fully patched, containing a hidden "seed" file in the Administrator's directory.
Immediately I booted the machine with a popular Linux distro with NTFS read/write support. The drive was mounted READ ONLY to keep the timestamps from changing.
The seed file could be seen on the system, but could not be extracted because it was protected by the Windows Encrypting File System (EFS). We also noticed that the main Administrator account had been renamed to NSASecret. Cute.
The drive was then remounted with read/write permissions.
The registry was updated so that a batch file would be run once, the next time NSASecret logged in:
--snip--
@rem runs under NSASecret's account at the next logon, so EFS decrypts the file for 'type'
@type "c:\documents and settings\nsasecret\secret\nsa-secrets.txt" >>C:\windows\exploited.log
@del c:\runonce.bat
--snip--
Now all we had to do was wait for NSASecret to log in to his workstation.
Sure enough, when NSASecret (our host) logged into his machine, a DOS window came up for a minute, then disappeared. On our side, all his dirty secrets were displayed for the whole world to see.
Scenario two: a machine is pulled out of storage after a year. The user doesn't remember his or her password or username. No encryption was used on the drive. The user just needs to get back in.
Same Linux distro, one utility: chntpw. User account 'jsmith' reset to a blank password; enjoy.
Scenario three: a machine is pulled out of storage; this time whole-directory encryption had been used but the password had been forgotten. Windows XP system. We had to recover the password.
Given its speed, reliability, and ease of use, we attempted a brute-force attack with Ophcrack. Within 3 minutes the password was recovered. Ophcrack will brute-force any LanMan hash of any alphanumeric combination up to 14 characters; speed depends on the RAM available in the machine.
Scenario four: recover the password of a security guru from the local Geek Squad. He uses between 10 and 14 characters, including alpha, numeric, and special characters. The Alpha-Numeric-System32-Space rainbow tables were used. In under 30 minutes the 12-character password, k2*}jPqoAz-s
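As an added illustration (not code from the post), the following Python models the pre-processing that makes LanMan hashes so cheap to recover in scenarios three and four: case folding, the 14-character limit, and the split into two independently hashed 7-byte halves. The DES step itself is omitted and ASCII input is assumed; the sample password is constructed.

```python
# Why the LanMan hash falls in minutes: it folds the password to upper case,
# refuses anything over 14 bytes, pads to 14 and hashes each 7-byte half
# independently, so an attacker searches two tiny spaces, never one big one.
# Added illustration, not code from the post; the DES step itself is left
# out, only the pre-processing and the resulting search cost are modelled.
import math

LM_MAX_LEN = 14

def lm_applicable(password: str) -> bool:
    """Windows stores no LM hash at all for passwords longer than 14 characters."""
    return len(password) <= LM_MAX_LEN

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """The two 7-byte blocks LM feeds to DES. Case is already gone here, which is
    why 'Passw0rd' and 'PASSW0RD' yield the same LM hash. ASCII assumed (real LM
    uses the OEM code page, identical for ASCII)."""
    if not lm_applicable(password):
        raise ValueError("no LM hash is stored for passwords over 14 characters")
    padded = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\0")
    return padded[:7], padded[7:]

def lm_half_search_cost(charset_size: int) -> int:
    """Candidates needed to exhaust one 7-byte half over a charset of the given
    size (after case folding: 26 letters + 10 digits = 36 for alphanumerics)."""
    return sum(charset_size ** n for n in range(1, 8))

def lm_total_search_cost(charset_size: int) -> int:
    """Worst case for a full LM hash: both halves, attacked independently."""
    return 2 * lm_half_search_cost(charset_size)

def nt_search_cost(charset_size: int, length: int) -> int:
    """An NT hash (MD4 of UTF-16) keeps case and length: one search of c**length."""
    return charset_size ** length

def security_bits(candidates: int) -> float:
    """Express a search cost as an equivalent key length in bits."""
    return math.log2(candidates)

if __name__ == "__main__":
    # constructed sample, not a password from the post
    print(lm_halves("Passw0rd!abcde"))
    print(f"LM, 36-symbol alphanumerics: {security_bits(lm_total_search_cost(36)):.1f} bits")
    print(f"NT, 62 symbols, 14 chars:   {security_bits(nt_search_cost(62, 14)):.1f} bits")
```

The two printed figures are the practical gap: an LM hash over the full alphanumeric set is a roughly 37-bit search, while the same 14-character password as an NT hash is over 80 bits, which is why disabling LM storage or using 15-plus characters is the usual mitigation.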
Scenario five: Linux workstation. The system administrator was terminated; his personal password and the root password are unknown. The system was rebooted with a Linux distro. Several methods of attack could be used here, so we demonstrated two:
/etc/shadow was edited and the password field was nulled. PAM allowed null-password logins: successful attack.
/etc/sudoers was given a legitimate user, then sudo passwd root: successful attack.
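An added defensive example, not the post's own code: an offline audit of the two Linux tampering steps above, checking /etc/shadow for emptied password fields, the PAM auth stack for nullok, and /etc/sudoers for grants outside an allow-list. The file contents are constructed samples, and the allow-list is an assumption.

```python
# Offline audit for the two tampering steps shown on the Linux workstation: an
# emptied password field in /etc/shadow (which PAM's `nullok` turns into a login
# with no password) and an unexpected /etc/sudoers grant. Added defensive
# example, not the post's code; all input below is constructed sample text.
import re
SHADOW = """root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
jsmith::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""
PAM_AUTH = """auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
"""
SUDOERS = """root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
jsmith ALL=(ALL) ALL   # the line the attacker added
"""
SUDO_ALLOWLIST = frozenset({"root", "%wheel"})  # assumed site policy
SUDOERS_KEYWORDS = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def empty_password_accounts(shadow_text: str) -> list[str]:
    """Accounts whose hash field is empty. '*' and '!' are locked, not empty."""
    return [f[0] for f in (line.split(":") for line in shadow_text.splitlines())
            if len(f) >= 2 and f[1] == ""]

def pam_allows_null(pam_text: str) -> bool:
    """True if an active pam_unix line carries nullok or nullok_secure."""
    return any("pam_unix.so" in line and re.search(r"\bnullok(_secure)?\b", line)
               for line in pam_text.splitlines() if not line.lstrip().startswith("#"))

def unexpected_sudo_grants(sudoers_text: str, allowed=SUDO_ALLOWLIST) -> list[str]:
    """Principals with a user specification that are not on the allow-list."""
    found = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(SUDOERS_KEYWORDS):
            continue
        principal = line.split()[0]
        if principal not in allowed:
            found.append(principal)
    return found

def audit(shadow_text: str, pam_text: str, sudoers_text: str) -> list[str]:
    """Combine the three checks into a list of findings (empty list = clean)."""
    findings = [f"empty password field: {u}" for u in empty_password_accounts(shadow_text)]
    if findings and pam_allows_null(pam_text):
        findings.append("pam_unix nullok is set: those accounts log in with no password")
    findings += [f"sudo grant outside allow-list: {p}" for p in unexpected_sudo_grants(sudoers_text)]
    return findings
```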
In all cases keyloggers could have been installed because we had access to the target machine. With a keylogger, even encrypted data could eventually be recovered.
All attacks were timed and took under an hour, with most taking mere minutes. In many cases most of the time was spent booting and rebooting the machine.
Moral of this story:
Passwords are no more than concealment. If you're looking for true cover, look towards full disk encryption, layer 0.
Links: Backtrack, Ophcrack, Rainbow tables
