
Thread: Pen-test of a "secured" Windows-based laptop

  #1 lanwarrior (Junior Member; joined May 2008; 39 posts)

    Pen-test of a "secured" Windows-based laptop

    I recently came across a project that my colleague is working on for a client who wants him to audit the security of their Windows laptops.

    The client's Windows admin claims their laptops are very secure because of the following:

    1) HDD Encryption
    They use PointSec, which encrypts the HDD. When booting up the laptop, there is not even a BIOS prompt; it goes straight to the PointSec login screen.
    - ADMIN CLAIM: BackTrack or any other UNIX-based LiveCD will not work

    2) NO ADMIN PRIVILEGE
    No one in the company, from the CEO to an accountant, has Administrative privileges.
    - ADMIN CLAIM: no copying of the SAM or SECURITY file (for cracking the local Windows Admin password), no installing tools like Cain & Abel, not even running an OS in VMware.

    3) SPYWARE, ANTIVIRUS, FIREWALL
    - ADMIN CLAIM: these tools will detect and automatically delete cracking tools like John the Ripper, block websites with spyware, and block inbound network access such as Remote Desktop, Telnet, VNC, RDP, or tools like Metasploit, etc. These tools are managed centrally so users (or a hacker) cannot disable them.

    We were given a sample laptop to pen-test, and so far:

    1) We couldn't run BackTrack due to the HDD encryption.
    2) We were given a local user account with no admin access. We couldn't run any password cracking tool or connect remotely; the spyware, antivirus, and firewall were blocking this.

    So before my colleague writes the audit report, which will show that the client's laptops are indeed secure and cannot be broken into with anything (unless the technology changes), is there anything else we can try?

  #2 Archangel-Amael (Super Moderator; joined Jan 2010; location: Somewhere; 8,012 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    I kind of doubt where this is headed, but why not power up the machine, run a scanner against it, check for running and/or vulnerable services and go from there?
    Pretty much the standard and straightforward way of going about things.

  #3 skidmarq (Junior Member; joined Jan 2010; 88 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    I'm in agreement as far as the legitimacy of this, but I'll give you the benefit of the doubt... With pre-boot authentication (encryption software such as PGP Desktop), you are not going to have much luck from a physical perspective, so step back a bit and begin with the basics.

    When the machine is powered on, what daemons are running? Is the firewall configured to block all daemons from receiving inbound connections?

    What is the scope of your test? Are you allowed to socially engineer, etc?
    Last edited by skidmarq; 07-03-2010 at 04:17 PM.
    I got 99 problems but the bits ain't one...

  #4 lanwarrior (Junior Member; joined May 2008; 39 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    The scope of the project is to assess the IT security posture from the following perspective:
    1) Network (External only)
    2) Web-applications (External only)
    3) Mobile devices

    We can use any pen-test tool, but the following are prohibited:
    1) Any test with the goal of bringing the network down (DDoS, etc.)
    2) Physical contact (robbery, break-in to the office, etc.) --> Social Engineering falls under this

    This thread focuses on #3, which includes the test laptop discussed above. The goal of test #3 is to determine whether, if the client laptop is stolen / lost, it is protected as follows:
    1) Prevent access to the laptop (HDD encryption)
    2) Prevent local admin privilege
    3) With #1 and #2, the data in the laptop is protected.

    Quote Originally Posted by Archangel-Amael
    ….why not powerup the machine and run a scanner against it and check for running and or vulnerable services and go from there.
    Pretty much standard and straightforward way of going about things.
    We did, as I mentioned in the 1st post, step no. 2. For example, we ran basic Nmap / Nessus scans and could only see very few ports open, with these services:
    - 139 (NetBIOS)
    - 912 (Nmap/Nessus reported this is WU-FTPD, which seems correct since when we tried to FTP to it, instead of getting connection denied, we got "Incorrect username/login")
    - 1505 (FunkProxy)
    - 8081 (McAfee ePO Agent - they use centrally managed anti-virus)

    We tried connecting remotely using NetBIOS using the normal Windows user account that we are given, but no connection is allowed.

    Quote Originally Posted by skidmarq
    When the machine is powered on, what daemons are running? Is the firewall configured to block all daemons from receiving inbound connections?

    What is the scope of your test? Are you allowed to socially engineer, etc?
    No on social engineering. The scope of the test is as mentioned above.

    When we log in using the normal Windows account, there are a bunch of processes running. Some are normal Windows processes, some are stuff that may be interesting, but we couldn't do much with them so far:
    1) Altiris (AeXAgentUIHost.exe, AeXNSAgent.exe, etc)
    2) Funk Software Proxy (phtray.exe)
    3) DameWare MRC agent (DWRCST.exe)
    4) enstart.exe (This is from Windows Services list, part of EnCase Enterprise Note from Guardian)

    We did find out that when the laptop wakes up from sleep mode, there is no PointSec login prompt. Also, when the laptop is rebooted (Windows -> Restart), we see the BIOS screen and the option to boot from CD. So these two are the primary focus for our pen-test, where we would like to see if there is any way we can get Local Administrator privilege.
    Last edited by lanwarrior; 07-03-2010 at 06:58 PM.

  #5 (rank: Just burned his ISO; joined Jun 2010; 2 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    I would offer that while social engineering is prohibited, it is a real-world possibility. If someone were to steal the laptop, they could/would use social engineering to access it or escalate privileges. I know this doesn't help now, and I'm sure you have already thought of that, but I figured I would say something anyway.

  #6 (rank: Just burned his ISO; joined Jun 2010; 10 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    You mention the laptops have a lot of "centrally managed" security features like AV. Have you tried finding vulnerabilities in their network/server? Not DoS attacks, but straight-on ways to access the main system that runs the lappys?

  #7 skidmarq (Junior Member; joined Jan 2010; 88 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    I do see a couple of angles you might use for privilege escalation....

  #8 Gitsnik (Very good friend of the forum; joined Jan 2010; location: The Crystal Wind; 851 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by skidmarq
    I do see a couple of angles you might use for privilege escalation....
    You're not the only one.

    That said, a few of us are obviously unsure of the legitimacy (nature of the internet and a buck-tiny post count, etc.), in which case you pretty well have to finish your report with: "Just because we can't get in doesn't mean someone else couldn't in the future" (obviously worded a bit better than that).
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  #9 (rank: Just burned his ISO; joined Jun 2010; 10 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by Gitsnik
    in which case you pretty well have to finish your report up with: "Just because we can't get in doesn't mean someone else couldn't in the future" (obviously worded a bit better than that).
    No matter who you are and how much an expert/professional (if professional, even more so), that statement should be in the summary of the report because you can't guarantee that it is fool proof. Never can you be so sure of yourself that you would say without a doubt this system is secure.

    "It takes many to build a wall but only one to knock it down." ~ probably some fricken Chinese proverb

  #10 lupin (Super Moderator; joined Jan 2010; 2,943 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by lanwarrior
    The client's Windows admin claim their laptops are very secure because of the following
    Secure against what? Have they determined the likely threats or attacks that might be launched against this system given what it will be used for? If you are going to claim something is secure you need to understand what the threats are.

    Quote Originally Posted by lanwarrior
    1). HDD Encryption
    They use PointSec that encrypt the HDD. When booting up the laptop, there is not even a BIOS prompt and it goes straight to the PointSec login screen.
    - ADMIN CLAIM: Backtrack or any other UNIX-based LiveCD will not work
    Let's be more specific here. This will prevent accessing the files on the hard drive via a method like booting from BackTrack, but it won't necessarily prevent you from booting something like BackTrack. I'm not quite sure how they managed to prevent the BIOS prompt from appearing, though it's likely that with physical access you could bypass it. Pointsec itself doesn't provide the BIOS-level protection. I have tested Pointsec for PC encrypted laptops myself, using several different versions of the software, including the most recent build after they were bought out by CheckPoint, and I have been able to boot them from alternate media, although I haven't been able to access the contents of encrypted sections of the disk (you don't have to encrypt the whole disk using this software, so keep that in mind). So if you can figure out a way to get past that BIOS setting (maybe just the right keypress is required at boot time) you should be able to boot BackTrack, and then confirm that there are no unencrypted partitions storing data on the HDD. Or you could physically remove the drive from the laptop and try to access it that way (if that's permitted in the terms of engagement). And what about physically resetting the BIOS parameters - there might be a hardware switch to allow this, or pulling the CMOS battery might do it too.

    An evil maid style attack may also be possible (Google it). And what about FireWire ports on the laptop? You may be able to grab the contents of memory of a running system and extract encryption keys. And I'm assuming that the screen locks when the screensaver activates, and requires a password to unlock (yes, I have seen secure laptop builds that didn't require a password to unlock...)

    Quote Originally Posted by lanwarrior
    2). NO ADMIN PRIVILEGE
    Anyone in the company, from CEO to Accountant, do not have Administrative privileges.
    - ADMIN CLAIM: no copying of SAM or Security file (for cracking local Windows Admin password), no installing tools like Cain & Able, not even running VMWare OS.
    How well is it patched, and how well is the Windows install hardened? As others have mentioned, privilege escalation....

    Quote Originally Posted by lanwarrior
    3) SPYWARE, ANTIVIRUS, FIREWALL
    - ADMIN CLAIM: these tools will detect and automatically delete cracking tools like JohnTheRipper, prevent website with spyware, and block inbound network access such as Remote Desktop, Telnet, VNC, RDP, or tool like MetaSploit, etc.. These tools are managed centrally so users (or hacker) cannot disable it.
    Excuse me while I chuckle politely to myself. Antivirus can be bypassed - you will be able to find information via Google, and I have even done a few posts on my blog on the subject. Local firewalls can be bypassed - is IE allowed to communicate outbound? Try a reverse_http payload, where the communication is channelled outbound by the PassiveX ActiveX object within an IE session. The Canvas HTTP MOSDEF payloads also use IE (I'm pretty sure). You might not even need to get that complicated if outbound access is unrestricted; just a regular reverse TCP connection will suffice.

    I'd also want to test the claim that it cannot be disabled in any way. Can you change the configuration? I have seen AV systems that check their configuration every x minutes and reset it back to the baseline. No problem, just have a process that changes the settings to your desired values every few seconds.

    And again - patching. Are third-party applications, like Shockwave, Flash and Adobe Reader, kept up to date? They are brilliant ways to get that initial foothold onto the system. And you can bypass AV detection for those too (I've done a blog entry on bypassing AV detection for PDF files).

    So basically, depending on how everything is configured you may have to customise some stuff to get it to work, but a claim that AV and a firewall make a system bulletproof is ridiculous. It may, however, be "good enough": if you have to have detailed knowledge of how the system works, have to customise common tools and jump through ridiculous hoops to get access, that may be OK from their perspective (this should be reflected in the risk rating of the finding in any report). They do seem to have an unjustified sense of invulnerability from what you have described, though, so it might be worth pointing out that this is not necessarily justified.
    Last edited by lupin; 07-04-2010 at 04:54 AM. Reason: Added some more stuff
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
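Lupin's advice to boot alternate media and then "confirm that there are no unencrypted partitions storing data on the HDD" can be checked against a raw image of the drive rather than by eyeballing partition tables. The following is an added example, not code from the original thread, from Pointsec or from any forum member: it labels 4 KiB chunks of a disk image as encrypted, plaintext or zeroed by Shannon entropy and merges them into regions. The image is constructed in memory and labelled as such; the layout and the 7.5 bits/byte threshold are this example's own assumptions.

```python
"""Added example (not from the original thread or from Pointsec): label
regions of a raw disk image as encrypted, plaintext or zeroed using Shannon
entropy, to spot unencrypted partitions that still hold data."""
import math
import random
from collections import Counter

CHUNK = 4096          # bytes per measurement (8 sectors)
THRESHOLD = 7.5       # bits/byte; random-looking (ciphertext) data sits near 8.0


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte, between 0.0 (constant) and 8.0 (uniform)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def label_chunk(block: bytes) -> str:
    """Coarse label for one chunk; see the usage note for the caveats."""
    if not any(block):
        return "zeroed"                   # never written, or wiped
    if shannon_entropy(block) >= THRESHOLD:
        return "encrypted"                # or compressed: high entropy only
    return "plaintext"                    # structured data: filesystems, documents


def _append(regions, start, end, label):
    """Extend the last region if the label repeats, else open a new one."""
    if regions and regions[-1][2] == label:
        regions[-1] = (regions[-1][0], end, label)
    else:
        regions.append((start, end, label))


def classify_regions(image: bytes, chunk: int = CHUNK):
    """Return merged (start, end, label) regions covering the whole image."""
    regions = []
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        _append(regions, off, off + len(block), label_chunk(block))
    return regions


def classify_device(path: str, chunk: int = CHUNK):
    """Same classification, streamed from a dd image or a block device."""
    regions, off = [], 0
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return regions
            _append(regions, off, off + len(block), label_chunk(block))
            off += len(block)


def build_sample_image() -> bytes:
    """Constructed image: 16 KiB 'encrypted' partition, 8 KiB unused space,
    16 KiB unencrypted partition holding a document. Not real laptop data."""
    rng = random.Random(42)
    encrypted = bytes(rng.getrandbits(8) for _ in range(16384))
    unused = bytes(8192)
    doc = (b"Q3 forecast: laptop revenue up 4% on enterprise refresh. " * 400)[:16384]
    return encrypted + unused + doc


if __name__ == "__main__":
    for start, end, label in classify_regions(build_sample_image()):
        print(f"{start:#010x}-{end:#010x}  {label}")
```

Run `classify_device` against a dd image of the whole drive taken from the live CD and look for any "plaintext" region outside the small pre-boot area Pointsec needs. The test is one-directional: filesystem metadata, office documents and mail stores score low and are what you are hunting for, but compressed or already-encrypted files also score near 8.0, so a high-entropy region is not proof that the sector is protected by the FDE product.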
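The FireWire point above ("grab the contents of memory of a running system and extract encryption keys") comes down to one check that cold-boot and DMA tools such as aeskeyfind perform: a 16-byte candidate is an AES-128 key if the 160 bytes following it in memory are exactly its FIPS-197 key schedule, which software disk encryption drivers typically keep expanded in RAM. The following added example, not from the original thread and not any vendor's code, implements that scan over a constructed memory dump. It assumes the FDE driver holds an expanded AES-128 schedule contiguously in memory (a stated assumption about software FDE in general, not a claim about Pointsec); the dump contents, the seed and the planted offset are the example's own.

```python
"""Added example (not from the original thread): locate AES-128 keys in a raw
memory dump by finding a complete key schedule, the aeskeyfind-style check used
on cold-boot or FireWire/DMA captures. The dump is constructed, not captured."""
import random


def _rotl8(x: int, s: int) -> int:
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Compute the AES S-box (GF(2^8) inverse followed by the affine map)
    instead of embedding the 256-entry table; p*q == 1 is the loop invariant."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63          # 0 has no inverse; affine constant only
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176      # 11 round keys * 16 bytes for AES-128


def _next_word(prev_word: bytes, word_minus_4: bytes, i: int) -> bytes:
    """w[i] = w[i-4] XOR f(w[i-1]); f applies RotWord/SubWord/Rcon when i%4==0."""
    t = prev_word
    if i % 4 == 0:
        t = bytes(SBOX[b] for b in t[1:] + t[:1])
        t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]
    return bytes(a ^ b for a, b in zip(word_minus_4, t))


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def find_aes128_keys(dump: bytes, step: int = 1):
    """Return [(offset, key)] for every offset whose next 176 bytes are a valid
    AES-128 schedule. A cheap check on word 4 filters almost every offset
    before the full expansion is compared; a 160-byte match is never chance."""
    hits = []
    for off in range(0, len(dump) - SCHEDULE_LEN + 1, step):
        cand = dump[off:off + 16]
        if _next_word(cand[12:16], cand[0:4], 4) != dump[off + 16:off + 20]:
            continue
        if expand_key(cand) == dump[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


def build_sample_dump(key: bytes, key_offset: int, size: int = 32768) -> bytes:
    """Constructed 'memory image': pseudo-random filler with one expanded
    schedule planted at key_offset, as a driver's key material would sit."""
    rng = random.Random(2010)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[key_offset:key_offset + SCHEDULE_LEN] = expand_key(key)
    return bytes(buf)


if __name__ == "__main__":
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    for off, key in find_aes128_keys(build_sample_dump(k, 0x1F00)):
        print(f"AES-128 key schedule at {off:#x}: key={key.hex()}")
```

Feed it a physical-memory capture taken over the FireWire port of the test laptop while it is locked, and look for hits inside the disk-encryption driver's allocations. Lanwarrior's observation that resuming from sleep shows no Pointsec prompt is why this matters for the engagement: if the volume key is not evicted on sleep (an inference from that behaviour, not something the thread confirms), a capture taken from the sleeping or locked machine contains it, and the pre-boot authentication the admin relies on is never consulted.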

