Pen-test of a "secured" Windows-based laptop

[lanwarrior]

You're not the only one.

That said, a few of us are obviously unsure of the legitimacy (nature of the internet and a buck-tiny post count etc), in which case you pretty well have to finish your report up with: "Just because we can't get in doesn't mean someone else couldn't in the future" (obviously worded a bit better than that).

I don't know how else I can proof the legitimacy on this other than what I mentioned in the first thread without breaking the NDA. I merely asking for expert opinion. Otherwise, I think anybody that ask about "How to hack this and that" in this forum can be deemed to be ALL non-legitimate, right?

The best I can say is that you can search my username in this forum and I have been asking question for a long time, even help give me my 2-cents on how to make writeable BT image on SD card.

In terms of writing report, as some of you may know in any security related project... yes, you can put the statement above, but it's the responsibility of the consultant to do due diligence to make sure all the basic is covered. I can't just say "Oh, you have web application with username and password protection, that's secure". What happened if there's a SQL Injection vulnerability in that web application? If I attempted SQL injection and other pen-test using, say, WebInspect, and there's no finding at that time, then I've done my due diligence.

[lanwarrior]

Lupin,

Thank you for the information.

The claim from the client's Windows admin is.. well.. that's it.. his claim. Of course, I am not buying just of his word. That's why the client brought in my company to do the external pen-test from outside perspective.

About the HDD encryption, basically this is what I see (using the test laptop I have)
1) COLD BOOT (machine off)
a. Turn on laptop
b. No BIOS is presented, only PointSec login screen
c. Enter PointSec username and password
d. Boot immediately to Windows. They use SSO in PointSec, so no need to enter Windows username and password for a second time.
2) FROM SLEEP or RESTART
In this manner, then I can see the BIOS prompt to force the laptop to boot to CD. However, the HDD is still encrypted.

I have removed the HDD, put it in an USB enclosure, and tried to access it from another computer, but the HDD is still encrypted. In Windows, it will show up as unformatted HDD, in Mac, it'll show up as "NTFS Compressed" but cannot be mounted. In BT, it just won't recognized. So this was my original thinking that BT cannot be used for direct pen-test with an encrypted HDD.

About the AV, Firewall and Spyware, yes, outbound communication is allowed. I have tested several connection, such as HTTP, HTTPS, telnet, ssh and FTP and they all work.
The McAffee processes cannot be disabled…. so far. I tried from command line and task manager, even from Windows Services and no go. I'll research more on McAfee (disabling services, etc.)

In term of patching, they're pretty good. They use Altiris to manage application and OS patches. They actually disable non-essential software, such as Adobe PDF and Flash. Even running Windows Defragmenter is not allowed under normal Windows user account.

[lupin]

The claim from the client's Windows admin is.. well.. that's it.. his claim. Of course, I am not buying just of his word. That's why the client brought in my company to do the external pen-test from outside perspective.

Yes, Ive heard the same sort of claims.

About the HDD encryption, basically this is what I see (using the test laptop I have)
1) COLD BOOT (machine off)
a. Turn on laptop
b. No BIOS is presented, only PointSec login screen
c. Enter PointSec username and password
d. Boot immediately to Windows. They use SSO in PointSec, so no need to enter Windows username and password for a second time.
2) FROM SLEEP or RESTART
In this manner, then I can see the BIOS prompt to force the laptop to boot to CD. However, the HDD is still encrypted.

I have removed the HDD, put it in an USB enclosure, and tried to access it from another computer, but the HDD is still encrypted. In Windows, it will show up as unformatted HDD, in Mac, it'll show up as "NTFS Compressed" but cannot be mounted. In BT, it just won't recognized. So this was my original thinking that BT cannot be used for direct pen-test with an encrypted HDD.

Yes, the software is pretty decent, as long as its implemented correctly. If the hard drive is encrypted and you don't have the key, basically you're not getting in. The only things you can check here are whether any unencrypted data exists on the hard drive (e.g. if the software was configured to only encrypt one partition), and whether you can steal one of the keys used to perform the encryption, via evil maid, firewire direct memory access, or other memory access methods (like a trojan on the system).

About the AV, Firewall and Spyware, yes, outbound communication is allowed. I have tested several connection, such as HTTP, HTTPS, telnet, ssh and FTP and they all work.
The McAffee processes cannot be disabled…. so far. I tried from command line and task manager, even from Windows Services and no go. I'll research more on McAfee (disabling services, etc.)

In term of patching, they're pretty good. They use Altiris to manage application and OS patches. They actually disable non-essential software, such as Adobe PDF and Flash. Even running Windows Defragmenter is not allowed under normal Windows user account.

Without vulnerable software on the system you are pretty much limited to social engineering style attacks to get the user to run some sort of trojan executable, or maybe hijacking of some legitimate traffic to serve up something nasty in place of an expected "nice" file. USB/CD/DVD autorun might also be an option.

When you tried to kill the AV process via task manager, did you get an access denied message or did it just start up again? It might be monitored by another process that you have to kill simultaneously, you can kill multiple processes at once using the taskkill command, and even stick it in a batch file with a loop just in case one go around wont stop it (I have had to do this with malware before, it might work here too).

[Archangel-Amael]

I am going to guess that those services above in your second post are out of question since two of them have vulns listed,( I of which has no remedy as of 3 july2010 after being reported on 8 august 2002. I will let you figure out per your own research which ones, I am talking about) otherwise you would have mentioned this.
Also of interest you are talking about wu-ftpd being run, which is to my knowledge a unix ftp service and a deprecated one at that.

[killadaninja]

When you tried to kill the AV process via task manager, did you get an access denied message or did it just start up again? It might be monitored by another process that you have to kill simultaneously, you can kill multiple processes at once using the taskkill command, and even stick it in a batch file with a loop just in case one go around wont stop it (I have had to do this with malware before, it might work here too).

Very important information there, a lot of these programs are monitored by sometimes "un-obvious processes", a looped taskkill script may even let the attacker get the job done, without finding that "un-obvious" process.

[lanwarrior]

When you tried to kill the AV process via task manager, did you get an access denied message or did it just start up again? It might be monitored by another process that you have to kill simultaneously, you can kill multiple processes at once using the taskkill command, and even stick it in a batch file with a loop just in case one go around wont stop it (I have had to do this with malware before, it might work here too).

I did, but I got Access Denier error, mostly due to the non-administrator account that I have or that it's enforced by McAfee EPO?

I am going to guess that those services above in your second post are out of question since two of them have vulns listed,( I of which has no remedy as of 3 july2010 after being reported on 8 august 2002. I will let you figure out per your own research which ones, I am talking about) otherwise you would have mentioned this.
Also of interest you are talking about wu-ftpd being run, which is to my knowledge a unix ftp service and a deprecated one at that.

Thanks for the tip, I will research on that but the audit report is due this Friday, so I hope I can get something in the next 48 hours.

Regarding the UNIX Ftp service, it sounds like this port is used by WS-FTP. I know the client use WS-FTP heavily to transfer data between customers and them.

[lupin]

I did, but I got Access Denier error, mostly due to the non-administrator account that I have or that it's enforced by McAfee EPO?

Most likely a permissions issue due (due to your non admin status) I would say. If you have access to an admin account, or can install the software on a system where you do have admin rights, you could find out for sure.

[lanwarrior]

Most likely a permissions issue due (due to your non admin status) I would say. If you have access to an admin account, or can install the software on a system where you do have admin rights, you could find out for sure.

Correct, and that's what I was trying to do in my first post, but alas I don't have Admin privilege

I'll try to boot from Floppy after entering the PointSec magic key combo and see what happens.

[Archangel-Amael]

Thanks for the tip, I will research on that but the audit report is due this Friday, so I hope I can get something in the next 48 hours.

Took me about 2 minutes to google all of your above listed services. I will assume you can do the same.

Regarding the UNIX Ftp service, it sounds like this port is used by WS-FTP. I know the client use WS-FTP heavily to transfer data between customers and them.

If you mean the ws-ftp application from Ipswitch, inc. there are 3 different versions one of which is pretty basic and could be compromised.

[lanwarrior]

Took me about 2 minutes to google all of your above listed services. I will assume you can do the same. If you mean the ws-ftp application from Ipswitch, inc. there are 3 different versions one of which is pretty basic and could be compromised.

I meant, research, try each of the vulnerabilities, document it, and prep the audit report. That will take longer than 2 minutes. The holy grail is still the same: gain elevated privilege from the normal account, which I do have access to.

UPDATE:

Well, I have tried the meterpreter scripts with MetaSpolit to attempt to kill the AV and I get "Operation Failed". I believe this is due to the non-admin privilege account and the combo of the AV/Spyware itself. I tried to do the "Aurora" IE exploit, same thing.. no go...

I tried booting from Floppy by pressing the combo key during PointSec authentication (it only gives Floppy, PXE or HDD), but nothing boots from Floppy. I believe it works only with PointSec Recovery floppy and nothing else.

I do see a couple of angles you might use for privilege escalation....

Em.... care to enlighten me?