Page 2 of 5
Results 11 to 20 of 42

Thread: Pen-test of a "secured" Windows-based laptop

  1. #11 lanwarrior (Junior Member, joined May 2008, 39 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by Gitsnik View Post
    You're not the only one.

    That said, a few of us are obviously unsure of the legitimacy (nature of the internet and a buck-tiny post count etc), in which case you pretty well have to finish your report up with: "Just because we can't get in doesn't mean someone else couldn't in the future" (obviously worded a bit better than that).
    I don't know how else I can prove the legitimacy of this other than what I mentioned in the first thread without breaking the NDA. I am merely asking for expert opinion. Otherwise, I think anybody that asks about "how to hack this and that" in this forum can be deemed to be ALL non-legitimate, right?

    The best I can say is that you can search my username in this forum: I have been asking questions for a long time, and have even given my 2 cents on how to make a writeable BT image on an SD card.

    In terms of writing the report, as some of you may know from any security-related project... yes, you can put the statement above, but it's the responsibility of the consultant to do due diligence to make sure all the basics are covered. I can't just say "Oh, you have a web application with username and password protection, that's secure". What happens if there's a SQL injection vulnerability in that web application? If I attempted SQL injection and other pen-tests using, say, WebInspect, and there were no findings at that time, then I've done my due diligence.

  2. #12 lanwarrior (Junior Member, joined May 2008, 39 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Lupin,

    Thank you for the information.

    The claim from the client's Windows admin is.. well.. that's it.. his claim. Of course, I am not buying it just on his word. That's why the client brought in my company to do the external pen-test from an outside perspective.

    About the HDD encryption, basically this is what I see (using the test laptop I have)
    1) COLD BOOT (machine off)
    a. Turn on laptop
    b. No BIOS is presented, only the PointSec login screen
    c. Enter PointSec username and password
    d. Boot immediately to Windows. They use SSO in PointSec, so no need to enter Windows username and password for a second time.
    2) FROM SLEEP or RESTART
    In this case, I can see the BIOS prompt to force the laptop to boot from CD. However, the HDD is still encrypted.

    I have removed the HDD, put it in a USB enclosure, and tried to access it from another computer, but the HDD is still encrypted. In Windows, it shows up as an unformatted HDD; in Mac, it shows up as "NTFS Compressed" but cannot be mounted. In BT, it just isn't recognized. So this was my original thinking, that BT cannot be used for a direct pen-test with an encrypted HDD.

    About the AV, firewall and spyware: yes, outbound communication is allowed. I have tested several connections, such as HTTP, HTTPS, telnet, ssh and FTP, and they all work.
    The McAfee processes cannot be disabled... so far. I tried from the command line and Task Manager, even from Windows Services, and no go. I'll research more on McAfee (disabling services, etc.)

    In terms of patching, they're pretty good. They use Altiris to manage application and OS patches. They actually disable non-essential software, such as Adobe PDF and Flash. Even running the Windows defragmenter is not allowed under a normal Windows user account.

  3. #13 lupin (Super Moderator, joined Jan 2010, 2,943 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by lanwarrior View Post
    The claim from the client's Windows admin is.. well.. that's it.. his claim. Of course, I am not buying it just on his word. That's why the client brought in my company to do the external pen-test from an outside perspective.
    Yes, I've heard the same sort of claims.

    Quote Originally Posted by lanwarrior View Post
    About the HDD encryption, basically this is what I see (using the test laptop I have)
    1) COLD BOOT (machine off)
    a. Turn on laptop
    b. No BIOS is presented, only the PointSec login screen
    c. Enter PointSec username and password
    d. Boot immediately to Windows. They use SSO in PointSec, so no need to enter Windows username and password for a second time.
    2) FROM SLEEP or RESTART
    In this case, I can see the BIOS prompt to force the laptop to boot from CD. However, the HDD is still encrypted.

    I have removed the HDD, put it in a USB enclosure, and tried to access it from another computer, but the HDD is still encrypted. In Windows, it shows up as an unformatted HDD; in Mac, it shows up as "NTFS Compressed" but cannot be mounted. In BT, it just isn't recognized. So this was my original thinking, that BT cannot be used for a direct pen-test with an encrypted HDD.
    Yes, the software is pretty decent, as long as it's implemented correctly. If the hard drive is encrypted and you don't have the key, basically you're not getting in. The only things you can check here are whether any unencrypted data exists on the hard drive (e.g. if the software was configured to only encrypt one partition), and whether you can steal one of the keys used to perform the encryption, via evil maid, firewire direct memory access, or other memory access methods (like a trojan on the system).

    Quote Originally Posted by lanwarrior View Post
    About the AV, firewall and spyware: yes, outbound communication is allowed. I have tested several connections, such as HTTP, HTTPS, telnet, ssh and FTP, and they all work.
    The McAfee processes cannot be disabled... so far. I tried from the command line and Task Manager, even from Windows Services, and no go. I'll research more on McAfee (disabling services, etc.)

    In terms of patching, they're pretty good. They use Altiris to manage application and OS patches. They actually disable non-essential software, such as Adobe PDF and Flash. Even running the Windows defragmenter is not allowed under a normal Windows user account.
    Without vulnerable software on the system you are pretty much limited to social engineering style attacks to get the user to run some sort of trojan executable, or maybe hijacking of some legitimate traffic to serve up something nasty in place of an expected "nice" file. USB/CD/DVD autorun might also be an option.

    When you tried to kill the AV process via Task Manager, did you get an access denied message or did it just start up again? It might be monitored by another process that you have to kill simultaneously. You can kill multiple processes at once using the taskkill command, and even stick it in a batch file with a loop just in case one go-around won't stop it (I have had to do this with malware before; it might work here too).
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
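The two checks lupin lists above, unencrypted partitions and leftover cleartext, can be done offline against a raw image of the drive. The following is an added example for this thread, not code from the posts or from PointSec. It assumes you have a sector-by-sector image of the disk (for example one taken with dd from the USB enclosure lanwarrior describes); it parses the MBR partition table, checks whether each partition starts with a readable NTFS boot sector, and flags 4 KiB chunks whose byte entropy falls well below the near-8 bits/byte that ciphertext shows. The sample image it builds when run without an argument is constructed for the demonstration.

```python
"""Scan a raw disk image for partitions or regions that are not actually encrypted.

Added example for the thread above, not code from the original posts.
Assumes a raw sector-by-sector image of the drive; the sample image is constructed.
"""
import hashlib
import math
import struct
import sys
from collections import Counter

SECTOR = 512
NTFS_OEM = b"NTFS    "      # OEM ID at offset 3 of a cleartext NTFS boot sector
BOOT_SIG = b"\x55\xaa"      # signature at offset 510 of an MBR or boot sector


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0; text, zeros and metadata sit far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_mbr(sector: bytes) -> list:
    """Return (type, lba_start, sector_count) for each populated MBR partition entry."""
    if len(sector) < SECTOR or sector[510:512] != BOOT_SIG:
        return []
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((ptype, lba_start, count))
    return parts


def is_ntfs_boot_sector(sector: bytes) -> bool:
    """A readable NTFS boot sector means the start of that partition is not encrypted."""
    return sector[3:11] == NTFS_OEM and sector[510:512] == BOOT_SIG


def scan_image(image: bytes, chunk_size: int = 4096, threshold: float = 7.0) -> dict:
    """Report partitions whose header is cleartext and chunks whose entropy is low."""
    findings = {"partitions": [], "low_entropy_chunks": []}
    for ptype, lba, count in parse_mbr(image[:SECTOR]):
        start = lba * SECTOR
        findings["partitions"].append({
            "type": ptype, "lba_start": lba, "sectors": count,
            "ntfs_header_readable": is_ntfs_boot_sector(image[start:start + SECTOR]),
        })
    # only whole chunks are scored; a partial tail is ignored
    for off in range(0, len(image) - chunk_size + 1, chunk_size):
        ent = shannon_entropy(image[off:off + chunk_size])
        if ent < threshold:
            findings["low_entropy_chunks"].append((off, round(ent, 2)))
    return findings


def build_sample_image() -> bytes:
    """Constructed 24-sector image: MBR, a cleartext NTFS partition, an 'encrypted' one."""
    def filler(n: int) -> bytes:   # deterministic high-entropy bytes standing in for ciphertext
        out = bytearray()
        i = 0
        while len(out) < n:
            out += hashlib.sha256(b"filler" + i.to_bytes(4, "little")).digest()
            i += 1
        return bytes(out[:n])

    mbr = bytearray(SECTOR)
    # entry 0: type 0x07 at LBA 8, 8 sectors; entry 1: type 0x07 at LBA 16, 8 sectors
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 8)
    mbr[462:478] = bytes([0x00, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 16, 8)
    mbr[510:512] = BOOT_SIG
    gap = bytes(SECTOR * 7)                                   # sectors 1..7 unused
    boot = bytearray(b"\xeb\x52\x90" + NTFS_OEM)             # jump + OEM ID
    boot += bytes(510 - len(boot)) + BOOT_SIG
    text = (b"Confidential board minutes, do not distribute. " * 200)[:SECTOR * 7]
    return bytes(mbr) + gap + bytes(boot) + text + filler(SECTOR * 8)


if __name__ == "__main__":
    # usage: python scan_image.py /path/to/drive.img   (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    result = scan_image(data)
    for p in result["partitions"]:
        print("partition type 0x%02x at LBA %d: NTFS header readable = %s"
              % (p["type"], p["lba_start"], p["ntfs_header_readable"]))
    for off, ent in result["low_entropy_chunks"]:
        print("low entropy (%.2f bits/byte) at offset %d" % (ent, off))
```

A high-entropy result is not proof of strong encryption, but a readable filesystem header, or a long run of low-entropy chunks inside a partition that is supposed to be encrypted, is exactly the kind of finding that belongs in the report. A whole-drive image should be streamed in chunks rather than read into memory as this example does for brevity.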

  4. #14 Archangel-Amael (Super Moderator, Somewhere, joined Jan 2010, 8,012 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    I am going to guess that those services above in your second post are out of the question, since two of them have vulns listed (one of which has no remedy as of 3 July 2010 after being reported on 8 August 2002; I will let you figure out, per your own research, which ones I am talking about), otherwise you would have mentioned this.
    Also of interest, you are talking about wu-ftpd being run, which is, to my knowledge, a Unix FTP service, and a deprecated one at that.

  5. #15 killadaninja (Very good friend of the forum, London, United Kingdom, joined Oct 2007, 526 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by lupin View Post
    When you tried to kill the AV process via task manager, did you get an access denied message or did it just start up again? It might be monitored by another process that you have to kill simultaneously, you can kill multiple processes at once using the taskkill command, and even stick it in a batch file with a loop just in case one go around wont stop it (I have had to do this with malware before, it might work here too).
    Very important information there. A lot of these programs are monitored by sometimes "un-obvious" processes; a looped taskkill script may even let the attacker get the job done without finding that "un-obvious" process.
    Sometimes I try to fit a 16-character string into an 8-byte space, on purpose.
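An added example for the looped-taskkill idea in lupin's and killadaninja's posts above, not code from either of them: a Python wrapper around the same taskkill and tasklist commands they mention. It issues one taskkill for all targets at once, reads the process list to see whether they come back, and separates the "Access is denied" case (a permissions problem, where looping harder will not help) from a process that is simply restarted by a watchdog. The process names in TARGETS are placeholders to be replaced with what you observe on the target, and the tasklist and taskkill output used to exercise the parsing is constructed sample text.

```python
"""Loop taskkill over a set of process names and interpret what happens.

Added example for the thread above, not code from the posts. Wraps the
Windows tasklist / taskkill commands; TARGETS holds placeholder names.
"""
import csv
import io
import subprocess
import sys
import time

TARGETS = ["avscanner.exe", "avwatchdog.exe"]   # hypothetical placeholder names


def parse_tasklist_csv(text: str) -> dict:
    """Map lower-cased image name -> list of PIDs from `tasklist /FO CSV` output."""
    running = {}
    for row in list(csv.reader(io.StringIO(text)))[1:]:   # skip the header row
        if len(row) < 2 or not row[1].isdigit():
            continue
        running.setdefault(row[0].lower(), []).append(int(row[1]))
    return running


def still_running(tasklist_output: str, targets) -> list:
    """Which of the targets are still present in the process list."""
    running = parse_tasklist_csv(tasklist_output)
    return [t for t in targets if t.lower() in running]


def interpret_taskkill(output: str) -> str:
    """Classify taskkill output as killed / denied / not_found / unknown."""
    text = output.lower()
    if "access is denied" in text:
        return "denied"       # permissions problem: a loop will not fix this
    if "not found" in text:
        return "not_found"
    if "success" in text:
        return "killed"
    return "unknown"


def kill_round(targets) -> str:
    """One forced taskkill naming every target, so they die in the same pass."""
    cmd = ["taskkill", "/F", "/T"]
    for t in targets:
        cmd += ["/IM", t]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def tasklist() -> str:
    return subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True).stdout


def kill_loop(targets, rounds: int = 20, delay: float = 0.2) -> str:
    """Repeat the kill until the targets stay gone, or give up with a verdict."""
    for _ in range(rounds):
        if interpret_taskkill(kill_round(targets)) == "denied":
            return "denied"
        time.sleep(delay)
        if not still_running(tasklist(), targets):
            return "killed"
    return "respawning"        # something keeps restarting them: find the watchdog


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("taskkill and tasklist only exist on Windows")
    print(kill_loop(TARGETS))
```

The verdict is what you would write down: "denied" means the account, not the watchdog, is the obstacle; "respawning" means there is a monitoring process still to be found and added to TARGETS.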

  6. #16 lanwarrior (Junior Member, joined May 2008, 39 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by lupin View Post
    When you tried to kill the AV process via task manager, did you get an access denied message or did it just start up again? It might be monitored by another process that you have to kill simultaneously, you can kill multiple processes at once using the taskkill command, and even stick it in a batch file with a loop just in case one go around wont stop it (I have had to do this with malware before, it might work here too).
    I did, but I got an Access Denied error, mostly due to the non-administrator account that I have, or is it enforced by McAfee ePO?

    Quote Originally Posted by Archangel-Amael View Post
    I am going to guess that those services above in your second post are out of the question, since two of them have vulns listed (one of which has no remedy as of 3 July 2010 after being reported on 8 August 2002; I will let you figure out, per your own research, which ones I am talking about), otherwise you would have mentioned this.
    Also of interest, you are talking about wu-ftpd being run, which is, to my knowledge, a Unix FTP service, and a deprecated one at that.
    Thanks for the tip, I will research that, but the audit report is due this Friday, so I hope I can get something in the next 48 hours.

    Regarding the Unix FTP service, it sounds like this port is used by WS-FTP. I know the client uses WS-FTP heavily to transfer data between customers and them.

  7. #17 lupin (Super Moderator, joined Jan 2010, 2,943 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by lanwarrior View Post
    I did, but I got an Access Denied error, mostly due to the non-administrator account that I have, or is it enforced by McAfee ePO?
    Most likely a permissions issue (due to your non-admin status), I would say. If you have access to an admin account, or can install the software on a system where you do have admin rights, you could find out for sure.

  8. #18 lanwarrior (Junior Member, joined May 2008, 39 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by lupin View Post
    Most likely a permissions issue (due to your non-admin status), I would say. If you have access to an admin account, or can install the software on a system where you do have admin rights, you could find out for sure.
    Correct, and that's what I was trying to do in my first post, but alas I don't have Admin privileges.

    I'll try to boot from floppy after entering the PointSec magic key combo and see what happens.

  9. #19 Archangel-Amael (Super Moderator, Somewhere, joined Jan 2010, 8,012 posts)

    Re: Pen-test of a "secured" Windows-based laptop

    Quote Originally Posted by lanwarrior View Post
    Thanks for the tip, I will research that, but the audit report is due this Friday, so I hope I can get something in the next 48 hours.
    Took me about 2 minutes to google all of your above listed services. I will assume you can do the same.

    Quote Originally Posted by lanwarrior View Post
    Regarding the Unix FTP service, it sounds like this port is used by WS-FTP. I know the client uses WS-FTP heavily to transfer data between customers and them.
    If you mean the WS-FTP application from Ipswitch, Inc., there are 3 different versions, one of which is pretty basic and could be compromised.

  10. #20 lanwarrior (Junior Member, joined May 2008, 39 posts)

    Quote Originally Posted by Archangel-Amael View Post
    Took me about 2 minutes to google all of your above listed services. I will assume you can do the same. If you mean the WS-FTP application from Ipswitch, Inc., there are 3 different versions, one of which is pretty basic and could be compromised.
    I meant: research, try each of the vulnerabilities, document it, and prep the audit report. That will take longer than 2 minutes. The holy grail is still the same: gain elevated privileges from the normal account, which I do have access to.

    UPDATE:

    Well, I have tried the meterpreter scripts with Metasploit to attempt to kill the AV and I get "Operation Failed". I believe this is due to the non-admin account and the combination of the AV/antispyware itself. I tried the "Aurora" IE exploit; same thing.. no go...

    I tried booting from floppy by pressing the combo key during PointSec authentication (it only offers Floppy, PXE or HDD), but nothing boots from floppy. I believe it works only with the PointSec recovery floppy and nothing else.

    Quote Originally Posted by skidmarq View Post
    I do see a couple of angles you might use for privilege escalation....
    Em.... care to enlighten me?
    Last edited by Archangel-Amael; 07-06-2010 at 03:31 PM.
