ENCKPhysicalAccess.pptx

Uploaded by: 快乐****生活 | Document ID: 12033113 | Uploaded: 2025-08-31 | Format: PPTX | Pages: 55 | Size: 1.37 MB
Physical Access
Copyright SUPINFO. All rights reserved.

Course objectives
By completing this course, you will:
- Understand the need for physical access control
- Exploit physical protection failures
- Implement countermeasures

Course topics
These are the parts we will cover:
- Introduction to physical access
- Bypassing BIOS protection
- Exploiting an offline computer: OS modifications, SAM dumping
- Opened sessions: getting simple information, RAM dumping
- Keyloggers
- Countermeasures

Introduction

A real threat
- Servers and network equipment are usually well protected.
- Operator and administrator workstations, however, are often easily reachable.
- Physical access to such a machine offers many ways to obtain sensitive information.

How can physical access be obtained?
- Through social engineering: pretend to be part of the IT team, or exploit staff who do not know the procedures.
- More discreet approaches are also possible.

Different situations
The computer may have:
- A protected BIOS
- Protected session access (OS logon)
The situation also differs when you reach the computer:
- Computer off or on
- Session open or closed
We need a way to get information in each of these situations.

Bypassing BIOS protection

Definition: BIOS (basic input/output system) is the PC's built-in firmware and the first code run when the PC is powered on (boot firmware).

How could we bypass BIOS protection?
- Erase the password
  - Requires hardware access (opening the case)
  - Hard to hide: you need to be alone in front of the computer, which is not always possible
- Recover (decrypt) the password, e.g. with CmosPwd
  - Requires a logged-on session on the target: a vicious circle

Where the BIOS password may be recorded
- CMOS: easy to erase, but the computer must be turned off
- EEPROM: the better security solution

Definition: CMOS, a specialized integrated circuit containing a small memory and a real-time clock, kept running continuously by a battery or accumulator. It often holds the BIOS password.

CMOS jumper
- If present, the easiest way to erase BIOS protection.
- Clearing CMOS is a matter of moving a jumper, usually labelled CMOS CLEAR, CLR, CLRPWD, PASSWD, PWD, etc.
- Move the jumper to short-circuit the CMOS, then put it back in its initial position.

CMOS battery
- Not every board has a clear jumper.
- CMOS memory is volatile and needs power, so removing its battery erases it.
- Leave the battery out for a few minutes, sometimes hours.

Definition: EEPROM (electrically erasable programmable read-only memory), a type of non-volatile memory used in computers and other electronic devices to store small amounts of data that must survive power loss.

EEPROM
- Unlike CMOS memory, EEPROM is non-volatile, so it cannot be erased with a jumper or by removing the battery.
- Better security solution.

BIOS password recovery
- There is no easy way to do it.
- Example: CmosPwd, which needs to run in an open session on the target.
- Vicious circle: we need access to a running computer in order to get into a computer that is off.

Exploiting an offline computer

- Most people think their computer is well protected by its OS login and password when it is turned off.
- But there are many ways to bypass it: OS restoration, live CD, bootable USB key, etc.
- These are often used for maintenance reasons, but they are really useful for hacking too.

OS modifications
We can:
- Restore the operating system, using the OS CDs or the integrated restoration tools
- Install another OS
But how can we just erase passwords or change user privileges?

Offline NT Password (& Registry Editor)
An example of a password-erasing tool:
- Only 4 MB
- Live CD or bootable USB key
- Available for all Windows versions from Windows NT to Seven (Windows 7)
Used for:
- Erasing passwords, a fortiori the admin password
- Adding users to the local Administrators group, i.e. giving administration rights (more discreet)
Note: you will see all the steps to follow in the next labs.

Not the best solution:
- Not really discreet: the admin will notice the change when he gets his computer back.
- He changes his password back, so we cannot access the system this way anymore.
- He becomes suspicious.
So we prefer to get his password directly.

SAM dumping

Password cracking permits us to:
- Stay discreet and invisible, without alerting admins
- Keep access to the computer
Here we only cover the physical access case; other methods are detailed in the OS Attacks chapter.

How to dump the SAM database?
- SAM dumping from a live CD (e.g. BackTrack)
- Targets Windows only
- Yields the hashes for later use (far from the target's eyes)

Definition: Security Accounts Manager (SAM), a registry hive in Windows NT, Windows 2000 and later versions of Windows. It stores users' passwords in hashed form (LM hash and NT hash, the latter commonly called the NTLM hash).

SAM database
Example of SAM database information (pwdump format):
Administrator:500:0296491B23F40AB2AAD3B435B51404EE:E06DE4D7E4002728184897EBB744AE2C:
security:1004:E52CAC67419A9A22AEB7ECD1E1900E8C:6E1D750B11A7F1E046181EB70439F252:
kevin:1005:4129B5C85878E46CAAD3B435B51404EE:11F58EA115D12AB46680C639DC9EBC12:
Field layout: UserName:RID:LMhash:NThash:FullName:Description:HomeDirectory

bkhive
After BackTrack 4 has booted and the target partition is mounted:
- Extract the boot key (SYSKEY) from the SYSTEM hive and save it to a text file.
Usage:
$ bkhive <system hive> <key file>
Example:
$ bkhive /mnt/hda1/windows/system32/config/system /tmp/keyfile.txt
Caveat: the Windows path is case-sensitive when mounted under Linux; check the actual spelling of the directories and hive files (often WINDOWS/system32/config/SAM and SYSTEM) before running the tools.

samdump2
Then we can use this key to dump the SAM database. samdump2 decrypts the SAM hive with the boot key and outputs all the hashes.
Usage:
$ samdump2 <sam hive> <key file>
Example:
$ samdump2 /mnt/hda1/windows/system32/config/sam /tmp/keyfile.txt > /tmp/hashes.txt
We can then take its output and crack it later.
Note: we will see how to crack these passwords in the OS Attacks chapter.
Caveat: samdump2 3.x reads the boot key from the SYSTEM hive itself (samdump2 <system hive> <sam hive>) and no longer needs bkhive.

Opened sessions

People trust
- Many people don't think about locking their session.
- Trust misuse: they often leave their computer unattended for a while.
- We need to act quickly.

What we can do
Here are a few examples of what can be done when exploiting an opened session:
- Get web browser passwords
- Automated information gathering
- Use U3 USB keys
- Dump the RAM
- Install keyloggers
- Etc.

Getting simple information
On an open session we can easily get a lot of information:
- Sensitive unprotected documents
- Web passwords
- Browsing history
- Etc.

Web passwords
You can get web passwords with just a few clicks:
- Firefox: Settings > Security > Saved Passwords
- Internet Explorer: use IE PassView; one click after a quick installation

Information gathering (1)
For example, you can get:
- IE history: IE HistoryView, very useful together with IE PassView
- Outlook passwords: Outlook PST Password Recovery; one click after a quick installation

Information gathering (2)
For example, you can get:
- Network passwords (e.g. WPA2 keys): Network Password Recovery
- Product keys (with the tool of the same name)
- Network information: AdapterWatch
But using so many tools is not really practical.

Automated information gathering
We could use just one tool for all these tasks: Switchblade (Siliv variant)
- Launched through autorun.inf on a USB key
- Writes the gathered information to a log.txt: SAM dump, passwords, OS information, etc.
- Really quick and discreet
Caveat: Windows 7 and later, and XP/Vista with update KB971029, no longer honour autorun.inf on USB storage, so the payload has to be started by hand (or from a device that presents itself as a CD-ROM, as U3 keys do).

RAM dumping

Why dump the RAM?
- RAM contains a lot of sensitive information, e.g. disk encryption keys.
- The method depends on the OS.

On Windows: force a crash from the keyboard
Set the REG_DWORD value CrashOnCtrlScroll = 1 under:
- For PS/2 keyboards: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
- For USB keyboards: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
After a reboot, hold the right Ctrl key and press Scroll Lock twice.
Memory is written to the crash dump file, by default C:\Windows\MEMORY.DMP.
Caveat: only a "Complete memory dump" (Startup and Recovery settings, with a page file at least the size of RAM) contains all of physical memory; a kernel or small dump does not. And since the machine crashes and reboots, this is anything but discreet.

Keyloggers

Introduction
- If all other attempts to sniff out domain privileges fail, a keystroke logger (keylogger) is the solution.
- Keyloggers are stealthy components placed between the keyboard hardware and the operating system so that they can record every keystroke.
- There are two types of keyloggers: hardware-based and software-based.

Hardware-based
- A tiny device attached between the keyboard and the computer.
- It keeps a record of all keystrokes typed on the keyboard; the recording is transparent to the end user.
- Two types of hardware keyloggers: USB keyloggers and PS/2 keyloggers.

Software-based
- Captured keystrokes are typically e-mailed on a schedule.
- The e-mail setup is kept as simple as possible: enter your e-mail address and test that sending works (screenshot example on the slide).

Countermeasures

Physical attacks can be avoided using simple countermeasures:
- Enable BIOS protection, with the password stored in EEPROM rather than CMOS
- Always lock your session
- Advanced authentication tools
- Disk encryption
- Protect physical access

Course summary
- Physical access as a threat
- Tools to get information
- Exploiting protection failures

The End
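Added example (Python, not part of the SUPINFO slides): a parser for the pwdump-format lines that samdump2 prints, as shown on the SAM database slide above, followed by a triage of what the hash structure alone reveals before any cracking. The sample input is the three accounts from the slide, with the trailing empty fields samdump2 normally emits; the constants are the well-known LM hash half of a null 7-byte block (AAD3B435B51404EE) and the NT hash of the empty password. Applied to the slide's data it shows that Administrator's and kevin's LM hashes end in AAD3B435B51404EE, so their passwords are at most 7 characters, while security's is 8 to 14.

```python
# Added example: parse and triage samdump2 / pwdump-style output.
from dataclasses import dataclass
from typing import List, Optional

# Well-known constants of the LM/NT hashing schemes (lowercase hex).
# LM hashing uppercases the password, pads it with nulls to 14 bytes and
# DES-encrypts a fixed magic value with each 7-byte half; a null half always
# yields this value, so it betrays how long the password is.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2                   # LM hash of "" (or LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4 of UTF-16LE "") of ""

# The three accounts printed on the slide, in samdump2's output format.
SLIDE_DUMP = """\
Administrator:500:0296491B23F40AB2AAD3B435B51404EE:E06DE4D7E4002728184897EBB744AE2C:::
security:1004:E52CAC67419A9A22AEB7ECD1E1900E8C:6E1D750B11A7F1E046181EB70439F252:::
kevin:1005:4129B5C85878E46CAAD3B435B51404EE:11F58EA115D12AB46680C639DC9EBC12:::
"""


@dataclass
class SamEntry:
    username: str
    rid: int
    lm_hash: str  # 32 hex chars, lowercase
    nt_hash: str  # 32 hex chars, lowercase


def _is_hex32(s: str) -> bool:
    if len(s) != 32:
        return False
    try:
        int(s, 16)
        return True
    except ValueError:
        return False


def parse_pwdump_line(line: str) -> Optional[SamEntry]:
    """Parse one UserName:RID:LMhash:NThash[:...] line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed pwdump line: {line!r}")
    username, rid, lm_hash, nt_hash = fields[:4]
    if not rid.isdigit():
        raise ValueError(f"RID is not numeric in: {line!r}")
    if not (_is_hex32(lm_hash) and _is_hex32(nt_hash)):
        raise ValueError(f"hash field is not 32 hex chars in: {line!r}")
    return SamEntry(username, int(rid), lm_hash.lower(), nt_hash.lower())


def parse_pwdump(text: str) -> List[SamEntry]:
    return [e for e in (parse_pwdump_line(ln) for ln in text.splitlines()) if e]


def triage(entry: SamEntry) -> List[str]:
    """What the hash structure reveals before a single guess is made."""
    notes = []
    if entry.rid == 500:
        notes.append("built-in Administrator (RID 500)")
    if entry.nt_hash == EMPTY_NT:
        notes.append("blank password")
    if entry.lm_hash == EMPTY_LM:
        notes.append("no LM hash stored (LM disabled, or password longer than 14 chars)")
    elif entry.lm_hash[16:] == EMPTY_LM_HALF:
        notes.append("LM hash present, password is 7 chars or fewer (second half empty)")
    else:
        notes.append("LM hash present, password is 8 to 14 chars (two 7-char halves)")
    return notes


def crackable_first(entries: List[SamEntry]) -> List[str]:
    """Usernames ordered by expected cracking effort: blank, short LM, long LM, NT-only."""
    def rank(e: SamEntry) -> int:
        if e.nt_hash == EMPTY_NT:
            return 0
        if e.lm_hash == EMPTY_LM:
            return 3
        return 1 if e.lm_hash[16:] == EMPTY_LM_HALF else 2
    return [e.username for e in sorted(entries, key=rank)]


if __name__ == "__main__":
    entries = parse_pwdump(SLIDE_DUMP)
    for e in entries:
        print(f"{e.username} (RID {e.rid}): " + "; ".join(triage(e)))
    print("crack order:", crackable_first(entries))
```

Feed it the file produced by samdump2 (the /tmp/hashes.txt of the example above) to decide which accounts to spend cracking time on first: any LM hash whose second half is AAD3B435B51404EE covers at most 7 uppercased characters and falls to brute force quickly, whereas an account with the empty LM hash forces you to attack the NT hash directly.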