91.580.203 Computer & Network Forensics
homuskrat, Networking and Communications
Nov 20, 2013

Computer Physical Security
Xinwen Fu



Laws of Physical Security

- Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
- Law #5: Weak passwords trump strong security.
- Law #10: Technology is not a panacea.
- Security is only as strong as the weakest link.

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx



Scenarios

- You are a crime investigator and have a suspect's computer
  - How can you get access to the data on the hard disk?
  - How can you get her password on this computer?
- You are a secret agent and have 10 minutes of access to an opponent General's computer
  - How can you get access to the data on the hard disk?
  - How can you get her password on this computer?


Simple Approach to Access Hard Disk

- Recall that you have physical access to somebody's computer
- Tools you need to break into an unsecured PC:
  1. A Phillips-head screwdriver
  2. USB thumb drive
  3. Bootable Linux CD
  4. Bootable Linux floppy
  5. Hard drive mounting kit


What if the machine has a BIOS password?

- A BIOS password can be bypassed:
  1. Remove the machine's hard drive and put it in another machine
  2. Reset the BIOS password via jumpers on the motherboard
  3. Simply remove the CMOS battery to reset it

http://www.liverepair.com/encyclopedia/articles/cmosreplace.asp


Laptop CMOS Battery

- A little bit of work


Mounting CD under Linux

- Once accomplished, boot off the CD or floppy.
- The hard disk will be automatically mounted by the Linux on the CD or floppy.
- If not, use the Linux mount command and mount it.
- What is the next step?
  - Copy
  - Delete
  - Change
  - What else?

Disk Encryption

- Disk encryption doesn't work.
- Keys are stored in memory.
- Physical access can reveal the keys.
- Memory can be preserved between boots.
  - Canned air increases the time to 10 minutes.
  - Liquid nitrogen increases the time by 1 hour.

http://www.freedom-to-tinker.com/?p=1257


Resetting Admin Passwords

Approach one - Use Windows XP Installation CD

1. Insert the Windows XP installation CD on a healthy installation
2. Press Enter to start setup
3. Press F8 for the license agreement
4. When you get the option to repair the current installation, press R to do so
5. Let it run through; for Windows XP, wait until it reboots and is installing devices, then press Shift-F10 to open a command prompt.
6. In Windows XP, type "nusrmgr.cpl" (without quotation marks) at the command prompt and press Enter. This should open up the User Accounts applet in XP.
7. Select the users and change or remove their passwords accordingly, apply the settings and close the Control Panel windows and the command prompt window so that just setup is running again.
8. Let the upgrade finish


Resetting Admin Passwords

Approach two - Use bootable CDs

- Boot the system with the CD
- Mount the hard disk to the booted OS
- Get access to the password file
- Do whatever you want

Petter Nordahl-Hagen's Offline NT Password & Registry Editor - A great boot CD/floppy that can reset any user's (including the local administrator's) password.


Step ONE: Select disk where the Windows installation is

    ====================================
    Step ONE: Select disk where the Windows installation is
    ====================================

    Disks:
    Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes

    NT partitions found:
    1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot

    Please select partition by number or
    a = show all partitions, d = automatically load new disk drivers
    m = manually load new disk drivers
    l = relist NTFS/FAT partitions, q = quit
    Select: [1]



Step TWO: Select PATH and registry files

    =====================================
    Step TWO: Select PATH and registry files
    =====================================

    What is the path to the registry directory? (relative to windows disk) [windows/system32/config] :
    -r--------  1 0 0  262144 Jan 12 18:01 SAM
    -r--------  1 0 0  262144 Jan 12 18:01 SECURITY
    -r--------  1 0 0  262144 Jan 12 18:01 default
    -r--------  1 0 0 8912896 Jan 12 18:01 software
    -r--------  1 0 0 2359296 Jan 12 18:01 system
    dr-x------  1 0 0    4096 Sep  8 11:37 systemprofile
    -r--------  1 0 0  262144 Sep  8 11:53 userdiff

    Select which part of registry to load, use predefined choices or list the files with space as delimiter
    1 - Password reset [sam system security]
    2 - RecoveryConsole parameters [software]
    q - quit - return to previous
    [1] :


Step THREE: Password or registry edit

    =====================================
    Step THREE: Password or registry edit
    =====================================

    chntpw version 0.99.2 040105, (c) Petter N Hagen
    [.. some file info here ..]

    * SAM policy limits:
    Failed logins before lockout is: 0
    Minimum password length        : 0
    Password history count         : 0

    <>=====<> chntpw Main Interactive Menu <>=======<>

    Loaded hives: <sam> <system> <security>

    1 - Edit user data and passwords
    2 - Syskey status & change
    3 - RecoveryConsole settings
    - - -
    9 - Registry editor, now with full write support!
    q - Quit (you will be asked if there is something to save)

    What to do? [1] -> 1


Step THREE (Cont.)

    ===== chntpw Edit User Info & Passwords ====

    RID: 01f4, Username: <Administrator>
    RID: 01f5, Username: <Guest>, *disabled or locked*
    RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
    RID: 03eb, Username: <pnh>, *disabled or locked*
    RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*

    Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
    or simply enter the username to change: [Administrator]


Step FOUR: Writing back changes

    ==========================
    Step FOUR: Writing back changes
    ==========================

    About to write file(s) back! Do it? [n] : y



EDIT COMPLETE

    ***** EDIT COMPLETE *****

    You can try again if it somehow failed, or you selected wrong
    New run? [n] : n

- Please answer n here and then reboot with CTRL-ALT-DEL. Remember to remove the floppy or CD.
- Windows XP may do some disk integrity checking; let it run.
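The chntpw walkthrough above rewrites the SAM and system hives while Windows is not running, and that is the footprint an investigator can look for. As an added example (not from the slides or from chntpw), this Python script flags registry hives whose modification time falls in a gap between a shutdown and the next boot; the power timeline and hive mtimes are constructed sample data standing in for the System event log and the file system.

```python
# Added example (not from the slides or chntpw): flag registry hives that were
# written while Windows was not running, which is what an offline password
# reset of SAM/system leaves behind. A running system writes its own hives, so
# a hive mtime normally lies inside a [boot, shutdown] window; an mtime inside a
# [shutdown, next boot] gap means something else wrote the file.
from datetime import datetime

# Constructed power timeline, as it might be rebuilt from the System event log.
POWER_EVENTS = [
    ("boot",     datetime(2013, 11, 18, 8, 2)),
    ("shutdown", datetime(2013, 11, 18, 17, 30)),
    ("boot",     datetime(2013, 11, 19, 8, 5)),
    ("shutdown", datetime(2013, 11, 19, 18, 1)),
    ("boot",     datetime(2013, 11, 20, 7, 58)),
]

# Constructed mtimes for files in windows/system32/config.
HIVE_MTIMES = {
    "SAM":      datetime(2013, 11, 19, 22, 14),  # written while powered off
    "system":   datetime(2013, 11, 19, 22, 14),  # chntpw saves sam and system together
    "SECURITY": datetime(2013, 11, 19, 17, 55),  # ordinary write during uptime
    "software": datetime(2013, 11, 20, 8, 0),    # written after the latest boot
}


def offline_gaps(events):
    """Return (shutdown, next_boot) pairs covering the time the OS was down.

    A boot with no preceding shutdown event (crash, power pulled) opens no gap,
    because the downtime start is unknown; such boots deserve a manual look.
    """
    gaps, pending_shutdown = [], None
    for kind, ts in events:
        if kind == "shutdown":
            pending_shutdown = ts
        elif kind == "boot" and pending_shutdown is not None:
            gaps.append((pending_shutdown, ts))
            pending_shutdown = None
    return gaps


def find_offline_hive_writes(events, hive_mtimes):
    """Map each hive whose mtime falls inside a downtime gap to that gap."""
    hits = {}
    for hive, mtime in hive_mtimes.items():
        for start, end in offline_gaps(events):
            if start < mtime < end:
                hits[hive] = (start, end)
    return hits
```

The heuristic is blind if the clock or the hive timestamps were also adjusted, so corroborate a hit with the event log's own record numbers and the NTFS change journal.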


Password Related Tools

- Windows Password Recovery - Can retrieve forgotten admin and users' passwords in minutes. Safest possible option, does not write anything to the hard drive.
- Petter Nordahl-Hagen's Offline NT Password & Registry Editor - A great boot CD/floppy that can reset the local administrator's password.
- Austrumi - Bootable CD for recovering passwords and other cool tools.
- EBCD - Emergency Boot CD - Bootable CD intended for system recovery in the case of software or hardware faults.
- Openwall's John the Ripper - Good boot floppy with cracking capabilities.

http://www.petri.co.il/forgot_administrator_password.htm

John The Ripper

- Program to crack passwords
- Advantages
- Disadvantages
- Practical use?
- Demo


Full Fledged Tools

- Knoppix: A full-featured Linux environment with GUI and many tools
- FIRE: FIRE Forensic and Incident Response Environment Bootable CD
- BackTrack: Merging of two innovative penetration testing live Linux distributions, Whax and Auditor
- Others: Auditor, Knoppix-STD, Operator, PHLAK, L.A.S Linux, Helix, nUbuntu, INSERT, Network Security Toolkit, Gentoo Forensic Toolkit



References

- Shelley Bard, Week 31: Physical security -- It is part of information security, 07/15/2004
- Joel Dubin, Taking Care of Physical Security, 10/04/2005
- Daniel Petri, How can I gain access to a Windows NT/2000/XP/2003 computer if I forgot the administrator's password? How can I reset the administrator's password if I forgot it?, 07/10/2006
- Don Burleson, Lost Root Password. Now What?, 01/06/2004
- insidepro.com, SAMInside, 08/28/2006
- Irongeek, Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools, 3/22/2005
- http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci993832,00.html
- University of Wisconsin-Safety Department, Fire Suppression Systems, 04/04/2005
- Reliable Fire Equipment Company, Inergen, 08/28/2006
- Reliable Fire Equipment Company, VESDA Laser Plus Air Sampling Systems, 08/28/2006
- SANS InfoSec Reading Room, Physical Security, 08/28/2006
- Wikipedia, Computer security, 2006
- Network Security Center ©2000 University of Chicago, NSC: Physical Security, 2000
- Anne Saita, Laptops lifted right under corporate noses, 10/12/2005
- Micki Krause, Harold F. Tipton, Handbook of Information Security Management, Publisher: CRC Press LLC, ISBN: 0849399475, January 1998
- marc spamcatcher, physical security pentesting procedures, tips, audit programs?, 12/02/2004