Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Discussion is drifting away. It is a nice discovery but nothing with big impact.

On 14 July 2013 08:27:23, Moshe Israel wrote:

> My response was to "how many systems implement such controls".
>
> You could however (since you have access) disconnect the network cable, replace magnify with cmd etc., add admin, replace the cmd back and reconnect. Solved?? :)
>
> On Jul 13, 2013, at 11:49 PM, valdis.kletni...@vt.edu wrote:
>
>> On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
>>> All secured/regulated systems as required by most certifications/standards/best practices.
>>
>> You're new in the industry, aren't you? :)
>>
>> The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.
>>
>> You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
And don't forget the logs/audits etc...

On Jul 14, 2013, at 9:27 AM, Moshe Israel wrote:

> My response was to "how many systems implement such controls".
>
> You could however (since you have access) disconnect the network cable, replace magnify with cmd etc., add admin, replace the cmd back and reconnect. Solved?? :)
>
> On Jul 13, 2013, at 11:49 PM, valdis.kletni...@vt.edu wrote:
>
>> On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
>>> All secured/regulated systems as required by most certifications/standards/best practices.
>>
>> You're new in the industry, aren't you? :)
>>
>> The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.
>>
>> You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
My response was to "how many systems implement such controls".

You could however (since you have access) disconnect the network cable, replace magnify with cmd etc., add admin, replace the cmd back and reconnect. Solved?? :)

On Jul 13, 2013, at 11:49 PM, valdis.kletni...@vt.edu wrote:

> On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
>> All secured/regulated systems as required by most certifications/standards/best practices.
>
> You're new in the industry, aren't you? :)
>
> The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.
>
> You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
All secured/regulated systems as required by most certifications/standards/best practices.

On Jul 13, 2013, at 8:52 PM, valdis.kletni...@vt.edu wrote:

> On Sat, 13 Jul 2013 13:23:18 +0200, Alex said:
>> This one is a classic, but it will fail integrity checks of tripwire/ossec/whatever you use.
>
> What percent of systems actually do this?
>
> On Sat, 13 Jul 2013 14:19:19 +0200, Alex said:
>> And trigger automated incident/alarm
>
> Trigger the automated alarm from the tripwire program you just axed?
>
> Much more likely is some monitoring system like Big Brother or Zabbix alerting that the system has been rebooted. And again, the vast majority of systems don't have this sort of monitoring.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
I am aware of this. However it is not the default and far from standard. Just saying encrypted disks are the exception and not the norm.

On Jul 13, 2013 10:31 PM, "Dennis E. Hamilton" wrote:

> BitLocker full disk encryption has been available since Windows Vista. It was improved in Windows 7 and apparently even more for Windows 8.
>
> Not all hardware supported it originally. Recent Windows desktops and especially laptops should.
>
> - Dennis
>
> From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
> Sent: Saturday, July 13, 2013 03:58 PM
> To: Alex; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
>
> Since when was full disk encryption standard in Windows 7, let alone Windows environments in general? Sure there are probably some but nonetheless
> [ … ]
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Since when was full disk encryption standard in Windows 7, let alone Windows environments in general? Sure there are probably some but nonetheless

On Jul 13, 2013 6:47 PM, "Alex" wrote:

> You didn't tell us how you cracked the full disk encryption. (There are ways around controls, but that is why we have multiple security layers.)
>
> On 13 July 2013 22:49:11, valdis.kletni...@vt.edu wrote:
>
>> On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
>>> All secured/regulated systems as required by most certifications/standards/best practices.
>>
>> You're new in the industry, aren't you? :)
>>
>> The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.
>>
>> You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
You didn't tell us how you cracked the full disk encryption. (There are ways around controls, but that is why we have multiple security layers.)

On 13 July 2013 22:49:11, valdis.kletni...@vt.edu wrote:

> On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
>> All secured/regulated systems as required by most certifications/standards/best practices.
>
> You're new in the industry, aren't you? :)
>
> The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.
>
> You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
> All secured/regulated systems as required by most certifications/standards/best practices.

You're new in the industry, aren't you? :)

The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.

You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Sat, 13 Jul 2013 13:23:18 +0200, Alex said:
> This one is a classic, but it will fail integrity checks of tripwire/ossec/whatever you use.

What percent of systems actually do this?

On Sat, 13 Jul 2013 14:19:19 +0200, Alex said:
> And trigger automated incident/alarm

Trigger the automated alarm from the tripwire program you just axed?

Much more likely is some monitoring system like Big Brother or Zabbix alerting that the system has been rebooted. And again, the vast majority of systems don't have this sort of monitoring.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Swap out tripwire/ossec/whatever you use?
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
And trigger automated incident/alarm

On 13 July 2013 13:54:04, Julius Kivimäki wrote:
> Swap out tripwire/ossec/whatever you use?
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
This one is a classic, but it will fail integrity checks of tripwire/ossec/whatever you use.

On 12 July 2013 17:45:57, Chris Arg wrote:

> Swap out a binary while in recovery... for instance the magnify.exe binary with cmd.exe. Reboot and at the login screen (if it's still enabled) run the magnify tool. CMD opens up with SYSTEM privs. Add your local admin user. Dirty and fast.
>
> On Fri, Jul 12, 2013 at 5:40 AM, Alex wrote:
>
>> I doubt that you can use the SAM from another computer on yours. The SAM file is encrypted.
>>
>> For further reading/information google "bkhive" and/or "samdump2".
>>
>> I still agree, that the computer is compromised once you get physical access. If you do it via USB/CD live boot or removing the HDD doesn't matter.
>>
>> On 2013-07-10 23:27, some one wrote:
>>
>>> On Jul 10, 2013 9:16 PM, "some one" wrote:
>>>
>>>> On Jul 10, 2013 1:51 PM, "Gregory Boddin" wrote:
>>>>
>>>>> It won't.
>>>>>
>>>>> The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read things in it.
>>>>>
>>>>> The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.
>>>>>
>>>>> What you can do is: take the SAM, modify somewhere else (not a Windows expert though), re-inject and gain local access. (Which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run in that workstation once the password is reset.)
>>>
>>> Oops, pressed send... Try again...
>>>
>>> Hmm, not sure about this...
>>>
>>> Haven't tried but let's say recovery console is running as system which can read the SAM and it lets us copy it off the box to a share or USB or whatever, if we can get it off I'm guessing we can rip out the hashes for the users and attempt to crack them, spray them about or whatever...
>>>
>>> But changing one so we know the password and then putting it back, doubt this will work will it, as essentially we are changing the SAM file anyway aren't we when we create a new legit user through net commands and it discards this change when we reboot, or are there 2 SAM files? One in live environment which disappears and the real one...
>>>
>>> Pass, I will try it out again when I get 10 mins.. :-)
>>>
>>>>> On 9 July 2013 20:39, some one wrote:
>>>>>
>>>>>> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something as once I rebooted it was gone...
>>>>>>
>>>>>> Tried it again today in a different place and same deal. Reboot, no new user...
>>>>>>
>>>>>> Anyone have this working after reboot?
>>>>>>
>>>>>> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>>>>>>
>>>>>> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>>>>>>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation.
>>>>>>> Keep in mind domain policies are applied at startup and periodically.
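A tripwire-style baseline check of the kind Alex refers to, written here as an added example (it is not code from the thread, nor from tripwire or OSSEC): it records hashes of the binaries launchable from the logon screen and, on verification, reports a file that now hashes identically to cmd.exe as a swap rather than as a generic change. The file list beyond magnify.exe and cmd.exe, and the placeholder file contents, are my assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files the check covers: accessibility helpers that can be started from the
# logon screen, plus cmd.exe so a swap can be recognised by its hash.
# Constructed list for this example; a real baseline would cover far more.
WATCHED = ["magnify.exe", "sethc.exe", "utilman.exe", "osk.exe", "cmd.exe"]


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system32):
    """Record size and SHA-256 of each watched file that exists.
    Keep the result off the host (on the monitoring server, signed): a baseline
    stored next to the files it protects can be rewritten by the same offline
    access that swaps them, which is the objection raised later in the thread."""
    baseline = {}
    for name in WATCHED:
        p = Path(system32) / name
        if p.is_file():
            baseline[name] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def verify(system32, baseline):
    """Compare live files with the baseline and return {name: status}.
    A changed file whose new hash equals the baseline hash of a different
    watched file is reported as a swap, which covers magnify.exe -> cmd.exe."""
    by_hash = {v["sha256"]: n for n, v in baseline.items()}
    report = {}
    for name, expected in baseline.items():
        p = Path(system32) / name
        if not p.is_file():
            report[name] = "missing"
            continue
        actual = sha256_file(p)
        if actual == expected["sha256"]:
            report[name] = "ok"
        elif actual in by_hash and by_hash[actual] != name:
            report[name] = f"swapped: now identical to {by_hash[actual]}"
        else:
            report[name] = "modified"
    return report


def demo():
    """Constructed scenario: a fake System32 with placeholder binaries, then
    magnify.exe overwritten with a copy of cmd.exe, osk.exe altered and
    utilman.exe deleted, followed by a verification run against the baseline."""
    with tempfile.TemporaryDirectory() as d:
        for name in WATCHED:
            (Path(d) / name).write_bytes(b"placeholder contents of " + name.encode())
        # Serialise the baseline as it would be shipped to the monitoring server.
        baseline_json = json.dumps(build_baseline(d))

        (Path(d) / "magnify.exe").write_bytes((Path(d) / "cmd.exe").read_bytes())
        (Path(d) / "osk.exe").write_bytes(b"patched")
        (Path(d) / "utilman.exe").unlink()

        return verify(d, json.loads(baseline_json))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```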
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Swap out a binary while in recovery... for instance the magnify.exe binary with cmd.exe. Reboot and at the login screen (if it's still enabled) run the magnify tool. CMD opens up with SYSTEM privs. Add your local admin user. Dirty and fast.

On Fri, Jul 12, 2013 at 5:40 AM, Alex wrote:

> I doubt that you can use the SAM from another computer on yours. The SAM file is encrypted.
>
> For further reading/information google "bkhive" and/or "samdump2".
>
> I still agree, that the computer is compromised once you get physical access. If you do it via USB/CD live boot or removing the HDD doesn't matter.
>
> On 2013-07-10 23:27, some one wrote:
>
>> On Jul 10, 2013 9:16 PM, "some one" wrote:
>>
>>> On Jul 10, 2013 1:51 PM, "Gregory Boddin" wrote:
>>>
>>>> It won't.
>>>>
>>>> The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read things in it.
>>>>
>>>> The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.
>>>>
>>>> What you can do is: take the SAM, modify somewhere else (not a Windows expert though), re-inject and gain local access. (Which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run in that workstation once the password is reset.)
>>
>> Oops, pressed send... Try again...
>>
>> Hmm, not sure about this...
>>
>> Haven't tried but let's say recovery console is running as system which can read the SAM and it lets us copy it off the box to a share or USB or whatever, if we can get it off I'm guessing we can rip out the hashes for the users and attempt to crack them, spray them about or whatever...
>>
>> But changing one so we know the password and then putting it back, doubt this will work will it, as essentially we are changing the SAM file anyway aren't we when we create a new legit user through net commands and it discards this change when we reboot, or are there 2 SAM files? One in live environment which disappears and the real one...
>>
>> Pass, I will try it out again when I get 10 mins.. :-)
>>
>>>> On 9 July 2013 20:39, some one wrote:
>>>>
>>>>> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something as once I rebooted it was gone...
>>>>>
>>>>> Tried it again today in a different place and same deal. Reboot, no new user...
>>>>>
>>>>> Anyone have this working after reboot?
>>>>>
>>>>> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>>>>>
>>>>> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>>>>>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation.
>>>>>> Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
I doubt that you can use the SAM from another computer on yours. The SAM file is encrypted.

For further reading/information google "bkhive" and/or "samdump2".

I still agree, that the computer is compromised once you get physical access. If you do it via USB/CD live boot or removing the HDD doesn't matter.

On 2013-07-10 23:27, some one wrote:

> On Jul 10, 2013 9:16 PM, "some one" wrote:
>
>> On Jul 10, 2013 1:51 PM, "Gregory Boddin" wrote:
>>
>>> It won't.
>>>
>>> The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read things in it.
>>>
>>> The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.
>>>
>>> What you can do is: take the SAM, modify somewhere else (not a Windows expert though), re-inject and gain local access. (Which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run in that workstation once the password is reset.)
>
> Oops, pressed send... Try again...
>
> Hmm, not sure about this...
>
> Haven't tried but let's say recovery console is running as system which can read the SAM and it lets us copy it off the box to a share or USB or whatever, if we can get it off I'm guessing we can rip out the hashes for the users and attempt to crack them, spray them about or whatever...
>
> But changing one so we know the password and then putting it back, doubt this will work will it, as essentially we are changing the SAM file anyway aren't we when we create a new legit user through net commands and it discards this change when we reboot, or are there 2 SAM files? One in live environment which disappears and the real one...
>
> Pass, I will try it out again when I get 10 mins.. :-)
>
>>> On 9 July 2013 20:39, some one wrote:
>>>
>>>> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something as once I rebooted it was gone...
>>>>
>>>> Tried it again today in a different place and same deal. Reboot, no new user...
>>>>
>>>> Anyone have this working after reboot?
>>>>
>>>> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>>>>
>>>> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>>>>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation.
>>>>> Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Jul 10, 2013 9:16 PM, "some one" wrote:

> On Jul 10, 2013 1:51 PM, "Gregory Boddin" wrote:
>
>> It won't.
>>
>> The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read things in it.
>>
>> The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.
>>
>> What you can do is: take the SAM, modify somewhere else (not a Windows expert though), re-inject and gain local access. (Which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run in that workstation once the password is reset.)

Oops, pressed send... Try again...

Hmm, not sure about this...

Haven't tried but let's say recovery console is running as system which can read the SAM and it lets us copy it off the box to a share or USB or whatever, if we can get it off I'm guessing we can rip out the hashes for the users and attempt to crack them, spray them about or whatever...

But changing one so we know the password and then putting it back, doubt this will work will it, as essentially we are changing the SAM file anyway aren't we when we create a new legit user through net commands and it discards this change when we reboot, or are there 2 SAM files? One in live environment which disappears and the real one...

Pass, I will try it out again when I get 10 mins.. :-)

>> On 9 July 2013 20:39, some one wrote:
>>
>>> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something as once I rebooted it was gone...
>>>
>>> Tried it again today in a different place and same deal. Reboot, no new user...
>>>
>>> Anyone have this working after reboot?
>>>
>>> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>>>
>>> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>>>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation.
>>>> Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
>> Haven't tried but let's say we can copy the SAM off the box somehow, recovery console is running as system which can read the SAM and

Did Candlejack get you or somethi
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Jul 10, 2013 1:51 PM, "Gregory Boddin" wrote:

> It won't.
>
> The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read things in it.
>
> The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.
>
> What you can do is: take the SAM, modify somewhere else (not a Windows expert though), re-inject and gain local access. (Which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run in that workstation once the password is reset.)

Hmm, not sure about this...

Haven't tried but let's say we can copy the SAM off the box somehow, recovery console is running as system which can read the SAM and

> On 9 July 2013 20:39, some one wrote:
>
>> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something as once I rebooted it was gone...
>>
>> Tried it again today in a different place and same deal. Reboot, no new user...
>>
>> Anyone have this working after reboot?
>>
>> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>>
>> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation.
>>> Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
It won't.

The whole point is to have full local access to hard-drives (from a locked workstation for eg), to modify/read things in it.

The loaded environment IS a live environment. I would say: almost a copy of the install CD loaded from the hard-drive.

What you can do is: take the SAM, modify somewhere else (not a Windows expert though), re-inject and gain local access. (Which is kind of useless since local data are already available once the recovery is booted, unless there's software you would like to run in that workstation once the password is reset.)

On 9 July 2013 20:39, some one wrote:

> My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something as once I rebooted it was gone...
>
> Tried it again today in a different place and same deal. Reboot, no new user...
>
> Anyone have this working after reboot?
>
> Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.
>
> On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
>> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation.
>> Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
My initial thoughts after adding the user and rebooting was that it was only valid in the recovery console session or something as once I rebooted it was gone...

Tried it again today in a different place and same deal. Reboot, no new user...

Anyone have this working after reboot?

Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.

On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
> There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation.
> Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
I ran into the same "issue". I believe that the recovery environment is the equivalent of booting into a Windows live image. When you run the net user command and add a user you are actually modifying the live image and not your install.

On Mon, Jul 8, 2013 at 3:47 PM, some one wrote:
> E
>
> The user wasn't there, never mind him being admin...
>
> I'll test this out again when I next do a win7 review on a job
> On 8 Jul 2013 11:39, "Fabien DUCHENE" wrote:
>
>> There may be an Active Directory domain policy which only allows a
>> configured set of groups/users to be admin of your workstation.
>> Keep in mind domain policies are applied at startup and periodically.
>>
>> > Message: 1
>> > Date: Mon, 1 Jul 2013 15:16:45 +0100
>> > From: some one
>> > To: full-disclosure@lists.grok.org.uk
>> > Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
>> > Message-ID:
>> > i0+o1yr5w1upoczub...@mail.gmail.com>
>> > Content-Type: text/plain; charset="iso-8859-1"
>> >
>> > I tried this out onsite today. Got the cmd.exe as described and added a
>> > user into the local admin group... Restart the box, try and login as the new user
>> > and it isn't there...
>> >
>> > Logged in as a legit admin and ran net users and no mention of my created
>> > account... Weird...
>> > On Jun 30, 2013 10:54 AM, "Cool Hand Luke" <coolhandl...@coolhandluke.org> wrote:
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA512
>> >>
>> >> On 06/29, Grandma Eubanks wrote:
>> >> > However, I think this is still interesting. It's been a while since I've
>> >> > played with Windows boxes and won't have access to one for a couple days,
>> >> > but isn't this triggering off of vendor supplied recovery partitions? This
>> >> > is a regular Windows 7 sole partition box you tried this one?
>> >>
>> >> from a first look, i don't think a vendor-supplied recovery partition is
>> >> necessary. it appears that it would also be possible if the "system
>> >> restore" setting was enabled (but don't quote me on that).
>> >>
>> >> i'm not sure how likely that is in your average large, corporate
>> >> environment. the ones i've seen have system restore disabled and opt to
>> >> reimage systems instead when issues occur. i'm sure there are some
>> >> environments where this could be useful, however.
>> >>
>> >> - -chl
>> >>
>> >> - --
>> >> cool hand luke
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Once you've inserted your payload with admin-or-better rights, it can be anything from a rootkit that GP can't touch to a patched GP subsys that doesn't apply AD policies. This isn't really a caveat.

On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
> There may be an Active Directory domain policy which only allows a
> configured set of groups/users to be admin of your workstation.
> Keep in mind domain policies are applied at startup and periodically.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
E

The user wasn't there, never mind him being admin...

I'll test this out again when I next do a win7 review on a job
On 8 Jul 2013 11:39, "Fabien DUCHENE" wrote:
> There may be an Active Directory domain policy which only allows a
> configured set of groups/users to be admin of your workstation.
> Keep in mind domain policies are applied at startup and periodically.
>
> > Message: 1
> > Date: Mon, 1 Jul 2013 15:16:45 +0100
> > From: some one
> > To: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
> > Message-ID:
> > i0+o1yr5w1upoczub...@mail.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > I tried this out onsite today. Got the cmd.exe as described and added a
> > user into the local admin group... Restart the box, try and login as the new user
> > and it isn't there...
> >
> > Logged in as a legit admin and ran net users and no mention of my created
> > account... Weird...
> > On Jun 30, 2013 10:54 AM, "Cool Hand Luke" <coolhandl...@coolhandluke.org> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >>
> >> On 06/29, Grandma Eubanks wrote:
> >> > However, I think this is still interesting. It's been a while since I've
> >> > played with Windows boxes and won't have access to one for a couple days,
> >> > but isn't this triggering off of vendor supplied recovery partitions? This
> >> > is a regular Windows 7 sole partition box you tried this one?
> >>
> >> from a first look, i don't think a vendor-supplied recovery partition is
> >> necessary. it appears that it would also be possible if the "system
> >> restore" setting was enabled (but don't quote me on that).
> >>
> >> i'm not sure how likely that is in your average large, corporate
> >> environment. the ones i've seen have system restore disabled and opt to
> >> reimage systems instead when issues occur. i'm sure there are some
> >> environments where this could be useful, however.
> >>
> >> - -chl
> >>
> >> - --
> >> cool hand luke
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
There may be an Active Directory domain policy which only allows a configured set of groups/users to be admin of your workstation. Keep in mind domain policies are applied at startup and periodically.

> Message: 1
> Date: Mon, 1 Jul 2013 15:16:45 +0100
> From: some one
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
> Message-ID:
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I tried this out onsite today. Got the cmd.exe as described and added a
> user into local admin group... Restart the box try and login as new user
> and it isn't there...
>
> Logged in as a legit admin and ran net users and no mention of my created
> account... Weird...
> On Jun 30, 2013 10:54 AM, "Cool Hand Luke" wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> On 06/29, Grandma Eubanks wrote:
>> > However, I think this is still interesting. It's been a while since I've
>> > played with Windows boxes and won't have access to one for a couple days,
>> > but isn't this triggering off of vendor supplied recovery partitions? This
>> > is a regular Windows 7 sole partition box you tried this one?
>>
>> from a first look, i don't think a vendor-supplied recovery partition is
>> necessary. it appears that it would also be possible if the "system
>> restore" setting was enabled (but don't quote me on that).
>>
>> i'm not sure how likely that is in your average large, corporate
>> environment. the ones i've seen have system restore disabled and opt to
>> reimage systems instead when issues occur. i'm sure there are some
>> environments where this could be useful, however.
>>
>> - -chl
>>
>> - --
>> cool hand luke
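As an added example (not code from this thread or its participants), a defender-side PowerShell check that compares the local Administrators group with the set of members a domain policy is meant to enforce and reports anything that was not put there by policy, which is how an account added from outside the running OS would show up between policy refreshes. The $Approved allowlist and the CONTOSO domain name are constructed placeholders; the script assumes it is run locally with admin rights.

```powershell
# Added example: audit local Administrators membership against a policy allowlist.
# $Approved is a constructed allowlist; CONTOSO is a placeholder domain name.
$Approved = @(
    'Administrator',             # built-in local admin
    'CONTOSO\Domain Admins',     # placeholder domain groups a policy would allow
    'CONTOSO\Workstation Admins'
)

function Get-LocalAdminMembers {
    # The WinNT ADSI provider is available on Windows 7 / PowerShell 2.0 as well as newer hosts.
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://HOSTNAME/Administrator or WinNT://CONTOSO/Domain Admins;
        # an orphaned member appears as WinNT://S-1-5-21-... with no second element.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -lt 2) {
            $parts[0]                                   # bare SID, keep as-is for the report
        } elseif ($parts[0] -eq $env:COMPUTERNAME) {
            $parts[1]                                   # local account: plain name
        } else {
            "$($parts[0])\$($parts[1])"                 # domain principal: DOMAIN\name
        }
    }
}

function Compare-LocalAdmins {
    param([string[]]$ApprovedList)
    # Returns every current member that the allowlist does not account for.
    $unexpected = @()
    foreach ($member in Get-LocalAdminMembers) {
        if ($ApprovedList -notcontains $member) { $unexpected += $member }
    }
    return $unexpected
}

$extra = Compare-LocalAdmins -ApprovedList $Approved
if ($extra.Count -gt 0) {
    Write-Warning "Unexpected local Administrators members: $($extra -join ', ')"
    # Show whether the unexpected entries are local accounts (the case the thread discusses).
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $extra -contains $_.Name } |
        Select-Object Name, SID, Disabled
} else {
    "Local Administrators membership matches policy."
}
```

Scheduling this check more often than the policy refresh interval narrows the window in which an unapproved member can exist unnoticed.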
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
I tried this out onsite today. Got the cmd.exe as described and added a user into the local admin group... Restart the box, try and login as the new user and it isn't there...

Logged in as a legit admin and ran net users and no mention of my created account... Weird...

On Jun 30, 2013 10:54 AM, "Cool Hand Luke" wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 06/29, Grandma Eubanks wrote:
> > However, I think this is still interesting. It's been a while since I've
> > played with Windows boxes and won't have access to one for a couple days,
> > but isn't this triggering off of vendor supplied recovery partitions? This
> > is a regular Windows 7 sole partition box you tried this one?
>
> from a first look, i don't think a vendor-supplied recovery partition is
> necessary. it appears that it would also be possible if the "system
> restore" setting was enabled (but don't quote me on that).
>
> i'm not sure how likely that is in your average large, corporate
> environment. the ones i've seen have system restore disabled and opt to
> reimage systems instead when issues occur. i'm sure there are some
> environments where this could be useful, however.
>
> - -chl
>
> - --
> cool hand luke
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 06/29, Grandma Eubanks wrote:
> However, I think this is still interesting. It's been a while since I've
> played with Windows boxes and won't have access to one for a couple days,
> but isn't this triggering off of vendor supplied recovery partitions? This
> is a regular Windows 7 sole partition box you tried this one?

from a first look, i don't think a vendor-supplied recovery partition is necessary. it appears that it would also be possible if the "system restore" setting was enabled (but don't quote me on that).

i'm not sure how likely that is in your average large, corporate environment. the ones i've seen have system restore disabled and opt to reimage systems instead when issues occur. i'm sure there are some environments where this could be useful, however.

- -chl

- --
cool hand luke
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
"If you have non-administrator credentials that get you past the bootloader or the entire boot process hasn't been made secure"

Aside from this, the scenario I've always seen:

1.) Home/regular user that doesn't know/care
2.) Paranoid user or company machine employing full disk encryption

However, I think this is still interesting. It's been a while since I've played with Windows boxes and won't have access to one for a couple days, but isn't this triggering off of vendor supplied recovery partitions? This is a regular Windows 7 sole partition box you tried this one?

On Sat, Jun 29, 2013 at 11:54 AM, sec wrote:
> If you're not able to boot from another OS because the firmware is
> locked down, booting from removable media is disabled, and a software
> crypto product is installed, this is a handy way to bypass all that. If
> you have non-administrator credentials that get you past the bootloader
> or the entire boot process hasn't been made secure, this is an extremely
> trivial exploit requiring no special tools.
>
> I'm making the assumption that the software (or hardware?) crypto is
> correctly tied to that machine's TPM to prevent removing the disk and
> booting it on another machine.
>
> Depending on the exact configuration of the target machine, this would
> enable the retrieval of sensitive data assumed to be secure, or else
> insertion of a trusted machine with malicious payload into a secure
> environment.
>
> I can think of quite a few environments I've encountered where all of
> the above assumptions stand.
>
>
> On 2013-06-29 14:49:16 (+0200), Alex wrote:
> > Or just add an account to SAM file with local admin privs (while booting
> > from another OS). Nothing new or special imo.
> >
> > On 2013-06-28 19:46, Anastasios Monachos wrote:
> >
> >> Hi List;
> >>
> >> The following may be of interest:
> >> http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
> >> in particular to those performing physical attacks on Windows 7.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
If you're not able to boot from another OS because the firmware is locked down, booting from removable media is disabled, and a software crypto product is installed, this is a handy way to bypass all that. If you have non-administrator credentials that get you past the bootloader or the entire boot process hasn't been made secure, this is an extremely trivial exploit requiring no special tools.

I'm making the assumption that the software (or hardware?) crypto is correctly tied to that machine's TPM to prevent removing the disk and booting it on another machine.

Depending on the exact configuration of the target machine, this would enable the retrieval of sensitive data assumed to be secure, or else insertion of a trusted machine with malicious payload into a secure environment.

I can think of quite a few environments I've encountered where all of the above assumptions stand.

On 2013-06-29 14:49:16 (+0200), Alex wrote:
> Or just add an account to SAM file with local admin privs (while booting from
> another OS). Nothing new or special imo.
>
> On 2013-06-28 19:46, Anastasios Monachos wrote:
>
>> Hi List;
>>
>> The following may be of interest:
>> http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
>> in particular to those performing physical attacks on Windows 7.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Or just add an account to SAM file with local admin privs (while booting from another OS). Nothing new or special imo.

On 2013-06-28 19:46, Anastasios Monachos wrote:
> Hi List;
>
> The following may be of interest:
> http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
> in particular to those performing physical attacks on Windows 7.
>
> Kind regards,
> --
> AM (secuid0)
> Key ID: 0x5EB17EE7