All secured/regulated systems as required by most certifications/standards/best
practices.
On Jul 13, 2013, at 8:52 PM, valdis.kletni...@vt.edu wrote:
On Sat, 13 Jul 2013 13:23:18 +0200, Alex said:
This one is a classic, but it will fail integrity checks of
tripwire/ossec/whatever you use.
My response was to how many systems implement such controls.
You could however (since you have access) disconnect the network cable, replace
magnify with cmd etc., add admin, replace the cmd back and reconnect.
Solved?? :)
On Jul 13, 2013, at 11:49 PM, valdis.kletni...@vt.edu wrote:
On Sat, 13 Jul
And don't forget the logs/audits etc...
On Jul 14, 2013, at 9:27 AM, Moshe Israel moshe.isr...@grsee.co.il wrote:
Discussion is drifting away. It is a nice discovery but nothing with big
impact.
On 14 July 2013 08:27:23, Moshe Israel moshe.isr...@grsee.co.il wrote:
This one is a classic, but it will fail integrity checks of
tripwire/ossec/whatever you use.
On 12 July 2013 17:45:57, Chris Arg grkcha...@gmail.com wrote:
Swap out a binary while in recovery...for instance the magnify.exe binary
with cmd.exe. Reboot and at the login screen (if it's still
And trigger automated incident/alarm
On 13 July 2013 13:54:04, Julius Kivimäki julius.kivim...@gmail.com wrote:
Swap out tripwire/ossec/whatever you use?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
On Sat, 13 Jul 2013 13:23:18 +0200, Alex said:
This one is a classic, but it will fail integrity checks of
tripwire/ossec/whatever you use.
What percent of systems actually do this?
On Sat, 13 Jul 2013 14:19:19 +0200, Alex said:
And trigger automated incident/alarm
Trigger the automated
On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
All secured/regulated systems as required by most
certifications/standards/best practices.
You're new in the industry, aren't you? :)
The point you're missing is that the vast majority of computers aren't covered
by said certifications
You didn't tell us how you cracked the full disc encryption. (There are
ways around controls, but that is why we have multiple security layers.)
On 13 July 2013 22:49:11, valdis.kletni...@vt.edu wrote:
Since when was full disk encryption standard in Windows 7, let alone Windows
environments in general? Sure there are probably some but nonetheless
On Jul 13, 2013 6:47 PM, Alex f...@daloo.de wrote:
13, 2013 03:58 PM
To: Alex; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
I doubt that you can use the SAM from another computer on yours. The SAM
file is encrypted.
For further reading/information google bkhive and/or samdump2.
I still agree that the computer is compromised once you get physical
access. If you do it via USB/CD live boot or removing the HDD
Swap out a binary while in recovery...for instance the magnify.exe binary
with cmd.exe. Reboot and at the login screen (if it's still enabled) run
the magnify tool. CMD opens up with SYSTEM privs. Add your local admin user.
Dirty and fast.
On Fri, Jul 12, 2013 at 5:40 AM, Alex f...@daloo.de
My initial thoughts after adding the user and rebooting were that it was
only valid in the recovery console session or something, as once I rebooted
it was gone...
Tried it again today in a different place and same deal. Reboot, no new
user...
Anyone have this working after reboot?
Once you've
It won't.
The whole point is to have full local access to hard drives (from a locked
workstation, for example), to modify/read things in it.
The loaded environment IS a live environment. I would say: almost a copy of
the install CD loaded from the hard drive.
What you can do is: take the SAM, modify
On Jul 10, 2013 1:51 PM, Gregory Boddin greg...@siwhine.net wrote:
Haven't tried, but let's say we can copy the SAM off the box somehow;
recovery console is running as SYSTEM, which can read the SAM and
Did Candlejack get you or somethi
On Jul 10, 2013 9:16 PM, some one s3cret.squir...@gmail.com wrote:
On Jul 10, 2013 1:51 PM, Gregory Boddin greg...@siwhine.net wrote:
of groups/users to be admin of your workstation.
Keep in mind domain policies are applied at startup and periodically.
Message: 1
Date: Mon, 1 Jul 2013 15:16:45 +0100
From: some one s3cret.squir...@gmail.com
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
Message-ID:
CA+1kKf460FE0uo7ps780N3f=gFh8G=i0+o1yr5w1upoczub...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1
I tried this out onsite today. Got the cmd.exe as described
Once you've inserted your payload with admin-or-better rights, it can be
anything from a rootkit that GP can't touch to a patched GP subsys that
doesn't apply AD policies. This isn't really a caveat.
On 2013-07-08 12:39:18 (+0200), Fabien DUCHENE wrote:
There may be an Active Directory domain
I tried this out onsite today. Got the cmd.exe as described and added a
user into the local admin group... Restart the box, try and log in as the new
user, and it isn't there...
Logged in as a legit admin and ran net users and no mention of my created
account... Weird...
On Jun 30, 2013 10:54 AM, Cool Hand
On 06/29, Grandma Eubanks wrote:
However, I think this is still interesting. It's been a while since I've
played with Windows boxes and won't have access to one for a couple days,
but isn't this triggering off of vendor supplied recovery
Or just add an account to the SAM file with local admin privs (while booting
from another OS). Nothing new or special imo.
On 2013-06-28 19:46, Anastasios Monachos wrote:
Hi List;
The following may be of interest:
If you're not able to boot from another OS because the firmware is
locked down, booting from removable media is disabled, and a software
crypto product is installed, this is a handy way to bypass all that. If
If you have non-administrator credentials that get you past the bootloader
or the entire boot process hasn't been made secure
Aside from this, the scenario I've always seen:
1.) Home/regular user that doesn't know/care
2.) Paranoid user or company machine employing full disk encryption
However,
http://intelcomms.blogspot.com/2013/05/owning-windows-7-from-recovery-to-nt.html
in particular to those performing physical attacks on Windows 7.
Kind regards,
--
AM (secuid0)
Key ID: 0x5EB17EE7