Enterprise Networking Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
What’s the easiest way for a hacker to break in to your
systems? Getting one of your users to visit a malicious web site? Enticing them
to run a malware-laced attachment? Running a buffer overflow exploit on one of
your servers?
No. There’s a method that’s far more reliable which is often neglected: a
physical access attack. If anyone with malicious intent can get their grubby
mitts on one of your machines – even just for a few minutes – then the
chances are high that you’re in trouble.
Let’s start with the easiest attacks and work upward. What happens if a user
leaves a corporate laptop unattended, perhaps at a conference or in a hotel
business center? If the machine is running, it’s fairly trivial to pop in a USB
stick and load up a Trojan
, keylogger
, or any other piece of malware. The hacker
doesn’t have to think up ways to get a user to unwittingly install the software
– they can do it themselves.
There’s also a great deal of information that’s stored on a Windows machine that
many users think is safe from prying eyes – passwords that Windows has
stored, for example – that a hacker can grab in seconds. A black hat
armed with a freeware utility called Mailpassview (available from
www.nirsoft.net) can run it from a USB stick and
instantly see the usernames, passwords and pop server addresses of all the email
accounts stored in common email clients including Outlook. Since the utility is
a standalone .exe file, the hacker could make a note of the email details and
pull out the USB stick and the user would have no way of knowing that their
email accounts had been compromised.
Nirsoft actually has a number of other powerful standalone utilities which a
hacker with physical access to a Window laptop (or desktop) can run to extract
information, including:
-
MessenPass – reveals the stored username and password of popular public IM
networks -
IEPassView – reveals AutoComplete and HTTP authentication passwords in
Internet Explorer (In Firefox you can see all the stored passwords simply by
going to Tools – Options – Security and clicking on Show Passwords
– unless a master password has been set) -
Asterisk Logger – reveals passwords that are shown as asterisks in a
password box. Many users store the password to FTP, VNC
and other clients within
the application, so armed with this utility a hacker can potentially get their
hands on some very useful information indeed.
One way a user can defend against this is by setting an account password and
ensuring that the computer logs them out of their account after a few minutes of
idle time. That way, the theory goes, a hacker who picks up the laptop won’t be
able to access the machine unless he can guess the account password – and
perhaps the user name as well.
Unfortunately, resetting account passwords when you have physical access to the
machine is also a trivial matter. The account information is stored in a file
called SAM which is protected by the Windows operating system. Windows is the
key word here, because SAM isn’t protected by other operating systems –
like Linux, for example. A hacker with access to an account password protected
laptop could boot the laptop from a floppy or CD containing an open source tool
called chntpw from
home.eunet.no/pnordahl/ntpasswd/
This reveals all the accounts and passwords in the Windows machine’s SAM file,
and provides the option of changing or blanking any of them. The simplest option
then is to blank the user’s account password and reboot the machine for
immediate access. The user may not notice for some time that they are no longer
being asked for an account password when they log on. Even if they do, the
chances are they will just shrug it off and set a new one, without ever
suspecting anything had gone awry.
Graduating to Servers
While physical access attacks are serious when carried out on laptops, they are
potentially far more serious when it’s a Windows server, rather than a user
laptop, that a hacker has access to. Instead of rebooting the machine into a
Linux environment and resetting a password, they could copy the SAM and SYSTEM
files from the Windows directory’s system32/config folder to a memory stick and
remove them.
Why would they do that? Because on another Linux machine, the hacker can then
get to work using a pair of open source Linux tools called bkhive and samdump2
First they’d run bkhive on SYSTEM to get the system key:
bkhive (path to)/SYSTEM systemkey.txt
And then they’d use samdump2 to get at the account names and password hashes
from the SAM:
samdump2 (path to)/SAM systemkey.txt>hashes.txt
That’s all it takes to get a text file – in this case called hashes.txt,
that can be put in to John the Ripper (a password cracking program) to attempt
to find some or all of the account passwords from the server that has been
plundered.
A cracked password is more valuable than a changed one as it is far harder to
detect, and since many people have the habit of reusing passwords, entering
these cracked passwords into a password list is likely to yield results in other
hacks the attacker may carry out on your organization.
By cracking a local administrator password (or resetting it – with the
increased risk of detection) it’s also possible to reset or add a password on a
Windows domain controller – if the hacker has physical access. They can do
that by rebooting the domain controller without Active Directory, and logging in
using the local administrator password which they have previously cracked.
(This is not possible when Active Directory is running because the relevant
password hashes are not stored in the SAM but in Active Directory itself.) It’s
then possible to install a service which adds a domain controller user (and
password) with system privileges once the server is rebooted with Active
Directory.
What can be done to prevent all this? The most obvious answer it to ensure that
tight physical security is maintained at all times. This means access control at
server room entrances, and users looking after their laptops at all times
– not leaving them unattended in hotel bars or coat check rooms.
In addition to this there are a number of other sensible precautions,
particularly for servers. Booting hardware into a different operating system can
be made considerably harder by disabling the ability to boot from CD/DVD and USB
devices in the BIOS, and then protecting the BIOS with a password so that this
cannot easily be modified. End point security systems can also be used to
prevent any reading and writing from USB and optical media.
As far as laptops are concerned, idle timeouts before the machine logs out and
requires a password to log back in should be as short as possible –
although some trade-off has to occur as a laptop that times out while a user is
working is annoying and may be disabled. Users should also be encouraged to shut
down the laptop when they have finished working, rather than putting it in
standby.
Ultimately the message is simple: security is only as strong as the weakest
link, so don’t forget about the dangers of physical access attacks. Doing so is
the equivalent of spending all your money on security locks for your windows,
while leaving your front door wide open. And that makes no sense at all.
