Stolen Laptops Providing Gateway To Hackers
Lost or stolen laptops which fall into the wrong hands can be used to launch an attack on the corporate LAN using tools obtained online or from auction websites.
In a recent demonstration of network vulnerability, a sample laptop with commonly used password security was used to carry out a series of hack attacks to show how these mobile devices can act as a gateway to data housed on internal systems.
Local user passwords were compromised, allowing data residing on the hard drive to be harvested, and attacks were launched on the device’s associated network connections.
The first step to compromise the laptop entailed hacking the BIOS before the Windows operating system had launched. A BIOS reset connector, typically used by manufacturers to deactivate and reset the laptop BIOS password during repair, can easily be made or purchased from eBay and allows complete access to data housed on the hard disk.
Alternatively, the hacker can remove the hard drive from the laptop entirely and install it in another device without a BIOS password, again allowing access to data on the drive.
Compromising Windows passwords was equally simple. BackTrack, a Linux toolkit booted from CD-ROM, was started on the device, providing access to the Windows file system before the operating system had even launched.
Software hacking programmes such as GetSyskey and Gethashes were downloaded from the internet and used to access the encrypted Windows passwords. In addition, RainbowCrack, a software tool which creates rainbow tables, was used to compute the various password hashes used by the LM password algorithm.
Using a precomputed table of over 60GB of hashes, the administrator password was cracked in under two minutes. Moreover, encrypted WEP passwords and remote desktop log-in details from the Windows registry file were recovered using password recovery software.
Having cracked these passwords, the desktop could be browsed at leisure and files and documents on the laptop could be identified, even those which the user had deleted from the hard drive. Disk Investigator, a downloadable software tool, was used to recover deleted files from the file system, as well as to locate deleted files on flash media such as USB pen drives.
Finally, a fictitious corporate LAN was broken into using a remote access client. An installed Cisco VPN client was used, and cached login credentials stored locally in a .pcf file were located, enabling access. Cain and Abel, a tool readily available online, was then used to crack the Cisco VPN client’s encrypted passwords, decoding them into clear text.
Once inside the network, an enumeration attack was carried out to browse named hosts. These PCs and servers, often given away by telltale names ranging from the obvious, such as ‘Payroll’, to old techie favourites such as Star Wars or Lord of the Rings characters, planets or Greek gods, were easily identified.
Having selected a target client, a free, open-source exploit tool called Metasploit, which provides a simple graphical user interface, was then used to gain administrative access. The hacker was now free to export data from the internal host or carry out corporate sabotage or espionage.
The risk of attack on the corporate LAN has increased along with the popularity of mobile working and hot-desking. The FBI Computer Crime and Security Survey claims that around 50 per cent of organisations reported mobile device theft in 2005, and it’s a problem that affects both the private and public sector.
Over the last twelve months in the UK, 21 laptops have been stolen from Department of Trade and Industry (DTI) buildings and five laptops have been misappropriated from the Office of the Deputy Prime Minister. Any of these devices could have been used to compromise the core networks of business or government using these simple tools and techniques.
Here are recommendations to organisations with mobile workers to help combat information theft:
- At the very least, encrypt your sensitive files with freely available software.
- Set a BIOS password, even though it can be reset.
- Don’t allow users to boot from USB keys, floppy disks, CD-ROMs or from the network.
- Use a secure VPN technology.
- Don’t allow the caching of passwords or user names in RAS clients.
- Educate your staff. All too often credentials can be found in notepad files on the desktop.
- Incorporate biometric logon devices.
- Consider full disk encryption.
- PIN-lock GPRS or 3G SIM cards.
- Encourage staff to report laptop or mobile device theft immediately on discovery, and ensure you have a 24-hour process to enable this.
- Consider using passwords which use UK-specific character sets, as most rainbow tables currently available are computed from American keyboard codepages.
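The cached-credential exposure in Cisco VPN client .pcf profiles described above, and the recommendation not to cache passwords or user names in RAS clients, can be audited on a fleet before a laptop goes missing. The following is an added example, not code from the article or from Cisco; it assumes the profile layout (an INI-style file whose [main] section holds Host, GroupPwd/enc_GroupPwd, Username, SaveUserPassword and UserPassword/enc_UserPassword keys), and the two sample profiles are constructed.

```python
# Audit Cisco VPN client profiles (.pcf) for cached credentials.
# Defensive check only: it reports which credential fields are populated and decodes nothing.
import configparser
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

# Keys that, when non-empty, mean a credential lives on disk (assumed .pcf layout).
CREDENTIAL_KEYS = ("GroupPwd", "enc_GroupPwd", "UserPassword", "enc_UserPassword")

# Constructed sample profiles (not real credentials): one cached, one clean.
CACHED_PROFILE = """[main]
Host=vpn.example.com
enc_GroupPwd=0123456789ABCDEF
Username=jdoe
SaveUserPassword=1
enc_UserPassword=FEDCBA9876543210
"""
CLEAN_PROFILE = """[main]
Host=vpn.example.com
enc_GroupPwd=
SaveUserPassword=0
"""

@dataclass
class PcfFinding:
    name: str
    host: str
    cached_fields: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.cached_fields)

def audit_pcf_text(name: str, text: str) -> PcfFinding:
    """Parse one profile and list which credential-bearing fields are populated."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case so GroupPwd and enc_GroupPwd stay distinct
    parser.read_string(text)
    main = parser["main"] if parser.has_section("main") else {}
    finding = PcfFinding(name, main.get("Host", "").strip())
    finding.cached_fields = [k for k in CREDENTIAL_KEYS if main.get(k, "").strip()]
    if main.get("SaveUserPassword", "0").strip() == "1":  # client persists the user password
        finding.cached_fields.append("SaveUserPassword")
    return finding

def audit_pcf_dir(directory: Path) -> List[PcfFinding]:
    """Audit every *.pcf in a directory (e.g. the VPN client's Profiles folder)."""
    return [audit_pcf_text(p.name, p.read_text(errors="replace")) for p in sorted(directory.glob("*.pcf"))]
```

Run audit_pcf_dir against the client's profile directory on each laptop and treat any finding with risky set as a profile to clear and re-issue without stored credentials.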
Article courtesy of Security Park