Lost or stolen laptops which fall into the wrong hands can be used to launch an attack on the corporate LAN using tools obtained online or from auction websites.
Stolen Laptops Providing Gateway To Hackers
In a recent demonstration of network vulnerability, a sample laptop protected only by commonly used password security was used to carry out a series of hack attacks, showing how these mobile devices can act as a gateway to data housed on internal systems.
Local user passwords were compromised, allowing data residing on the hard drive to be harvested, and attacks were then launched over the device’s associated network connections.
The first step to compromise the laptop entailed hacking the BIOS before the Windows operating system had launched. A BIOS reset connector, typically used by manufacturers to deactivate and reset the laptop BIOS password during repair, can easily be made or purchased from eBay and allows complete access to data housed on the hard disk.
Alternatively, the hacker can remove the hard drive from the laptop entirely and install this in another device without a BIOS password, again allowing access to data on the drive.
Compromising Windows passwords was equally simple. BackTrack, a Linux toolkit on a bootable CD-ROM, was booted on the device, providing access to the Windows file system before the operating system had even launched.
Hacking programs such as GetSyskey and Gethashes were downloaded from the internet and used to access the encrypted Windows password hashes. In addition, RainbowCrack, a software tool which generates rainbow tables, was used to precompute the password hashes produced by the LM password algorithm.
Using a precomputed table of over 60GB of hashes, the administrator password was cracked in under two minutes. Moreover, encrypted WEP keys and remote desktop log-in details held in the Windows registry file were recovered using password recovery software.
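The reason a rainbow table cracks LM hashes so quickly is that LM uppercases the password and hashes each 7-character half independently, so each half is attacked on its own and a half that is empty always hashes to the same constant. As an added example (not from the original article), the following Python audit script is assumed to read a pwdump-style export of the form user:rid:LMhash:NThash:::; it flags accounts that still store an LM hash at all, and among those the accounts whose second half is the empty-half constant, meaning a password of seven characters or fewer. The sample lines are constructed.

```python
import re

# DES of the LM magic string under a null (empty) 7-char half. This public
# constant appears as the whole hash when LM storage is disabled (or the
# password is longer than 14 characters) and as the second half when the
# password is at most 7 characters long.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_NULL_HASH = LM_EMPTY_HALF * 2

# Assumed pwdump-style line layout: user:rid:LM:NT:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def audit_pwdump_line(line):
    """Classify one dump line; returns None for lines that do not parse."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    lm = m.group("lm").lower()
    lm_stored = lm != LM_NULL_HASH          # LM hash present: exposed to rainbow tables
    short_pw = lm_stored and lm[16:] == LM_EMPTY_HALF  # second half empty: <= 7 chars
    return {"user": m.group("user"), "lm_stored": lm_stored, "short_pw": short_pw}


def audit_pwdump(lines):
    """Return findings for every account that still stores an LM hash."""
    findings = []
    for line in lines:
        result = audit_pwdump_line(line)
        if result and result["lm_stored"]:
            findings.append(result)
    return findings


# Constructed sample export (hex values are made up, not real hashes).
SAMPLE_DUMP = [
    "svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",  # LM disabled
    "payroll:1001:1c2d3e4f5a6b7c8daad3b435b51404ee:fedcba9876543210fedcba9876543210:::",     # LM stored, <= 7 chars
    "jsmith:1003:0f1e2d3c4b5a69788796a5b4c3d2e1f0:00112233445566778899aabbccddeeff:::",      # LM stored, 8-14 chars
    "not a hash line",
]

if __name__ == "__main__":
    for f in audit_pwdump(SAMPLE_DUMP):
        flag = "password <= 7 chars" if f["short_pw"] else "password 8-14 chars"
        print(f"{f['user']}: LM hash stored ({flag}); disable LM storage or use 15+ chars")
```

Accounts with a null LM hash are not at risk from the LM tables described above; the remaining accounts need LM hash storage disabled or passwords of 15 or more characters, which Windows cannot store as an LM hash.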
Having cracked these passwords, the desktop could be browsed at leisure and files and documents on the laptop could be identified, even those the user had deleted from the hard drive. Disk Investigator, a downloadable software tool, was used to recover deleted files from the file system and to locate deleted files on flash media such as USB pen drives.
Finally, a fictitious corporate LAN was broken into using a remote access client. The installed Cisco VPN client was used: cached login credentials stored locally in a .pcf profile file were located, enabling access. Cain & Abel, a tool readily available online, was then used to crack the Cisco VPN client’s encrypted passwords, decoding them into clear text.
Once inside the network, an enumeration attack was carried out to browse named hosts. These PCs and servers, often given away by telltale names ranging from the obvious, such as ‘Payroll’, to old techie favourites such as Star Wars or Lord of the Rings characters, planets or Greek Gods, were easily identified.
Having selected a target client, a free, open-source exploit tool called Metasploit, which provides a simple graphical user interface, was then used to gain administrative access. The hacker was now free to export data from the internal host or carry out corporate sabotage or espionage.
The risk of attack on the corporate LAN has increased along with the popularity of mobile working and hotdesking. The FBI Computer Crime and Security Survey found that around 50 per cent of organisations reported mobile device theft in 2005, and it is a problem that affects both the private and public sector.
Over the last twelve months in the UK, 21 laptops have been stolen from Department of Trade and Industry (DTI) buildings and five have been misappropriated from the Office of the Deputy Prime Minister. Any of these devices could have been used to compromise the core networks of business or government using the simple tools and techniques described above.
Here are some recommendations for organisations with mobile workers to help combat information theft:
At the very least, encrypt your sensitive files with freely available software.
Set a BIOS password, even though it can be reset.
Don’t allow users to boot from USB keys, floppy disks, CD-ROMs or from a network.
Use a secure VPN technology.
Don’t allow the caching of passwords or user names in RAS clients.
Educate your staff. All too often credentials can be found in notepad files on the desktop.
Incorporate biometric logon devices.
Consider full disk encryption.
PIN-lock GPRS or 3G SIM cards.
Encourage staff to report laptop or mobile device theft immediately on discovery and ensure you have a 24-hour process to enable this.
Consider using passwords that use UK-specific character sets, as most rainbow tables currently available are computed from American keyboard codepages.
Article courtesy of Security Park