SANS ISC InfoSec Handlers Diary Blog

A Security Sampler

Published: 2006-12-25
Last Updated: 2006-12-25 18:44:10 UTC
by Kevin Liston (Version: 1)
0 comment(s)
Recently, a box full of laptops found its way into my possession.  They had come from a number of small businesses via various sales and trades and were destined for a new startup.  My job was to sanitize them and reinstall the OS for the client.  In the meantime, they presented an opportunity to see how the small-business system administrator secures his or her systems.

The systems ranged from Windows 98 through Windows XP.  They underwent a simple physical inspection/inventory and were then subjected to "evil" acts.  They were used as live-fire targets in a demonstration of Metasploit.  Malicious USB drives were inserted into them.  Finally, they were subjected to forensic examination.


Metasploit Results

Without fail, blind plinking from Metasploit (or a simple Nessus scan followed by less-blind plinking with Metasploit) resulted in a compromised system.  To be fair, the machines hadn't seen Windows Update in a month or two; they had been sitting idly on shelves or packed in boxes.  The Windows 98 systems enjoyed a bit of security through obsolescence and were tougher targets for Metasploit.


Anti-Virus and Anti-Spyware Protection

Every system had some sort of Anti-virus protection.  This is a good thing.
All systems, except for the Win98 systems, had anti-spyware as well; Spybot S&D was very popular, followed by Ad-Aware.


Malicious USB

With all of the AV and Anti-spyware running on the systems, none detected the malicious USB drives.  Most systems happily complied with the autorun requests.  There were many SAM files captured this way.


Knoppix

The systems that resisted the malicious USB drives did not stand up to booting with Knoppix and pulling the files that way.  None of the systems used any drive encryption or BIOS protection.


VNC and other BackDoors

Many of the systems booted up with VNC running in listen mode.  Probably handy for the sysadmin to maintain their flock, but a strong password, or maybe system-specific passwords may have been a better choice.

One admin created a backdoor account with Administrator privileges (but they do get points for not granting Administrator privileges to all of their users).  Unfortunately, with such a weak password on that account, the strong password protecting the real Administrator account didn't keep my class out of your machine.


Passwords

Cain and Abel and John the Ripper made quick work of the password hashes.  There was not a single instance of a special character in any of the passwords.  Great classics like "password" and "1234567" were disappointingly common.  Administrator passwords were also weakly protected, with only simple tricks attempted, like reversing the company's name.
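A defender-side check for the weaknesses reported in this section, as an added example (not the diary's code, and not the tooling the author used): it flags common passwords, missing special characters, and passwords derived from the company name, forwards or reversed.  The company name, account names and passwords below are constructed.

```python
import re

# Constructed list of the "great classics" seen on the laptops plus a few
# other well-known defaults; extend from a real wordlist in practice.
COMMON_PASSWORDS = {"password", "1234567", "123456", "letmein", "admin"}


def _normalize(text: str) -> str:
    """Lowercase and strip everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_password(password: str, company: str) -> list[str]:
    """Return the policy findings for one password; an empty list means it passes."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    base = _normalize(company)
    # Guard against tiny company names producing false positives.
    if len(base) >= 4 and (base in _normalize(password) or base[::-1] in _normalize(password)):
        findings.append("derived from company name")
    return findings


def audit_accounts(accounts: dict[str, str], company: str) -> dict[str, list[str]]:
    """Audit account -> password pairs (e.g. from a policy test) and return
    only the accounts that have findings."""
    return {user: f for user, pw in accounts.items() if (f := audit_password(pw, company))}


if __name__ == "__main__":
    # Constructed sample: one company, four accounts.
    sample = {
        "jsmith": "password",
        "backdoor": "1234567",
        "Administrator": "stegdiwemca",      # "Acme Widgets" reversed
        "auditor": "Tr0ub4dor&3xyz",
    }
    for user, findings in audit_accounts(sample, "Acme Widgets").items():
        print(f"{user}: {', '.join(findings)}")
```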


Forensic Fun

Imaging drives, recovering files, documentation: good times, but important if you're going to build a case, and important to practice.  It doesn't come without its rewards.  In the course of the simulated investigation we uncovered two failing marriages, one interoffice romance (nestled ironically amongst PowerPoint presentations on Sexual Harassment in the Workplace), and all the pr0n one could hope for from Google Images.  Sigh.


Surprising Find

The surprising find was a lack of rootkits.  I was surprised to find very little spyware as well.


Final Word

There is a surprising amount of company information that walks out the door on the average laptop.  Although the word has gotten out about AV and anti-spyware protection, USB lockdown and drive encryption should also be universally applied to mobile assets.  You never know where your old equipment may end up, and who might be writing about what they find...

kliston -at- isc.sans.org