Recently, a box full of laptops found its way into my possession. They had come from a number of small businesses via various sales and trades and were destined for a new startup. My job was to sanitize them and reinstall the OS for the client. In the meantime, they presented an opportunity to see how the small-business system administrator secures his or her systems.
The systems ranged from Windows 98 through Windows XP. They underwent a simple physical inspection and inventory and were then subjected to "evil" acts: they were used as live-fire targets in a demonstration of Metasploit, malicious USB drives were inserted into them, and finally they were subjected to forensic examination.
Without fail, blind plinking from Metasploit (or a simple Nessus scan followed by less-blind plinking with Metasploit) resulted in a compromised system. To be fair, the machines hadn't seen Windows Update in a month or two; they had been sitting idly on shelves or packed in boxes. The Windows 98 systems enjoyed a bit of security through obsolescence and were tougher targets for Metasploit.
Anti-Virus and Anti-Spyware Protection
Every system had some sort of anti-virus protection. This is a good thing.
All systems, except for the Win98 systems, had anti-spyware as well; Spybot S&D was very popular, followed by Ad-Aware.
With all of the AV and Anti-spyware running on the systems, none detected the malicious USB drives. Most systems happily complied with the autorun requests. There were many SAM files captured this way.
The systems that resisted the malicious USB drives did not stand up to booting up with knoppix and pulling the files that way. None of the systems used any drive encryption or BIOS protection.
VNC and other BackDoors
Many of the systems booted up with VNC running in listen mode. Probably handy for the sysadmin to maintain their flock, but a strong password, or maybe system-specific passwords may have been a better choice.
One admin created a backdoor account with Administrator privileges (but they do get points for not granting Administrator privileges to all of their users). Unfortunately it had such a weak password that the strong password protecting the real Administrator account didn't keep my class out of the machine.
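The three exposures above (autorun left active for removable drives, VNC listening on boot, and an extra account in the local Administrators group) are all visible from a few commands on the machine itself. The following audit is an added example, not code from the diary; it runs over constructed sample output (a registry export of the Explorer policy key, `netstat -an`, and `net localgroup Administrators`), and the "helpdesk" account is a made-up stand-in for the backdoor account described above.

```python
import re

# Constructed sample output (not captured from the diary's laptops): a registry
# export of the Explorer policy key, `netstat -an`, and `net localgroup Administrators`.
REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""
NETSTAT = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""
LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
helpdesk
The command completed successfully.
"""

def removable_autorun_enabled(reg_export: str) -> bool:
    """True if NoDriveTypeAutoRun still lets removable drives autorun.
    Bit 0x04 (DRIVE_REMOVABLE) must be set to suppress it; XP's default 0x91 lacks it."""
    m = re.search(r'"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{8})', reg_export)
    value = int(m.group(1), 16) if m else 0x91  # missing value means the XP default
    return not value & 0x04

def vnc_listeners(netstat: str) -> list:
    """Local sockets listening on the VNC port ranges (5800-5899 HTTP, 5900-5999 RFB)."""
    hits = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if 5800 <= port <= 5999:
                hits.append(parts[1])
    return hits

def unexpected_admins(localgroup: str, expected=("Administrator",)) -> list:
    """Members of the local Administrators group that are not on the expected list."""
    lines = localgroup.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("---")) + 1
    members = [l.strip() for l in lines[start:]
               if l.strip() and not l.startswith("The command")]
    return [m for m in members if m not in expected]
```

Setting NoDriveTypeAutoRun to 0xFF suppresses autorun on every drive type, which is the value the first check accepts.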
Cain and Abel and John the Ripper made quick work of the password hashes. There was not a single instance of a special character in any of the passwords. Great classics like "password" and "1234567" were disappointingly common. Administrator passwords were also weakly protected, with only simple tricks attempted, like reversing the company's name.
Imaging drives, recovering files, documentation: good times, but important if you're going to build a case, and important to practice. It doesn't come without its rewards. In the course of the simulated investigation we uncovered two failing marriages, one interoffice romance (nestled ironically amongst PowerPoint presentations on Sexual Harassment in the Workplace), and all the pr0n one could hope for from Google Images. Sigh.
The surprising find was a lack of rootkits. I was surprised to find very little spyware as well.
There is a surprising amount of company information that walks out the door on the average laptop. Although the word has gotten out about AV and anti-spyware protection, USB lockdown and drive encryption should also be universally applied to mobile assets. You never know where your old equipment may end up, or who might be writing about what they find.
kliston -at- isc.sans.org
Dec 25th 2006