Harden Your Network Against Physical Compromise
May 20, 2008
Monitoring the security of network services is important, but don't neglect physical security: From laptops to poorly configured servers, every endpoint is a potential liability.
What's the easiest way for a hacker to break in to your systems? Getting one of your users to visit a malicious web site? Enticing them to run a malware-laced attachment? Running a buffer overflow exploit on one of your servers?
No. There's a method that's far more reliable which is often neglected: a physical access attack. If anyone with malicious intent can get their grubby mitts on one of your machines – even just for a few minutes – then the chances are high that you're in trouble.
Let's start with the easiest attacks and work upward. What happens if a user leaves a corporate laptop unattended, perhaps at a conference or in a hotel business center? If the machine is running, it's fairly trivial to pop in a USB stick and load up a Trojan , keylogger , or any other piece of malware. The hacker doesn't have to think up ways to get a user to unwittingly install the software – they can do it themselves.
There's also a great deal of information that's stored on a Windows machine that many users think is safe from prying eyes – passwords that Windows has stored, for example – that a hacker can grab in seconds. A black hat armed with a freeware utility called Mailpassview (available from www.nirsoft.net) can run it from a USB stick and instantly see the usernames, passwords and pop server addresses of all the email accounts stored in common email clients including Outlook. Since the utility is a standalone .exe file, the hacker could make a note of the email details and pull out the USB stick and the user would have no way of knowing that their email accounts had been compromised.
Nirsoft actually has a number of other powerful standalone utilities which a hacker with physical access to a Window laptop (or desktop) can run to extract information, including:
MessenPass – reveals the stored username and password of popular public IM networks
IEPassView – reveals AutoComplete and HTTP authentication passwords in Internet Explorer (In Firefox you can see all the stored passwords simply by going to Tools – Options – Security and clicking on Show Passwords – unless a master password has been set)
Asterisk Logger – reveals passwords that are shown as asterisks in a password box. Many users store the password to FTP, VNC and other clients within the application, so armed with this utility a hacker can potentially get their hands on some very useful information indeed.
One way a user can defend against this is by setting an account password and ensuring that the computer logs them out of their account after a few minutes of idle time. That way, the theory goes, a hacker who picks up the laptop won't be able to access the machine unless he can guess the account password – and perhaps the user name as well.
Unfortunately, resetting account passwords when you have physical access to the machine is also a trivial matter. The account information is stored in a file called SAM which is protected by the Windows operating system. Windows is the key word here, because SAM isn't protected by other operating systems – like Linux, for example. A hacker with access to an account password protected laptop could boot the laptop from a floppy or CD containing an open source tool called chntpw from home.eunet.no/pnordahl/ntpasswd/This reveals all the accounts and passwords in the Windows machine's SAM file, and provides the option of changing or blanking any of them. The simplest option then is to blank the user's account password and reboot the machine for immediate access. The user may not notice for some time that they are no longer being asked for an account password when they log on. Even if they do, the chances are they will just shrug it off and set a new one, without ever suspecting anything had gone awry.
Graduating to Servers
While physical access attacks are serious when carried out on laptops, they are potentially far more serious when it's a Windows server, rather than a user laptop, that a hacker has access to. Instead of rebooting the machine into a Linux environment and resetting a password, they could copy the SAM and SYSTEM files from the Windows directory's system32/config folder to a memory stick and remove them.
Why would they do that? Because on another Linux machine, the hacker can then get to work using a pair of open source Linux tools called bkhive and samdump2
First they'd run bkhive on SYSTEM to get the system key:
bkhive (path to)/SYSTEM systemkey.txt
And then they'd use samdump2 to get at the account names and password hashes from the SAM:
samdump2 (path to)/SAM systemkey.txt>hashes.txt
That's all it takes to get a text file – in this case called hashes.txt, that can be put in to John the Ripper (a password cracking program) to attempt to find some or all of the account passwords from the server that has been plundered.
A cracked password is more valuable than a changed one as it is far harder to detect, and since many people have the habit of reusing passwords, entering these cracked passwords into a password list is likely to yield results in other hacks the attacker may carry out on your organization.
By cracking a local administrator password (or resetting it – with the increased risk of detection) it's also possible to reset or add a password on a Windows domain controller – if the hacker has physical access. They can do that by rebooting the domain controller without Active Directory, and logging in using the local administrator password which they have previously cracked. (This is not possible when Active Directory is running because the relevant password hashes are not stored in the SAM but in Active Directory itself.) It's then possible to install a service which adds a domain controller user (and password) with system privileges once the server is rebooted with Active Directory.
What can be done to prevent all this? The most obvious answer it to ensure that tight physical security is maintained at all times. This means access control at server room entrances, and users looking after their laptops at all times – not leaving them unattended in hotel bars or coat check rooms.
In addition to this there are a number of other sensible precautions, particularly for servers. Booting hardware into a different operating system can be made considerably harder by disabling the ability to boot from CD/DVD and USB devices in the BIOS, and then protecting the BIOS with a password so that this cannot easily be modified. End point security systems can also be used to prevent any reading and writing from USB and optical media.
As far as laptops are concerned, idle timeouts before the machine logs out and requires a password to log back in should be as short as possible – although some trade-off has to occur as a laptop that times out while a user is working is annoying and may be disabled. Users should also be encouraged to shut down the laptop when they have finished working, rather than putting it in standby.
Ultimately the message is simple: security is only as strong as the weakest link, so don't forget about the dangers of physical access attacks. Doing so is the equivalent of spending all your money on security locks for your windows, while leaving your front door wide open. And that makes no sense at all.