Password Cracking Windows Accounts

35

2

At work we have laptops with encrypted hard drives. Most developers here (on occasion I have been guilty of it too) leave their laptops in hibernate mode when they take them home at night. Obviously, Windows (i.e. there is a program running in the background which does it for Windows) must have a method to decrypt the data on the drive, or it wouldn't be able to access it. That being said, I always thought that leaving a Windows machine on in hibernate mode in a non-secure place (not at work on a lock) is a security threat, because someone could take the machine, leave it running, hack the Windows accounts and use it to encrypt the data and steal the information. When I got to thinking about how I would go about breaking into the Windows system without restarting it, I couldn't figure out if it was possible.

I know it is possible to write a program to crack Windows passwords once you have access to the appropriate file(s). But is it possible to execute a program from a locked Windows system that would do this? I don't know of a way to do it, but I am not a Windows expert. If so, is there a way to prevent it? I don't want to expose security vulnerabilities about how to do it, so I would ask that someone not post the necessary steps in detail, but if someone could say something like "Yes, it's possible; the USB drive allows arbitrary execution," that would be great!

EDIT: The idea with the encryption is that you can't reboot the system, because once you do, the disk encryption on the system requires a login before being able to start Windows. With the machine in hibernate, the system owner has already bypassed the encryption for the attacker, leaving Windows as the only line of defense to protect the data.

kemiller2002

Posted 2008-10-01T12:54:16.317

Reputation: 451

I can't access it just now, but have a read of mu-b's work on breaking full disk encryption: www.digit-labs.org/files/presentations/sec-t-2010.pdf – Rory Alsop – 2011-09-28T11:07:38.900

Answers

13

Leaving the machine in hibernate is definitely not secure; a vulnerability has been found where the RAM still contains the key for BitLocker (and others) in the hibernating memory. There is already a proof-of-concept attack out there for this vulnerability.

The method of attack is to quickly reboot the PC and read the contents of the RAM (which isn't lost when power is cut) then a program can search the dump for the key.

http://www.eweek.com/c/a/Security/Researchers-Crack-BitLocker-FileVault/

Microsoft may have already fixed this though.

P.S. Normal password changing doesn't affect the encryption though, as the encrypted content isn't accessible without the correct password, so simple password-changing boot disks aren't security risks.

GavinCattell

Posted 2008-10-01T12:54:16.317

Reputation:

1

+1 I think this is what is called a cold boot attack.

– Jonas Heidelberg – 2011-10-09T10:41:01.520

4

As was mentioned by workmad3, the best way to attack a machine that's locked without rebooting is to see how vulnerable it is from a network connection.

This will depend on the security policies in place on your network. For instance, do all domain accounts have administrative access to these PCs? If so, check the default share (\\pc-name\c$). If the default share has been turned on for any reason, you have access to the entire contents of the PC over the network with your own account. I'm not sure if this works with an encrypted hard drive, but it would be pretty easy to test.

Once you have access to the PC remotely, you can use tools like the Sysinternals PsExec tool to execute programs remotely.

Of course, that's just one vector of attack, and it might not even work with encrypted hard drives, but it gives you an idea of what could be done.

EDIT: If the laptops have an active Firewire port you could take a look at this vulnerability. Again, I don't know if this would help with an encrypted machine, since it's based on direct memory access (which should be encrypted).

Marc Reside

Posted 2008-10-01T12:54:16.317

Reputation: 1 484

There is a Firewire exploit that allows you to unlock a Windows box without entering a valid password. It doesn't matter if the hard-disk is encrypted. – None – 2008-10-02T10:47:25.863

@Alexander I wasn't aware of that one. Good to know. – Marc Reside – 2008-10-02T13:22:48.363

Have a look at http://storm.net.nz/projects/16 for one of the tools.

– None – 2008-10-02T21:50:18.250

It's not just Firewire, but any expansion port with DMA. This includes PCMCIA, PCCard, ExpressCard, etc. The only difference from the Firewire vector is the protocol to access the bus. – None – 2010-01-20T02:20:56.013
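A defender's counterpart to the share check in this answer, added here as an example and not part of the original thread: a PowerShell audit that reports whether the hidden administrative shares (C$, ADMIN$) are exposed and who holds local Administrators membership, so a domain-wide admin grant is visible before someone else finds it. It assumes Windows 8 / Server 2012 or later with the SmbShare and LocalAccounts modules; the function name and the output shape are my own, the registry path and value names are Microsoft's.

```powershell
# Added example (not from the original thread). Requires PowerShell 5.1+
# on Windows 8 / Server 2012 or later for Get-SmbShare and Get-LocalGroupMember.
function Get-AdminShareExposure {
    [CmdletBinding()]
    param()

    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # AutoShareWks (workstations) / AutoShareServer (servers): a DWORD of 0 stops
    # the Server service from recreating C$, ADMIN$ and friends at start-up.
    # When the value is absent the default is to create them.
    $props = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
    $autoShareWks    = if ($null -ne $props.AutoShareWks)    { [int]$props.AutoShareWks }    else { 1 }
    $autoShareServer = if ($null -ne $props.AutoShareServer) { [int]$props.AutoShareServer } else { 1 }

    # Shares the Server service flags as "special" are the hidden admin shares.
    $adminShares = @(Get-SmbShare | Where-Object { $_.Special } | Select-Object -ExpandProperty Name)

    # Every principal in local Administrators can reach those shares over the
    # network with its own credentials. A broad domain group appearing here is
    # exactly the misconfiguration the answer above asks about.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)

    $broadGrants = @($admins | Where-Object {
        $_ -match '\\(Domain Users|Authenticated Users|Everyone)$'
    })

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        AutoShareWks          = $autoShareWks
        AutoShareServer       = $autoShareServer
        AdminSharesPresent    = $adminShares
        LocalAdministrators   = $admins
        OverlyBroadAdminGrant = $broadGrants
        Exposed               = ($adminShares.Count -gt 0) -and ($broadGrants.Count -gt 0)
    }
}

Get-AdminShareExposure | Format-List
```

Run it from an elevated prompt; Exposed is true only when admin shares exist and an overly broad group sits in local Administrators. Setting AutoShareWks to 0 and restarting the Server service removes C$ and ADMIN$, but check your management tooling first, since remote administration in the PsExec style depends on ADMIN$.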

4

Obviously, if someone has physical access to the machine, all credentials stored can be considered compromised.

If one can, for example, boot from a USB device or optical drive, one can use point-and-click tools such as Ophcrack to recover all passwords. Instructions here: USB Ophcrack | Windows Login password cracker

Edit: Yes, I'm aware that you theoretically can't get back into an "encrypted hard drive" if the machine is rebooted. Whether or not that claim holds depends entirely on the software used to access the encrypted partitions. BitLocker seems to do a decent job, but many earlier implementations were basically a joke - and if you can access the machine it's trivially easy to dump the SAM database to the USB stick and perform the cracking offline.

Mihai Limbăşan

Posted 2008-10-01T12:54:16.317

Reputation: 149

2

Well, my first thought would be to wake it out of hibernate, get to the password screen and then start seeing what is vulnerable through the network connection. If the actual machine's network security isn't up to scratch then you could get access to a lot of the information this way.

workmad3

Posted 2008-10-01T12:54:16.317

Reputation: 121

1

I wonder what would transpire if you burned a CD-ROM with an autoplay.ini suitable to the purposes of your experiment, then caused the machine to wake up from hibernate mode. I actually do not know what would happen, but that sort of methodology is what I would explore if trying to attack a hibernating machine -- get it to wake up and introduce an executable into one of its ports. Does it have a firewire port? In theory it is then hackable from that interface.

Heath Hunnicutt

Posted 2008-10-01T12:54:16.317

Reputation: 111

0

What kind of encryption are you using? BitLocker? Encrypted filesystem? Without knowing, I can't directly answer your question.

In any case, your security would be as good as the weakest link. You need to ensure all the latest security patches are installed promptly. Otherwise, tools like Metasploit can be used to test known vulnerabilities and gain user or admin access.

spoulson

Posted 2008-10-01T12:54:16.317

Reputation: 1 420

It's an encrypted file system – kemiller2002 – 2008-10-01T13:08:37.703

EFS will only provide a requirement that only the owning user or possibly local admin can access the files. If the PC becomes compromised, this would be trivial to circumvent. See: http://en.wikipedia.org/wiki/Encrypting_File_System

– spoulson – 2008-10-01T13:17:29.663

Sorry, my bad, I got the terminology mixed up. The files are encrypted on disk. – kemiller2002 – 2008-10-01T13:25:26.680

0

Vista and XP SP3 are much less vulnerable than earlier OSs, which stored a simply encrypted password for LANMAN compatibility. You can still crack easy passwords using some very large rainbow tables, but it is otherwise pretty secure from tools like Ophcrack.

Martin Beckett

Posted 2008-10-01T12:54:16.317

Reputation: 6 073
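The difference this answer points at between the old LANMAN hash and the later defaults is controlled by two LSA registry values. The following PowerShell check is an added example, not something from the original thread; the function name is mine, the registry path and value names are Microsoft's. It reports whether the LAN Manager hash is still being stored (NoLMHash) and which authentication level is enforced (LmCompatibilityLevel), which together decide how cheap rainbow-table recovery from a copied SAM is.

```powershell
# Added example (not from the original thread).
function Get-LmHashPolicy {
    [CmdletBinding()]
    param()

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p   = Get-ItemProperty -Path $lsa -ErrorAction Stop

    # NoLMHash = 1: the weak, case-insensitive LM hash is no longer written to
    # the SAM at the next password change. Vista and later default to 1; the
    # older default (value absent or 0) is what made rainbow tables so effective.
    $noLmHash = if ($null -ne $p.NoLMHash) { [int]$p.NoLMHash } else { 0 }

    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses on the wire,
    # 3 and above send NTLMv2 only, 5 also refuses LM and NTLMv1 from clients.
    # When the value is absent the OS default applies (3 on Vista and later,
    # lower on XP), so treat "absent" as not explicitly hardened.
    $level = if ($null -ne $p.LmCompatibilityLevel) { [int]$p.LmCompatibilityLevel } else { -1 }

    $levelText = switch ($level) {
        -1 { 'Not set; OS default applies (3 on Vista and later, lower on XP)' }
         0 { 'Send LM and NTLM responses' }
         1 { 'Send LM and NTLM, use NTLMv2 session security if negotiated' }
         2 { 'Send NTLM response only' }
         3 { 'Send NTLMv2 response only' }
         4 { 'Send NTLMv2 only, refuse LM' }
         5 { 'Send NTLMv2 only, refuse LM and NTLM' }
        default { "Unknown level $level" }
    }

    [pscustomobject]@{
        NoLMHash               = $noLmHash
        LmHashStillStored      = ($noLmHash -eq 0)
        LmCompatibilityLevel   = $level
        LmCompatibilityMeaning = $levelText
        Hardened               = ($noLmHash -eq 1) -and ($level -ge 3)
    }
}

Get-LmHashPolicy | Format-List
```

NoLMHash only stops new LM hashes from being written; accounts whose password was set before it took effect still carry one until the next change, so flipping the value needs to be followed by a forced password reset. Passwords of 15 characters or more cannot be stored as an LM hash at all, which is the practical form of the answer's "easy passwords" warning.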

0

On my hard disk encryption system (PGP) I am required to enter the encryption password when returning from hibernation.

From a Suspend, it is not allowed.

GvS

Posted 2008-10-01T12:54:16.317

Reputation: 651

0

If you're using EFS, the hibernate file is NOT encrypted and should be assumed to contain sensitive keying material needed to decrypt EFS files on disk.

If you're using full disk encryption, the hibernate file is encrypted with everything else and this risk is mitigated.

There are a number of attack vectors for BitLocker/TPM, including a number of bus snooping and TEMPEST-style attacks. TPM was not designed to protect your information from a determined TLA but is still quite effective in the real-world general use case.

EFS can be circumvented by cracking a user's password unless meaningful syskey options are enabled to mitigate this risk. EFS is better than nothing, but unless you're using syskey and an Ub3r ra1nb0w table-resistant password, you're not really presenting a significant barrier to compromise of your EFS data in the first place.

Einstein

Posted 2008-10-01T12:54:16.317

Reputation:
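GvS's and Einstein's answers come down to one check: is a hibernation file being written, and is the volume it lands on covered by full-disk encryption rather than EFS alone. The following PowerShell audit is an added example and not part of the original thread; the function name is mine, the registry value and cmdlet names are Microsoft's. It assumes a Windows 8 / Server 2012 or later machine where the BitLocker module is available; on a host without it (or with a third-party product such as PGP) the BitLocker fields are reported as unknown rather than guessed.

```powershell
# Added example (not from the original thread).
function Get-HibernationExposure {
    [CmdletBinding()]
    param()

    # HibernateEnabled is the DWORD that "powercfg /hibernate on|off" toggles.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $hibernateEnabled = ($null -ne $power.HibernateEnabled) -and ([int]$power.HibernateEnabled -ne 0)

    # hiberfil.sys is hidden+system, so use .NET File.Exists rather than
    # Get-ChildItem, which skips such files without -Force.
    $hiberfil        = Join-Path $env:SystemDrive 'hiberfil.sys'
    $hiberfilPresent = [System.IO.File]::Exists($hiberfil)

    # With full-disk encryption the hibernation file sits inside the encrypted
    # volume; with EFS alone it is plaintext and carries the keys for the EFS files.
    $osVolumeEncrypted = $null
    $protection = 'Unknown (BitLocker module not available)'
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $protection        = "$($bl.ProtectionStatus) / $($bl.VolumeStatus)"
        $osVolumeEncrypted = ($bl.ProtectionStatus -eq 'On') -and ($bl.VolumeStatus -eq 'FullyEncrypted')
    } catch {
        # No BitLocker cmdlets (older OS, or third-party FDE such as PGP);
        # leave the result as unknown instead of guessing.
    }

    $assessment = if (-not $hibernateEnabled -and -not $hiberfilPresent) {
        'Low: no hibernation file is written'
    } elseif ($osVolumeEncrypted -eq $true) {
        'Mitigated: hiberfil.sys lives on a BitLocker-protected volume'
    } elseif ($null -eq $osVolumeEncrypted) {
        'Unknown: confirm hiberfil.sys is inside your full-disk encryption boundary'
    } else {
        'High: hiberfil.sys is written to an unencrypted volume'
    }

    [pscustomobject]@{
        HibernateEnabled   = $hibernateEnabled
        HiberfilPresent    = $hiberfilPresent
        OsVolumeProtection = $protection
        OsVolumeEncrypted  = $osVolumeEncrypted
        Assessment         = $assessment
    }
}

Get-HibernationExposure | Format-List
```

Run it elevated. If the assessment is High and hibernation is not needed, `powercfg /hibernate off` removes the file; if hibernation is needed, the fix is to bring the OS volume under full-disk encryption, as Einstein's answer says. This check covers hibernation only; a machine left in sleep keeps its keys in RAM, which is GavinCattell's cold-boot concern and is not addressed here.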