.exe Posted October 3, 2008
It appears the more security-conscious companies have become wise to the hacking community's utilities for password recovery (namely Ophcrack). This utility relies on being able to read the SAM database of a Windows machine by booting into Linux (unless you recover these passwords using a hash dump, which is hard as Windows locks down access to this file when it starts). By encrypting hard drives it's impossible to recover information using a live CD (the distro can't read the SAM because the encryption service starts at preboot). So is anybody working on any kind of workaround for the encryption (probably impossible as this is being rolled out by multiple vendors)? I'm guessing you would need a USB hack or an exploit using Jasager wirelessly in order to get at the hash?
El Di Pablo Posted October 3, 2008
This can be overcome with the cold boot attack.
.exe Posted October 3, 2008
> This can be overcome with the cold boot attack.
This is useful if you can get it running on a standalone USB stick. Can anyone else take this further? Original link is: http://citp.princeton.edu/memory/ The art would be to get this to dump out quickly enough to not require any cooling.
dr0p Posted October 3, 2008
> This can be overcome with the cold boot attack.
Assuming that they have physical control of the computer when the disk is decrypted. If you shut down your computer the normal way the TC driver will erase the password from the RAM.
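The point above depends on the driver actually overwriting the key before the memory is released. A known pitfall is that a plain memset on a buffer that is never read again may be dropped by the compiler as a dead store, leaving the key in RAM. The following C snippet is an added example, not code from this thread or from any disk-encryption product: it wipes a constructed sample key through a volatile pointer (the same idea behind explicit_bzero/memset_s) and checks that the buffer is actually zero afterwards. The key bytes and the function names are illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* secure_wipe: zero a buffer through a volatile pointer so the compiler
 * cannot elide the stores as dead writes (as it legally may with a plain
 * memset on memory that is never read again). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* is_zeroed: return 1 if every byte of p[0..n) is zero, else 0.
 * Uses an OR-accumulator so the time taken does not depend on contents. */
int is_zeroed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* key_wiped_after_use: simulate a driver holding a 256-bit volume key
 * (constructed sample bytes, not real key material), using it, then
 * wiping it on shutdown. Returns 1 if the key was present before the wipe
 * and absent after it, 0 otherwise. */
int key_wiped_after_use(void) {
    unsigned char key[32];

    /* constructed sample key: a recognisable non-zero pattern */
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }

    /* ... the driver would use key here for volume encryption ... */

    int present_before = !is_zeroed(key, sizeof key);
    secure_wipe(key, sizeof key);
    int absent_after = is_zeroed(key, sizeof key);

    return present_before && absent_after;
}

int main(void) {
    printf("key wiped after use: %s\n",
           key_wiped_after_use() ? "yes" : "no");
    return 0;
}
```

Wiping the buffer only helps for an orderly shutdown; a power cut or a pulled battery skips this path entirely, which is exactly the window a cold boot attack relies on.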
.exe Posted October 3, 2008
Would it be possible to attach a USB key to the computer to dump out the RAM and capture the key? The specific system used where I work has integrated this encryption mechanism into the Windows login screen (it unlocks the machine and generates the decryption key).
dr0p Posted October 3, 2008
> Would it be possible to attach a USB key to the computer to dump out the RAM and capture the key? The specific system used where I work has integrated this encryption mechanism into the Windows login screen (it unlocks the machine and generates the decryption key).
Assuming that they have autorun enabled, yes, you should be able to run an app to dump the RAM.
moonlit Posted October 3, 2008
> Would it be possible to attach a USB key to the computer to dump out the RAM and capture the key? The specific system used where I work has integrated this encryption mechanism into the Windows login screen (it unlocks the machine and generates the decryption key).
This is much easier with FireWire because it has direct memory access; it can suck out a dump of the RAM without the OS even knowing.
El Di Pablo Posted October 3, 2008
> Assuming that they have physical control of the computer when the disk is decrypted. If you shut down your computer the normal way the TC driver will erase the password from the RAM.
Ah yes, but the whole reason this attack works is that by cooling the RAM chip, it slows degradation of the memory after it has been shut down. I sat through a talk at Toorcon by Jake Appelbaum, one of the hackers who worked on this attack. He said this technique is the one currently being used by the FBI and DHS. Mr. Appelbaum went on to say that you could swipe the laptop from, say, a coffee shop, cool the RAM chip with the air duster quickly, which buys you 10 more minutes, then you could drop the RAM chip into a thermos of liquid nitrogen. Now you have over an hour to get the chip back to your place to get the encryption keys from RAM. The problem with this attack isn't so much time, it is gaining physical access, which is what you are all proposing anyway.
.exe Posted October 3, 2008
Swiping means you alert the target, and dicking around with liquid nitrogen is not only impractical but if you mess it up it's going to mean you lose your fingers... (although this is useful in a purely educational way). You probably need about 30 seconds to restart the machine and dump the RAM, so cooling may not come into the equation if you're quick enough AND you do it at the target's machine. SpinRite would probably repair the degradation, if any, if you ran it on the dump. So the trade-off for degradation would be fixing the data once it's been grabbed. The two most popular systems are BitLocker (Vista) and Checkpoint (currently being used by IBM and other major brands). What solutions are available for RAM dumping off a USB stick? If it is more practical, then how would you go about doing this via firmware? Breakout box attached to a PCMCIA slot? Moves data to the board, which has RAM powered by a battery. If you can pull this data onto storage, as far as the target knows their computer has just restarted (which you could put down to Windows patches, act of god, sunspots...).
.exe Posted October 16, 2008
PXE booting solves this nicely :D Was I being a noob and not checking the paper properly, or is this a recent implementation? The latest Hak5 episode cleared up a lot of questions.