F1FORCE (posted February 10, 2018):
I need to pentest a notebook with Symantec Endpoint Encryption enabled. The notebook normally connects to the domain controller and has Win7 installed. Is it possible to bypass this kind of security in case of theft? Where do I start? Any help would be appreciated.

digininja (posted February 10, 2018):
Define what you mean by pentest it.

F1FORCE (posted February 10, 2018):
My boss asked me to test the company's new notebooks with full disk encryption activated, to see if it is possible in case of theft to retrieve local data from the disk.

digininja (posted February 10, 2018):
That's not a pentest. First, define your risks, for example, stolen when turned on, turned off, standby, sleep. Then take each of those scenarios and see what state the drive is in and see if you can access it locally or remotely. If it is on and there is VNC with no password then FDE does nothing; if it is off and the password for the encryption is strong then you are likely to be OK. You need to think of all the different things between these two.

F1FORCE (posted February 10, 2018):
The initial scenario is a notebook that is completely off. What I tried is to set up a fake domain controller and try to gain access as a cached domain user, but that didn't work. So I am running out of options. Maybe that's also a good thing for my boss?

digininja (posted February 10, 2018):
Does the machine boot from fully off without requiring a password? If so, look for open ports, see what services it is running that are exposed to see if any of those can be exploited. See what the box calls out to when booted; do any of those include credentials? Can any of those be intercepted? Maybe an app checks for updates that you can intercept and reply with a custom one. I've not kept up on them, but do the FireWire attacks still work? There was a DMA issue where you could read memory. There was a second interface type that also allowed it, can't remember which it was.

F1FORCE (posted February 10, 2018):
It fully boots till the Windows logon screen, so I will check for any open ports/services. Also the FireWire port is worth testing. Thanks for your help.

digininja (posted February 10, 2018):
Check for weak local user passwords and weak domain ones that are cached. Definitely look at the man in the middle for app updates; it can be an easy way to get code running on the box as admin.

F1FORCE (posted February 12, 2018):
Can't execute a DMA/FireWire attack because the FireWire port is not available on the notebook. I set up a fake company domain controller but no results. I scanned for open ports, but nmap finds nothing. Also monitored the network but there was nothing interesting happening. Seems to me a pretty secure notebook ;-)
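The thread ends with "monitored the network but there was nothing interesting happening" without saying what would have counted as interesting. The script below is an added example, not code from the thread or from Symantec; it triages a constructed, tab-separated capture summary of what a pre-logon laptop talks to (the field order is this script's own assumption, loosely modelled on a Zeek-style log) and flags the two things digininja's advice turns on: software fetched over cleartext HTTP before anyone has logged on, and credentials sent in the clear. Each finding carries the mitigation an assessor would put in the report.

```python
"""Triage a capture of what a freshly booted, pre-logon laptop connects to.

Added example for the thread above; not the forum's or any vendor's code.
Input format (an assumption of this script, constructed to look Zeek-like):
  ts  src  dst  dport  service  host  uri  auth_header
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample capture: one boot of a laptop at 10.0.0.50, no user logged on.
SAMPLE_LOG = """\
1518264000.1\t10.0.0.50\t10.0.0.1\t53\tdns\tupdates.example-vendor.test\t-\t-
1518264001.2\t10.0.0.50\t203.0.113.10\t80\thttp\tupdates.example-vendor.test\t/client/latest.exe\t-
1518264002.3\t10.0.0.50\t203.0.113.20\t443\tssl\tcrl.example-ca.test\t-\t-
1518264003.4\t10.0.0.50\t203.0.113.30\t80\thttp\ttelemetry.example-agent.test\t/ping\tBasic YWdlbnQ6cGFzcw==
1518264004.5\t10.0.0.50\t10.0.0.5\t445\tsmb\t-\t-\t-
"""

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".cab", ".zip")
UPDATE_HINTS = ("update", "upgrade", "download", "patch")


@dataclass
class Finding:
    severity: str
    dst: str
    reason: str
    mitigation: str


def parse(log_text):
    """Turn the tab-separated capture into a list of dicts; reject malformed rows."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 8:
            raise ValueError(f"unexpected field count in row: {line!r}")
        ts, src, dst, dport, service, host, uri, auth = parts
        rows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                     "service": service, "host": host, "uri": uri, "auth": auth})
    return rows


def triage(rows):
    """Flag pre-logon traffic that undermines FDE once the laptop is on a hostile network."""
    findings = []
    for r in rows:
        if r["service"] == "http":
            target = (r["host"] + r["uri"]).lower()
            fetches_code = r["uri"].lower().endswith(EXECUTABLE_SUFFIXES)
            looks_like_update = any(h in target for h in UPDATE_HINTS)
            if fetches_code or looks_like_update:
                # Cleartext software fetch: whoever controls the network controls the payload.
                findings.append(Finding(
                    "high", r["dst"],
                    f"cleartext update/download fetch of {r['host']}{r['uri']}",
                    "serve updates over TLS with certificate validation and verify "
                    "code signatures before anything is executed"))
            if r["auth"].startswith("Basic "):
                # HTTP Basic over port 80 is a base64-encoded cleartext credential.
                findings.append(Finding(
                    "high", r["dst"],
                    f"cleartext HTTP Basic credential sent to {r['host']}",
                    "move the agent to TLS and rotate the exposed credential"))
        elif r["service"] == "smb":
            # An SMB client connection before logon means the machine authenticates
            # to whatever answers at that address on an untrusted network.
            findings.append(Finding(
                "medium", r["dst"],
                f"pre-logon SMB client connection to {r['dst']}",
                "restrict outbound SMB to trusted networks and enforce SMB signing"))
    return findings


def summarize(rows):
    """Count connections per (destination, port) so the report lists every callout."""
    return Counter((r["dst"], r["dport"]) for r in rows)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for dst, n in summarize(rows).items():
        print(f"{dst[0]}:{dst[1]}  x{n}")
    for f in triage(rows):
        print(f"[{f.severity}] {f.reason} -> {f.mitigation}")
```

Run it as-is against the constructed sample and it reports two high findings (the .exe fetched over HTTP and the Basic credential) and one medium (pre-logon SMB); feed it a real capture summary in the same shape and an empty finding list is the point at which "nothing interesting" becomes a defensible statement in the report.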