Thursday, September 22, 2011

Windows 7 and Cached Credentials

Recently, I provided some help in assessing the security of a Windows 7 image for a client. Quite fun, given that I'm not a Windows specialist. As usual, I took that as a good opportunity to learn new stuff. All I was given was the laptop, the BitLocker PIN and the admin password.

First approach: global and local policies. In order to do that, I used a spreadsheet from the National Checklist Program. This is very comprehensive and covers several domains. Some of them are not applicable in all cases, but the bulk is really interesting and covers things I wouldn't have thought of at first. I also used some resources from SANS/CIS.

Second: let's test the beast. It was really tightened down, with lots of restrictions, a service that prevents running programs that are not whitelisted, and so on, and disabling that service was greeted with an "Access Denied". How rude. In addition, the firewall is up and running and Forefront protects the whole thing. These two are pieces of cake: services, disable ...

What about safe mode, in which only the necessary services are started? Booting and pressing F8 like crazy doesn't help. But what about running "msconfig" and changing the boot option to "safe mode"? OK, it complains that BitLocker will ask for the recovery token. So? Let's go to the BitLocker manager and get it. Then reboot, BitLocker PIN, BitLocker recovery token, and voila! Safe mode, the service is not started and I can disable it. Next ...

After a quick passage into msconfig to restore the boot options to normal, and another reboot, I'm free and I can run executables as I wish. One down.

My weapon of choice for this is usually Metasploit, first because it gives me a very convenient CLI to access the machine, plus a bunch of scripts to extract information. So "psexec" and "meterpreter" it is. Only to find that the exploit runs into a wall.

By default, Windows 7 machines have the "ADMIN$" share disabled. Whatever, a quick trip to regedit to add a DWORD value (LocalAccountTokenFilterPolicy) set to 1 under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System and I'm good to go! psexec runs fine and I'm in.

Next stop: password and cache dumps. The former works fine, the latter doesn't. Hmmm ... What about Cain&Abel? Same problem ... error. Another trip to the registry to find that HKLM\Security is empty. So no cached credentials there. Unfortunately, my knowledge of Windows - and the time I could spend with the machine - didn't allow me to find whether these were stored somewhere else.
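For the defender side of this story, here is an added audit script (my own, not part of the original post) that checks the three settings the write-up touches: the LocalAccountTokenFilterPolicy value added above, the Winlogon CachedLogonsCount policy that decides whether domain logons are cached in HKLM\SECURITY at all (a value of 0 is the usual reason that hive holds no cached credentials), and a safe-mode flag left behind in the boot configuration. It assumes an elevated PowerShell on the audited machine; the messages and thresholds are mine.

```powershell
# Added example, not the original post's code. Run elevated on the image being audited.
$findings = @()

# 1. Remote UAC token filtering. Setting this to 1 (as the post does to get
#    psexec working) lets local admin accounts use a full token over the network.
#    The value is absent (treated as 0) on a default install.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ltfp = (Get-ItemProperty -Path $sysPol -Name LocalAccountTokenFilterPolicy `
            -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($ltfp -eq 1) {
    $findings += 'LocalAccountTokenFilterPolicy=1: remote UAC filtering is off for local admins'
}

# 2. Domain credential caching. CachedLogonsCount (REG_SZ) is the number of
#    domain logons kept in HKLM\SECURITY; Windows defaults to 10 when unset.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
$cached = if ($null -eq $raw) { 10 } else { [int]$raw }
if ($cached -gt 0) {
    $findings += "CachedLogonsCount=$cached: domain logon verifiers are cached on disk"
}

# 3. Safe-mode boot flag. msconfig writes 'safeboot' into the current BCD
#    entry; if it is still there, the next reboot skips the protective services.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s') {
    $findings += 'BCD {current} has safeboot set: next boot enters Safe Mode'
}

# Summary: no findings means all three settings are in their hardened state.
if ($findings.Count -eq 0) {
    'OK: no remote UAC bypass, no cached domain logons, no safe-mode boot flag'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Removing the LocalAccountTokenFilterPolicy value and setting CachedLogonsCount to 0 (on machines that never need offline domain logon) undoes the two registry-level weaknesses this post relies on.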