I have just had a job explaining to friend that allowing physical access to a PC can reveal quite alot. Even if the PC is off. His problem was understanding that not only can an attacker access all of the information on that PC he can also extract the passwords of anyone who has logged onto it in the past.
So in the scenario where an administrator has logged onto a laptop in the workplace, then the employee takes the laptop home and an unauthorized person has access to the laptop it is relatively easy to reset the local admin password to provide the attacker with admin access to the laptop and from there he can load up some free software and pull off the cached credentials of anyone who has accessed the laptop, such as the administrator from the office.
Obviously it's not just attackers who could do this, a rogue employee could quite easily create a situation where someone with higher levels of access must log onto their PC and then take that laptop home and extract the password that was used.
Tools
- NTPasswd
- Cain & abel
So if the attacker was the employee, he can see who and when another user has logged on to their PC by looking at the Documents and Settings folder and seeing what profiles are created.
Next (this is assuming a standard employee doesn't have admin rights to the PC), after creating a boot disk for a utility such as NTpasswd the PC can be booted with it and the local administrator password can be changed.
After booting up and logging in as the local administrator, the attacker could load a tool such as Cain & Abel and extract the hashes of the cached credentials from that PC.
And then crack them using a number of different methods.
It really is that simple.
Another great tool (although not free) for extracting cached credentials is Elcomsoft's Proactive System Password Recovery tool.
Below is a screenshot of that tool in action on the same PC.
Prevention
Well it's really hard to prevent a rogue employee from doing things like this but things like not giving Domain Admin rights to IT support personnel, and only have an account with domain admin rights to perform domain admin tasks will help. Extra strong password on those accounts is also a really good option. For unauthorized people accessing those laptops, BIOS and boot passwords will make the job harder for them and of course full disk encryption would help loads.
Thats it for this short post.
Links
http://home.eunet.no/pnordahl/ntpasswd/
http://www.oxid.it/
http://www.elcomsoft.com/pspr.html
