13

At work we have laptops with encrypted harddrives. Most developers here (on occasion I have been guilty of it too) leave their laptops in hibernate mode when they take them home at night. Obviously, Windows (i.e. there is a program running in the background which does it for windows) must have a method to unencrypt the data on the drive, or it wouldn't be able to access it. That being said, I always thought that leaving a windows machine on in hibernate mode in a non-secure place (not at work on a lock) is a security threat, because someone could take the machine, leave it running, hack the windows accounts and use it to encrypt the data and steal the information. When I got to thinking about how I would go about breaking into the windows system without restarting it, I couldn't figure out if it was possible.

I know it is possible to write a program to crack windows passwords once you have access to the appropriate file(s). But is it possible to execute a program from a locked Windows system that would do this? I don't know of a way to do it, but I am not a Windows expert. If so, is there a way to prevent it? I don't want to expose security vulnerabilities about how to do it, so I would ask that someone wouldn't post the necessary steps in details, but if someone could say something like "Yes, it's possible the USB drive allows arbitrary execution," that would be great!

EDIT: The idea being with the encryption is that you can't reboot the system, because once you do, the disk encryption on the system requires a login before being able to start windows. With the machine being in hibernate, the system owner has already bypassed the encryption for the attacker, leaving windows as the only line of defense to protect the data.

7

Leaving the machine in hibernate is definately not secure, a vulnerabilty has been found where the RAM still contains the key for the bitlocker (and others) in the hibernating memory. There is already a proof of concept attack out there for this vulnerability.

The method of attack is to quickly reboot the PC and read the contents of the RAM (which isn't lost when power is cut) then a program can search the dump for the key.

http://www.eweek.com/c/a/Security/Researchers-Crack-BitLocker-FileVault/

Microsoft may have already fixed this though.

p.s. normal password changing doesn't affect the encryption though, as the encrypted content isn't accesable without the correct password, so simple password changing boot disks aren't security risks.

5

Obviously, if someone has physical access to the machine, all credentials stored can be considered compromised.

If one can, for example, boot from an USB device or optical drive, one can use point and click tools such as Ophcrack to recover all passwords. Instructions here: USB Ophcrack | Windows Login password cracker

Edit: Yes, I'm aware that you theoretically can't get back into an "encrypted hard drive" if the machine is rebooted. Whether or not that claim holds depends entirely on the software used to access the encrypted partitions. BitLocker seems to do a decent job, but many earlier implementations were basically a joke - and if you can access the machine it's trivially easy to dump the SAM database to the USB stick and perform the cracking offline.

4

As was mentioned by workmad3, the best way to attack a machine that's locked without rebooting is to see how vulnerable it is from a network connection.

This will depend on the security policies in place on your network. For instance, do all domain accounts have administrative access to these PCs? If so, check the default share (\pc-name\c$). If the default share has been turned on for any reason, you have access to the entire contents of the PC over the network with your own account. I'm not sure if this works with an encrypted hard drive, but it would be pretty easy to test.

Once you have access to the PC remotely, you can use tools like the Sysinternals PsExec tool to execute programs remotely.

Of course, that's just one vector of attack, and it might not even work with encrypted hard drives, but it gives you an idea of what could be done.

EDIT: If the laptops have an active Firewire Port you could take a look at to this vulnerability. Again, I don't know if this would help with an encrypted machine, since it's based on direct memory access (which should be encrypted).

2

Well, my first thought would be to wake it out of hibernate, get to the password screen and then start seeing what is vulnerable through the network connection. If the actual machines network security isn't up to scratch then you could get access to a lot of the information this way.

1

Yes, it is possible to break into a windows operating system by using a bootable program like, Windows Password Recovery. As far as I know there really is no way to keep this from happening except for making a password with minimum 8 characters long, and at least 1 symbol, 1 number, and 1 upper-case letter. Using Brute Force the only thing really on your side would be the time it takes to get into the laptop or any computer.

0

What kind of encryption are you using? BitLocker? Encrypted filesystem? Without knowing, I can't directly answer your question.

In any case, your security would be as good as the weakest link. You need to ensure all the latest security patches are installed promptly. Otherwise, tools like MetaSploit can be used to test known vulnerabilities and gain user or admin access.

0

Vista and XP-sp3 are much less vunerable than earlier OSs which stored a simply encrypted password for LANMAN comptibility. You can still crack easy passwords using some very large rainbow tables but it is otherwise pretty secure from tools like ophcrack.

0

On my harddisk encryption system (PGP) I am required to enter the encryption password when returning from hibernation.

From a Suspend, it is not allowed.

0

Programs like TrueCrypt will encrypt the data in RAM during hibernation. This will foil such attempts and the machine would be secure.

0

1rd Method: Try following trick which is actually a loophole in Windows XP Setup and a big security hole:

A. Boot using Windows XP Setup CD and follow the instruction like Accepting EULA, etc.

B. When it asks to repair your existing Windows installation, accept it and press "R" to run the repair.

C. Setup will start repairing your Windows and will start copying files, etc.

D. After a few minutes setup will restart your system and when it restarts don't press any key when it shows "Press any key to continue..." otherwise Setup will start from the beginning. Don't press any key and setup will resume where it left.

E. Now it'll start doing other tasks and will show a small progressbar with a few details in left side.

F. Look carefully at the details and when it shows "Installing devices", press +F10 keys in your keyboard.

G. It'll open a Command Prompt window. Now type nusrmgr.cpl and press .

H. It'll open the same "User Accounts" window which you see in Control Panel.

I. Now you can remove or reset any account password without any problem.

2th Method: There are many 3rd party utilities which claim to reset forgotten Windows password: The program that I recommend is the Windows Password Key 8.0. It is a very quick and useful utility for resetting passwords. It not only supports XP, 2000, and NT, I have personally tested it with Vista Home Premium and Ultimate. It works perfectly to reset any local user account to a blank password. Just an easy to use bootable CD/DVD . It can also be used on a USB Flash Drive. http://www.lostwindowspassword.com/

0

All the above are great suggestions, if you actually know the password, but since the problem is that, the password has been forgotten/hacked or whatever, my suggestion is this neat program(Windows Password Recovery Tool 3.0) from PasswordSeeker, it lets you reset/delete user passwords, it is a legal app. and very useful, i've used it on a few PC's including my own and it works, http://www.windowspasswordsrecovery.com

0

lost windows password? There are 4 methods to recover windows password:

Method 1: Take a rest, and try hard to remember the forgotten password

Method 2: Try No Password Administrator Login Backdoor

Method 3: Reset password from another user account with administrator credentials

Method 4: Do-It-Yourself (DIY) third party recovery tool Such as Advanced Windows Password Recovery 3.0 I used it and succeed to log in. download from: http://www.recoverwindowspassword.com