1
00:00:02,240 --> 00:00:09,100
Technological security solutions won't protect you from local attacks. A local attack occurs when the

2
00:00:09,100 --> 00:00:14,770
attacker has physical access to a given element of the network.

3
00:00:14,950 --> 00:00:19,810
You can protect your network against this type of attack by restricting physical access to computers.

4
00:00:21,920 --> 00:00:22,760
To achieve that,

5
00:00:22,760 --> 00:00:37,980
you can employ specialized firms, set up cameras, or lock the server room door.

6
00:00:38,110 --> 00:00:41,940
We will now do an exercise that will show how serious a local attack can be.

7
00:00:43,880 --> 00:00:47,080
The exercise is as follows.

8
00:00:47,100 --> 00:00:53,770
There are two computers on which a system other than the default one has been booted.

9
00:00:53,870 --> 00:00:57,800
The first one was run with a Microsoft tool.

10
00:00:57,960 --> 00:01:04,610
It's called DaRT, and it's part of the Microsoft Diagnostics and Recovery Toolset. This tool allows you

11
00:01:04,610 --> 00:01:07,120
to change users' passwords offline,

12
00:01:07,610 --> 00:01:15,030
that is, without booting the primary operating system. In the case of the other computer,

13
00:01:15,340 --> 00:01:20,850
one of the functionalities of the Offline NT Password & Registry Editor was used.

14
00:01:20,920 --> 00:01:25,640
It's a widely available free program which allows you to delete a local user's password.

15
00:01:27,870 --> 00:01:34,840
In both cases, a person who gets physical access to the computers will gain administrator privileges.

16
00:01:35,010 --> 00:01:40,030
It takes as much time as turning on the computer, turning it off, and turning it on again.

17
00:01:41,900 --> 00:01:43,410
Let's try that for ourselves.

18
00:01:47,770 --> 00:01:49,880
We'll start with an attack on Windows 7.
19
00:01:51,760 --> 00:01:59,480
A word of explanation: put the CD into the drive. The computer is booting from the CD and not from the hard

20
00:01:59,480 --> 00:02:00,580
drive.

21
00:02:00,800 --> 00:02:04,030
Right now DaRT is being loaded, and it will start up in a minute.

22
00:02:06,660 --> 00:02:11,060
The passwords of Windows local users are stored in the same file.

23
00:02:11,070 --> 00:02:18,060
This is the Security Account Manager file, and the passwords in the file are encrypted.

24
00:02:18,060 --> 00:02:24,210
It's called multiple encryption. Despite such protection, using DaRT

25
00:02:24,240 --> 00:02:29,620
you can modify the file, and using the NT Password & Registry Editor you can delete it.

26
00:02:32,750 --> 00:02:37,180
Encryption doesn't protect against the modification or deletion of information.

27
00:02:38,600 --> 00:02:40,630
It only protects its confidentiality.

28
00:02:43,110 --> 00:02:49,420
DaRT tools can only be obtained by Microsoft Partner Program members.

29
00:02:49,450 --> 00:02:56,140
The software isn't publicly available, but it's often needed. It comes in handy when a user forgets her

30
00:02:56,140 --> 00:02:59,920
password or when a system is attacked by a virus that can't be deleted.

31
00:03:02,770 --> 00:03:07,510
In the first case, you can change the password of a local user who doesn't have a domain account in any

32
00:03:07,510 --> 00:03:08,580
given company.

33
00:03:10,220 --> 00:03:16,520
In the second case, you can start the computer with DaRT and then start an antivirus scan or anti-rootkit

34
00:03:16,520 --> 00:03:17,180
tool

35
00:03:17,270 --> 00:03:18,290
in this environment.

36
00:03:21,060 --> 00:03:27,270
This is much more effective than starting the already infected system once again.

37
00:03:27,450 --> 00:03:31,610
We won't initialize network connectivity.

38
00:03:31,630 --> 00:03:33,480
We would like to remap the drives.

39
00:03:39,540 --> 00:03:44,940
We choose the American keyboard layout.
40
00:03:45,110 --> 00:03:49,260
Now DaRT is gathering information on the operating system installed on the computer.

41
00:03:52,290 --> 00:03:55,710
Shortly, Windows 7 should be recognized as the operating system.

42
00:04:03,220 --> 00:04:04,050
As you can see,

43
00:04:04,050 --> 00:04:08,950
it looks like the standard recovery tool window that you would use to create a startup disk in every version

44
00:04:08,950 --> 00:04:11,600
of Windows.

45
00:04:11,750 --> 00:04:13,670
We will choose an additional option:

46
00:04:15,630 --> 00:04:22,250
Microsoft Diagnostics and Recovery Toolset.

47
00:04:22,430 --> 00:04:30,170
You can see a graphical interface presenting a set of tools. One of the tools, called Locksmith, allows you

48
00:04:30,170 --> 00:04:34,680
to reset a local account's password. Let's start Locksmith.

49
00:04:37,990 --> 00:04:40,780
Which account's password would we like to change?

50
00:04:40,840 --> 00:04:42,610
For example, the Administrator account.

51
00:04:45,380 --> 00:04:49,940
The Microsoft Diagnostics and Recovery Toolset won't allow us to skip setting a new password.

52
00:04:53,210 --> 00:04:57,980
Now we'll choose a password that you normally wouldn't use because it's too easy to guess.

53
00:04:59,780 --> 00:05:03,760
The new password is "pass".

54
00:05:03,800 --> 00:05:09,190
Then you click Next, and the whole procedure is over.

55
00:05:09,280 --> 00:05:11,980
You can change every user's password in this way.

56
00:05:14,740 --> 00:05:19,130
Next, you shut down the program, remove the CD, and start the computer again.

57
00:05:23,960 --> 00:05:26,360
Now the operating system will boot normally.

58
00:05:29,170 --> 00:05:32,590
The string of letters we've typed will now be the Administrator password

59
00:05:35,180 --> 00:05:37,080
after the system is booted.

60
00:05:37,610 --> 00:05:41,820
We can log in to the Administrator account by typing "pass" into the password box.

61
00:05:45,090 --> 00:05:47,710
Microsoft is concerned about security.
62
00:05:47,730 --> 00:05:51,620
So Windows requires us to change the current password after the first startup.

63
00:05:56,650 --> 00:06:01,420
When the password is changed, we'll be able to log in with full administrator privileges.