My Tuesday Session Offline Access Demo - TechEd New Orleans

Thank you for attending my session! Please remember to do the evaluation - it is extremely important for me! :)

Here is the summary for the Offline Access Demo. In the blog post you will also find the PowerShell scripts I was using: https://blogs.technet.com/b/plwit/archive/2010/05/08/visual-studio-2010-community-launch-i-demo.aspx. The scripting language is the same everywhere, so don't worry about the Polish content of the blog post ;)

Enjoy!

Summary (1): The demo shows how the system can be made unusable by an inappropriate AppLocker configuration. It then shows how to recover from this situation by editing the registry offline. The purpose is to show that it is possible to bypass the security mechanisms of the OS when you have offline access to the disk. I will NOT be playing with the ACLs.

Action:

1. Start the Application Identity service. Make sure its startup type is Automatic.

2. Create an AppLocker rule without the default rules -> click "No" at the end of the wizard when it offers to create the default rules for the first rule.

3. Wait one minute. See how AppLocker with no default rules works.

4. Log off. Log on. See the result.

5. Boot from the Windows 7 / 2008 R2 / Vista / 2008 CD. Go to Repair mode and open a command prompt (cmd).

6. Type "regedit". Select the HKEY_LOCAL_MACHINE key. From the File menu, click Load Hive and load the SYSTEM hive of the offline installation from: %SystemDrive%\Windows\System32\config\SYSTEM.

7. Go to the Select key of the loaded hive and check which control set is the "Current" one (the Current value holds the N of ControlSet00N).

8. Go to ControlSet00X\Services\AppIDSvc (X being the number from the previous step) and change the Start value to 4.

9. Reboot. See the result.

Why 4? See the start values below:

0x0 Boot
0x1 System
0x2 Automatic
0x3 Manual
0x4 Disabled
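As an added example (my own code, not one of the scripts from the original post), here is a read-only PowerShell audit of the two things the demo manipulates: the Start value of AppIDSvc in the current control set (resolved through HKLM\SYSTEM\Select\Current exactly as in steps 7 and 8), and whether the effective AppLocker policy has a rule collection that is enforced without an allow rule for the Windows folder, which is the lock-out condition from steps 2 to 4. It assumes an elevated session on Windows 7 / Server 2008 R2 or later with the AppLocker module available; the function names and the `-SystemHive` parameter are mine.

```powershell
# Added example (not from the original post): read-only audit of the state the demo changes.
# Assumptions: elevated session, Windows 7 / 2008 R2 or later, AppLocker module present.

Import-Module AppLocker -ErrorAction Stop

# Service Start values, as listed in the post
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-CurrentControlSetPath {
    # $SystemHive can point at a loaded offline hive (e.g. HKLM:\Offline) instead of the live one
    param([string]$SystemHive = 'HKLM:\SYSTEM')
    # Select\Current holds N for the ControlSet00N the system booted from
    $n = (Get-ItemProperty -Path (Join-Path $SystemHive 'Select') -Name Current).Current
    '{0}\ControlSet{1:D3}' -f $SystemHive, [int]$n
}

function Get-AppIdSvcStartState {
    param([string]$SystemHive = 'HKLM:\SYSTEM')
    $key   = Join-Path (Get-CurrentControlSetPath -SystemHive $SystemHive) 'Services\AppIDSvc'
    $start = [int](Get-ItemProperty -Path $key -Name Start).Start
    [pscustomobject]@{
        Key       = $key
        Start     = $start
        StartName = $StartNames[$start]
        # 4 (Disabled) is what the offline edit in the post sets; AppLocker then enforces nothing
        Disabled  = ($start -eq 4)
    }
}

function Get-AppLockerCollectionSummary {
    # Effective policy as XML: one RuleCollection per type (Exe, Dll, Script, Msi, ...)
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $rules = @($rc.ChildNodes | Where-Object { $_.LocalName -like '*Rule' })
        # The default rules allow %WINDIR%\* (and %PROGRAMFILES%\*); without the first one the OS itself is blocked
        $allowsWindir = @($rules | Where-Object {
            $_.Action -eq 'Allow' -and $_.Conditions.FilePathCondition.Path -like '%WINDIR%*'
        }).Count -gt 0
        [pscustomobject]@{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = $rules.Count
            AllowsWindir    = $allowsWindir
            # The situation from the demo: enforced, has rules, but nothing allows the Windows folder
            LockoutRisk     = ($rc.EnforcementMode -eq 'Enabled' -and $rules.Count -gt 0 -and -not $allowsWindir)
        }
    }
}

Get-AppIdSvcStartState | Format-List
Get-AppLockerCollectionSummary | Format-Table -AutoSize
```

To check a disk you have mounted from another running system rather than the live registry, load its hive first with `reg load HKLM\Offline <drive>:\Windows\System32\config\SYSTEM` and call `Get-AppIdSvcStartState -SystemHive 'HKLM:\Offline'`; the control-set resolution then follows the Select key of that offline hive, which is the same lookup the demo does by hand in regedit.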

Summary (2): I used a custom DLL that intercepts the user's password. This and any other DLL can be registered here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> Notification Packages. The feature is called PASSFILT (password filter).
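The flip side of that registry location is that it is also where a defender looks. The following is an added example (my own code, not the DLL or scripts from the session) that lists every entry of the LSA "Notification Packages" value, checks that the corresponding DLL exists under System32, reads its Authenticode signature, and flags anything outside a baseline. It assumes an elevated session; the baseline list (`scecli`, plus `rassfm` on servers) is what I would expect on a typical host and is an assumption of the example, not a published list, so adjust it to your own build.

```powershell
# Added example (not from the original post): audit the LSA "Notification Packages" list.
# A DLL registered here is loaded by LSASS and is handed every password change in plaintext,
# so any entry outside the expected baseline deserves a look.
# Assumptions: elevated session; the baseline below is an assumed expectation for this host.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @('scecli', 'rassfm')   # assumed baseline, adjust per build/role

function Get-LsaNotificationPackageReport {
    param([string[]]$ExpectedPackages = $Baseline)
    # REG_MULTI_SZ: one DLL base name per entry, loaded from %SystemRoot%\System32
    $packages = @((Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages')
    foreach ($name in $packages) {
        $leaf   = if ($name -like '*.dll') { $name } else { "$name.dll" }
        $file   = Join-Path $env:SystemRoot ('System32\{0}' -f $leaf)
        $exists = Test-Path -Path $file
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }
        [pscustomobject]@{
            Package    = $name
            Path       = $file
            Exists     = $exists
            Signature  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            InBaseline = ($ExpectedPackages -contains $name)
            # Worth escalating: unknown name, missing file, or a DLL LSASS loads that is not validly signed
            Review     = (-not ($ExpectedPackages -contains $name)) -or (-not $exists) -or ($sig -and $sig.Status -ne 'Valid')
        }
    }
}

Get-LsaNotificationPackageReport | Format-Table -AutoSize
```

A change to this value only takes effect after a reboot, so the value itself is the thing to monitor and baseline; on a domain controller the same check matters most, because that is where the DLL would see every domain password change.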

Author: Paula Januszkiewicz [MVP]

Comments

  • Anonymous
    January 01, 2003
    @Stephen - Are you sure that service is running on the user account? Are you running the console with SYSTEM privileges? Use psexec -s -i -d cmd.exe and then try.

  • Anonymous
    January 01, 2003
    Thank you Paulo! Hmm, interesting... It should be working; in my demo I used it on W2k8 R2 (x64 only) and it worked. Regarding 2003, I will test and let you know! :) Remember to run the SAPD tool with SYSTEM privileges! What is the message when you try to run SAPD?

  • Anonymous
    January 01, 2003
    Hi Paula, That was a very interesting and funny session. One question though - what is the name of the utility you used to extract the service account password, and where can we get it? Thank you!

  • Anonymous
    January 01, 2003
    Thank you! :) DLL is mine - you won't find it on the web, but you will find other libraries for Notification Package.

  • Anonymous
    January 01, 2003
    @Anatoly Ivanov probably (I don't see Paula's session)   zine.net.pl/.../SAPD.zip described in that post: zine.net.pl/.../retrieve-services-user-account-password.aspx

  • Anonymous
    January 01, 2003
    Hi All! The name of the tool that I used during my presentation is SAPD. It was created by 'mgrzeg' (my friend developer) and can be downloaded here:  zine.net.pl/.../SAPD.zip Use with psexec tool (-s -i -d parameters!) to run the cmd on the SYSTEM account! Good luck and thank you for attending my session! Take care!

  • Anonymous
    January 01, 2003
    This was the best session I've attended so far.  It was informative and entertaining.  And since it came from a fellow 'WIT' it made it even better.  Totally Awesome! Thanks Paula!

  • Anonymous
    June 08, 2010
    Nice session today! Thank you, it was very cool!

  • Anonymous
    June 08, 2010
    Hi Paula, I was at your session, but where can I find the sapd.exe or the getif tool? Greets, Patrick

  • Anonymous
    June 09, 2010
    Hi, great session... It is always nice that we have representatives like you out in the world :-) Greetings

  • Anonymous
    June 11, 2010
    Great session Paula, very informative and entertaining as well!  I am getting my bachelors degree in Internet System Security and found your session invaluable.  Thanks again!

  • Anonymous
    July 15, 2010
    Loved your presentation. Wonderful. You feed my belief about more work to come.

  • Anonymous
    August 28, 2010
    Hi Paula, first I want to say, great session!! I did as you said and tested the SAPD tool; it seems it doesn't work on x64 architectures, specifically Windows Server 2003. Am I correct? Regards, Paulo Oliveira.

  • Anonymous
    December 27, 2010
    I like this session, especially because of your comments in between. I learned a lot of technical things from this session.

  • Anonymous
    March 14, 2011
    Hi Paula, that was a fantastic session you presented. I might have missed something, but where did you get the .dll you put on the DC from?

  • Anonymous
    April 29, 2011
    When I try to run the SAPD tool on a 2003 server I get the following error: "Secret for this service doesn't exist in the registry!" The tool does work on windows 7 and 2008 server. Please advise, thank you!