My Tuesday Session Offline Access Demo – TechEd New Orleans


Thank you for attending my session! Please remember to do the evaluation - it is extremely important for me! 🙂

Here is the summary for the Offline Access Demo. In the blog you will also find the PowerShell scripts I was using: http://blogs.technet.com/b/plwit/archive/2010/05/08/visual-studio-2010-community-launch-i-demo.aspx. The scripting language is the same everywhere, so don't worry about the Polish content of the blog post 😉

Enjoy!

Summary (1): The demo shows the possibility of a system crash with an inappropriate AppLocker configuration. Then the demo shows how to recover from this situation by editing the registry offline. The purpose is to show that it is possible to bypass the security mechanisms in the OS. I will NOT be playing with the ACLs.

Action: 

1. Start the Application Identity service. Make sure that it has the Automatic start.

2. Create the AppLocker rule without the default rules → click "No" at the end of the wizard for the first rule.

3. Wait one minute. See how AppLocker with no default rules works.

4. Logoff. Logon. See the result.

5. Boot from the Windows 7/2008R2/Vista/2008 CD. Go to the Repair mode and run the cmd.

6. Type "regedit". Select the Local Machine key. From the File menu, click Load Hive and load the registry hive in offline mode from %SystemDrive%\Windows\System32\config → SYSTEM.

7. Go to the Select key and check which control set is the Current one.

8. Go to ControlSet00X\Services\AppIDSvc and change the Start value to 4.

9. Reboot. See the result.

Why 4? See the start values below:

0x0 Boot
0x1 System
0x2 Automatic
0x3 Manual
0x4 Disabled
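The offline hive inspection from steps 6-8, as an added PowerShell example that is not part of the original post or its scripts: it loads the SYSTEM hive from the offline Windows installation, resolves the Current control set via the Select key, decodes the AppIDSvc Start value with the table above, and only with -Disable applies the step-8 change. It assumes an elevated (or SYSTEM) PowerShell prompt with reg.exe available and takes the offline OS drive letter as a parameter, since inside the Repair cmd it is often not C:.

```powershell
# Added example (not from the original post): inspect an OFFLINE SYSTEM hive as in
# steps 6-8. Assumptions: elevated/SYSTEM prompt, reg.exe present, offline OS drive
# letter passed in (-OfflineDrive), temporary mount name free under HKLM.
param(
    [string]$OfflineDrive = 'C:',          # assumption: set to the offline Windows drive
    [string]$MountName    = 'OfflineSYS',  # temporary mount point under HKLM
    [switch]$Disable                       # apply step 8 (Start = 4) instead of read-only
)

# Service Start values exactly as listed in the summary.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$hivePath = Join-Path $OfflineDrive 'Windows\System32\config\SYSTEM'
if (-not (Test-Path $hivePath)) { throw "SYSTEM hive not found at $hivePath" }

# Step 6: load the offline hive under HKLM (same as File > Load Hive in regedit).
& reg.exe load "HKLM\$MountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg.exe load failed; run from an elevated or SYSTEM prompt' }

try {
    # Step 7: the Select key says which ControlSet00X is the Current one.
    $current = (Get-ItemProperty "HKLM:\$MountName\Select" -Name Current).Current
    $csName  = 'ControlSet{0:D3}' -f [int]$current
    $svcKey  = "HKLM:\$MountName\$csName\Services\AppIDSvc"
    if (-not (Test-Path $svcKey)) { throw "AppIDSvc key not found under $csName" }

    $start = [int](Get-ItemProperty $svcKey -Name Start).Start
    Write-Host ("Current control set : {0}" -f $csName)
    Write-Host ("AppIDSvc Start      : 0x{0:X} ({1})" -f $start, $StartNames[$start])

    if ($Disable) {
        # Step 8: Disabled (4) keeps Application Identity from starting on the next
        # boot, so the misconfigured AppLocker policy can be fixed from a working logon.
        Set-ItemProperty $svcKey -Name Start -Value 4 -Type DWord
        Write-Host 'AppIDSvc Start set to 4 (Disabled); reboot to apply (step 9).'
    }
}
finally {
    # Always unload, otherwise the hive file stays locked.
    [gc]::Collect()   # release registry provider handles before unloading
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run without -Disable first to confirm you are looking at the right control set and the current Start value before changing anything.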

Summary (2): I used a custom DLL that intercepts users' passwords. This and any other DLL can be added here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa → Notification Packages. The feature is called PASSFILT.
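Because any DLL listed in Notification Packages is loaded by LSA on every password change, the defensive counterpart to this demo is to audit that value. The following is an added PowerShell example, not part of the original post: it reads the multi-string value, compares each entry against an assumed Windows baseline (scecli everywhere, plus rassfm on domain controllers; adjust this to your own build documentation), and checks whether the DLL exists in System32 and carries a valid Authenticode signature.

```powershell
# Added example (not from the original post): audit LSA Notification Packages
# (PASSFILT DLLs) on the local machine. Baseline names below are an assumption;
# verify them against your own golden-image documentation.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty $lsaKey -Name 'Notification Packages').'Notification Packages'

# DomainRole 4 = backup DC, 5 = primary DC; DCs additionally register rassfm.
$isDc     = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
$baseline = @('scecli') + $(if ($isDc) { 'rassfm' } else { @() })

foreach ($pkg in $packages) {
    if ([string]::IsNullOrWhiteSpace($pkg)) { continue }
    # LSA resolves each entry as <name>.dll from System32; the value holds no path.
    $dll    = Join-Path $env:SystemRoot "System32\$pkg.dll"
    $status = if ($baseline -contains $pkg) { 'baseline' } else { 'NON-DEFAULT' }
    if (Test-Path $dll) {
        $sig    = Get-AuthenticodeSignature $dll
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                  else { "signature $($sig.Status)" }
    } else {
        $signer = 'DLL NOT FOUND in System32'
    }
    '{0,-12} {1,-12} {2}' -f $pkg, $status, $signer
}
```

Anything reported as NON-DEFAULT, unsigned, or missing deserves the same scrutiny as the demo DLL; the value is also a natural candidate for change monitoring on domain controllers.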

Author: Paula Januszkiewicz [MVP]

Comments (18)

  1. Anonymous says:

    @Stephen – Are you sure that service is running on the user account? Are you running the console with SYSTEM privileges? Use psexec -s -i -d cmd.exe and then try.

  2. Anonymous says:

    Thank you Paulo!

    Hmm, interesting… It should be working, in my demo I used it on W2k8 R2 (only x64) and it worked. Regarding 2003, I will test and let you know! 🙂

    Remember to run SAPD tool with SYSTEM privileges!

    What is the message while you try to run SAPD?

  3. Anonymous says:

    Hi Paula,

    That was a very interesting and funny session.

    One question though – what is the name of the utility you used to extract the service account password, and where can we get it?

    Thank you!

  4. Anonymous says:

    Thank you! 🙂

    DLL is mine – you won't find it on the web, but you will find other libraries for Notification Package.

  5. Anonymous says:

    @Anatoly Ivanov probably (I didn't see Paula's session)

    zine.net.pl/…/SAPD.zip described in that post: zine.net.pl/…/retrieve-services-user-account-password.aspx

  6. Anonymous says:

    Hi All!

    The name of the tool that I used during my presentation is SAPD. It was created by 'mgrzeg' (my friend developer) and can be downloaded here:  zine.net.pl/…/SAPD.zip

    Use with psexec tool (-s -i -d parameters!) to run the cmd on the SYSTEM account!

    Good luck and thank you for attending my session! Take care!

  7. Anonymous says:

    This was the best session I've attended so far.  It was informative and entertaining.  And since it came from a fellow 'WIT' it made it even better.  Totally Awesome! Thanks Paula!

  8. Roberto Di Lello says:

    Nice session today! Thanks you, it was very cool!

  9. Patrick Beullens says:

    Hi Paula

    I was at your session, but where can I find the sapd.exe?

    or the getif tool?

    greets

    Patrick

  10. Hi,

    great session…

    It's always nice that we have such representatives in the world as you 🙂

    Regards

  11. Michael B says:

    Great session Paula, very informative and entertaining as well!  I am getting my bachelors degree in Internet System Security and found your session invaluable.  Thanks again!

  12. He MsWiT says:

    Loved your presentation. Wonderful. You feed my belief about more work to come.

  13. Paulo Oliveira says:

    Hi Paula,

    first I want to say, great session!! I did as you said and tested the SAPD tool, it seems it doesn't work on x64 architectures, specifically Windows Server 2003.

    Am I correct?

    Regards,

    Paulo Oliveira.

  14. Jeelani Munawar says:

    I liked this session, especially your comments in between the session. I learned a lot of technical things from this session.

  16. Nick P says:

    Hi Paula,

    That was a fantastic session you presented, I might have missed something, but where did you get the .dll you put on the DC from?

  17. Stephen L says:

    When I try to run the SAPD tool on a 2003 server I get the following error:

    "Secret for this service doesn't exist in the registry!"

    The tool does work on windows 7 and 2008 server.

    Please advise, thank you!

  18. Sorin says:

    Wtf r u all talking about, people? What sessions did these people attend, Paula?

    Sorin.
