PaulDotCom mailing list archives

Kon-Boot on a USB


From: dradapter at gmail.com (Dr Adapter)
Date: Wed, 8 Jul 2009 21:51:06 -0700

mOses,

What I found with Checkpoint/Pointsec FDE is that it does not work
regardless of whether WIL is enabled or not. I had originally thought it did work
when WIL (auto pre-boot login - urg) was enabled but it acts differently
once the system is encrypted. Checkpoint FDE is reboot tolerant during its
encryption process so it worked fine up until it reached 100%.

My thought is that the tool may need to read the disk to determine what it
is going to load into memory: Win XP, 7 or Linux (I don't know enough about
how it works to know for sure). Once it is encrypted it's a non-starter.

Does LUKS encrypt the whole drive with a pre-boot auth or does it leave
enough behind unencrypted for kon-boot to determine what to load?

D
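
The LUKS question above comes down to which filesystems are readable before the passphrase is entered. On a typical Debian/Ubuntu LUKS install the root filesystem lives inside a dm-crypt mapping, but /boot (kernel and initramfs) sits on a plain partition, so the answer depends on the exact layout of the machine being tested. The script below is an added example by the editor, not code from the thread or from Kon-Boot: it parses the key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` (the sample lines are constructed, not captured from a real host) and reports which mountpoints are backed by a crypt device and which are plaintext. Run it against the real `lsblk -P` output of a host to audit that layout.

```python
import re

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output
# for a typical LUKS-on-LVM install (not captured from a real host).
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="sda2_crypt" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2_crypt"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="sda2_crypt"
"""

# One KEY="value" pair as emitted by lsblk -P.
_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` output into a dict keyed by device NAME."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(_PAIR.findall(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name, devices):
    """True if the device, or any ancestor in its PKNAME chain, is a dm-crypt mapping."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name]["TYPE"] == "crypt":
            return True
        name = devices[name]["PKNAME"]  # walk up to the parent block device
    return False


def classify_mounts(text):
    """Map every mounted filesystem to 'encrypted' or 'plaintext'."""
    devices = parse_lsblk_pairs(text)
    result = {}
    for name, dev in devices.items():
        mountpoint = dev["MOUNTPOINT"]
        if mountpoint:
            result[mountpoint] = "encrypted" if is_encrypted(name, devices) else "plaintext"
    return result


def plaintext_mounts(text):
    """Mountpoints readable without the LUKS passphrase, sorted for stable output."""
    return sorted(mp for mp, state in classify_mounts(text).items() if state == "plaintext")


if __name__ == "__main__":
    # Usage: python3 this.py, or pipe real output in place of SAMPLE_LSBLK.
    for mp, state in classify_mounts(SAMPLE_LSBLK).items():
        print(f"{mp:8} {state}")
```

With the constructed sample the script flags /boot as plaintext and / and swap as encrypted, which is the usual LUKS picture: the kernel and initramfs are readable and modifiable before pre-boot auth, while the root filesystem is not.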



-----Original Message-----
From: mOses <trklisted at networksamurai.org>

Date: Wed, 08 Jul 2009 23:17:32
To: PaulDotCom Security Weekly Mailing List<pauldotcom at mail.pauldotcom.com

Subject: Re: [Pauldotcom] Kon-Boot on a USB


Well I can tell you that it will work against Active Directory accounts,
HOWEVER when you read the documentation and in your testing what
you'll find is that since the credentials entered do not match the
active directory network credentials you don't have access to network
resources. It would seem to me that what this does is that it will
patch the system in memory in order to tell the local system service
(or winlogon) that your username did match what was in the LSASS
process (or something to that).

Now what I was trying to prove was that it will work when WIL (Windows
Integrated Login, meaning no actual password prompt in the FDE/WDE in
Pointsec is required) is enabled.

Now secondly, and more interestingly, I tested this on an encrypted
Debian system by entering the decryption password (which is different
from root's) and it worked! (kon-usr was able to log in!)

So basically COLD-BOOT attack against LUKS + Kon-Boot on ubuntu/debian
will work.... scary.

M
On Jul 8, 2009, at 10:27 PM, PJ Velasco wrote:

I use PGP Desktop 9.10 full disk encryption on a Windows XP SP3 laptop
and it did not work because I got the PGP prompt to unlock the disk
after the initial KonBoot splash screen.  I entered my PGP password to
continue the boot process, but I had to enter my actual Windows
credentials at the Windows login screen to successfully log in, so no
go even if someone knows the PGP password.  I also have an Ubuntu 9.10
laptop running disk encryption and the result was just like the PGP
result.  I successfully got it to work on a Debian system (VMware
guest), but not my Fedora Core system (again VMWare guest).  Very
sweet tool.  I showed all the guys at work and they loved it.
Tomorrow we are going to see if it will work with an Active Directory
account.  I have only tested with local accounts.

On Wed, Jul 8, 2009 at 9:16 PM, mOses <trklisted at networksamurai.org> wrote:
Just wanted to put my 2 cents on testing for everyone on the list
interested.

Kon-Boot on a Windows XP SP3 box w/ TrueCrypt WDE (FDE) did not work.
Gave me an error about the BIOS being too big and that it wanted me to
change the motherboard(?)

Kon-Boot on a Windows Vista Business running PointSec for PC (server/
client edition) with Windows Integrated Login (which I don't enjoy
having) did not work either. Dies right before the OS loads.

Irongeek USB Boot did not work at all on that box it hung at a place
before that (loading the Pointsec system).

Anyone else try with Bitlocker or another type of FDE/WDE like PGP
enterprise?

I think the author can fix these issues or if he opens the source
someone else may do it, although it was all written in TASM32 so
probably only those who remember what TSR programs were can do it :)

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
