PaulDotCom mailing list archives

Re: Locked down laptop help

From: Tim Krabec <tkrabec () gmail com>
Date: Wed, 30 Mar 2011 13:35:55 -0400

it looks like there is a "feature" called bit locker to go.  I'd image the
drive(writeblocker blah blah blah), then try to mount the imaged drive as a
removable drive off a usb converter on a different machine.

I've not played with bitlocker yet, but you should not screw up the
origional if you've imaged it and only play with the image

On Wed, Mar 30, 2011 at 1:20 PM, Jason Jarvis <k41zen () me com> wrote:

 Thought you needed the Bitlocker recovery key for that which I don't
have?



On 30 Mar 2011, at 16:03, Tim Krabec <tkrabec () gmail com> wrote:

 Can you move the drive to another machine with bitlocker then unlock the
data & copy what you need?


On Wed, Mar 30, 2011 at 10:17 AM, k41zen Me <k41zen () me com> wrote:

Jim,

Only allows outbound 53 which is fine. Won't be allowed to execute the
.exe though or am I missing something?

k41zen

On 30 Mar 2011, at 12:47, Jim Halfpenny wrote:

Hi,
Does the firewall do packet inspection on DNS traffic or is it just a
rule to allow port 53 outbound? You can shovel the data over netcat if
you can connect to a remote system on which you've put a listener on a
permitted port.

Regards,
Jim

On 30 March 2011 07:44, k41zen Me <k41zen () me com> wrote:

I need to get some user data of a laptop. I have written permission to

do whats necessary. What I don't have is a lot of time.


Laptop is running Vista SP1 fully patched up to Jan 2011. System is

bitlockered. I have the users cached creds and the bitlocker PIN so logging
in as the user is not a problem. System has a software VPN solution on it
but certificate has failed rendering the NIC useless and removing a whole
heap of remote options.


System is locked down so that:

   1) 3rd party app stops devices from being attached to the laptop

(USB, Expresscard, PCI, serial & parallel ports, firewire)

   2) User has CD/DVD read but not write
   3) user account rights are very limited
   4) whitelist in place with mixture of GPO's and 3rd party app to

limit what the user can run and from where on the system

   5) cannot stop services
   6) cannot delete files to break security apps or stop services
   7) local admin account has been disabled
   8) FW configured to only allow out DNS and VPN traffic to establish

session

   9) user cannot renew VPN cert

I dont have bitlocker recovery PIN so booting into safe mode or placing

drive into another machine is a no go. Also not stored in AD.


I can't see any other ways to extend to functionality of the laptop so

am now into privilege escalation. With all the meassures in place anyone
know of anything that would work?


TIA

k41zen
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
Tim Krabec
Kracomp
772-597-2349
www.kracomp.com
www.smbminute.com (podcast)
tkrabec.com

 _______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
Tim Krabec
Kracomp
772-597-2349
www.kracomp.com
www.smbminute.com (podcast)
tkrabec.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Locked down laptop help k41zen Me (Mar 30)
- Re: Locked down laptop help Jim Halfpenny (Mar 30)
  - Re: Locked down laptop help Craig Freyman (Mar 30)
  - Re: Locked down laptop help k41zen Me (Mar 30)
    - Re: Locked down laptop help Tim Krabec (Mar 30)
    - Re: Locked down laptop help Jason Jarvis (Mar 30)
    - Re: Locked down laptop help Tim Krabec (Mar 30)