You’ve probably heard of social engineering attacks (and have of course read Bright Hub’s articles on how to avoid them). One of the most common kinds of social engineering attacks is a physical access attack.
Once anyone has attained physical access to your computer, you have only one last line of defense: your password. This assumes that you don’t have a fingerprint scanner (which is one more reason why owning one would be a good investment). Local passwords are, however, quite easy to recover.
Note: This article applies to local accounts only, not server accounts. It is also specific to Windows XP.
An attacker would start by mounting your drive using a Linux live CD (for instance the security distribution BackTrack 3). To gain read/write access they would use ntfsmount. Assuming your disk was at /dev/sda1, they would use this command:
ntfsmount /dev/sda1 /mnt/sda1
Passwords on your computer are not stored in the clear; they are stored as password hashes, which are in turn encrypted with a per-machine boot key. The attacker would use two commands to dump these hashes to their own disk.
bkhive /mnt/sda1/WINNT/system32/config/system systemKey.txt
This dumps the computer’s boot key to ‘systemKey.txt’.
samdump2 /mnt/sda1/WINNT/system32/config/SAM userHashes.txt
This dumps the password hashes to ‘userHashes.txt’.
The attacker can then crack these password hashes at their leisure on their own machines using tools like Cain and Abel, John the Ripper, or rainbow tables. To finish our example using John the Ripper, the attacker would run:
john userHashes.txt
The attacker then has access to all of the local accounts on the machine. Easy, wasn’t it?
What can you do to protect yourself from physical access attacks? On the technology end, the best thing you could possibly do is invest in a fingerprint scanner and set up your account to work only with the scanner (so that it does not accept passwords). This, however, is expensive, especially if you want to protect multiple machines.
The best way to prevent physical access attacks is to keep attackers away from your machine. This is as simple as locking your office when you leave it and telling staff to report anyone suspicious approaching machines (including employees accessing machines that they don’t regularly use).
Creating a culture of security in your workplace will help you avoid the irrevocable damage that physical access attacks can cause.