Password dump from a Hyper-V Virtual Machine's memory

So earlier this week the Twitter flow went bananas when Remko did a blog post about how to extract a password in clear text from a VMware vmem file, using Benjamin's Mimikatz add-on that extends WinDbg.

I wanted to test if it also works in Hyper-V, and there is not much difference. The main difference is how to create the dump file; here I use vm2dmp (thanks to Yusuf for supplying me with a vm2dmp.exe that works with 2012!!) with the right switches. In this case the VM is in saved state, but you can also use snapshots or just the .vsv and .bin files.

[Screen shot 2013-11-29 at 16.33.16]

Then, after importing the dump into WinDbg, I can use the commands to get the password for the user that was logged in on the Win 7 VM.

[Screen shot 2013-11-29 at 15.26.19]

I have tested this on a Windows 7 virtual machine and also on a Windows Server 2012 R2 virtual machine, both running on Hyper-V 2012. This highlights once more that it is crucial to make sure that only the right people have access to the virtualization hosts and to the storage where the VMs reside!
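As an added example (not code from the original post) of the check that closing sentence calls for: a PowerShell audit of who is granted read access to the folders where a Hyper-V host keeps VM disks, checkpoints and the .vsv/.bin saved-state files that vm2dmp consumes. It assumes the Hyper-V PowerShell module on Windows Server 2012 or later and local administrator rights; `net localgroup` is used because `Get-LocalGroupMember` does not exist on 2012.

```powershell
# Added example, not part of the original post: audit read access to the
# folders holding Hyper-V VM files (.vhdx, .vsv/.bin saved state, checkpoints).
# Assumes the Hyper-V PowerShell module (Windows Server 2012+) and local admin rights.

# Principals that are expected to have access on a Hyper-V host.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Collect every folder the host or an individual VM uses for its files.
$vmHost = Get-VMHost
$paths  = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)
foreach ($vm in Get-VM) {
    $paths += $vm.ConfigurationLocation   # VM config plus .vsv/.bin saved state
    $paths += $vm.SnapshotFileLocation    # checkpoint configs and their saved state
    $paths += $vm.SmartPagingFilePath
    $paths += ($vm | Get-VMHardDiskDrive | ForEach-Object { Split-Path -Path $_.Path -Parent })
}

$findings = foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
    if (-not (Test-Path -Path $p)) { continue }
    foreach ($ace in (Get-Acl -Path $p).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # Per-VM service SIDs appear as "NT VIRTUAL MACHINE\<GUID>" and are expected.
        if ($expected -contains $id -or $id -like 'NT VIRTUAL MACHINE\*') { continue }
        # Heuristic: any ACE that allows reading is enough to copy a memory image.
        $rights = $ace.FileSystemRights.ToString()
        if ($rights -match 'Read|Modify|FullControl') {
            [pscustomobject]@{ Path = $p; Identity = $id; Rights = $rights; Inherited = $ace.IsInherited }
        }
    }
}

# Members of "Hyper-V Administrators" can save or checkpoint a VM themselves,
# so review that group alongside the file system findings.
Write-Host "Hyper-V Administrators membership:"
net localgroup "Hyper-V Administrators"

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host "No unexpected read access found." }
```

Run it on each host; the same ACL review applies to any SMB share or cluster storage that holds the VM folders, which this script only sees when the paths resolve from the host.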

OS X Lion reset password and how to protect yourself

Today I realized that I was kind of vulnerable with my Mac. Of course, if anyone gets their hands on your computer that is not good. Today's post will give you a little heads-up, and some of you will secure your MacBooks from immediate access. There are always ways to get hold of your data, but don't make it too easy.

I had totally missed the firmware password, which is a security add-on that prevents anyone from taking your Mac, booting into recovery mode and then resetting your password.

So how do you reset the password on someone's computer then?

Reboot the MacBook and press “Option + R”; then you will get the recovery boot.

As you can see in the Utilities menu there are some different tools; the one we want is the Terminal, and there you type “resetpassword”. Without any CD or external OS X media you get a root terminal to use.

You will get a fine graphical dialog asking which volume and which account you want to reset the password on!

So how can we make this a bit more difficult to do? Still not impossible, but at least more difficult and time consuming 🙂

The highlighted menu option in the first picture, “Firmware Password Utility”, is the one we want. Set a password that is going to be asked for every time we want to do some alternative booting (recovery mode, USB HDD, DVD).

So now I have activated this; how does it work? If I boot normally I will not get any login prompt at boot asking me to enter the firmware password, but if I hold down the “Option” key I will get a prompt asking me for the firmware password. The following image shows what this looks like.

This is of course no security for the data that you store on your drive: if the evil forces want your data they can take out the HDD and connect it to another computer to get at it. If you are running around with sensitive data you should also enable FileVault and encrypt your profile and files. In System Preferences under Security & Privacy you can enable FileVault. As it clearly says in the warning, if you lose your password and recovery key your data is gone! And it has to be the password that you set it up with; it will not work with a reset password.

As described in several Google hits there are ways to reset the firmware password as well. I have not tried those yet, but I will.

I also use TrueCrypt to save files and stuff on encrypted volumes.

Warning! Social hacking using the phone, now in Sweden

Yesterday I heard from a colleague that he had been exposed to a hacking attack that is very sophisticated and probably could have been successful had my colleague not worked in IT.

What happened was that he got a call and the other party asked for his wife (this means that they had in some way targeted their attack, as they said her name). He said that she was not there and asked if he could be of assistance. The one on the phone informed my colleague that he was calling from Microsoft and that they had noticed that his computer was reporting lots of errors and that they could help him fix it. As he works as an IT professional he became interested and let the man on the phone explain, which he did, and told my colleague to open the Event Viewer and directed him to some common errors through filtering. When they found the errors the “Microsoft” representative said that he could help him fix this and directed him to a remote desktop software site (a real website that had been copied, with the URL changed by one character). This evil site installed a Java tunneling trojan which his antivirus software did not find with the real-time scan. After this my colleague said thank you, hung up, disconnected his laptop and investigated it.

Today he heard of an 80-year-old lady who had been attacked using the same technique.

I can safely say that Microsoft will never ever call you and tell you stuff about your computer and ask to remotely administer it!! AND FOR GOODNESS' SAKE DO NOT ACCEPT JAVA OR ACTIVEX plugins/programs that do not come from a legitimate site.

Watch this YouTube clip and get scared about how easily anyone can get hold of your computer. Also look at the follow-up clip that shows him setting up an account and running RDP to that session.