
Exploiting Software Haking_DEFENSE PATTERN - Part 1

Windows 8 Security in Action

Is Windows 8 the next operating system for your enterprise? In this article we take a quick look at Microsoft's new OS, Windows 8. We will see some of the new security features that make it more secure than its predecessor, Windows 7. We will also put the security through its paces and look at some possible issues that are new to the OS, and some that have carried over from previous versions of Windows.

The much anticipated (and debated) next version of Windows is set to be released on October 26, 2012. Several prerelease versions were made available, and Microsoft recently released a 90-day Windows 8 Enterprise RTM (Release to Manufacturing) evaluation copy.
In this article I briefly cover the new look of Windows 8, which has drawn complaints from enterprise users and the media alike. I then highlight some of the new security features and, finally, put them to the test.
From the BackTrack 5 R3 security testing platform I use the Metasploit Framework and the Social Engineering Toolkit (SET) to see how Windows 8 stands up to the most common internet-based threats, and I also cover credential harvesting, Man-in-the-Middle and physical attacks against Microsoft's latest OS.

Windows 8 Overview

The first thing you will notice is the desktop change (Figure 1); you're not in Kansas anymore, Dorothy. Catering to mobile touchscreen users, Microsoft has switched the desktop to a new tiled interface. This has caused a split among enterprise users: some seem to really like it, others want the standard desktop back.
Don't get me wrong, the desktop we know and love is still there (Figure 2).

But if you notice, the Start button is gone. If you move the cursor to the side of the screen the new "start menu" will appear (Figure 3).
Yes, it looks different, doesn't it? Clicking the Start button on this menu takes you back to the Metro interface. Apparently Microsoft wanted a consistent look across its product platform: phones, tablets and desktops would all have the same "Metro" interface.
It is nice to know, though, that some things still look the same in Windows 8. The Control Panel looks pretty familiar (Figure 4).
Changes have been made on the server side too. The new Server 2012 has a GUI, but Microsoft is really pushing the Server Core installation, which is managed from the command line only. So if you do server work, it is time to brush up on your PowerShell.
In essence, Windows 8 really seems to be an enhanced Windows 7 with a new interface. Everything you could do in Windows 7 is there, somewhere; it is just a matter of finding its new location.

The New Security Features

Several security improvements have been made in Windows 8. A brief list of some of the new features:

• Windows Defender comes pre-installed, and now includes the antivirus engine from Microsoft Security Essentials rather than being anti-spyware only
• Application download screening with SmartScreen
• Protection against buffer overflow and memory corruption/modification attacks (improved ASLR and DEP coverage plus heap and kernel hardening)
• UEFI Secure Boot to help prevent rootkits and bootkits
• New password options
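Before putting any of this to the test it is worth confirming the features are actually switched on in the build you have. The script below is an added example and is not part of the original article or of Microsoft's tooling: a read-only PowerShell 3.0 (the version that ships with Windows 8) audit that reports Secure Boot, the Defender service, the SmartScreen setting, the DEP policy and the local password policy, and lists anything weaker than the out-of-box expectation. The service name `WinDefend`, the `SmartScreenEnabled` registry value and the DEP policy codes are what Windows 8 uses; the "Findings" thresholds are assumptions of this example.

```powershell
# Added example (not from the original article): a quick read-only audit of the
# Windows 8 security features listed above. Run from an elevated PowerShell prompt.
# Assumptions: service name WinDefend for Windows Defender, SmartScreenEnabled under
# the Explorer key (RequireAdmin/Prompt/Off), DEP policy codes from Win32_OperatingSystem.

function Get-Win8SecurityBaseline {
    $result = [ordered]@{}

    # 1. UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    #    so an exception means "not available", not "disabled".
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $result.SecureBoot = 'NotSupported (legacy BIOS or no UEFI variables)'
    }

    # 2. Windows Defender service (pre-installed on Windows 8).
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result.Defender = if ($svc) { [string]$svc.Status } else { 'ServiceMissing' }

    # 3. SmartScreen for downloaded executables.
    $ssKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $ss = (Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue).SmartScreenEnabled
    $result.SmartScreen = if ($ss) { $ss } else { 'NotSet (defaults to RequireAdmin)' }

    # 4. Data Execution Prevention policy, one of the memory-corruption mitigations.
    #    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.DEP = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # 5. Local account password policy as reported by "net accounts".
    $result.PasswordPolicy = (net accounts |
        Where-Object { $_ -match 'Minimum password length|Lockout threshold' }) -join '; '

    # Flag anything weaker than the out-of-box expectation (thresholds are assumptions).
    $findings = @()
    if ($result.SecureBoot -ne 'Enabled') { $findings += 'Secure Boot not enforced' }
    if ($result.Defender -ne 'Running')   { $findings += 'Defender service not running' }
    if ($ss -eq 'Off')                    { $findings += 'SmartScreen disabled' }
    if ($result.DEP -eq 'AlwaysOff')      { $findings += 'DEP disabled' }
    $result.Findings = if ($findings) { $findings -join '; ' } else { 'none' }

    New-Object PSObject -Property $result
}

Get-Win8SecurityBaseline | Format-List
```

On a virtual machine the Secure Boot line will usually read "NotSupported", because most 2012-era hypervisors boot guests through legacy BIOS; that is also why the physical-attack section later in this article works on a VM without any firmware getting in the way.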

Let’s take a closer look at the password options and some changes in the way Microsoft handles
passwords.

Password Options

You now have a couple of choices for login security (Figure 5). You can use a password as always, but there are two new options, PIN and picture password. The PIN option is not new to some users: just select a four-digit PIN and that's it. The next time you log in you will have a choice to sign in via PIN (Figure 6) or via your password. One caveat: the PIN is a device-local convenience credential. It only unlocks this one machine, and after a few wrong guesses Windows falls back to demanding the full password, which is the only reason a four-digit secret is acceptable at all. It is not a substitute for a strong account password, and it does nothing to protect the Microsoft account behind it.
The interesting one is the picture password (Figure 7). It is designed for touchscreens (though the gestures can be drawn with a mouse), and with it you get to pick a picture and create a special password all your own. Once you choose the picture you want, you then record a series of finger swipes, circles and taps that make up the final password.

Changes in Microsoft’s Password Policy

I noticed some changes in the way Microsoft handles its different service account passwords over the past few weeks. It first started a while back when I was using Microsoft Live mail. One day when I typed in my legitimate password to my e-mail account, I received this error message (Figure 8):

"If you have been using a password longer than 16 characters, please enter the first 16"?

Sure enough, I put in the first 16 characters of the password and I was in. So in effect, only the first 16 characters of a password are being checked now; whether they went through their password database and truncated everything down to 16, or had been quietly ignoring the rest all along, the result for the user is the same.
But that is not all.
Recently I went to log in to my Microsoft mail and got the good old "It's time to change your password" message. No problem!
Well, yes there was. I use several special characters, and when I tried to use some of them (which were in my existing password!) I received this message (Figure 9). It seemed to accept some of the special characters, but didn't like others that I have used since I created the Hotmail Live account!

I wondered what was going on, and then I remembered: Windows 8 is being released and they want you to tie it in to an email address/Microsoft account, as you can see in the Windows 8 install (Figure 10).
Sure, you can use a different e-mail account, or even log in with a local password, but they still want you to connect to a Microsoft account (Xbox, Live, etc.) for Windows 8's other features. And of course don't forget the new Microsoft Marketplace…
What then is the reason for shortening the passwords? It looks like Microsoft account passwords (and therefore Windows 8 logins that use one) are capped at 16 characters for compatibility with existing Microsoft services; a purely local Windows account is not limited this way. But is 16 long enough for a secure password?
Let's check Microsoft's FAQ for strong passwords [1]:

"Length. Make your passwords long with eight or more characters."

Okay, we are good there, but what should our password look like? Well, here are some of the password examples from Microsoft's strong password FAQ (Figure 11). Wait a minute… They are all over 16 characters long!

As length increases so does the cracking time: each extra character multiplies the keyspace by the size of the character set, so brute-force time grows exponentially with length, and anything beyond roughly 10 truly random characters is already out of practical reach. So in all reality, 16 really shouldn't be a problem. But all of my passwords are longer than that. And with the decrease of the character set, by limiting special characters for compatibility with Microsoft's other services, the passwords are less secure than they were before.
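To put numbers on the two changes above (truncation to 16 characters and a smaller symbol set), here is an added example, not part of the original article: a PowerShell function that infers the character classes a password uses, applies a service-imposed length cap and symbol-set size, and reports the resulting keyspace in bits. The class sizes (26 lowercase, 26 uppercase, 10 digits, 33 printable symbols) are the usual US-keyboard assumptions; since the article does not say exactly which symbols Microsoft rejected, the reduced symbol count used in the sample run is a guess, and the sample password is constructed for the example.

```powershell
# Added example (not from the original article): model what a 16-character cap and a
# reduced symbol set do to a password's brute-force keyspace.
# Assumed class sizes: 26 lower, 26 upper, 10 digits, 33 printable ASCII symbols.

function Get-Keyspace {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MaxLength = [int]::MaxValue,   # cap imposed by the service, e.g. 16
        [int]$SymbolClassSize = 33           # how many symbols the service accepts
    )
    # Only the characters the service actually checks count toward the keyspace.
    $effective = if ($Password.Length -gt $MaxLength) { $Password.Substring(0, $MaxLength) } else { $Password }

    # Alphabet an attacker must cover, inferred from the classes present (-cmatch is case-sensitive).
    $alphabet = 0
    if ($effective -cmatch '[a-z]')        { $alphabet += 26 }
    if ($effective -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($effective -match  '[0-9]')        { $alphabet += 10 }
    if ($effective -match  '[^A-Za-z0-9]') { $alphabet += $SymbolClassSize }

    # Keyspace = alphabet ^ length; expressed in bits so the loss is easy to compare.
    $bits = $effective.Length * [math]::Log($alphabet, 2)
    New-Object PSObject -Property @{
        EffectiveLength = $effective.Length
        AlphabetSize    = $alphabet
        KeyspaceBits    = [math]::Round($bits, 1)
    }
}

# Constructed 30-character sample password. The cap of 16 comes from the article;
# the 20-symbol accepted set is an assumption standing in for the rejected characters.
$pw     = 'Correct-Horse!Battery#Staple42'
$before = Get-Keyspace -Password $pw
$after  = Get-Keyspace -Password $pw -MaxLength 16 -SymbolClassSize 20

"Original : {0} chars, alphabet {1}, {2} bits" -f $before.EffectiveLength, $before.AlphabetSize, $before.KeyspaceBits
"Truncated: {0} chars, alphabet {1}, {2} bits" -f $after.EffectiveLength,  $after.AlphabetSize,  $after.KeyspaceBits
"Loss     : {0} bits of keyspace" -f ($before.KeyspaceBits - $after.KeyspaceBits)
```

Note that the sample password loses its digits entirely when cut to 16 characters, so the truncated version is weaker on both counts, length and alphabet. This is a keyspace model, not a guessability model: a 16-character dictionary phrase is still far easier to crack than 16 random characters, whatever the bit count says.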
I'm curious whether Microsoft will change this in the future. Microsoft trying to tie all its services together in the cloud is an interesting concept, though. By doing this, no matter where you log in, you will get a consistent look and feel, with all of your data available. All right, enough of an overview; let's see Windows 8 security in action!

Testing Windows 8 Security

I took Windows 8 and ran a couple of common security tests against it to see how well it would hold up. I used the BackTrack platform, SET and the Metasploit Framework. As a straight test from a security tester's point of view, I did not use any modified payloads, uncommon techniques or exploits that were not included with the Metasploit platform.
My goal was to test whether the new security features make the system more secure than previous versions of Windows.

The Windows 8 Enterprise VM was tested as installed, with no additional security programs or antivirus running except the included Microsoft Windows Defender. The latest version of Java was also installed (version 7 update 7).

Malicious Shellcode versus Windows 8

Let's take a look at a standard Java attack against Windows 8. I created a test page using the Social Engineering Toolkit (SET) in BackTrack 5 so that when a user connects, it displays an obviously bogus "Letter from the CEO" page and offers a backdoored Java applet to the visitor. If the user allows the Java app to run, we get a remote session.
As you can see from the screenshot above (Figure 12), you get a security warning explaining, "This application runs with unrestricted access which may put your computer and personal information at risk." If we click the box to accept the risks and run the malicious Java applet, we instantly receive a Windows Defender pop-up warning (Figure 13) that malware was detected, and it stopped the attack.
Okay, that was an easy one; next I tried SET's alphanumeric shellcode attack. This one is a little sneakier and can still bypass some AVs. When I pulled up the test CEO webpage on the SET machine, I didn't get a malware warning like I did with the earlier attack.

When I ran the attack, I got a shell!
Okay, just a shell notification (Figure 14) on the BackTrack side…
But once I tried to interact with the shell in BackTrack I couldn't run any commands. It may have been able to create a channel to the Windows 8 machine, but the security features of 8 stopped it (notice the timeout errors), so I could not get a working remote shell.
Okay, am I impressed yet with the new security features? No, not really. A Windows 7 system running a good, up-to-date AV/Internet security solution will give similar results to what we have experienced so far. But for an out-of-the-box install, it is not bad at all.

SET PowerShell Attack

Next I tried the SET PowerShell attack [2]. This attack has worked in all previous versions of Windows that I have tested, including Windows 7. SET creates a PowerShell command that carries an encoded shell (the shellcode is Base64-encoded into the command line and injected into memory from there). Once the script is executed in PowerShell on the target system, it connects out to the remote system.
I ran the program that creates the PowerShell script, started the listener on the BackTrack system, then ran the script and… nothing!
The BackTrack system did not detect any connection attempts, and the Windows 8 PowerShell threw a "Program has stopped running" error and closed. The PowerShell script that SET creates runs in a hidden window so you can't see what it is doing. When I ran the shell again with the hidden feature turned off, I got this screen of errors in PowerShell (Figure 15).

"Arithmetic operation resulted in an overflow." Windows 8 did not let the malicious code connect out to the attacker system, and the attack failed.
One caveat before crediting the OS for this one: that particular PowerShell error is what you get when 32-bit pointer arithmetic runs inside a 64-bit PowerShell host (an injector casting a 64-bit address into a 32-bit integer), so on a 64-bit Windows 8 build it may be an architecture mismatch between payload and host rather than a new mitigation. `[IntPtr]::Size` returns 8 in a 64-bit host, and re-running the x86 payload from the 32-bit PowerShell under SysWOW64 would settle the question.
So far, Windows 8 is batting a thousand; none of the attacks have been successful!

Windows 8 against the latest Flash Threats

Recently a Computerworld article [3] stated that Windows 8 was vulnerable to a new Flash exploit that had just been discovered, and apparently it would not be patched until October because of the way Flash is integrated into the new Internet Explorer 10. Just today (September 12th) Computerworld announced that Microsoft changed its mind and will release a security patch right away:

"In light of Adobe's recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers," Yunsun Wee, director of the company's Trustworthy Computing Group, said in a Tuesday statement. "This update will be available shortly."

I actually tried a couple of the earlier Flash attacks against Windows 8. Not the one mentioned in the Computerworld article, but one that was only a few weeks old (mid-August). Windows Defender caught it and stopped it (Figure 16). Overall the new Windows seems very good at standing up to common online script-based attacks.

Credential Harvesting Attacks

Next I ran credential harvesting attacks against the Windows 8 machine. This creates a bogus website that looks like a regular webpage, such as Gmail or Facebook. When someone enters their credentials, it stores the user's login information and then forwards them to the real page.

Windows 8 was able to block all of the Java-based harvesters that I tried. But a harvesting page that did not use Java worked flawlessly and was able to recover any credentials that were typed into the bogus webpage.
This is not really a security fault of Windows 8's (the user is entering their credentials on a bogus webpage), but with the tight integration of Windows 8 with Microsoft accounts and Live e-mail, a harvested Microsoft account password now unlocks a lot more than a mailbox, so this could be an issue.

Man-in-the-Middle Attacks

I tried running a Man-in-the-Middle (MitM) attack against the system. The variant I used, ARP spoofing, does not exploit anything in Windows itself; it goes after the unauthenticated address resolution that TCP/IP over Ethernet depends on and modifies the target's ARP table. The Address Resolution Protocol table simply maps IP addresses to network cards' physical MAC addresses. A system running the MitM attack inserts itself into the communication path between a system and the gateway/router by telling the target system that it is the gateway, and telling the gateway that it is the target system. Any information transferred in or out of the system can then be monitored and stored.
Surprisingly, the MitM attack I attempted worked flawlessly: I was able to watch which websites the Windows 8 system went to from my attacking system, and was able to view communication data.
I thought this type of attack would be addressed in Windows 8, but as in Windows 7 and previous versions, this still works. In fairness, ARP has nothing for the OS to authenticate, so the host-side defences are the same as they always were: a static neighbor entry for the gateway, dynamic ARP inspection on managed switches, and TLS on the wire so that whatever is captured is unreadable.
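Since the OS will not detect this for you, here is an added example (not part of the original article) of the kind of check a Windows 8 host can run for itself with the NetTCPIP cmdlets that shipped with Windows 8 and PowerShell 3.0. It records the gateway's MAC address as a baseline, then polls the neighbor (ARP) cache and warns on the two symptoms of the attack described above: the gateway's MAC changing, and one MAC answering for more than one IPv4 address on the same interface (the attacker's card has to answer as the gateway and as itself). The single default route, poll interval and poll count are assumptions of the example.

```powershell
# Added example (not from the original article): watch the default gateway's MAC in the
# ARP/neighbor cache and warn when it changes or when one MAC claims several IPv4
# addresses. Requires the NetTCPIP module (Windows 8 / PowerShell 3.0 or later).
# Assumptions: one IPv4 default route; interval and poll count are arbitrary.

function Get-GatewayNeighbor {
    # Find the IPv4 default route and look its next hop up in the neighbor cache.
    $route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
             Sort-Object RouteMetric | Select-Object -First 1
    if (-not $route) { throw 'No IPv4 default route found' }
    Get-NetNeighbor -AddressFamily IPv4 -IPAddress $route.NextHop `
                    -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Unreachable' } | Select-Object -First 1
}

function Find-DuplicateMacs {
    # A MAC bound to two or more learned IPv4 entries on one interface is suspicious.
    # Permanent entries (multicast) and broadcast/zero MACs are ignored.
    Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { $_.State -in 'Reachable', 'Stale', 'Delay', 'Probe' -and
                       $_.LinkLayerAddress -notmatch '^(00-00-00-00-00-00|FF-FF-FF-FF-FF-FF)$' } |
        Group-Object InterfaceIndex, LinkLayerAddress |
        Where-Object { $_.Count -gt 1 }
}

function Watch-GatewayMac {
    param([int]$IntervalSeconds = 5, [int]$Polls = 60)

    $baseline = Get-GatewayNeighbor
    if (-not $baseline) { throw 'Gateway not in the neighbor cache yet; ping it first' }
    "Baseline: gateway {0} is at {1}" -f $baseline.IPAddress, $baseline.LinkLayerAddress

    for ($i = 0; $i -lt $Polls; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = Get-GatewayNeighbor
        if ($now -and $now.LinkLayerAddress -ne $baseline.LinkLayerAddress) {
            Write-Warning ("Gateway MAC changed {0} -> {1}: possible ARP spoofing" -f
                           $baseline.LinkLayerAddress, $now.LinkLayerAddress)
        }
        foreach ($dup in Find-DuplicateMacs) {
            $ips = ($dup.Group | ForEach-Object { $_.IPAddress }) -join ', '
            Write-Warning ("MAC {0} claims several addresses: {1}" -f
                           $dup.Group[0].LinkLayerAddress, $ips)
        }
    }
}

Watch-GatewayMac
```

Take the baseline on a network you trust, otherwise you are baselining the attacker. Pinning the gateway with a static entry, for example `netsh interface ipv4 add neighbors "Ethernet" 192.168.1.1 00-11-22-33-44-55` (interface name and addresses are placeholders), stops the poisoning on that host, at the cost of having to update it whenever the router's card changes.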

Physical Attacks

As mentioned earlier, Windows 8 now supports Secure Boot on the Unified Extensible Firmware Interface (UEFI), the firmware that replaces the traditional BIOS. With Secure Boot enabled, the firmware will only run boot loaders signed with a trusted key, which helps protect against boot-sector malware, bootkits and other attempts at modifying the boot process. This is a huge improvement over previous versions of Windows.

But it is not perfect; let me explain.
Even Windows 7 included a feature (Windows Resource Protection) that stops protected system files from being modified while Windows is running and can restore them if they are changed. So if you tried to change certain system files, they would be put back.
But there is a file modification process that has been around a very long time that attacks the system files by booting from another OS, like Linux, so that Windows is not running to protect them. This file modification attack allows a SYSTEM-level command prompt to be opened at the login screen. SYSTEM is the highest level of authority on a Windows box. It is higher than the "Administrator" user and is similar to root access on a Unix/Linux box.
And this SYSTEM-level terminal runs without anyone physically logged onto the machine! This entire process was actually explained on a Microsoft TechNet forum on Windows Server back in 2009 as a way to get into your server if you lost the Admin login credentials: http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/11facbbf-d7c5-4507-89ae-d828d11eaa73.
But what has been allowed to remain in Windows (it works in all versions of Windows, including desktops) could also be used by a bad guy in a physical attack.
It only takes a few seconds to perform this attack using a Linux boot disk. Basically you boot the Windows box with a Linux boot disk, modify a couple of executable files in the system32 directory and reboot. Then on reboot, at the main login screen, you hit a key combination and up pops a SYSTEM-level command prompt!
At this point you can run any system commands, including adding users or whatever you want to do.
Two caveats are worth adding. Secure Boot only helps here if the firmware actually enforces it and the attacker can neither boot signed third-party media nor simply turn it off in the firmware setup, so a firmware password is part of the defence. More importantly, the attack depends on being able to write to the system volume offline, which is exactly what full-disk encryption (BitLocker, included in Windows 8 Pro and Enterprise) prevents: on an encrypted disk the Linux boot disk finds nothing it can modify.

In the image below I just created a user named "Fred" with the ultra-secure password of "fred" (no one would ever guess that!). I then reboot and we now have two users on this system (Figure 19).
And of course I can now log in to the system with our new user Fred. Don't get me wrong, this isn't some high-level hack. It is a valid way to legitimately get access to a system where someone has forgotten the password. We have used it in a corporate environment before where users have left and did not leave their current password. The systems were not network attached and unfortunately an administrator had not created an account on them. And of course the systems had data on them, so the machines could not be wiped.
But as I mentioned before, malicious users could also use the same tactic if they have physical access to the machine.
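If you cannot encrypt every disk, you can at least find out after the fact whether a machine has had this done to it. The script below is an added example and not part of the original article: it checks the accessibility helpers that Windows launches from the logon screen, which is where this "swap a System32 executable, reboot, get a SYSTEM shell" trick lives, and flags any that are byte-identical to cmd.exe or powershell.exe, whose version resource says it is really a command processor, or whose embedded signature is broken. SHA-256 is computed with .NET so it runs on PowerShell 3.0, which has no Get-FileHash. The list of helper names is an assumption of the example; add any others your build ships.

```powershell
# Added example (not from the original article): an offline-modification check for the
# accessibility helpers launched from the logon screen. Flags a helper that has been
# replaced by a shell binary, renamed from one, or has lost its embedded signature.
# Assumptions: the helper list below; the list of shell binaries compared against.

function Get-Sha256 ([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Test-LogonHelperIntegrity {
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $helpers = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe'
    $shells  = 'cmd.exe', 'powershell.exe' | ForEach-Object { Get-Sha256 (Join-Path $sys32 $_) }

    foreach ($name in $helpers) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) { continue }

        $hash = Get-Sha256 $path
        $vi   = (Get-Item $path).VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $problems = @()

        # 1. A straight copy of a shell over the helper is caught by the hash alone.
        if ($shells -contains $hash) { $problems += 'byte-identical to cmd.exe or powershell.exe' }

        # 2. A renamed binary keeps its original version resource.
        $origBase = [IO.Path]::GetFileNameWithoutExtension([string]$vi.OriginalFilename)
        if ($origBase -and $origBase -ne [IO.Path]::GetFileNameWithoutExtension($name)) {
            $problems += "OriginalFilename is '$($vi.OriginalFilename)'"
        }
        if ($vi.FileDescription -match 'Command Processor|PowerShell') {
            $problems += "describes itself as '$($vi.FileDescription)'"
        }

        # 3. Embedded signature. Many OS files are catalog-signed and show NotSigned on
        #    PowerShell 3/4, so that status is reported, not treated as proof of tampering.
        switch ($sig.Status) {
            'Valid'     { if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $problems += 'signed, but not by Microsoft' } }
            'NotSigned' { if ($problems) { $problems += 'no embedded signature' } }
            default     { $problems += "signature status $($sig.Status)" }
        }

        New-Object PSObject -Property @{
            File    = $name
            SHA256  = $hash.Substring(0, 16) + '...'
            Verdict = if ($problems) { 'SUSPECT: ' + ($problems -join '; ') } else { 'ok' }
        }
    }
}

Test-LogonHelperIntegrity | Format-Table File, Verdict, SHA256 -AutoSize
```

For an authoritative answer on any file this flags, `sfc /verifyfile=C:\Windows\System32\sethc.exe` (System File Checker, run elevated) compares it against the protected copy; and for prevention rather than detection, BitLocker is the control, because a check like this only runs after the attacker has already had their SYSTEM prompt.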

Conclusion

Again, I just used standard testing tools in the creation of this article. There are several ways to bypass anti-virus on older versions of Windows by modifying the payloads in Metasploit; I did not do this. I just wanted to test it using some of the most common security techniques that are in use today.
My intent in writing this article was not to show how to bypass Windows 8 security, but to show how the out-of-the-box features stood up to average internet attacks, which they did extremely well.
I was able to get an initial remote shell with the alphanumeric shellcode attack. And though it was not completely functional, a version could possibly be made in the future to bypass Windows 8 security features. Flash vulnerabilities still seem to be a concern according to the Computerworld article.

One credential harvesting attack also worked, and so did the physical login prompt trick; neither depends on a flaw in Windows, which is exactly why no OS upgrade makes them go away.
Hopefully this article demonstrates to you that Windows 8 security is indeed better than Windows 7's. But user training about online threats and phishing defense needs to remain in place. The standard advice of not running unknown or unsolicited attachments or visiting suspicious websites, and all the normal social engineering defense training, remains the same.
Running a script blocker like the Firefox add-on "NoScript" is still highly recommended to stop scripts from running automatically.
Physical security of systems is also still very important. Keep important servers and workstations in a secured area, and encrypt the disks of anything that can walk out of it. Do not allow other people to access your system. Always verify the identity of service personnel who want to perform maintenance on your system.
Will Windows 8 take the enterprise world by storm? I'm not sure. The security features (especially the increased memory protection) are a big boost and are needed. But the switch to the new interface may be a turn-off to many overtaxed IT departments that do not have the time to help users through the learning curve of a new desktop.
Many corporate users are still using Windows XP, believe it or not. Will they switch to Windows 7 or jump to the more secure Windows 8?
Only time will tell.
