Kon Boot
I’m running behind the curve on this one, but several of my usual sources have suggested Kon-Boot as a useful addition to any security toolkit. The premise of Kon-Boot is simple: by modifying the system kernel (Windows or Linux) upon boot, there is no need to know the user’s password to access the system.
Kon-Boot is designed to boot via either floppy or CD, but thanks to the work of IronGeek it is relatively painless to get Kon-Boot running from USB.
Unetbootin continues to be a powerful tool, and you can use it to create a bootable USB drive from the Kon-Boot floppy drive image. Raymond.cc has a great guide for the process, but it ends with the limitation that Kon-Boot won’t function from USB, until IronGeek steps into the ring with a patch. Simply extract the archive to the root of the USB drive to update chain.c32 and syslinux.cfg, then you’re good to go.
There are plenty of videos showing Kon-Boot in action, for example this one. I’ve successfully compromised a Windows 7 host, with both local and domain accounts, but it can only compromise domain accounts that have previously logged onto the physical machine. In discussion with a Windows admin, a couple of potential mitigations have been developed, but at this point these have yet to be put to the test.
Linux compromise seems to be less powerful, as you log in as a new kon-usr user, albeit with UID 0 for superuser privs. Full authentication doesn’t seem available, however; the kon-usr drops in at the command line, but KDE kicks up an authentication error when trying to start a GUI session.
I still intend to test my Kon-Boot drive against a machine with an encrypted hard drive. I’m not convinced it will work, as my current hypothesis is that the Kon-Boot kernel modifications will be attempted before the drive is decrypted. I’ll update once I’ve been able to put the hypothesis to the test in a lab.
For the time being Kon-Boot is a permanent addition to my toolkit, as there are plenty of scenarios that make Kon-Boot a legitimate tool for both security and non-security techies alike. Thanks to www.piotrbania.com for development and release.