Hello,

It appears that this works against Checkpoint FDE with WIL (Windows Integrated Logon) enabled. I was hoping that the pre-boot process of Checkpoint FDE would have wiped out whatever Kon-Boot was doing in memory, but it appears that it doesn't and allows the kernel patch to go ahead. Using the pre-boot authentication mode does prevent it if you don't have an account to access the decryption keys.
I agree with Mick that this makes an amazing demo... especially when people make the trade-off between usability and security.

D

> ---------- Forwarded message ----------
> From: Michael Douglas <[email protected]>
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Date: Tue, 07 Jul 2009 09:17:21 -0400
> Subject: Re: [Pauldotcom] Kon-Boot on a USB
>
> KON can't do it all, and hard disk crypto seems to be the one thing
> that stops this fun little tool cold. I think from a white hat
> perspective, it makes for an amazing demo of why FDE is needed.
>
> > I'll be at DEFCON tho! :D
> > not that anyone cares ;)
>
> BS! we care! :-) be sure to look us up!
> - Mick
>
> On Mon, Jul 6, 2009 at 11:44 PM, John Navarro<[email protected]> wrote:
> > That was one of the reasons I wanted to test Kon-boot, however I couldn't
> > take it too far since I was testing it on a work laptop to see if I could
> > defeat the partial disk encryption (with permission of course!). Of course I
> > could dump everything from Linux anyways, but still couldn't gain access to
> > the one encrypted drive :(
> >
> > I'll be at DEFCON tho! :D
> > not that anyone cares ;)
> >
> > On Mon, Jul 6, 2009 at 7:13 PM, Robin Wood <[email protected]> wrote:
> >>
> >> 2009/7/7 Adrian Crenshaw <[email protected]>:
> >> > Ok, tested a few things on my Vista 32 box:
> >> >
> >> > 1. Can't access network resources (prompted for password), but that's
> >> >    expected.
> >> > 2. I can dump the real password hashes.
> >> > 3. EFS is not bypassed.
> >> > 4. Could change my password, but had to use MMC because the default user
> >> >    accounts interface was confused.
> >> > 5. Rebooted into normal mode, logged in with new password but still
> >> >    could not get to the EFS files.
> >> > 6. Change password back, logged in/out and then could get to my EFS
> >> >    file.
> >>
> >> That would be because the EFS couldn't be decrypted when you first
> >> logged in so changing the password on it wasn't possible.
> >>
> >> Robin
> >> _______________________________________________
> >> Pauldotcom mailing list
> >> [email protected]
> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >> Main Web Site: http://pauldotcom.com
