
Laptop Penetration Test

Service Overview

The objective of a Laptop Penetration Test is to demonstrate if and/or how a laptop can be compromised. This test starts with a corporate-issued laptop image. The Secureworks Adversary Group works to compromise the device and any sensitive information on it. Testing can include activities such as BitLocker / full-disk encryption bypass, cold-boot memory attacks, QuickCreds attacks, USB HID, and image configuration abuse.

Service Methodology

This scenario-based engagement explores what would happen if a company-issued laptop were lost or stolen and a skilled attacker had ample hands-on time with it. When a laptop is lost or stolen, it is usually in one of three states: powered off, powered on but locked, or powered on to the desktop.

Secureworks tests all three scenarios and breaks up the narrative to demonstrate what an attacker could do to compromise the laptop from each state.

Powered Off Testing:
Testers attempt to compromise the laptop through the use of a Direct Memory Access (DMA) peripheral (e.g., hook up an external card to their laptop and try to hotpatch memory to bypass the login screen or find the BitLocker decryption key). If the laptop hard drive is encrypted, testers attempt to decrypt the contents and create a local administrator account.

Powered On but Locked:
Testers use a Bash Bunny to spin up a fake USB "Network Interface Card" and try to trick the computer into sending the logged-in user's Net-NTLMv2 password hash. If a hash is obtained, testers attempt to crack it. If the password is recovered, testers log in to the device.

Powered On to Desktop:
Testers have access to the laptop with regular user credentials. They assess which security controls are in place and which can be bypassed (e.g., endpoint protection/DLP protections). They also try to find sensitive information stored locally on the laptop, including saved Wi-Fi passwords and other documents of interest. Some clients hide easter eggs or "flags" for the testers to find.

After compromising the laptop, testers attempt to leverage the VPN with pre-signed-in or guessed credentials to gain access to the internal corporate network. Testers ask customer permission before testing continues across the VPN to the internal network.

If we are able to gain VPN access, we usually spin up an AWS instance and proxy traffic from the AWS instance through the laptop and into the customer's corporate network.

Customer Requests
To make this test more realistic, customers should consider the following:

Note: These credentials will only be used to sign in to the laptop. Testers will be targeting other user accounts within the organization with weak credentials when attempting to authenticate to the VPN.

Outcome

Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report will include the following:

Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before the expiration of the review period, the report will be deemed final. Upon completion of the Services, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by the Customer-designated contact, within five (5) business days of such email confirmation, the Services and this SOW shall be deemed complete.

Scoping information

Laptop Penetration Test

Scope Description
Laptop Penetration Test - Small: 1 laptop image, configured and shipped to Secureworks.

Scheduling and Booking Information

See Service Scheduling for information about scheduling this service.

 
