archiveren

software

Everyone is tracking everyone nowadays…

Yet, sometimes I really have trouble remembering what I did, and where I was…
The “what I did” is easily reproducable by using NirSoft’s LastActivityView, checking my send e-mails, and my browsing history… (But as I’m using 3 computers not in logical order, this is also not ideal)

The “where I was” is more difficult…

Enter tracks: https://mendelonline.be/tracks/

Clientside it’s built on top of Nokia’s SensorCore SDK example Tracks (yes, i stole the name, and the layout, and actually just about everything =) ) https://github.com/Microsoft/tracks
The only thing it does it getting all track points containing geographical information from the co-processor on my old but trustworty Nokia 930 running W10M, and posting it to some stupid php “api” putting it in a MSSQL db. (nope, no authN here…)

 

I build some stupid front-end for it, but for now, it looks something like this: https://mendelonline.be/tracks/share.php?accesskey=xqnmSI4vAEItrRaQKaiVnGTx

But you can do way cooler things with it! For example heatmaps! Where did I go most:

Next on the to-to list are statistics…

  • how much time in the car a week
  • how many km in a week
  • how much time in traffic
  • ..

Password Filter

A DLL that provides password policy enforcement and change notification. The functions implemented by password filters are called by the Local Security Authority. – http://msdn.microsoft.com/en-us/library/windows/desktop/ms721882%28v=vs.85%29.aspx 
The purpose for this hook into the LSA is to create custom filters when users change password. Want some specific “default for your company” password filtered out? Want a custom RegEx next to Microsoft’s Complexity Requirements? Want to setup a real ugly sync passwords to another database? Or do you just want access to plaintext passwords? Than this is the way to go…But you can also do other stuff with it, because: “hey! a cleartext pasword!” :-p

Next piece of code doesn’t work, but also talks about the idea: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
And this blogpost tries to fix what the previous one couldn’t do: http://www.phocean.net/2013/10/02/password-stealing-using-a-password-filter.html

Anyway, code is visualcpp,

Most code (pretty much everyting) came from devx, who did a great job with his article: http://www.devx.com/security/Article/21522 !

Next functions are called by the OS when a users changes a password:

BOOLEAN PasswordFilter(
  _In_  PUNICODE_STRING AccountName,
  _In_  PUNICODE_STRING FullName,
  _In_  PUNICODE_STRING Password,
  _In_  BOOLEAN SetOperation
);

NTSTATUS PasswordChangeNotify(
  _In_  PUNICODE_STRING UserName,
  _In_  ULONG RelativeId,
  _In_  PUNICODE_STRING NewPassword
);
BOOLEAN InitializeChangeNotify(void);

 

Visual studio 2013 project to download: https://www.mendelonline.be/downloader/?file=passwordfilterregex.zip

The only thing this code does, is write out the cleartext password to a textfile… Just a proof of concept of what you can do of course… Rest is for you guys to code 😉

So, model 2013 revealed some more secrets!

using Newtonsoft.Json;
using ManagedUPnP;

Finding all upnp services on the current network

Services lsServices = Discovery.FindServices(null,timeout, 0,out lbCompleted,AddressFamilyFlags.IPvBoth);

And filter out the ones being Sony.

foreach (Service IndividuallsService in lsServices)
{
if (IndividuallsService.Description().Actions.ContainsKey("X_SendIRCC"))
{
sony bravia television found! :-)
sonytv=IndividuallsService;
}
}

Register to the device by calling webservice (json) twice! Once without basic auth and once with basic auth and password the number shown on the television itself! Catch the cookie, because it contains the authentication key! (With expiration date 00-00-0000).
Using the same json.net library, you can easily serialize the cookiecontainer for later use.

string hostname = System.Windows.Forms.SystemInformation.ComputerName;
string jsontosend = "{\"id\":13,\"method\":\"actRegister\",\"version\":\"1.0\",\"params\":[{\"clientid\":\"" + hostname + ":11c43119-af3d-40e7-b1b2-743311375322c\",\"nickname\":\"" + hostname + " (Mendel's APP)\"},[{\"clientid\":\"" + hostname + ":11c43119-af3d-40e7-b1b2-743311375322c\",\"value\":\"yes\",\"nickname\":\"" + hostname + " (Mendel's APP)\",\"function\":\"WOL\"}]]}";


var httpWebRequest = (HttpWebRequest)WebRequest.Create("http://"+theipadres+"/sony/accessControl");
httpWebRequest.ContentType = "application/json";
httpWebRequest.Method = "POST";
httpWebRequest.AllowAutoRedirect = true;
httpWebRequest.CookieContainer = allcookies;


string authInfo = "" + ":" + pincode; #pincode shown on television
authInfo = Convert.ToBase64String(Encoding.Default.GetBytes(authInfo));
httpWebRequest.Headers["Authorization"] = "Basic " + authInfo;
(HttpWebResponse)httpWebRequest.GetResponse();

And you can send any command using upnp. The list of commands can be found grabbing the response from the correct request (click here for known requests)

sonytv.InvokeAction("X_SendIRCC", "AAAAAQAAAAEAAABgAw==");

Or the special commands using json

string jsontosend = "{\"id\":78,\"method\":\"setTextForm\",\"version\":\"1.0\",\"params\":[\"http://www.mendelonline.be\"]}";

sonybravia

Because there still is a huge lack of documentation about Microsoft AD RMS, here some hints and tricks to use!

  • First thing: irmcheck! Go use it!
  • Always check ntsf acl permissions on the server side files asmx-files.
  • ConnectionString for SQL is located in registry
    http://technet.microsoft.com/en-us/library/ff660033%28v=ws.10%29.aspx
  • MSIPC (RMS client 2.0 in windows 8 and office 2013) caches in registry and %localappdata%
  •  REGISTRY:\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name> \Template (HKCU or HKLM)
  • %localappdata%\microsoft\msipc
    Hint: you can delete huge file names with  “rmdir MSIPC /s” in cmd (for some reason it doesn’t work in powershell)success
  • Advanced troubleshooting on OSI Layer 7: fiddler! (enable https decryption) Really, put it in between! You’ll get some far more usefull error messages then “cannot connect to the server”, or “cannot use this feature without credentials”…
    Even better, go Wireshark (note: ssl mitm here…)!
  • The older MSDRM (RMS Client 1) puts everything in your %localappdata%\Microsoft\DRM . There you can find your user- & machine certificates, and templates.
    Regkeys under REGISTRY:\software\microsoft\msdrm
  • always check the IIS certificates! If there’s something wrong, nothing will ever work!

Please, open them up, they’re just XML-based, and contain a lot of information! For example, in the GIC-file you can confirm your RMS-location. Don’t bother trying to modify them, they’re hashed… But you definitely should check them for having :443 in their url’s (check this article)
GIC (Group Identity Certificate) = RAC (Rights Account Certificate)
CLC (Client Licensor Certificate)
CERT-Machine = SPC (Security Processor Certificate)

More about those 3 files in here

  • When you need to go deeper, use debugview (or something new: Trace Spy). This works for bot MSDRM and MSIPC
    Server-side and Client-side
  • Go and check Windows Event Logs. RMS Client doesn’t actually logs something there, but it can be a source of good information anyway!

So, we’ve bought a nice Sony Bravia TV (W6), featuring the today’s “default networking” options.

But I want to control it from my Windows Phone 7 device 🙂
(ofcourse!)
The current sony bravia compatible apps, don’t actually work on the new generation… So, we’re figuring out how and what the 2013 models are actually capable off!

So, where to start…
Sony has it’s own official app for android, and everything works fine…
When you combine this with WireShark, or at least tcpdump, this gives a very nice insight in what happens.

So, after trying some things out on my tablet, I started analysing the results from tcpdump.

First results came out like this: http://mendelonline.be/sony/sony.txt

A rest interface listens on an http-webserver, while upnp-traffic goes on 52323.

Using a rest client, https://addons.mozilla.org/En-us/firefox/addon/restclient/, you can run some commands, and simulate the commands from above
restclient

Next in the house comes Intel’s Device Spy for UPnP technologies, or a more up to date versions from https://sites.google.com/site/opensoftwareprojects/dev-tools-for-upnp

upnpspyAnd there you notice the function “X_SendIRCC”.
This in combination with the commands we found above enables us to do what we want 🙂

For the moment I’ve teamed up with etrosce from BraviaControl and Falco from Sony Virtual Remote Control to figure out what’s going on!
Sony Virtual Remote Control actually works (it has a cached version of the earlier found commands),
So, if we can “port” it somehow to WP7, things would be cooool 🙂

Anyway, I’ll keep you posted!

Another story standing since November 2012 (lol 😀 ).
The only thing that has changed: ARR (read on) is now officially supported by Microsoft!
They’re even almost/perhaps/maybe/theoretical/optional considering it as a successor for TMG2010 😛

Anyway, this post is not entirely correct. What we were trying to do was reverse proxy to an sub-directory. That didn’t work…
But  you can get some feeling with the possibilities of IIS’s ARR .

3 days later, but I solved this terrible situation…

The story

Our current website http://www.smartsys.be runs on an asp-powered cms called “umbraco” (url).
So, that makes it needs IIS and MS SQL accordingly…

Second part of the story: we want to introduce a blog with our success stories!
Number one blog software of our choice: wordpress (ofcourse 🙂 )

But, as we all know, wordpress runs on php and not asp, and an accompanying database…

The options:

  1. install php/fastcgi on IIS, mess around with it’s config, use ms sql as backend db, and run everything in IIS…
  2. use apache for both reverse proxying and serving the wordpress pages
  3. let IIS serve our umbraco web pages and set it up as reverse proxy for apache!

So, in the end, we tried only both last options.
I didn’t actually want to try and install php in IIS and maybe mess up our actual web service…

The result

Apache as reverse proxy didn’t end very well…
Actually, it didn’t work at all…
No idea why, didn’t put much effort in it…

On the other hand, IIS as reverse proxy wasn’t easy as well…
It took almost 3 days to figure out what went wrong, how to avoid it from happening, and in the end: how to solve it!
note: not 3 full days, but “some time during 3 days” ^^

How!

So, a little how-to:

First of all, you need IIS, just enable the feature on your Windows or Windows Server.
Secondly, you need “Application Request Routing“. You can download and install this without taking down your website.
This module is officially supported by Microsoft!

So, when both are installed, you can start configuring…

Enable ARR for your site : select your server in IIS Manager, open Application Request Routing under IIS options, choose “Server Proxy Settings” from the actions tab, and mark “enable” and press apply.

Secondly, we can start reverse proxying!

Select your site, in our example the “default web site”, and open the “url rewrite” module.
Here is where the magic should happen!

You can easily add a new rule clicking “add rule(s)”. And in our case, we’re choosing for “reverse proxy”.

Next, choose the path for your destination server, in our case being “http://localhost:8080/test/&#8221; .
Also, in the case for wordpress (very important): enable outbound rules, these are the rewrite rules…

One of the main issues want took so long to understand was a redirection issue: wordpress itself tries to redirect your to its config page, and IIS trying to rewrite the request to the wordpress folder. Resulting in endless 301 redirections… So, watch out here!
At first, I believed I could fix it by changing the config in wordpress. And I took to long to try to fix it that way. In the end (and what we’re doing in this manual) letting IIS handle all this reverse proxy work does the job…

So after adding this rule, we need to correct it somehow.
The default settings are not really good enough (maybe in your case it is!)

So, let’s have a look at the Inbound rule. Just open it.
I’m going to change the “pattern” IIS filters on from “(.*)” to “^test/(.*)” . This makes only requests for “blog.smartsys.be/test/” to be accepted.

Secondly, you have to add {R:1} to the end of the “rewrite url”. Otherwise things as http://blog.smartsys.be/test/wordpress/wp-admin/index.php would never work. It’s just the argument from the initial request that’s forwarded to the rewritten url…

That’s it, apply and close, next we’ll have a look to the outbound rule.

So, the big problem with wordpress is something with redirection. So, in the end, I made it undectectable for wordpress it’s being reverse proxied. So, in wordpress its point of view, it’s just running on localhost:8080 .

This implies we need to rewrite localhost:8080 to something external available, in our case “blog.smartsys.be”…
This is where the “outbound rule” comes in!

I just modified some parts of the default configuration the “add reverse proxy” wizard from before created.

At first: match all content!
The pattern should be” ^http(s)?://localhost:8080/(.*)”
And action value becomes: “http://blog.smartsys.be/{R:2}”

So, I hope you don’t spend any time on trying to let wordpress fix it (because it won’t), just let IIS do all the work!

The interwebz is a complex wasteland.
Almost every websites requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords, the simple password (19bit) for the “one-time-use” websites , the more complex ones (still only max 65 bit) for the “special sites” like facebook, google, of my hr department…  Actually, my “toughest” password (my cronos admin password) only reaches 87 bits…

lotsofaccounts

only a couple of my accounts…

Anyway, when you’re on the internet for a couple of years, you gather some accounts.

Lots of them

LOTS OF THEM……

And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…

The last couple of years I always made use of random sync tools. At first, the sync-tools from Mozillaphoto.jpg itself, later on some other 3th party tools, but the last tool I got stuck with was xmarks. But last year it was bought by lastpass. So all my passwords were suddenly in their hands…
I’m not sure I like that…

But I kept using it, because it comes in damn handy!
All your password perfectly in sync between devices, nice plugin’s for every browser, and even a nice web interface!

But, still, you trust your password with someone else…

Anyway, this week I started doing some consultancy (read, they’re teaching me) for another Cronos Group Company working on InfoSec (another blogpost about this will follow!). And the first thing that 6556_3b90_500happened when firing up my laptop in front of these guys, was firefox opening, and lastpass popping up…

fuck

10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”

Anyway, today I present you: THE SOLUTION

You’re own sync tool build around keepass!

I’ve been using keepass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it off-line. I open it, copy paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!

Until today, on my first hit on google: “keepass firefox” 😛

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an http web service), and you’re good to go! Uninstall lastpass, throw away all other 3th party related crap you don’t want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own aes-256 encrypted keepass db!

The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But, then I would answer “you’re to soon with your remark” 😛

Put all of the above in a skydrive/dropbox/owncloud/anything, and you can run around using your passwords everywhere!

Jej!

————–

Some remarks on passifox: browse to any website with a login field, rmb -> fill user & pass. This is the ony known interface to the firefox plugin! Use this to setup the initial connect with lastpass (connect will appear).

Some remarks on the entire process: I always trusted sites like lastpass. I don’t know exactly why. But when you work for a InfoSec company, you can’t risk anything. Right? 🙂
Maybe it was of laziness, because lastpass just works that handy 😛 But in the end, so does passifox! So please, when you read this, thing twice about who you trust with what!

Remark on skydrive/dropbox/owncloud: even Microsoft’s skydrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to logoff from any live-enable website and someone can have access to these files as well. Even when you run owncloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21the century burglars” can download, is an aes encrypted file! Good luck with that 🙂
Hell, with this setup you can even put an hidden truecrypt container in skydrive containing a portable firefox and keepass… But only, who’s that paranoid? 😛