archiveren

windows

A cool trick that was shown a couple of years ago, called BadUSB, turns random USB devices into possible snooping devices.

What if you plugin a USB-stick you found on the street and it turns out to open up an Internet Browser and steers you into a specific website, downloading and launching an application? USB has many profiles, so instead of a “mass storage device” (what you would expect from a USB drive that looks like an mass storage device) it imitates a HID device such as a keyboard or mouse… So your “drive” becomes a keyboard!
Automate some pre-defined keystrokes that randomly start after plugging in the USB device, like windows-logo+r, type https://mendelonline.be/temp/runme.exe, press enter a couple of times, and then run the same with %userprofile%\downloads\runme.exe and you’ll be pretty close running your executable without any user interaction!

Edit 26/05/2016: Exactly like this: https://www.informationsecurity.ws/2016/01/pwning-windows-7-with-avg-av/

Not that many technologies exist to prevent this from happening on Windows though… But I found some document on irongeek explaining how to block USB devices using Group :Policy. (local policy can also be used, you don’t need to have a domainjoined computer): http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices

Open your local policy editor, open up “Computer Configuration->Administrative Templates->System->Device Installation->Device Installation Restrictions”, and start messing around πŸ™‚

Capture

local group policy settings

I started with checking which USB devices were already known on my computer… You can use, always awesome, nirsoft’s “USBDevview” to have a look at your USB history.

So, I deleted all history, with the idea to start clean.
After deleting everything, I let Windows re-discover all devices default to my laptop.
Next, I started plugging some USB devices I owned and let it register and install.

Then, the actual blocking policy was enabled.

Another USB-device I didn’t install for testing purposes was plugged into my computer. And nothing happened.
Perfect 😎

I still needed to install that device anyway, but starting device manager with administrative credentials, allowed me to overrule the blocking policy, and to install the USB device for future use…
(Note: once a USB device is “installed”/”registered” into windows, it can be plugged in an used anytime in the future without the admin-overrule technique…)
Or you can start defining classes of usb devices, manufacturers, etc… Just check irongeek’s page πŸ™‚

computermanagement

unrecognized

usbdevview

datatraveler not being used

computer

update driver as administrator

cptmgmtinstalled

good to go

installed

datatraveler active!

All official Belgium eID applications are eventually wrappers around the by FedICT provided eid-sdk, which on its turn is a Java applet… This Java applet has the possibility to authenticate any known Belgium eID against FedICT’s database. Even FedICT’s FAS service can be used as a saml-compatible authententication provider (adfs!)… But you don’t always want to use Java, or FAS…

Did you know, you can fully integrate the Belgium eID in a Windows environment?

Yes, ADFS, yes RDP, yes Windows logons, yes IIS… The fun part, it’s all built-in and you don’t need Java, and you don’t need FAS! ❀
Downside: you’ll need to do some user mapping yourself: your servers still need to map you to an account, and it still needs to authorize that account… So a little administrative overhead here (with FAS FedICT does this for you)

There are some other tricks needed, as for example to enable your client to read both certificates on the smartcard, and to map your eid to a “Windows” user account, but when that’s set-up, you’re good to go!

certlogon

The key to all this is the implicit certificate mapping feature of Active Directory Certificate Services working together with an enterprise PKI.

RDP/Windows

1

IIS

For IIS, the “SSLVerifyClient require” http specification is used to leverage cert-based client authentication. This should even work in other HTTP-servers, and in all major browsers.

http://wiki.cacert.org/ApacheServerClientCertificateAuthentication

Local auth

For the tricks above, you’ll need a functional Active Directory including integrated enterprise PKI environment.

Thanks to Vincent of mysmartcardlogon you can also run it stand-alone on your computer!
Unless you’re running Windows Enterprise, like me 😦
Plus, my laptop doesn’t has a built-in cardreader, so it’s ugly having to take an USB-cardreader to logon at mornings πŸ™‚

The why?

Strong “Multi-factor” authentication is strong.
A certificate in either a virtual or a physical smartcard is always a bunch more secure than a password you’ll have to remember as a simple human being.

And an eID is obligatory in Belgium, you have to buy it anyway, so why buy yet another token for Multifactor AuthN from a 3th party provider instead of the one you already have?

It’s not confidential or secret technology, so if you’re interested in the exact how and what, just leave a comment πŸ™‚

There are really some huge flaws in this system…

To bad actually, because it’s a nice thing!

Let’s show you my setup:

exe rules script rules

So everyone can run executables and scripts signed by my selfsigned codesigning certificate and the juniper ones.
Everyone can execute from %programfiles% and %windows (default rule) and Everyone from a safe directory called “epic tools” on my skydrive.
And 2 file-path exceptions for keepass and onecal…

Almost the same for powershell, with specific hash-rule for my powershellprofile (which can go now because it’s signed by the selfsigned cert)

Anyway, %desktop% is blocked for all normal users.

Bypass Applocker’s PowerShell policy

Let’s try to run a ps1 file located on the desktop.

weird
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\mendel\Desktop\applockertest\helloworld.ps1'"

I noticed this one when running a powershell script and invoking it from rightmouseclick (run with powershell) and used procmon to find the exact launch command…

(The rightmouseclick “run with powershell” is only available in the context menu if you have the “.ps1” extension associated with notepad… WTF)

And of course there are more: http://www.wilderssecurity.com/threads/windows-7-applocker-can-be-bypassed.321479/ , https://www.mountknowledge.nl/2011/01/28/bypassing-windows-applocker-using-vb-script-in-word-and-excel/ .
This one is also nice! http://baileysoriginalirishtech.blogspot.be/2015/06/applocker-schmapplocker.html

Bypass Applocker’s exe policy

Multiple bugs/exploits for this are known. As for example the ones from Casey Smith https://twitter.com/subtee/status/627904214451138560

CaptureI just used Case’s code to PoC this πŸ™‚ https://github.com/subTee/ShmooCon-2015/blob/master/POC.cs

Basically, just block everything!

Device Guard

A new feature in Windows 10 might be a solution for all of this πŸ™‚ http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html?m=1

We’ll see, we’ll see…

Ok, let’s get it over with. Once and for all a decent how-to to setup Authentication Mechanism Assurance (AMA) in Active Directory Domain Services…

The last time I talked about this, is when I just found out of it existence at techet, in a talk by Hasain Alshakarti and Marcus Murray .

It basically shows a difference in group memberships between logging in using a regular username/password , and logging in using smarcards. If you login with a password you’ll become a normal user, when you logon with a smartcard you’re an admin! πŸ™‚

The Microsoft step-by-step guide however is a bit long, and a bit clumsy… So here a quick rewrite πŸ™‚

➑ Required components: a Windows Server, a PKI (or the default one in ADDS whatever), and some time.

CA Templates

First, we’ll have to create a new certificate template.
Open the certificate template management console, and go to the templates.

Lets start by duplicating the “smartcard logon” one. Choose 2008R2 for everything.

dupl
This default template should be good, 1 little thing needs to change.

Open the template, go to the extensions tab. And you see the issuance policies. Here you’ll need to add a new one.

Give it some useful name, for example “server admin” or whatever.
issuancepolicy

This extra extension will now go into the actual enrolled certificate…

Mapping

Next we’ll need to teach the ADDS how to map that extension to an actual Security Group. This can be done using the weird PowerShell script provided by Microsoft, but let’s do it manually here (it goes way faster!)

The link between the OID we just created and a security group is a policy defined in the regular SYSTEM partition of ADDS. Open it either using ADSIEDIT or the Sites and Services mmc.

Ofcourse we’re working with the Public Key Services, OID config, and there are all the policies stored. We’re looking for the OID of the policy we created earlier (add the “displayname” to the mmc-colums to make your life easier).

If you’ve found the correct object, rightmouseclick it, open attributes, and search for the “msDS-OIDToGroupLink” attribute.

⭐ This is the magic attribute ⭐

Fill in the DN of the security group.
And you’re good to go!

sitesandservicesgrouplink

Next steps are of course the enrollment and issuance of the CA template to the correct users. But I hope you know how that works πŸ˜‰
From here on you can either put it in a Virtual Smart Card, and start using it!

 

More of those bloody scheduled tasks that get re-enabled when you disable them… 😦

UserTask
OfficeTelemetryAgentFallBack
Office 15 Subscription Heartbeat
Scheduled Start
Scheduled Start With Network
OfficeTelemetryAgentLogOn
SynchronizeTime
Microsoft Office 15 Sync Maintenance
.NET Framework NGEN v4.0.30319
SilentCleanup
CreateObjectTask
BackgroundUploadTask
Idle Sync Maintenance Task
Idle Maintenance
Routine Maintenance Task
Regular Maintenance
.NET Framework NGEN v4.0.30319 64

 

Anyway, thanks to my beloved search engine, i stumbled on yet another stackoverflow/superuser thread concerning this same issue: http://superuser.com/questions/497500/disable-automatic-maintenance-in-windows-8

Just disable that bloody “Maintenance Configurator” task using local system privileges

Result: no more fans spinning up when I lock my laptop! ❀

Remapping all the way!

So, this is another trick I learned at TechEd πŸ™‚
Basically, a registry key can be created in “image file execution options” , that changes Windows behaviour, and instead of starting any executable, launching a debugger of choice and attaching the executable to that debugger…

This means, you can also set any executable to be run whenever a certain executable is started. I noticed when running cmd this way, the original executable will be the argument passed to the “debugger”-executable.

Simply open the registry, browse to following location, set a key with the EXACT name (case sensitive) of the executable you want to replace, create a new string value named “debugger” and as value the executable of the debugger (or exe you want to run)
To prevent the argument of reaching debugger-exe, add “/z” to the end of the value.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VAIOCare.exe]
“debugger”=”\”C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\” /z”

WP_20141115_12_32_42_Pro

So, now for my VAIO’s assist button…
The laptop originally comes withΒ  bunch of bloatware installed, and when I reinstalled the OS the button became useless… It can only start Sony software…
So you’re going to need some of the original Sony tools for this as well…

Anyway, after installing Sony Care and the Shared Drivers pack, things got working, and on a press of the button the process “VAIOCare.exe” was launched.
Threw some sysinternals tools in the game to get some details and find the exact executable that starts.
Also found some other regkeys, but that was a dead end.
Applied the trick above on VAIOCare.exe, and replaced it with firefox /z =)
(don’t exactly know what the “/z” stands for, but it kills the argument it seems…)

Capturea

CapturlkjeCapture

Security note on all this: you can create a replacement of every file executable on your system by design. This also means you can let every executable start on boot. This registry-key can contain traces of malware, “Autoruns”Β  from Sysinternals also checks for this as “Image hijacks”.
This way, you can also add “sethc.exe” with debugger options. sethc is the thing that will run when you hit shift 5 times in a row πŸ™‚
So now, when I hit shift 5 times, a powershell window pops up πŸ™‚

Bigger Security note: this also works before you login (localmachine regkeys), so when you hit 5 times shift at the logonscreen, a powershell window pops up running as .\system πŸ™‚
After that, the only limit, is your own imagination…