archiveren

Tagarchief: security

A cool trick that was shown a couple of years ago, called BadUSB, turns random USB devices into possible snooping devices.

What if you plugin a USB-stick you found on the street and it turns out to open up an Internet Browser and steers you into a specific website, downloading and launching an application? USB has many profiles, so instead of a “mass storage device” (what you would expect from a USB drive that looks like an mass storage device) it imitates a HID device such as a keyboard or mouse… So your “drive” becomes a keyboard!
Automate some pre-defined keystrokes that randomly start after plugging in the USB device, like windows-logo+r, type https://mendelonline.be/temp/runme.exe, press enter a couple of times, and then run the same with %userprofile%\downloads\runme.exe and you’ll be pretty close running your executable without any user interaction!

Edit 26/05/2016: Exactly like this: https://www.informationsecurity.ws/2016/01/pwning-windows-7-with-avg-av/

Not that many technologies exist to prevent this from happening on Windows though… But I found some document on irongeek explaining how to block USB devices using Group :Policy. (local policy can also be used, you don’t need to have a domainjoined computer): http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices

Open your local policy editor, open up “Computer Configuration->Administrative Templates->System->Device Installation->Device Installation Restrictions”, and start messing around 🙂

Capture

local group policy settings

I started with checking which USB devices were already known on my computer… You can use, always awesome, nirsoft’s “USBDevview” to have a look at your USB history.

So, I deleted all history, with the idea to start clean.
After deleting everything, I let Windows re-discover all devices default to my laptop.
Next, I started plugging some USB devices I owned and let it register and install.

Then, the actual blocking policy was enabled.

Another USB-device I didn’t install for testing purposes was plugged into my computer. And nothing happened.
Perfect 😎

I still needed to install that device anyway, but starting device manager with administrative credentials, allowed me to overrule the blocking policy, and to install the USB device for future use…
(Note: once a USB device is “installed”/”registered” into windows, it can be plugged in an used anytime in the future without the admin-overrule technique…)
Or you can start defining classes of usb devices, manufacturers, etc… Just check irongeek’s page 🙂

computermanagement

unrecognized

usbdevview

datatraveler not being used

computer

update driver as administrator

cptmgmtinstalled

good to go

installed

datatraveler active!

One of the recent security “packs” in the Microsoft ecosystem is LAPS, Local Administrator Password Solution (https://technet.microsoft.com/library/security/3062591). It tries to solve one of the ancient issues regarding the local administrator account on a Windows machine. It needs to exists, and it needs to have , preferably, secure and unique password. Yet, in many organizations, the default administrator account is enabled, with the exact same password on every machine…
Result: once you know the password, you’re an admin on every workstation! (latteral movement) 🙂
The idea of LAPS is to randomize each password of each workstation, and store it in the Active Directory as an confidential attribute of the computer object.

LAPS can be configured to manage the local administrator account, .\administrator, or another, configurable and existing, account.

Suprise!

Enter MS14-025.
MS14-025 disables the usage of CPasswords in Group Policy https://support.microsoft.com/en-us/kb/2962486 .

This is a good thing!

CPasswords allowed unsuspicious administrators to put plaintext password in publicly-readable group policy xml-files!
(almost plaintext as the passwords are encrypted with a known password).

Here is the password btw (https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2):

 4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
 f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

Yet, this also means you cannot create a new account using Group Policy anymore.
Little “forgotten” side-effect…

And there is no real alternative to actually create a local account on a domain member…
(At installation of LAPS clientside-MSI, an argument can be set to actually create a new account…)

One way to solve this is to create a new local user is using a startup script!
The script below was tested on Windows 10, some things did break between 8.1 and 10!
Deploy it using SCCM or GPO startupscripts!

It creates an account and LAPS will change its password on first gpupdate

Note, another point of discussion is the fact whether the .\administrator should be used or not. There are a lot of different opinions here…
For LAPS, some people at Microsoft advise to “just use the .\administrator account, because you know it will always be there”. (note: account is prone to bruteforce attacks as a lockoutpolicy never applies to the rid500)
In other cases (src1, src2, src3), Microsoft advises to disable the .\administrator account, create another administrator account and use that one…
Point is, when you’re not using bitlocker, there is a tool called “Offline Windows Password & Registry Editor” by pogostick which can always enable and reset the .\administrator account’s password.
So, the choice is up to you! My humble opinion is to use another account 🙂 (otherwise I wouldn’t be going through all this trouble to get another one 🙂 )

See https://gist.github.com/mendel129/59a175e49c57b8ef9847

#https://gist.github.com/mendel129
function create-localaccount ([string]$accountName = "testuser", [string]$Computer = "localhost") {   
   $comp = [ADSI]"WinNT://$Computer"  
   $user = $comp.Create("User", $accountName)  
   $user.SetPassword(([char[]](50..150) + 0..9 | sort {get-random})[0..18] -join '') # set a random password, let it be changed by LAPS afterwards
   $user.SetInfo()   
}

function get-currentlocaladministrators([string]$Computer = "localhost"){
   $obj_group = [ADSI]"WinNT://$Computer/Administrators,group"
   $members= @($obj_group.psbase.Invoke("Members")) | foreach{([ADSI]$_).InvokeGet("Name")}
   $members
}

function add-localadministrators([string]$accountName = "testuser", [string]$Computer = "localhost"){
   $AdminGroup = [ADSI]"WinNT://$Computer/Administrators,group"
   #$User = [ADSI]"WinNT://$hostname/$accountName,user" #something broke on windows 10
   #$AdminGroup.Add($User.Path) #something broke on windows 10
   $objUser = [ADSI]("WinNT://$accountName")
   $AdminGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
}

get-currentlocaladministrators -Computer "localhost"
create-localaccount -Computer "localhost" -accountName "testuser"
add-localadministrators -Computer "localhost" -accountName "testuser"
get-currentlocaladministrators -Computer "localhost"

Some good LAPS references:

Quick version to improve client-side browser behaviour… (client-side best effort, so nothing is enforced…)

  • remove asp info
  • enforce https
  • specify thumbprint of known expected certificates and intermediate, and root for website
  • whitelist content security sources
  • set x-frame, aka preventing your site can be used in an iframe
  • enable xss protection
  • disable content type niffing

Add the following to your website’s web.config
(yes, web.config needs that ‘"’ around the thumbprints…)


 <httpProtocol>
  <customHeaders>
   <remove name="X-Powered-By" />
   <add name="Strict-Transport-Security" value="max-age=31536000" />
   <add name="Public-Key-Pins" value="pin-sha256=&quot;thumbprintofcertificate1&quot;; pin-sha256=&quot;thumbprintofcertificate2-intermediate&quot;; pin-sha256=&quot;thumbprintofcertificate3-rootcert&quot;; max-age=31536000" />
   <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
   <add name="X-Frame-Options" value="DENY" />
   <add name="X-Xss-Protection" value="1; mode=block" />
   <add name="X-Content-Type-Options" value="nosniff" />
   </customHeaders>
  </httpProtocol>
 

Long version: https://scotthelme.co.uk/hardening-your-http-response-headers/

Check via https://securityheaders.io/?q=https%3A%2F%2Fhome.mendelonline.be&hide=on

 

 

There are really some huge flaws in this system…

To bad actually, because it’s a nice thing!

Let’s show you my setup:

exe rules script rules

So everyone can run executables and scripts signed by my selfsigned codesigning certificate and the juniper ones.
Everyone can execute from %programfiles% and %windows (default rule) and Everyone from a safe directory called “epic tools” on my skydrive.
And 2 file-path exceptions for keepass and onecal…

Almost the same for powershell, with specific hash-rule for my powershellprofile (which can go now because it’s signed by the selfsigned cert)

Anyway, %desktop% is blocked for all normal users.

Bypass Applocker’s PowerShell policy

Let’s try to run a ps1 file located on the desktop.

weird
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\mendel\Desktop\applockertest\helloworld.ps1'"

I noticed this one when running a powershell script and invoking it from rightmouseclick (run with powershell) and used procmon to find the exact launch command…

(The rightmouseclick “run with powershell” is only available in the context menu if you have the “.ps1” extension associated with notepad… WTF)

And of course there are more: http://www.wilderssecurity.com/threads/windows-7-applocker-can-be-bypassed.321479/ , https://www.mountknowledge.nl/2011/01/28/bypassing-windows-applocker-using-vb-script-in-word-and-excel/ .
This one is also nice! http://baileysoriginalirishtech.blogspot.be/2015/06/applocker-schmapplocker.html

Bypass Applocker’s exe policy

Multiple bugs/exploits for this are known. As for example the ones from Casey Smith https://twitter.com/subtee/status/627904214451138560

CaptureI just used Case’s code to PoC this 🙂 https://github.com/subTee/ShmooCon-2015/blob/master/POC.cs

Basically, just block everything!

Device Guard

A new feature in Windows 10 might be a solution for all of this 🙂 http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html?m=1

We’ll see, we’ll see…

Ok, let’s get it over with. Once and for all a decent how-to to setup Authentication Mechanism Assurance (AMA) in Active Directory Domain Services…

The last time I talked about this, is when I just found out of it existence at techet, in a talk by Hasain Alshakarti and Marcus Murray .

It basically shows a difference in group memberships between logging in using a regular username/password , and logging in using smarcards. If you login with a password you’ll become a normal user, when you logon with a smartcard you’re an admin! 🙂

The Microsoft step-by-step guide however is a bit long, and a bit clumsy… So here a quick rewrite 🙂

➡ Required components: a Windows Server, a PKI (or the default one in ADDS whatever), and some time.

CA Templates

First, we’ll have to create a new certificate template.
Open the certificate template management console, and go to the templates.

Lets start by duplicating the “smartcard logon” one. Choose 2008R2 for everything.

dupl
This default template should be good, 1 little thing needs to change.

Open the template, go to the extensions tab. And you see the issuance policies. Here you’ll need to add a new one.

Give it some useful name, for example “server admin” or whatever.
issuancepolicy

This extra extension will now go into the actual enrolled certificate…

Mapping

Next we’ll need to teach the ADDS how to map that extension to an actual Security Group. This can be done using the weird PowerShell script provided by Microsoft, but let’s do it manually here (it goes way faster!)

The link between the OID we just created and a security group is a policy defined in the regular SYSTEM partition of ADDS. Open it either using ADSIEDIT or the Sites and Services mmc.

Ofcourse we’re working with the Public Key Services, OID config, and there are all the policies stored. We’re looking for the OID of the policy we created earlier (add the “displayname” to the mmc-colums to make your life easier).

If you’ve found the correct object, rightmouseclick it, open attributes, and search for the “msDS-OIDToGroupLink” attribute.

⭐ This is the magic attribute ⭐

Fill in the DN of the security group.
And you’re good to go!

sitesandservicesgrouplink

Next steps are of course the enrollment and issuance of the CA template to the correct users. But I hope you know how that works 😉
From here on you can either put it in a Virtual Smart Card, and start using it!

 

Password Filter

A DLL that provides password policy enforcement and change notification. The functions implemented by password filters are called by the Local Security Authority. – http://msdn.microsoft.com/en-us/library/windows/desktop/ms721882%28v=vs.85%29.aspx 
The purpose for this hook into the LSA is to create custom filters when users change password. Want some specific “default for your company” password filtered out? Want a custom RegEx next to Microsoft’s Complexity Requirements? Want to setup a real ugly sync passwords to another database? Or do you just want access to plaintext passwords? Than this is the way to go…But you can also do other stuff with it, because: “hey! a cleartext pasword!” :-p

Next piece of code doesn’t work, but also talks about the idea: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
And this blogpost tries to fix what the previous one couldn’t do: http://www.phocean.net/2013/10/02/password-stealing-using-a-password-filter.html

Anyway, code is visualcpp,

Most code (pretty much everyting) came from devx, who did a great job with his article: http://www.devx.com/security/Article/21522 !

Next functions are called by the OS when a users changes a password:

BOOLEAN PasswordFilter(
  _In_  PUNICODE_STRING AccountName,
  _In_  PUNICODE_STRING FullName,
  _In_  PUNICODE_STRING Password,
  _In_  BOOLEAN SetOperation
);

NTSTATUS PasswordChangeNotify(
  _In_  PUNICODE_STRING UserName,
  _In_  ULONG RelativeId,
  _In_  PUNICODE_STRING NewPassword
);
BOOLEAN InitializeChangeNotify(void);

 

Visual studio 2013 project to download: https://www.mendelonline.be/downloader/?file=passwordfilterregex.zip

The only thing this code does, is write out the cleartext password to a textfile… Just a proof of concept of what you can do of course… Rest is for you guys to code 😉

BitLocker_icon

Bitlocker is that often forgotten FDE tool from Microsoft.
It basically gives you the ability to encrypt your entire hard drive (or any external device), and roam safely around the globe without fear.

Default setting is AES with a 128 bit key with diffuser.

There are some powershell commands in windows with kernel 6.2+ and two bde-commands for other windowses 🙂
And the console of course…

Most configuration is done using Local Group Policies. Some of those changes must be made BEFORE encrypting your disk…
So check out the options before encrypting everything!

bitlocker components_2

To quickly check your current status (and which encryption type you’re using):

PS C:\Windows\system32> manage-bde -status
 BitLocker Drive Encryption: Configuration Tool version 6.3.9600
 Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with
 BitLocker Drive Encryption:
 Volume C: []
 [OS Volume]
Size: 237,96 GB
 BitLocker Version: 2.0
 Conversion Status: Used Space Only Encrypted
 Percentage Encrypted: 100,0%
 Encryption Method: AES 128
 Protection Status: Protection On
 Lock Status: Unlocked
 Identification Field: Unknown
 Key Protectors:
 TPM
 Numerical Password

Sidenote on this subject

AES 256 isn’t safer then AES with an 128 bit key length.

Choose the encryption strength

BitLocker supports two levels of cipher strength for BitLocker: 128-bit and 256-bit. Both use the Advanced Encryption Standard (AES) to perform encryption. Longer encryption keys provide an enhanced level of security and are less likely to be successfully attacked by the use of brute-force methods. However, longer keys can cause slower encryption and decryption of data. On some computers, using longer keys might result in noticeable performance degradation. You can use Group Policy to change the length of the encryption key used by BitLocker.

In addition, BitLocker supports a Diffuser algorithm to help protect against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses. By default, BitLocker uses AES encryption with 128-bit encryption keys and Diffuser. You can also select encryption without Diffuser by using Group Policy if your organization is Federal Information Processing Standard (FIPS) compliant.

It is recommended that most organizations use AES 128-bit with Diffuser. For organizations that are required to use 256-bit encryption, the AES 256-bit with Diffuser option can be enabled by using Group Policy. => howto

http://lukenotricks.blogspot.be/2010/04/aes-128-versus-aes-256-encryption.html

http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit

http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

http://www.bolehvpn.net/blog/2013/10/what-data-encryption-algorithm-should-we-use/

http://collaboration.cmc.ec.gc.ca/science/rpn/biblio/ddj/Website/articles/DDJ/2007/0710/070901me01/070901me01.html

http://technet.microsoft.com/en-us/library/ee706531%28v=ws.10%29.aspx

 

Sidenote on recovery key

Keep that key somewhere quickly accessible. Especially with windows 8…
On your phone, a hardcopy in your wallet, a tattoo on your arm…

When Windows 8 detects something has gone wrong booting itself, it will try to recovery.
But it can’t recover without the partition unlocked. So you’ll need to enter the key.
When you cannot unlock it, and reboot again, it’s just going to try to recover again.
And you’re looping forever…

Damn windows 8!

The interwebz is a complex wasteland.
Almost every websites requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords, the simple password (19bit) for the “one-time-use” websites , the more complex ones (still only max 65 bit) for the “special sites” like facebook, google, of my hr department…  Actually, my “toughest” password (my cronos admin password) only reaches 87 bits…

lotsofaccounts

only a couple of my accounts…

Anyway, when you’re on the internet for a couple of years, you gather some accounts.

Lots of them

LOTS OF THEM……

And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…

The last couple of years I always made use of random sync tools. At first, the sync-tools from Mozillaphoto.jpg itself, later on some other 3th party tools, but the last tool I got stuck with was xmarks. But last year it was bought by lastpass. So all my passwords were suddenly in their hands…
I’m not sure I like that…

But I kept using it, because it comes in damn handy!
All your password perfectly in sync between devices, nice plugin’s for every browser, and even a nice web interface!

But, still, you trust your password with someone else…

Anyway, this week I started doing some consultancy (read, they’re teaching me) for another Cronos Group Company working on InfoSec (another blogpost about this will follow!). And the first thing that 6556_3b90_500happened when firing up my laptop in front of these guys, was firefox opening, and lastpass popping up…

fuck

10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”

Anyway, today I present you: THE SOLUTION

You’re own sync tool build around keepass!

I’ve been using keepass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it off-line. I open it, copy paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!

Until today, on my first hit on google: “keepass firefox” 😛

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an http web service), and you’re good to go! Uninstall lastpass, throw away all other 3th party related crap you don’t want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own aes-256 encrypted keepass db!

The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But, then I would answer “you’re to soon with your remark” 😛

Put all of the above in a skydrive/dropbox/owncloud/anything, and you can run around using your passwords everywhere!

Jej!

————–

Some remarks on passifox: browse to any website with a login field, rmb -> fill user & pass. This is the ony known interface to the firefox plugin! Use this to setup the initial connect with lastpass (connect will appear).

Some remarks on the entire process: I always trusted sites like lastpass. I don’t know exactly why. But when you work for a InfoSec company, you can’t risk anything. Right? 🙂
Maybe it was of laziness, because lastpass just works that handy 😛 But in the end, so does passifox! So please, when you read this, thing twice about who you trust with what!

Remark on skydrive/dropbox/owncloud: even Microsoft’s skydrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to logoff from any live-enable website and someone can have access to these files as well. Even when you run owncloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21the century burglars” can download, is an aes encrypted file! Good luck with that 🙂
Hell, with this setup you can even put an hidden truecrypt container in skydrive containing a portable firefox and keepass… But only, who’s that paranoid? 😛

In this first part, in a series of posts, I want to talk about obfuscation.

This pretty hard to pronounce word actually means “the art to make things difficult”.
Google translates this word in Dutch as “verduisteren”, to darken/occult or something like that.

In the IT world, it’s a technique to make code or information unreadable by humans, which on its turn makes it almost impossible to analyse…

This can be done because of multiple reasons.

  1. a software developer doesn’t want his code to be read (think of RSA, iTunes’ DRM fairplay, copy protection like StarForce or SecuROM)
  2. virus writers trying to hide malicious code, making it harder detect by anti-virus software
  3. defense contractors making sure not a single terrorist can find a hole in mission control software of a missile

So, any programming language (or even hardware designs!) can be obfuscated (yep, even javascript).
It transforms your initial source code, to something.

A nice example.

void main(){
   string name="mendel";
   int age=24;
}

could make

void main(){
   string a = function1("mendel","24",1);
   int b = convert.toint32(function1("mendel","24",2));
}
string void function1(string a, int b, int c){
   if(c==1)
      return a;
   if(c==2)
      return b
}

(or something like that ^^)
The result is 100% the same, but the first part gives away a lot more information about what this function does.!

An even funnier example:

void function2()
{
   for(int i=0; i<5; i++)
   {
      if(i>3)
         x=4;
      else
         i++;
   }
}

which actually just sets the variable x=4;

The idea behind all this, is when you as a reader, analyse the code, you would not be able to figure out what is does 🙂
It just doesn’t make sense..

These obfuscation translations can go pretty far.
Take a look on the annual IOCCC contest, which results in really crazy stuff!

There are a lot of obfuscators written for IDE’s like visual studio (dotfuscator), java (proguard), and many, many others… All with one reason in mind: protect (or just hide) your code!
If you want to read more code obfuscation, this series is a very good start!
But you’ll find a whoooole lot more on google!

There is no actually reason for this post. But sometimes you come across this kind of code. And I wanted to share this out-of-your-mind subject with you 🙂
I just hope you’re as intrigued with it as I was when I first saw it 🙂

javascript code from the “runforestrun” infection

My first introduction with this subject was at Ghent University.
Next, I stumbled upon more obfuscated code when Stuxnet appeared.
After that,  a virus infected a website of a customer at work (screenshot above), also pretty weird.
And even more recently in a DLL originating from a WP7 app.

More on that dll later! 😉