security

Post exploitation tools: Lazagne

lasagnaOften, after a compromise of a machine, red teams / adversaries search for certificates or credentials to hop to other machines, often referred to as “lateral movement”. When doing so, many use Mimikatz, a tool that extracts credentials, PIN codes and kerberos tickets from memory. There are countless blog articles about how to detect it, and hide it from AV, etc.

But another nifty tool, that many don’t know about is Lazagne. It searches for credentials in files and registry. Not just your windows credentials, but things you save in your browsers, mail clients, FTP clients, keyrings etc.

security sysadmin

Quick SSH security tips

Just a quick post about a page I stumbled across, and I merely want to keep it in bookmarks. I was talking to some people to secure public facing SSH servers; and while we have the obvious:

  • Only allows SSH2
  • Disable root logins
  • Use keypairs instead of passwords
  • Implement fail2ban

When researching to make internet exposed SSH boxes more secure, I’ve been implementing recently MFA (Multi Factor Authentication). Usually found when you use something you know (password, PIN, …) and something you have (smartcard, keyfob, mobile, mobile app, …). In SSH, this can be achieved with the following; it forces you to authenticate with your keypair AND your password.

Match User johndoe
    AuthenticationMethods publickey,keyboard-interactive

This, and more tips were found on https://sysconfig.org.uk/two-factor-authentication-with-ssh.html, so check it out.

security

Testing phishing scenario’s

fishWhen I joined my company, I was asked to perform a few social engineering assessments for private and government customers alike. Previously, the assessment being done were more testing the amount of people that would click a link in a spoofed e-mail, regardless of the damage. But I wanted to step things up a bit, as I believe that phishing is often a very underrated risk, which seems to be quite effective.

Although “social engineering” is much more than phishing, we are generally asked to keep it to phishing attacks alone. We use following scenario’s to quantify the risk:
read more »

security

Cross Window Redirect slides

Khaled and I just gave a talk in Owasp Qatar about tricks you can do with the Cross Window Redirect, and how it can help you in phishing attacks. I few people asked for the slides, so I though I’ll link to them here.

The PoC links are:

I also gave an update of my social engineering talk which I gave a few months ago.

misc security

The fake CC conversation

During social engineering exercises, one of the difficulties we face is to get a person to click a link or open an attachment. For the past few decades, we haven’t seen much changes in it. A rather, *sad* part even, a few days ago; Cisco researchers wrote about a quite aggressive malware; Rombertik. While being relatively technically advanced (uncalled functions, anti debugging techniques, etc), one of the modes of distribution is through phishing emails, and quite bad one at that:

email-screenshot-watermarked

A better way is to do targeted attacks; i.e: spear phishing attacks, where you focus your attack on a few people, rather than just casting a net and seeing what sticks.

For this, during social engineering engagements, we often like to use the following 2 techniques:

  • Fake CC
  • Fake email thread

read more »

misc

Filtering password lists due to policies

passwordsSometimes if you’re performing a password bruteforce attack, either against local hashes or remotely against a service, you could use password lists rather than a pure bruteforce (incremental) one. People are most likely to use dictionary words, names, keyboard combinations or anything related to it. These passwords lists can be found anywhere online.

The problem sometimes happens that when you *know* the password policy, but your password list holds a lot of combinations that you know won’t work; simply passwords that are too short or don’t have a number in them or so.
For example, a service requires at least 6 characters, and have one of them being a digit; so you know that entries such as “jesus”, “satan” and “password” won’t work. Still, they are being tried.

For an audit on a company, I ran into that problem – so I wrote a quick and dirty perl script to take a large password list, and only output passwords that adhere to a certain policy. These include minimum and maximum length, as well as password complexity (has to have a digit, uppercase, …)

You can find it on my GitHub.

Enjoy!
-mh

security

KeyWalking: pattern based passwords

keywalkingTL,DR; download the script here.

In security audits, when we get a password file we -even though we may have admin or root access on the target already- usually grab the password file for offline cracking, just to see if there’s any passwords that users re-use, which would give us more access to other systems.

Doing so, we sometimes find passwords such as “cft6&YGVbhu8“, which by the looks of it seem secure; they have uppercase characters, special characters and numbers. When typing them, you’ll notice that they are keyboard patterns.

For this, I was wondering if it was possible to generate a list of all/many keyboard pattern based passwords, a technique referred to as “key walking“. Some tools exist already, but are often based on predefined patterns (“qwe”, “asdf”, “1qaz”, …). I wanted to make something based on a keyboard layout, so it could be extended. This is KeyWalker; a ruby script that generates keyboard pattern based passwords.
read more »

misc

MS15-034 online checking tool

lockA friend and colleague of mine, Bhadresh, made a quick page to check whether your IIS site is vulnerable to the MS15-034 (CVE-2015-1635), the HTTP.sys remote code execution vulnerability. Check now, and make sure you don’t fall into the hands of blackhats.

You can test it at: http://sys.flurk.org/ms15-034/

security

The need for emergency access codes

dauod“I have nothing to hide.” is one of the more recent empty responses when conversing about privacy. We’re not all criminals, but we all have something to hide.

Whether it’s a snoopy spouse, an unfair employer or a threatening government cellphones are now -more than ever- secure from physical access. Having a pin code on your old nokia phone little over a decade ago labeled you as “paranoid”. Since smartphones are the equivalent of our parallel lives, they have more access to our information and thus are a much more sought after target to untangle ones “secrets”.

Recently, Time magazine published an article how iPhone’s fingerprint reader does not protect you against the 5th amendment, the protection against self incrimination. Key codes, luckily, do.

This would bare the question to allow multiple keycodes; one to unlock your data. One to censor it, and optionally to remove it. Say you have a smarthphone, and it’s code is 1111. You use it every day to access your contacts, emails and other data. You should be able to set up a 2nd passcode, say 1234 that would purge a certain set of data. In a riot, if the police asks for you to unlock your phone, you type 1234, and it shows a clean phone, filters out some of the questionable text and phone records you have.

code security

Brocade brute forcer

During a pentest, I needed to test a Brocade SAN Switch. Since the Java webstart was quite slow, and I couldn’t find another script – I quickly coded this together to brute force passwords:

brocade_brute.rb