Archive
Exploits are Everywhere
I recently went through and completed what I consider to be the hardest and most informative technical course and examination out there, the GIAC Exploit Researcher and Advanced Penetration Tester, known as GXPN. What I learned was that there is a lot of opportunity for the bad guys to get control.
As a white hat hacker, I am asked to engage in a variety of activities, most of which are network related. For some of the hackers out there, your goal is to utilize a wide variety of tools to identify weaknesses in the defenses and/or the applications that are running, and to overcome the controls in place to protect the data.
To some of the security researchers out there, exploit writing is the next logical step in the transition. As an attacker, if you are fixated on a target and you have exhausted all of your tools and tricks, you are left with little else but to find some type of vulnerability and write an exploit for it. As we purchase and add more and more items to our digital world, the odds are stacked in favour of the bad guy.
Many people have surmised that we are finding so many bugs now because programmers are making so many mistakes, but I disagree. I feel that we are finding so many bugs because there ARE so many bugs. Some of us just got better at finding them.
Let’s take the recent SSL vulnerability that was exposed for many of the Internet of Things (IoT) devices (https://www.wired.com/2016/10/akamai-finds-longtime-security-flaw-2-million-devices/). Akamai researchers would have you believe that this is somehow a recent find, but there are references to the dangers of SSH port forwarding from over a decade ago (http://www.informit.com/articles/article.aspx?p=602977).
Earlier in 2016 we had reports that the GNU C Library (glibc) shared library has a critical vulnerability (https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html). Admittedly this is very hard to exploit, but as more and more people learn how to look for these types of bugs, we are going to find out about them.
My recent certification has taught me that bugs are everywhere: in the mobile devices we carry, in our cars, in our thermostats. We just have to get better at looking for them.
A word to the wise: learn about all the electronics you own, keep them up to date if they are recent purchases and be prepared to give them up if they are not. As a pentester, I am looking for older vulnerable devices that are connected to your Wi-Fi or cabled networks at home or in the office as a beachhead to allow me to get a foothold. There has never been a better time to discard those older routers and VoIP phones.
Computer Breach and what you can do about it

A security breach can happen to you
Experts agree that 2015 will be a tipping point for most small to medium sized businesses when it comes to computer security. The average organizational cost of a data breach is now over 6 million dollars. For most of my clients their loss won’t be anywhere near those numbers, but to understand the cost to you or your organization, that is over $200 per record. Maybe it’s a list of your clients or your employee wages, or perhaps it’s usernames and passwords for your organization. Do the math – these can add up to large scale loss for everyone.
Among the top 5 threats for computer networks today are:
- IoT – The Internet of Things brings along convenience, but those IP enabled devices are not without risk. As you purchase Wi-Fi enabled security systems, TVs, media devices, Network Attached Storage, etc., we are seeing an increase in vulnerabilities that expose your network and help to increase your attack surface. They need to be monitored and maintained because they are not as secure as a computer or a server.
- DDoS – The ability to overwhelm your network with traffic is quite common and can easily be done by most consumers with a home network connection. If you require the Internet to do business, you should evaluate whether you can operate without it. If not, then you should consider protecting yourself against the real possibility that it could happen to you.
- Social Media Attacks – If your business uses any cloud based or social media application, you should review your authentication and user management policies to avoid a potential breach of your accounts. Hackers are now targeting online applications in order to infect your users and gain access to your networks through the use of cross-site scripting vulnerabilities. All it takes to be infected is for an email to be clicked on, and you can no longer rely on your antivirus to prevent any Trojans from getting through.
- Mobile Malware – The volume of mobile devices beginning to enter your workplace, and their ability to use your internet connection, add a very real possibility that malware on a mobile device can get access to your corporate network. If you already allow users to have access to your network with any computerized devices, you are probably at risk. You should consider controlling the access or monitoring all of the devices by using a Mobile Device Management platform, or you risk a possible breach continuing without your knowledge.
- Third party Attacks – Many companies allow third party applications to connect with their own network assets, but how safe are they? Large scale breaches have been shown to be caused by third party vulnerabilities, and these occupy a ‘grey area’ when it comes to management (who is responsible for keeping all applications up to date on those systems?). Many user agreements do not cover damages that can be caused by a lack of security practices, and once the vulnerabilities have been exploited, hackers use those systems to pivot onto your networks and wreak havoc.
There are several methods you can implement that can help mitigate the risks.
- Implement Monitoring – It is no longer safe practice to just implement a firewall; you need to monitor all traffic coming into and out of your network. Hundreds of breaches in any network design have been traced to a failure to see IOCs (indicators of compromise). Not only do you need to record reams of data, but you need to review them in order to determine what is normal behavior and what indicates a potential breach. There are devices available that can help you do that, and although they can be complicated to implement, once properly deployed they can help you become aware of details that help you find attacks before they become too big.
- End User Security Awareness – If you don’t already have a program in place, you should consider a large scale awareness campaign surrounding security at your organization. It can be as simple as a regular talk over lunch, or it can involve testing to be sure that your employees have taken the necessary steps and understand your policies. You need to train your users about the do’s and don’ts of all aspects of your security: physical security, passwords, email questions, sharing account credentials, staffing questions, etc. You need to protect against all avenues of information leakage, whereas hackers only need one of them.
- Inventory all equipment – If you do not have an active list of your equipment, anything that is or was connected to your network, then take the time to make one and keep it up to date. Many organizations are leaking information that can be critical to their operations. Network devices that are no longer connected should be properly disposed of and/or their configurations need to be wiped. Improperly configured devices and anything with wireless access remain the largest risk to any organization – all of these devices need to be audited on a regular basis to manage the risk.
- Review your Protection – Make sure that you update ALL software (this includes operating systems and any third party applications) that is actively used on all networked computers. Update any firmware on devices that connect to your networks. Implement and maintain antivirus software on any computer that is actively used to open emails or browse the Internet.
There are many different ways you can help protect yourself from attack, but I wanted to point out the clear methods to avoid them. If you are aware of all of the different methods that can be used to gain access to your company or its information, then you can help manage them. A failure to see them coming is a surefire way to enable the attack over and over again.
Imagine a single tool that hackers could use to break into your network…
…and you are probably thinking about Metasploit.
As a security specialist I am saddened to think how easy it is to break into what was once considered a pretty safe way to conduct your business online. Years and years ago we all touted the necessity of a firewall with its ‘allow nothing in – allow everything out’ stance. Most sysadmins believed that if you had a crunchy outer shell it would be enough to protect you from the bad guys outside of your organization who are knocking on your proverbial door. We, as sysadmins, then debated the merits of network segmentation and egress filtering, and a lot of us agreed that it would be a lot of work to implement and administer compared to the risks associated with simply leaving the network topology flat and open. Then along came WiFi, and for most of the users it made connectivity easier, but as sysadmins we knew that it would require some additional brain power to make it work securely. First WEP got cracked, and then WPA-Personal and -Enterprise were introduced; at that time, they represented a pretty safe and uncrackable method to secure the wireless network. WPS made it easy to set up, but we found shortly after that WPS has its flaws.
Today any user with a computer and an extremely fast graphics card could crush a short password in a matter of hours. Now we tell users to make their passwords longer and to choose better passwords. Then would-be hackers build faster computers to crack longer passwords in a shorter period of time. It all begins to seem to me more like when the bad guys get in rather than if they get in.
It’s time to ask yourself how well your assets are protected. Does your network topology resemble a cookie (hard on the outside and soft on the inside), or have you taken steps to limit the damage that can be done once your walls fall? It’s hard to believe that you could come in one Monday morning and find out that your network is having a really bad day, all the result of a little tool like Metasploit in the hands of a few skilled people. There are literally thousands of known vulnerabilities, at least one for any number of hardware devices that make up your network, and they are all contained in this tool and ready to be unleashed on all of your devices once they get in. Network switches, IP phones and phone systems, routers and firewalls, printers, etc. Let’s not forget the laptops, workstations, servers, tablets, iPads and, oh yes, the smart phones that we all know and love.
You home users are just as vulnerable, with your thermostats, IP cameras, wifi adapters and home alarm systems, all web enabled. Every day we hear about some vendor that has IP enabled another appliance in your home, and do you think they are worried about the safety of the device while you own it? As a consumer I am pleased when my new fridge can show me a picture on my cell phone of what is inside while I am standing in my local supermarket, but as a security researcher I am horrified at all the possibilities that could happen as a result of poor security. On the flip side, and as a white hat (someone who hacks stuff to make it better), I am thrilled that there will soon be more things to test to ensure that the vendor has created a safe, secure product for my fellow users to enjoy. The question that is raised in my mind by these likely events is just who is quality controlling these devices – them or you?
Still using short passwords in your organization…
With email turning 40 years old recently, we thought it was a good time to revisit ‘password length’ and how choosing one factor above all can make the difference in online security for you and your organization.
There are very few applications left that require short eight character passwords (known as legacy apps), so you should be thinking of different ways to create and recall your passwords. There are several methods I have heard over the years, and whichever method or combination you choose to employ, security experts all agree that length is the most important one of all (at least that’s what the ladies are saying :-))
I wanted to show how anyone who plays games on a computer can use that graphics card to guess your password. Typically it is the main Central Processing Unit (CPU) that is responsible for the ‘heavy lifting’ in your computer, but for our purposes we need a Graphics Processing Unit (GPU) to do the tedious task of computing.
Now typically password guessing has involved a wordlist, a list of common passwords that is used to compare against what your password *might* be. This was necessary because of the permutations of each placeholder. If we wanted to check every combination of upper case, lower case, number or special character in each of the 6 positions, it would take an enormous amount of time. You could thwart the risk of someone guessing your password with a good password rotation policy, but as processor power has increased this is quickly becoming a concern.
Here we show how fast we can brute force any password up to a length of 6 characters. This is the default password length for a Windows password. In as little as 2 minutes, someone with about a $1000.00 computer can crack the password files on your computer or in your organization.
Here we see how easy it is for that same person to try every possible combination of characters if you change the minimum length to 7.
In as little as 3 1/2 hours we can use the power of a single video card to examine every combination of characters you can possibly use to create a password of 7 characters or less.
How about 8 characters? This same user would take approx. 2 days to try all possible passwords and compare them with the password file that stores your hashes. All anyone needs to do is run a tool on your computer or on your domain controller to exfiltrate your password hashes, and they can use the power of the GPU to guess your passwords. How about 9 characters? Well, the amount of time it takes for a single medium priced GPU to tackle 9 characters is quite high (almost 4 years). So why not just make the minimum length of passwords 9 characters? Well, these results were derived using a single $400.00 video card. We can buy a more expensive card and increase our processing power another 20%. We could even buy a more expensive computer that is capable of running 4 or even 8 video cards in the same system! A machine like this would probably reduce the amount of time it takes to brute force 10 character passwords to a few hours (this is an estimate – YMMV).
The days of simple dictionary passwords are behind us, and you might feel that it is impossible to remember all of these long passwords, so I wanted to point out a few methods you should adopt that can help you. I hope I have shown you how trivial it is to guess your password and that failure to adopt a longer password could result in the compromise of your accounts. All it would take for a hacker to get access to your information is for you to use a ‘free’ wifi hotspot, and your computer could be owned.
1. Use a longer password – add dots, dashes, your phone number, anything that will take your password length beyond 12 characters. Security professionals have forecast that 12 characters is the minimum length we should be using with today’s technology.
2. Use an online password manager – these systems can generate random passwords of various lengths and you only need to remember one password (the password to log you in).
If you are interested in finding out just how easy it could be to guess your current password you can visit https://www.grc.com/haystack.htm
I am betting that 2015 will be the year of security…
Last year was a banner year for old school hacks – remember Heartbleed and Shellshock – those were missed by a lot of us because it was stable code (or so we thought). Hundreds of thousands of us just focused on the newest apps and how we could exploit them. A few researchers went back over some of the mainstream code that we have all used for years and found some ‘features’ that were added a while back that could be exploited today. I am willing to bet that more and more people are taking the gloves off and trying all sorts of applications to find that 0-day that will make them famous.
As a self proclaimed whitehat, I am interested in finding flaws for profit. Let me be clear, I am not interested in exploiting them or selling them to blackhats – no, for I am a security researcher. My intention is to help users identify weaknesses in the communication devices we use on a daily basis so that we can feel safe. There are a myriad of individuals who would love to collect anything about you, from advertisers who want to sell you things to our governments who want to monitor what you do with your time. When you add to that the kids who come home after school and just want something to do, along with the legitimate users who hack for profit, you have a lot of reasons to protect your online privacy.
Recently I put together a small computer that could be used to identify weak passwords by scanning your wireless networks. First we were able to install Linux on a single board computer and connect a wifi adapter that is used to ‘listen’ to your wireless. After a short amount of time (minutes if you have active traffic), we collect the traffic from your wireless network and package it up to be sent to our master server.
[0:08:20] starting wpa handshake capture on “BELLxxx”
[0:08:18] new client found: C4:62:EA:xx:xx:xx
[0:08:08] new client found: E8:61:7E:xx:xx:xx
[0:07:58] listening for handshake…
[0:00:22] handshake captured! saved as “hs/BELLxxx_34-8A-AE-xx-xx-xx.cap”
After approx. 10 minutes I was able to capture traffic from this WiFi AP that contains the pairwise transient key (PTK) exchange that occurs when you authenticate using WPA2. If you are busy using your wireless, we can capture it even faster!
Next we use GPUs (not CPUs) to check the passwords against a large database of millions of passwords. Normally this process would take days and days but by using the large processing power of video cards we are able to shorten that time frame to mere hours. When used together on one computer, multiple GPUs would take just minutes to try every possible combination.
Now with just one computer and an expensive video card we can test the combinations of pairwise master keys (known as PMKs) at an astounding rate…
Connecting to storage at ‘sqlite:///WPAcrack.db’… connected.
Parsing file ‘Xxxxx_20-AA-4B-xx-xx-xx.cap’ (1/1)…
Parsed 13 packets (13 802.11-packets), got 1 AP(s)
Attacking handshake with station e4:ce:8f:xx:xx:xx
Tried 144668765 PMKs so far (12.7%); 62770 PMKs per second.
At a speed of approx. 4 million per minute I can compare your authentication passphrase against my database of WPA passphrases. If you are not careful, someone just like me could guess your passphrase and connect to your network, and you may not ever know it!
Now how important is it for you to patch your laptop, download new updates for your routers or cell phones, or even verify that all your devices have the latest code (called firmware)? You have all of these devices that you need to make sure are patched, updated and not vulnerable to attack, and all the hackers have to do is compromise just one of them!
Gives you a whole new outlook on ‘The Internet of Things’, doesn’t it?
Most of you might be asking yourselves ‘what can we do to protect ourselves?’ right about now. There is a nice campaign put forth by the folks at SANS to help ‘secure the human’ (http://www.securingthehuman.org/).
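Both the crack-time table in the ‘Still using short passwords’ post above and the PMK progress line in this post reduce to the same arithmetic: a candidate count divided by a guessing rate. The following is an added example, not code from the posts or from any tool they mention; it works that arithmetic for a 95-character printable ASCII alphabet and parses a progress line in the format printed above. The single-GPU rate of 6e9 guesses per second is an assumption chosen to land near the post’s 2-minute figure for 6 characters, not a benchmark, and the inferred database size is derived only from the numbers in the progress line.

```python
"""Crack-time arithmetic for password length and WPA passphrase databases.

Added example, not the post's own code.  ASSUMPTIONS: a 95-character
printable-ASCII alphabet and a single-GPU rate of 6e9 guesses per second
(chosen to land near the post's "2 minutes for 6 characters"; real rates
depend on the hash type and the hardware).
"""
import re

ALPHABET_SIZE = 95             # A-Z, a-z, 0-9 and 33 printable symbols
ASSUMED_GPU_RATE = 6e9         # guesses/second for one card (assumption)
SECONDS_PER_YEAR = 365 * 86400


def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def cumulative_keyspace(max_length, alphabet=ALPHABET_SIZE):
    """Passwords of length 1..max_length, i.e. "7 characters or less"."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(candidates, rate_per_second):
    """Worst case: every candidate is tried before the right one is found."""
    return candidates / rate_per_second


def aggregate_rate(single_card_rate, cards=1, per_card_factor=1.0):
    """Rate for `cards` GPUs, each `per_card_factor` times a baseline card
    (the post's "another 20%" on a better card is per_card_factor=1.2)."""
    return single_card_rate * cards * per_card_factor


def human(seconds):
    """Render seconds in the largest convenient unit, one decimal place."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Progress line format exactly as printed in the post:
#   Tried 144668765 PMKs so far (12.7%); 62770 PMKs per second.
PROGRESS_RE = re.compile(
    r"Tried (\d+) PMKs so far \(([\d.]+)%\); (\d+) PMKs per second")


def parse_progress(line):
    """Return (tried, percent_done, rate_per_second) from a progress line."""
    match = PROGRESS_RE.search(line)
    if match is None:
        raise ValueError(f"not a progress line: {line!r}")
    return int(match.group(1)), float(match.group(2)), int(match.group(3))


def estimate_from_progress(line):
    """Infer the total database size and the seconds remaining.

    The post never states how many passphrases the database holds; it
    follows from tried / percent, which is what a defender can read off
    such output to judge how long a captured handshake stays safe.
    """
    tried, percent, rate = parse_progress(line)
    total = round(tried / (percent / 100.0))
    remaining = (total - tried) / rate
    return total, remaining


def length_table(lengths, rate_per_second):
    """Map each maximum length to the worst-case exhaustion time in seconds."""
    return {n: seconds_to_exhaust(cumulative_keyspace(n), rate_per_second)
            for n in lengths}


if __name__ == "__main__":
    one_card = ASSUMED_GPU_RATE
    eight_cards = aggregate_rate(ASSUMED_GPU_RATE, cards=8, per_card_factor=1.2)
    print(f"{'len':>3} {'one card':>14} {'8 cards @ +20%':>16}")
    for n, secs in length_table(range(6, 13), one_card).items():
        fast = seconds_to_exhaust(cumulative_keyspace(n), eight_cards)
        print(f"{n:>3} {human(secs):>14} {human(fast):>16}")

    # The progress line quoted in the post.
    line = "Tried 144668765 PMKs so far (12.7%); 62770 PMKs per second."
    total, remaining = estimate_from_progress(line)
    print(f"\nDatabase holds about {total:,} passphrases; "
          f"{human(remaining)} left at this rate.")
```

Each extra character multiplies the worst-case time by 95, so the table makes the post’s 12-character recommendation concrete, and the progress line implies a database of roughly 1.14 billion passphrases that finishes in about four and a half more hours at the quoted rate.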
There is also a nice poster that you can print and pass along to your family and friends – http://www.securingthehuman.org/media/resources/STH-Poster-CyberSecureHome-Print.pdf
For those of you who are serious about security (physical or virtual), you can hire a professional; we can help you evaluate your risk and then make suggestions on how best to focus your efforts to help remove it from your homes or offices.
Let’s hope 2015 isn’t the year you get hacked…
Hey dude – pass the hash…
I wanted to share my experience with a client recently and mention a great tool that helped us resolve an issue that many IT admins probably face on a regular basis. It is my hope that it can help someone as it has helped me and my client.
We recently took on a client who has a Windows 2003 SBS server and did not have the current password for the Administrator user. We used several methods to try and crack the existing password and they were all failing. I even used a method to remove the SAM and SYSTEM registry hives to begin to crack it offline (a process that took almost 8 hours to set up). After an hour or two of running a tool to try and brute force the password, I thought I would try to ‘pass the hash’ (a method that Windows uses when a password is used to access resources across the network on remote shares).
Mimikatz is a tool written by Benjamin Delpy, who also goes by gentilkiwi (https://github.com/gentilkiwi/mimikatz), and this tool can set up and impersonate a session that can be used to authenticate to your system. All you need is the NTLM hash, the domain (which is found on the login screen) and the username (also found in the hash dump – usually ‘Administrator’). When used correctly it can set up a session that will impersonate the user and the password without knowing what the password is!
Once you open a new command prompt, you can use another fantastic tool from Mark Russinovich called PsExec (http://msdn.microsoft.com/en-us/library/bb897553.aspx) to connect using the authenticated command window to your target machine, as if you had a local login with those credentials, and run a remote command window on your target – voilà.
Now that we have a remote shell on the target, we can add a new user and make them an administrator.
We had installed our remote software and completed everything before the second hour of cracking the password had begun.
Kaseya and Safe mode
One of the things that I have always loved is playing with computers. I love to fix them and figure out what is wrong with them, and sometimes you need to use safe mode to do it.
Well, working with Windows 7 is no different, but for those of us who use Kaseya to manage our client sites that usually means a truck roll. Well, thanks to a little registry magic, you don’t need to run out to the site any more (DANGER – WILL ROBINSON – DANGER, this is not for the faint of heart).
I wrote a couple of little procedures that can be used to change the boot configuration on your Vista/7/2008 system to boot into safe mode. The trick was to add the remote control service to start while in safe mode (a clever little registry hack).
You can reboot your machine with the procedure to start in safe mode, do what you need to do (like remove drivers, etc.) and then run another procedure to boot it again in normal mode.
Drop me a line and I can share how I did it with you.
Using Kaseya to deploy LogMeIn
Sometimes the VNC connection with Live Connect just won’t work, probably due to poor bandwidth or maybe a plugin issue, so I wanted to document a simple process of using Kaseya to deploy the free/paid version of LogMeIn to your agents so you have another method of connecting remotely.
I created a script that will download a customized version of LogMeIn and run it as the system account to silently install. You can run it as a procedure to install on your agents, which can run on the bandwidth challenged systems.
First you have to create a customized package using your LogMeIn account and download the executable version (this process is outside the scope of this document).
Next you use the script (above) to send the file, wait for it to be downloaded, run the installer, delete the install file and update the procedure log (we added a pause to wait for the installer to complete before we try to delete the file).
Finally you upload it to your Kaseya server and modify the script to pull the new customized LogMeIn file down to your agents, and that is it. No more asking clients to run remote control programs so you can connect – if the machine has a Kaseya agent on it, then you can run this procedure to install LogMeIn.
You can use Kaseya procedures to do almost anything – we run SQL scripts, batch files, WMI scripts; the list is almost endless. If you have an idea for a script or have other scripts that you would like to share, feel free to comment below.
I hope you find Kaseya as powerful as I do and learn how to make the power of Kaseya work for you.
Using vPro with the Kaseya Portal
My observations of the vPro feature in Kaseya. If you have a machine and would like to enable the vPro feature, then review my musings and follow the steps at the end of my post. If you need some help, you can contact me and I will review it with you.
(You must be onsite in order to activate this – you will also need a USB key)
I wanted to detail my experience with Kaseya and the vPro feature within it. If you are like me, you might have heard of the feature that Intel has put into their CPUs, but that might be all.
I am familiar with remote features like DRAC, iLO, etc. in servers, but the idea of remote controlling a workstation is so exciting that it opens all sorts of thoughts surrounding management without having to be in front of the keyboard. I especially love the ability to run a disk management tool to help maintain or even fix hard drives that are about to go bad. These tools can run for days, and arriving to load it once and asking a local user to tell you when it finishes isn’t always convenient.
Starting with version 6.x, vPro has VNC based firmware installed in the chip – it only needs to be activated in the BIOS or by a special thumb drive. This is where the Intel Activator Wizard comes in. You can configure a standalone password for the AMT to be used by remote control and for any other AMT events. Failing to do so will allow you to connect, but the screen will prompt the user for a code that is not visible when you are remoted in. In some cases I have seen versions that cannot be enabled remotely when you detect and then try to enable vPro.
You need to have the Intel Management drivers loaded on a machine that has the Kaseya agent installed to be able to detect/enable vPro, and it comes from the factory disabled. If the drivers are loaded on an OS and it is running, then you can detect and perhaps enable it remotely using Kaseya. The connection topology starts by setting up a vPro proxy (this should be a publicly available IP – maybe even one-to-one NAT) that should be available on the same subnet as the machines you are using with vPro. You map a port through to that vPro proxy machine and it then tries to open the connection to the vPro system on your behalf. You can use any port number you wish – it only requires one; however, you can only remote one machine at a time.
If you are able to connect through your proxy, you may get a screen that asks for a 6 digit passcode. This is the user consent page – it will be asking the user for his/her consent while you try 3 times to ‘guess’ the password. This can be disabled when you use the SCS from above. If you have mistakenly provisioned it using the Kaseya portal, you cannot use the AMT configuration utility again – it will state there is nothing to do. You must disable it in the Kaseya portal and then run the AMT program from a thumb drive on the machine you wish to reprovision in order to have control again.
You can download a program called VNC Viewer Plus to verify the connection to the AMT. You should be able to log in as admin and use the password you set in the AMT configuration, like the picture (attached picture 1).
You must have the ME drivers already installed to use this utility. If you need the Management drivers (your OS did not already have them installed) you should download them from Intel.
The steps I used to activate vPro are as follows:
- Use Ctrl + P to access the MEBx BIOS when booting up your PC.
- The default password is admin – set the password to something you can use (you must use a complex password, and the remote KVM will only accept 8 characters, so please use something similar to p&ssw0rd).
- Boot the computer and insert the thumb drive with the AMT utility expanded onto the drive (http://software.intel.com/sites/default/files/m/d/4/1/d/8/IntelAMT_config_utility_Rev0.5.0.3.zip)
- Run the Activator script as Admin and set the password (again, if you do not want/need to change it), then enable the following (see attached picture 2).
- After you save the config onto the thumb drive, you can reboot the machine with the drive still in it. You should see a screen asking if you want to update the provisioning of the ME (or something similar).
- After choosing ‘Yes’, your AMT should now be enabled in the Kaseya portal.
Backing up with Hyperoo 2 is better than ever
I wanted to start the new year off by checking out my backup solution options. I have a license for Hyperoo and was able to contact support to get that license upgraded for the new version 2.0.
I love the new interface – it allows the user to connect to the client as well as the server component. (The server component is used to take the backup and the client version is used to send the backup.) It is the same component that is started on the Hyper-V Core OS from the “C:\Program Files (x86)\HyperooSoftware\Hyperoo 2.0\” directory using the command HyperooServerManager.exe (so be sure to also install the Manager component on your Hyper-V hosts).
You can now open the client console on your server without needing to open a remote desktop session to your Hyper-V server. You type the remote name of your server and click on the backup task that is active. When you click on the console tab, you can choose ‘Backup Status’ to see a progress bar. (It would be nice to be able to see a projected finish time based on how many files are left.)
I don’t like the fact that when you click off of the status window and return after viewing other options, it only shows the current item.
Restoring a VM is now easier by connecting to the client and using the restore applet.
I would like to try the Live version to see how much easier it is to restore Clustered files but that will have to wait.