New Combinator Password Cracking Methods

April 26, 2018

While doing a security assessment, a password hash was recovered using responder.py. We then attempted to crack the hash using Hashcat and the hate_crack script but failed to recover it. We were later successful in getting domain admin level access using another method, and using CrackMapExec we were able to run Mimikatz to recover the clear text password from the memory of the user's computer. We found that it consisted of two words separated by a number and was 12 characters long. It didn't fit any of the Pathwell Top 100 Mask Brute Force Crack methods. The mask was ?u?u?d?l?l?l?l?l?l?l?l?l

This is a very common and logical pattern that many people use.

I could just add this mask to the existing Pathwell masks, and this would work, taking about 3 days with 4 Nvidia GeForce GTX 1080s. But it would be more efficient to use a modified combinator attack, which would work in many more instances. Hashcat allows you to add a rule to each side of the combinator attack using the -j and -k flags, which lets you append a character to each side. As far as I can tell, though, there is no way to simulate a mask in one run, so I added two new methods to the hate_crack script. The first method I am calling the Middle combinator attack. It is simple:

Dict1 + masks + Dict2

Where the masks are: 2 4 <space> - _ , + . &

I chose these as I have found these are common characters to separate two words.

The second method I am calling the Thorough Combinator Attack. It runs through many different combinator attacks using different masks. Currently, it uses the following methods:

– Standard Combinator attack: rockyou.txt + rockyou.txt
– Middle Combinator attack: rockyou.txt + ?n + rockyou.txt
– Middle Combinator attack: rockyou.txt + ?s + rockyou.txt
– End Combinator attack: rockyou.txt + rockyou.txt + ?n
– End Combinator attack: rockyou.txt + rockyou.txt + ?s
– Hybrid middle/end attack: rockyou.txt + ?n + rockyou.txt + ?n
– Hybrid middle/end attack: rockyou.txt + ?s + rockyou.txt + ?s
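As an added example, not code from the post or from hate_crack, the following Python sizes up the attacks described above: it derives a mask from a password the way the post did, compares that mask's keyspace with the Middle and Thorough combinator keyspaces, and enumerates Middle candidates from constructed wordlists. It assumes hashcat's built-in charset sizes, treats the post's ?n as a digit position, and takes the dash in the separator list as a plain hyphen.

```python
"""Added example, not code from the post or from hate_crack: size up the
combinator variants the post describes against the plain mask attack."""
import itertools

# Per-position alphabet sizes for hashcat-style tokens. ?l ?u ?d ?s are
# hashcat's built-in classes; ?n is the digit token as the post writes it.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "n": 10, "s": 33}

# Separators the post chose for the Middle combinator attack
# (the dash is assumed to be a plain hyphen).
MIDDLE_SEPARATORS = ["2", "4", " ", "-", "_", ",", "+", ".", "&"]

# The Thorough combinator sequence from the post as (middle, end) tokens;
# "" means nothing is inserted at that position.
THOROUGH_ATTACKS = [("", ""), ("?n", ""), ("?s", ""), ("", "?n"), ("", "?s"),
                    ("?n", "?n"), ("?s", "?s")]


def mask_tokens(mask):
    """Split "?u?u?d" into ["u", "u", "d"], rejecting anything else."""
    if not mask or len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a non-empty run of ?x tokens")
    tokens = list(mask[1::2])
    unknown = [t for t in tokens if t not in CHARSET_SIZES]
    if unknown:
        raise ValueError(f"unsupported charset token(s): {unknown}")
    return tokens


def mask_keyspace(mask):
    """Candidates a brute-force mask covers: product of the position sizes."""
    total = 1
    for t in mask_tokens(mask):
        total *= CHARSET_SIZES[t]
    return total


def derive_mask(password):
    """Mask a recovered password fits, the way the post derived its
    ?u?u?d?l... pattern (anything not a letter or digit counts as ?s)."""
    out = []
    for ch in password:
        if ch.islower():
            out.append("?l")
        elif ch.isupper():
            out.append("?u")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def combinator_keyspace(n_left, n_right, middle="", end=""):
    """Candidates for Dict1 + middle + Dict2 + end, where middle and end are
    "" or a single ?x token (the kind of append -j/-k rules can simulate)."""
    size = n_left * n_right
    for token in (middle, end):
        if token:
            size *= mask_keyspace(token)
    return size


def thorough_keyspace(n_words):
    """Total work of the Thorough attack run with one n-word dictionary
    on both sides, summed over every pass in THOROUGH_ATTACKS."""
    return sum(combinator_keyspace(n_words, n_words, m, e)
               for m, e in THOROUGH_ATTACKS)


def middle_combinator(left, separators, right):
    """Yield Dict1 + separator + Dict2 candidates (the post's Middle attack)."""
    for a, sep, b in itertools.product(left, separators, right):
        yield f"{a}{sep}{b}"


if __name__ == "__main__":
    # Constructed stand-in for the recovered "letters, digit, word" password.
    sample = "IT4breakfast"
    mask = derive_mask(sample)
    print(mask, f"covers {mask_keyspace(mask):.2e} mask candidates")
    # Constructed tiny wordlists; a real run would use rockyou.txt twice.
    d1, d2 = ["alpha", "beta", "gamma", "delta"], ["one", "two", "three"]
    cands = list(middle_combinator(d1, MIDDLE_SEPARATORS, d2))
    print(len(cands), "Middle candidates, e.g.", cands[:3])
    print(f"{thorough_keyspace(len(d1)):.2e} candidates for the Thorough run")
```

With real wordlists the combinator keyspace is the product of the two list sizes times the separator count, which is what makes it cheaper than the 26^11 x 10 candidates the post's mask would require.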

I know I am most likely not the originator of this method, but I haven't seen it described yet. I have the code working in my fork of the hate_crack tool and sent TrustedSec a pull request.

Categories: Geeky stuff, howto, Security

Security Matters: Ransomware

January 28, 2017

Ransomware has been in the news lately, with one of California's community colleges having recently fallen victim to it. If you are not familiar with the term, ransomware is a type of malicious software.

It encrypts the content of your hard drive and demands that you pay a ransom to regain access to your data. If you don’t contact the criminals and pay the ransom within a set time period, your files are lost forever.

Ransomware uses extremely strong, unbreakable encryption and there is no getting around it – you either pay the ransom or you can write off your files.

The first modern ransomware was released in 2006, and since then the number of incidents has exploded. There are many reasons for this, but chief among them is the rise of anonymous currency such as bitcoin.

In the beginning criminals used credit card processors and wire transfers to get the ransoms from victims, but this put them at a bigger risk of getting caught and the banks would frequently seize their ill-gotten loot. With bitcoin it is much harder to stop the criminals as there is no central bank that can freeze the payments and assets of the criminals.

Big Business

Ransomware is big business. A CNN report estimates that ransomware was on pace to have earned criminals $1 billion last year.

These criminal organizations are run like a real business. Some will go so far as to provide 800 numbers where victims can both negotiate the ransom and get tech support on how to pay the criminals with bitcoin. They will base their ransom on what they think the victim can pay. So a family computer may face a ransom of a few hundred dollars while a large business may face a multi-thousand dollar ransom. The criminals also have automated systems that will automatically send the victims the decryption key and instructions after paying the ransom.

Prevention Is Best Defense

So how do you prevent being the victim of ransomware? By taking the same precautions you would take to prevent regular malware.

The criminals will usually use social engineering to get you to open a file – typically in the form of phishing. They will send you an email with a believable story about why they are contacting you, and instruct you to look at an attachment for further information. This type of phishing attack can take many forms and you can read more in our previous article.

The other vectors of infection are through un-patched internet browsers and plug-ins such as Flash and Adobe Acrobat Reader. It is important to keep all of your software up to date as new security vulnerabilities are discovered every day.

Ransomware can spread through a network as well, so if you have an administrative-privileged account it is important that you don't use this account to browse the internet. You should have a separate, unprivileged account that you use on a daily basis, and only use the administrative account when doing tasks that require it.

Backup Your Data

The main takeaway is that you should always back up your important files, with at least one backup being an offline backup. For example, if you have an external hard drive that you regularly use to back up your data and you get ransomware, chances are the external drive will also be impacted.

If you back up to both a hard drive and an online backup service such as Backblaze or CrashPlan, then you will be in much better shape, as the online services support what is called versioning. Versioning keeps multiple copies of the data when files change. Also, as of now there isn't any known strain of ransomware that attempts to delete third-party online backups.

The safest method, by far, is doing a weekly backup to an external hard drive that you keep disconnected from your computer when not in use. This drive should only be attached for as long as needed to back up your files.

Following these precautions should save you the painful decision of whether or not to pay a ransom to get access to all of your precious, and often irreplaceable, files.

Categories: CCCTechEDge Article

Security Matters: How To Protect Yourself Online

November 17, 2016

The internet is a wide open space and, much like the real world, contains the greatest and the darkest of things. This blog will focus on the best browsing practices to protect yourself on the internet.

There are a thousand and one products out there that promise to keep you safe online, and they all work to varying extents, but the best protection is situational awareness and best practices. Much like you wouldn’t walk down a dark alley at midnight in the highest crime area of a city, you shouldn’t go wandering into the dark depths of the internet.

Be Safe On Social Media

Let’s start with best social media practices. It is best practice to not publicly post your information, but if you do, following these guidelines will help keep you safe:

  • Double check your privacy settings. Are you sharing more than you think?
  • Think before you post: Would you be embarrassed if this picture or post was viewed by your mother or your boss? If so, you probably shouldn’t post it.
  • If you are going to be leaving on vacation, don’t post this type of information publicly. Criminals have been known to search social media to find targets to burglarize.
  • Don’t “friend” strangers. Criminals have been known to friend people so they can view the information they post on social media. This information can help them steal accounts with easily guessed password-recovery questions.
  • Be guarded with the information you post. If you see a survey full of personal questions like your mother’s maiden name, first pet, first car, street you grew up on, first job, etc., don’t fill these out. These are all common questions used for password resets.
  • If you are doing online dating, pick a random handle, not one you use anyplace else – and not your real name. You should also not post pictures with identifiable places where you commonly hang out. The internet has its share of creeps and this information can help them find you, especially in smaller communities.
  • Talk to your kids about the safe use of social media. In this day and age it is important that they know how to stay safe online.

Avoid Downloads

Another big one: don't download software from peer-to-peer or other dodgy sites. Software can be expensive, but downloading it illegally is not only against the law, it's dangerous.

It is easy to add Trojans and other malware to seemingly legitimate software. Sure, the latest version of Photoshop may work just fine when you install it after downloading it off the Pirate Bay, but it is very likely you also just installed ransomware, and it will cost you more in the long run. Only purchase your software from legitimate sources.

Don’t open documents in an email, instant messenger or text message, unless you are expecting them, even if it is from someone you know. This is another large vector for malware infection.

Word documents, Excel files, PDFs and other files can contain what is called a macro virus. These are programs inside the files that can be used to install malware on your computer. Once an attacker infects a computer they will send out messages to everyone in the person’s contact list with a virus attached. These have even been seen on mobile phones, mainly on Android devices, which for a variety of reasons tend to be the least secure.

Browse Safely

Keep your browsing software up to date. Browsers have become much better at this, with Firefox and Chrome automatically updating themselves. To be on the safe side, go into the menu option and check to see if your browser is up to date. If you are an Internet Explorer or Safari user, be sure that you are installing all the latest patches from Apple and Microsoft. Older browsers often have vulnerabilities that can be exploited just by visiting a malicious website.

Use an ad blocker. There is a large overlap between ad networks and malware; this is often called malvertising. Malicious code finds its way into ad sites on a regular basis because criminals know that by compromising an ad site they will be able to infect a large number of browsers. If you block these sites you avoid the ads, and the risk.

Phishing

October 20, 2016

If you’re not familiar with the term phishing, it is an attempt to fraudulently obtain sensitive information such as account login and passwords, Social Security numbers, credit card numbers, account numbers, etc.

The most common form of phishing is through the use of email, but it can also happen over the phone. Phishing has become one of the most – if not the most – common ways criminals obtain sensitive information. As IT departments have locked down computer systems, attackers have found that humans are often the weakest link in the security chain. Why spend hours trying to find a way to break into a computer when you can just ask the human using it to provide the information you want?

The common thread in phishing is the attackers will try and come up with a believable scenario and ask you to do something. This may be as simple as them emailing you a link asking you to reset your email password, and when you click on the link you go to a website that looks just like the real one. Except it isn’t.

Cloning a website has become an easy process for an attacker to do. There are easily obtainable tools to copy websites, for example gmail.com. Some techniques even forward you on to the real website so you don’t become suspicious when your login doesn’t work.

Sophisticated Attacks

Unfortunately, there isn’t an easy solution to this problem. As time has gone on the attacks have become more and more sophisticated. Long gone are the days when phishing attempts used poor grammar and punctuation, which served as a red flag to alert you that something wasn’t quite right about that email asking you to reset your bank account password.

Now, we see ever more sophisticated and pointed attacks, often referred to as spear phishing. The attacker will find out the names of the most important individuals, the college president for example. They will then find who reports to these executives and impersonate them with requests.

An example of a college that fell prey to this scheme involved an attacker that impersonated the president. They asked an employee in payroll to send them the W2s of the college’s employees so they could review them. The employee, not wanting to question or upset who they perceived as their superior, complied with the request, and sent the attacker copies of the employees’ W2s.

Security Awareness Training

There is help. The California Community Colleges (CCC) Information Security Center offers free online Security Awareness Training for all employees of the CCC, and phishing awareness is part of this training. You can sign up for the training at our website.

In general, though, here are some tips to avoid being the victim of phishing scams:

  • An IT department should never ask you to reset your password through email.
  • An IT department should never ask you for your password over the phone.
  • You should never send any sensitive information through regular email. This includes Social Security numbers, credit card numbers, account numbers, and any documents that include these. Email is not encrypted and should never be used to send and receive such sensitive information.
  • Don't open documents you are not expecting to receive, and if you are ever asked to enable macros after opening a document, don't do it. This is a common way an attacker will try to infect your computer with malware.
  • Never go to your bank's website by clicking on a link from an email, as it may be fraudulent.
  • If you receive a message that doesn't look right to you, report it to your local IT department.

Categories: CCCTechEDge Article

Security Matters: Password Security

September 24, 2016

Password. That’s a cringe-inducing word. What a pain; you constantly need to change your passwords. You have to use mental gymnastics to remember all of them, and don’t get me started on special characters. I hate passwords.

Yes, I am the Chief Information Security Officer of a large organization, and I can admit I hate passwords just as much as anyone else. Now, I know they are extremely important but, in my opinion, they are often mismanaged.

When IT administrators put so many restrictions on passwords, we actually drive people to even more dangerous practices—like writing down your passwords on a sticky note, and using the same password for all the things we log in to. Although often-hated passwords are a necessity, I would like to explore passwords and prove the pain can be eased.

Password vs. Passphrase

First, let’s take a look at password complexity. The default Microsoft Windows password policy requires eight characters, including one uppercase letter, one lowercase letter, one number and one special character. By this rule, “Password1!” is an acceptable password. Unfortunately, from past experience, this is exactly the kind of password I see being used. It follows the pattern: an English word, a number, and a special character, in that order.

Explaining the reasons why this approach is unsafe will be the subject of another article but rest assured, with this type of password, if there is a security compromise, the attacker can often get the plain-text password of a large majority of an organization.

A much better approach to ensuring password security is to remove the complexity requirements and instead require much longer passwords called “passphrases”. I know what you are saying. “I have to remember a longer password and that is better!?!?” Hear me out: Yes, it is. A passphrase is easier to remember.

Think about it. Which would be easier to remember, the password, “HaRdS1#!”, or the passphrase, “I like the flowers in the springtime?” I think we can all agree the second one is much easier to remember, because this is how our brains are wired. A plain-English phrase is something we have been memorizing since childhood.

Something that is not obvious unless you are a mathematician is that the passphrase is also much more secure. It is harder to break once the password is scrambled into the form it is stored on the computer. An attacker can brute force an eight-character password in just about a day, but a 15-character passphrase would take a near infinite time with the computer power available today.

Passwords In Practice

Now, let’s take a look at password re-use. I know it is tempting to come up with a good password and use it on all the websites we use. This is a dangerous practice because websites are being breached on a daily basis, and passwords are not always stored securely. There have been many large sites that have had breaches with all their user accounts compromised and publicly posted on the web.

Take a look at the website haveibeenpwned.com. This site will show you if your account has been compromised by some of the more recent public breaches. The danger is that once your email address and password are exposed, criminals can use it to try to log in to other sites. For example, if your Dropbox password is the same one you use for online banking then you should change it immediately, as Dropbox had a breach back in 2012 that has just now been discovered.

This is why I recommend the use of a password manager. The one I use is LastPass but there are several excellent ones out there. The idea of a password manager is that it will generate a unique random password for each website that you need to log in to. There is one master password that you need to remember to unlock all the other passwords. This password is used to encrypt all the passwords so they are only ever useable once you have unlocked them with your master password.

Therefore, a password manager lets you have unique passwords for each site while only needing to remember one password. If one of your accounts is ever compromised, the attacker won’t be able to use your password on another site to perform some nefarious activity. All you have to do is visit the site that was compromised and use the password manager to create a new secure, random password.

Two Steps Are Better Than One

Finally, let’s look at two-factor authentication. Two-factor authentication uses something you have, which can be a device you plug in to your computer, a text message that is sent to your phone, or an application on your phone, to authenticate.

This, in my opinion, is the ultimate solution. You can let everyone use a much easier-to-remember shorter password, and if it is ever compromised the attacker still can’t get into a system without the device that you carry with you.

For example, someone gets your username and password for your bank account, but you have two-factor authentication set up. So, now when the attacker tries to log in to your bank account, you get a notification on your phone that someone is trying to log in to your bank account, and the mobile app asks you to press the “Confirm login button” to allow the login to continue.

Since you are not trying to log in to your bank account, you would just click “No” on an app, and go change your bank password. With the disaster averted, you can now contact your bank and report the incident, knowing your hard-earned money is still safe.

Intro To CIS Critical Controls

August 25, 2016

I have been asked many times, “What are reasonable security controls?” This is a hard question to answer, as what I consider to be reasonable isn’t what others would. As an information security officer, I tend to be very risk-averse.

After all, information security is what I refer to as a “weak link” problem. What I mean by that is it only takes one weak link for an attacker to be able to gain a foothold into a network.

Until recently, there were no California-specific regulations or legal opinions to be able to point to about how to prevent network attacks. There are of course the California data security breach notification laws—the first of their kind in the nation—that explain what an institution has to do after a breach occurs. However, there was nothing that said how you should be protecting the data that you are collecting in the first place.

That finally changed this year when the State Attorney General of California published the 2016 California Data Breach Report. In the report, Attorney General Kamala Harris gives a set of five recommendations to prevent the most common breaches, thus finally giving us a legal definition of “reasonable security controls.”

First Line Of Cyber Defense

The attorney general’s first recommendation is to implement the Center for Information Security’s Controls for Effective Cyber Defense, also known as the CIS Critical Controls. The CIS Critical Controls consist of 20 control categories, each with a subset of controls. They are very straightforward and easy to follow. I would encourage everyone to download and read them.

These controls really do work and this should now be the standard that you are working on implementing at your college. The controls are prioritized in order of importance, and if you are implementing them you should start with number one and work your way down.

You will quickly realize that, to be able to implement these controls properly and still maintain the openness of a college campus, you may need to do some re-architecting. Take for example the first control, “Inventory of Authorized and Unauthorized Devices”: If you look at a typical college campus, there are many hundreds if not thousands of devices that come and go in a single day. It is nearly impossible to be able to know what every device is and who is using it.

However, if your network is properly segmented into different trust levels then the problem becomes a lot easier to tackle. You should be able to securely configure your network to disable free access in the most secure segments, where each device needs to be registered and tightly controlled, and block access to outside devices.

New Legal Security Standard

There could also be added liability if your institution isn’t at the very least working toward implementing the CIS Critical Controls. This will now become the gold security standard for the state of California, and in effect becomes the de facto civil law of California, until such time as the state legislature decides to formally weigh in on this subject.

If the California Data Security Breach Reporting law is any indication, other states' attorneys general may follow suit and release similar opinions on data breach prevention. So if your institution is breached in the future and the CIS Controls are not in place, a resulting lawsuit could bring the possibility of increased civil fines. The judge may see the failure to implement the CIS controls as negligent. I do not claim to be a lawyer and you should ask your district's general counsel for their take on the liability aspect of not implementing the attorney general's recommendations.

Virtual Host Enumeration for fun and profit

April 15, 2016

The following will allow you to do virtual host discovery using the Bing API.

Step 1: Find the web servers you are interested in using Nmap (grepable output, keeping only hosts whose open port 80 was identified as http):

nmap -PN -p 80 --open -oG - 192.168.1.0/24 | awk '$NF~/http/{print $2}' > webservers

Substitute the IP address range you want in the above command and whatever you want the file name to be.

Step 2: If you don't already have a Bing API key, get one. The free API key allows you to do 5,000 transactions per month. If you need to do more there are paid tiers.

https://datamarket.azure.com/dataset/bing/search#

Step 3: I found a Python script that works; its usage is a little bit funky, so I will be modifying it when I find some time.

https://bitbucket.org/holiman/ipsearch/downloads

Step 4: Create a text file and put your API key into it, e.g. vi key.txt

Step 5: Run the following command to search Bing for the IP addresses in the file you created in step 1. This will output a text file called URLS that can then be used with EyeWitness:

cat webservers | python bingIP.py -b key.txt | awk '{ print $3 }' > URLS

Step 6: If you don't already have EyeWitness to capture screenshots, download it:

git clone https://github.com/ChrisTruncer/EyeWitness.git

Step 7: Run EyeWitness to get screen captures of all the virtual hosts:

./EyeWitness.py --web -f URLS

Categories: Uncategorized

Hostapd Backtrack 5r3

August 29, 2012

So I am setting up a Backtrack 5r3 system to do some mobile app assessment. I want to set up the system as a wireless access point and be able to capture all the traffic. To do this I am using hostapd. Backtrack has this as a standard package available via: apt-get install hostapd

Unfortunately this is an older version of the program, 0.6.9 I believe, and it would not work with the ath9k I have in this system. The program threw an error each time I tried to run it. The latest stable build of hostapd is 1.0 and is available to download here. The problem is that you need to install the libnl-dev package in Backtrack before it will cleanly compile. After downloading and compiling hostapd 1.0 everything was good to go. So here are the commands to run for all you script kiddies out there.

apt-get install libnl-dev

wget http://hostap.epitest.fi/releases/hostapd-1.0.tar.gz

tar -xzvf hostapd-1.0.tar.gz

cd hostapd-1.0/hostapd

cp defconfig .config

make

for i in hostapd hostapd_cli; do cp -f $i /usr/local/bin/$i; done

Congratulations, you now have a fully functioning hostapd 1.0 install that will work with the ath9k wireless chipset on Backtrack 5r3.

Categories: backtrack

Konboot

July 22, 2009

I am playing around with Kon-Boot after first hearing about it on the Hak5 podcast. If you haven't heard about it, it is a boot disk you can create on a floppy, CD or USB drive (see Irongeek's site for USB instructions). The disk changes the Windows or Linux kernel on the fly while booting to allow you to bypass the login password. In Windows you just use any valid user name and a blank or garbage password; you will then be logged in as that user and can access all their files. So naturally you will probably want to try the local administrator user, which will allow you to access all files on the computer. In Linux you will use the user name kon-usr and no password. This will give you full root access on the Linux machine.

I have found it works well if the system is not multi-boot. On my systems, which are all multi-boot, it would only work on one system and only on one OS, which happened to be EEEbuntu. My other laptop gave me an error about the cylinder number being too high, like the old school days of LILO where the boot image had to be below cylinder 1024. I am assuming this is the same issue as in the days of old. Also a caveat: don't use Kon-Boot to log in to a domain account on a computer that is connected to the network. This will disable the account on the domain and won't allow you to log in. In most environments user credentials are cached in case the network goes down. So air gap the computer before using a domain account.

Remediation steps are fairly simple. Lock the BIOS with a password and only allow the system to boot from the hard drive. This should already be in the checklist of tasks to perform when deploying a new PC. This type of threat isn't new; Kon-Boot just makes it a little simpler to access the PC than loading up a live Linux distro like Knoppix. If there is any sensitive information on the hard drive, encryption should be used of course, since if someone steals the computer or hard drive it's game over. With the breach notification laws in most states that is not a fun proposition.

Categories: Geeky stuff, Security

Getting rid of volume group that doesn’t exist in linux

July 17, 2009

I was setting up a test VM with 4 one TB SAN LUNs. After successfully creating and testing the VMware image I blew it away without touching the LVM. After creating the production image I tried to add the LUNs back to the LVM and I of course got errors when adding the LUNs to the LVM. The metadata for the old volume group was still there and the OS refused to add the LUNs to the existing volume group. I then tried to remove the volume group with vgremove, but since the devices with the UUIDs themselves were long gone I could not do it.

I finally found a very simple solution: just dd the damn things with zeros. That will blow out all the metadata. So for each LUN I ran

dd if=/dev/zero of=/dev/XXX bs=512 count=5

Probably only needed a count=1, but what the hell, I don't care; I didn't have any data on the LUNs anyway. After that, running lvscan came back clean with no orphaned UUIDs and I was able to initialize the LUNs again and add them to the new volume group.

Categories: Geeky stuff