Archive for the ‘Security’ Category

New Combinator Password Cracking Methods

April 26, 2018

While doing a security assessment a password hash was recovered, and we then attempted to crack it using Hashcat and the hate_crack script, without success. We were later able to get domain admin level access using another method, and with CrackMapExec we used Mimikatz to recover the clear-text password from the memory of the user’s computer. We found that it consisted of two words separated by a number and was 12 characters long. It didn’t fit any of the Pathwell Top 100 Mask Brute Force Crack methods. The mask was ?u?u?d?l?l?l?l?l?l?l?l?l

This is a very common and logical pattern that many people use.

I could just add this mask to the existing Pathwell masks, and that would work, taking about 3 days with 4 Nvidia GeForce GTX 1080s. But it would be more efficient to use a modified combinator attack, which would work in many more instances. Hashcat lets you apply a rule to each side of a combinator attack with the -j (left wordlist) and -k (right wordlist) flags; a rule such as $4 appends that character to every word on one side, so a single run covers a single separator. As far as I can tell, though, there is no way to simulate a mask between the two words in one run, so I added two new methods to the hate_crack script. The first method I am calling the Middle Combinator attack. It is simple:

Dict1 + masks + Dict2

Where the masks are: 2 4 <space> – _ , + . &

I chose these as I have found these are common characters to separate two words.

The second method I am calling the Thorough Combinator Attack. It runs through many different combinator attacks using different masks. Currently, it uses the following methods:

– Standard Combinator attack: rockyou.txt + rockyou.txt
– Middle Combinator attack: rockyou.txt + ?n + rockyou.txt
– Middle Combinator attack: rockyou.txt + ?s + rockyou.txt
– End Combinator attack: rockyou.txt + rockyou.txt + ?n
– End Combinator attack: rockyou.txt + rockyou.txt + ?s
– Hybrid middle/end attack: rockyou.txt + ?n + rockyou.txt + ?n
– Hybrid middle/end attack: rockyou.txt + ?s + rockyou.txt + ?s

I know I am most likely not the originator of this method, but I haven’t seen it described yet. I have the code working in my fork of the hate_crack tool and sent Trustedsec a pull request.
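The candidate generation behind the middle, end and hybrid combinator attacks listed above, written out as an added example (this is not the hate_crack code). The toy word lists, the separator set and the target password are constructed for the demo, the dash in the post's separator list is taken to be a hyphen, and SHA-256 stands in for whatever hash type a real target uses; the mask helpers use hashcat's ?l ?u ?d ?s charsets so a candidate can be checked against the mask from the post.

```python
"""Middle / end / hybrid combinator candidate generators with a hash check.

Added example, not the hate_crack or hashcat code.  LEFT, RIGHT and the target
password are constructed stand-ins for rockyou.txt and a real hash (assumption).
"""
import hashlib
import string
from itertools import product

# Separators the post lists for the middle combinator attack (dash read as "-").
SEPARATORS = ["2", "4", " ", "-", "_", ",", "+", ".", "&"]

# hashcat built-in charsets; ?s is the 32 ASCII punctuation characters plus space.
CHARSETS = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "d": set(string.digits),
    "s": set(string.punctuation + " "),
}

# Constructed toy word lists (assumption), standing in for rockyou.txt.
LEFT = ["blue", "Summer", "Zebra", "Black"]
RIGHT = ["monkey", "garden", "cat", "Key"]


def middle_combinator(left, seps, right):
    """Dict1 + separator + Dict2, e.g. Summer4garden."""
    for a, sep, b in product(left, seps, right):
        yield f"{a}{sep}{b}"


def end_combinator(left, right, suffixes):
    """Dict1 + Dict2 + suffix, e.g. Summergarden!"""
    for a, b, suf in product(left, right, suffixes):
        yield f"{a}{b}{suf}"


def hybrid_combinator(left, seps, right, suffixes):
    """Dict1 + separator + Dict2 + suffix, e.g. Summer4garden!"""
    for a, sep, b, suf in product(left, seps, right, suffixes):
        yield f"{a}{sep}{b}{suf}"


def parse_mask(mask):
    """Turn "?u?u?d" into ["u", "u", "d"]; anything that is not a ?x token is rejected."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?l ?u ?d ?s tokens")
    tokens = [mask[i + 1] for i in range(0, len(mask), 2)]
    if any(t not in CHARSETS for t in tokens):
        raise ValueError("unsupported charset in mask")
    return tokens


def fits_mask(candidate, mask):
    """True when the candidate has exactly the shape of the hashcat mask."""
    tokens = parse_mask(mask)
    return len(candidate) == len(tokens) and all(
        ch in CHARSETS[t] for ch, t in zip(candidate, tokens))


def mask_keyspace(mask):
    """Number of candidates a brute-force run over the mask has to try."""
    n = 1
    for t in parse_mask(mask):
        n *= len(CHARSETS[t])
    return n


def sha256_hex(s):
    """Demo hash; a real target would be NTLM, sha512crypt, etc."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hex, candidates):
    """Return the first candidate whose hash matches the target, or None."""
    for cand in candidates:
        if sha256_hex(cand) == target_hex:
            return cand
    return None


if __name__ == "__main__":
    target = sha256_hex("Summer4garden")  # constructed target (assumption)
    print("middle combinator recovered:",
          crack(target, middle_combinator(LEFT, SEPARATORS, RIGHT)))
    mask = "?u?u?d?l?l?l?l?l?l?l?l?l"  # the mask from the post
    print("mask keyspace:", mask_keyspace(mask))
    print("middle combinator keyspace:", len(LEFT) * len(SEPARATORS) * len(RIGHT))
```

With two real word lists the candidate count is len(left) × len(separators) × len(right), which for rockyou.txt on both sides is far larger than this toy run but still a structured search rather than the 3.7e16 candidates the mask alone needs. To get the same candidates out of hashcat itself, run the combinator attack once per separator, e.g. `-a 1 left.txt right.txt -j '$4'`, since -j applies its rule to every word of the left list.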


Categories: Geeky stuff, howto, Security

Security Matters: Password Security

September 24, 2016

Password. That’s a cringe-inducing word. What a pain; you constantly need to change your passwords. You have to use mental gymnastics to remember all of them, and don’t get me started on special characters. I hate passwords.

Yes, I am the Chief Information Security Officer of a large organization, and I can admit I hate passwords just as much as anyone else. Now, I know they are extremely important but, in my opinion, they are often mismanaged.

When IT administrators put so many restrictions on passwords, we actually drive people to even more dangerous practices—like writing down your passwords on a sticky note, and using the same password for all the things we log in to. Although often-hated passwords are a necessity, I would like to explore passwords and prove the pain can be eased.

Password vs. Passphrase

First, let’s take a look at password complexity. The Windows password policy, as most organizations configure it, requires at least eight characters drawn from three of the four character classes: uppercase letters, lowercase letters, numbers and special characters. By this rule, “Password1!” is an acceptable password. Unfortunately, from past experience, this is exactly the kind of password I see being used. It follows the pattern: an English word, a number, and a special character, in that order.

Explaining the reasons why this approach is unsafe will be the subject of another article, but rest assured: a word followed by a number and a symbol is exactly the pattern that password-cracking tools try first, so with this type of password, if there is a security compromise, the attacker can often recover the plain-text passwords of a large majority of an organization’s accounts.

A much better approach to ensuring password security is to remove the complexity requirements and instead require much longer passwords called “passphrases”. I know what you are saying. “I have to remember a longer password and that is better!?!?” Hear me out: Yes, it is. A passphrase is easier to remember.

Think about it. Which would be easier to remember, the password, “HaRdS1#!”, or the passphrase, “I like the flowers in the springtime?” I think we can all agree the second one is much easier to remember, because this is how our brains are wired. A plain-English phrase is something we have been memorizing since childhood.

Something that is not obvious unless you are a mathematician is that the passphrase is also much more secure. It is harder to break once the password is scrambled (hashed) into the form in which it is stored on the computer. An attacker with a few modern graphics cards can try every possible eight-character password against a fast hash such as the one Windows uses in about a day, but exhaustively searching 15-character passphrases is out of reach with the computing power available today. The one caveat is that a passphrase made of two or three very common words can still be guessed by tools that glue dictionary words together, so pick words that are not the obvious ones.

Passwords In Practice

Now, let’s take a look at password re-use. I know it is tempting to come up with a good password and use it on all the websites we use. This is a dangerous practice because websites are being breached on a daily basis, and passwords are not always stored securely. There have been many large sites that have had breaches with all their user accounts compromised and publicly posted on the web.

Take a look at the website This site will show you if your account has been compromised in some of the more recent public breaches. The danger is that once your email address and password are exposed, criminals can use them to try to log in to other sites. For example, if your Dropbox password is the same one you use for online banking then you should change it immediately, as Dropbox had a breach back in 2012 whose full extent has only now come to light.

This is why I recommend the use of a password manager. The one I use is LastPass but there are several excellent ones out there. The idea of a password manager is that it will generate a unique random password for each website that you need to log in to. There is one master password that you need to remember to unlock all the other passwords. The master password is used to derive the key that encrypts the stored passwords, so they are only ever usable once you have unlocked them with it.

Therefore, a password manager lets you have unique passwords for each site while only needing to remember one password. If one of your accounts is ever compromised, the attacker won’t be able to use your password on another site to perform some nefarious activity. All you have to do is visit the site that was compromised and use the password manager to create a new secure, random password.

Two Steps Are Better Than One

Finally, let’s look at two-factor authentication. Two-factor authentication adds something you have to the password you know: a device you plug in to your computer, a code sent to your phone by text message, or an application on your phone. Text messages are the weakest of the three, since a phone number can be hijacked, but any of them is a large improvement over a password alone.

This, in my opinion, is the ultimate solution. You can let everyone use a much easier-to-remember shorter password, and if it is ever compromised the attacker still can’t get into a system without the device that you carry with you.

For example, someone gets your username and password for your bank account, but you have two-factor authentication set up. So, now when the attacker tries to log in to your bank account, you get a notification on your phone that someone is trying to log in to your bank account, and the mobile app asks you to press the “Confirm login button” to allow the login to continue.

Since you are not trying to log in to your bank account, you would just click “No” on an app, and go change your bank password. With the disaster averted, you can now contact your bank and report the incident, knowing your hard-earned money is still safe.

Intro To CIS Critical Controls

August 25, 2016

I have been asked many times, “What are reasonable security controls?” This is a hard question to answer, as what I consider to be reasonable isn’t what others would. As an information security officer, I tend to be very risk-averse.

After all, information security is what I refer to as a “weak link” problem. What I mean by that is it only takes one weak link for an attacker to be able to gain a foothold into a network.

Until recently, there were no California-specific regulations or legal opinions to be able to point to about how to prevent network attacks. There are of course the California data security breach notification laws—the first of their kind in the nation—that explain what an institution has to do after a breach occurs. However, there was nothing that said how you should be protecting the data that you are collecting in the first place.

That finally changed this year when the State Attorney General of California published the 2016 California Data Breach Report. In the report, Attorney General Kamala Harris gives a set of five recommendations to prevent the most common breaches, thus finally giving us a legal definition of “reasonable security controls.”

First Line Of Cyber Defense

The attorney general’s first recommendation is to implement the Center for Internet Security’s Controls for Effective Cyber Defense, also known as the CIS Critical Controls. The CIS Critical Controls consist of 20 control categories, each with a subset of controls. They are very straightforward and easy to follow. I would encourage everyone to download and read them.

These controls really do work and this should now be the standard that you are working on implementing at your college. The controls are prioritized in order of importance, and if you are implementing them you should start with number one and work your way down.

You will quickly realize that, to be able to implement these controls properly and still maintain the openness of a college campus, you may need to do some re-architecting. Take for example the first control, “Inventory of Authorized and Unauthorized Devices”: If you look at a typical college campus, there are many hundreds if not thousands of devices that come and go in a single day. It is nearly impossible to be able to know what every device is and who is using it.

However, if your network is properly segmented into different trust levels then the problem becomes a lot easier to tackle. You should be able to securely configure your network to disable free access in the most secure segments, where each device needs to be registered and tightly controlled, and block access to outside devices.

New Legal Security Standard

There could also be added liability if your institution isn’t at the very least working toward implementing the CIS Critical Controls. This will now become the gold standard for security in the state of California, and in effect becomes the de facto civil standard of care in California, until such time as the state legislature decides to formally weigh in on this subject.

If the California Data Security Breach Reporting law is any indication, other states’ attorneys general may follow suit and release similar opinions on data breach prevention. So if your institution is breached in the future and the CIS Controls are not in place, a resulting lawsuit could bring the possibility of increased civil fines; a judge may see the failure to implement the CIS Controls as negligent. I do not claim to be a lawyer, and you should ask your district’s general counsel for their take on the liability aspect of not implementing the attorney general’s recommendations.

Hostapd Backtrack 5r3

August 29, 2012

So I am setting up a Backtrack 5r3 system to do some mobile app assessment.  I want to set up the system as a wireless access point and be able to capture all the traffic.  To do this I am using hostapd.  Backtrack has this as a standard package available via:   apt-get install hostapd

Unfortunately this is an older version of the program, 0.6.9 I believe, and it would not work with the ath9k I have in this system.  The program threw an error each time I tried to run it.  The latest stable build of hostapd is 1.0 and is available to download here.  The catch is that you need to install the libnl-dev package in Backtrack before it will cleanly compile, and the stock defconfig already enables the nl80211 driver interface that ath9k needs. After downloading and compiling hostapd 1.0 everything was good to go.  So here are the commands to run for all you script kiddies out there.


apt-get install libnl-dev

tar -xzvf hostapd-1.0.tar.gz

cd hostapd-1.0/hostapd

cp defconfig .config

make

for i in hostapd hostapd_cli; do cp -f $i /usr/local/bin/$i; done


Congratulations you now have a fully functioning hostapd 1.0 install that will work with the ath9k wireless chipset on Backtrack 5r3.
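A minimal hostapd.conf for the traffic-capture access point the post sets up, added here as an example rather than taken from the post. The interface name wlan0, the SSID and the passphrase are assumptions and should be replaced; hostapd does not strip trailing comments from value lines, so the comments sit on their own lines.

```ini
# Example hostapd.conf for the ath9k card on Backtrack (added example, not from the post).
# ath9k is a mac80211 driver, so hostapd talks to it through nl80211.
interface=wlan0
driver=nl80211
# Assumed network name; change it.
ssid=assessment-ap
hw_mode=g
channel=6
# Open-system authentication only (no WEP shared-key auth).
auth_algs=1
# WPA2-PSK with AES/CCMP so the phones under test behave like they would on a real network.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Assumed passphrase, 8 to 63 characters; change it before use.
wpa_passphrase=ChangeMeBeforeUse
```

Start it with `hostapd /path/to/hostapd.conf`, give wlan0 an address and a DHCP server (dnsmasq works), enable IP forwarding with NAT out of the uplink interface, and then `tcpdump -i wlan0 -w mobile-app.pcap` records every frame the test device sends through the access point.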

Categories: backtrack


July 22, 2009

I am playing around with Kon-Boot after first hearing about it on the Hak5 podcast.  If you haven’t heard about it, it is a boot disk you can create on a floppy, CD or USB drive (see Irongeek’s site for USB instructions). The disk changes the Windows or Linux kernel on the fly while booting to allow you to bypass the login password.  In Windows you just use any valid user name and a blank or garbage password; you will then be logged in as that user and can access all their files.  So naturally you will probably want to try the local administrator user, which will allow you to access all files on the computer.  In Linux you will use the user name kon-usr and no password.  This will give you full root access on the Linux machine.

I have found it works well if the system is not multi-boot.   On my systems, which are all multi-boot, it would only work on one system and only on one OS, which happened to be EEEbuntu.  My other laptop gave me an error about the cylinder number being too high, like the old school days of LILO where the boot image had to be below cylinder 1024. I am assuming this is the same issue as in the days of old.  Also, a caveat: don’t use Kon-Boot to log in to a domain account on a computer that is connected to the network.  This will disable the account on the domain and won’t allow you to log in.  In most environments user credentials are cached in case the network goes down.  So air gap the computer before using a domain account.

Remediation steps are fairly simple.  Lock the BIOS with a password and only allow the system to boot from the hard drive.  This should already be in the checklist of tasks to perform when deploying a new PC. This type of threat isn’t new; Kon-Boot just makes it a little simpler to access the PC than loading up a live Linux distro like Knoppix.  If there is any sensitive information on the hard drive, encryption should of course be used, since if someone steals the computer or hard drive it’s game over.  With the breach notification laws in most states that is not a fun proposition.

Categories: Geeky stuff, Security

Open Source Asset Tracking software

July 17, 2008

The University of Washington has released a free and open source system for tracking computers called Adeona.  I have installed it on my work laptop and it gets the job done.  This is a great solution for home users as it works on Linux, Mac, and PC and doesn’t require anything else from the user as far as a server or service fee to use it.  There are some definite shortcomings though.

  • First, as with all non-BIOS tracking software, this won’t work if a thief wipes the drive without booting up.
  • Second it sends the location data pseudo randomly every half hour, so if a thief boots a laptop and sees a login screen and shuts it down, it probably won’t be recorded.
  • Third, it would be a nightmare to mass deploy.  I have thousands of computers I would want to install this on.  To do this I would have to manually install it on every one, since it asks questions during the install and you have to copy a file to a central server that you have to have in order to check on the location data.
  • Fourth, it uses OpenDHT to store the location information.  I don’t trust the stability of an open source distributed storage system that anyone can use for distributed storage.  It’s only a matter of time before this starts to be used to distribute illegal material or the popularity of it cripples it.  I am all for open access to things but time and time again a few people always ruin it.

For my purposes I think it would be better just to write a program that posts the computer name and IP address to a web server that stores the information in a MySQL database.
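The check-in program sketched above, worked through as an added example (it is not Adeona's code nor the post's). One thing such a beacon needs that the one-line description leaves out: anyone who can reach the server can post a fake sighting for any hostname, so each device gets its own key and signs the beacon with HMAC, and the server rejects stale copies and records the source address it actually saw, because a stolen laptop behind NAT reports a private address that is useless for recovery. The device key, hostnames, addresses and timestamps are constructed for the demo, and an in-memory dict stands in for the MySQL table; the HTTP transport is left out.

```python
"""Signed asset check-in beacon: client builds it, server verifies and stores it.

Added example, not code from Adeona or from the post.  DEVICE_KEYS, the
hostnames, addresses and timestamps are constructed (assumption); LAST_SEEN
is an in-memory stand-in for the MySQL table the post mentions.
"""
import hashlib
import hmac
import json
import time

# Constructed per-device secrets, provisioned at install time (assumption).
DEVICE_KEYS = {
    "lab-laptop-01": b"0f1e2d3c4b5a69788796a5b4c3d2e1f0",
}
MAX_SKEW = 300  # seconds; a captured beacon replayed later than this is rejected

# In-memory stand-in for the "last seen" table.
LAST_SEEN = {}


def build_beacon(hostname, ip, key, now=None):
    """Client side: canonical JSON body plus an HMAC-SHA256 tag over it."""
    ts = int(now if now is not None else time.time())
    msg = {"host": hostname, "ip": ip, "ts": ts}
    # sort_keys + compact separators give a byte-exact body the server can re-hash.
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_beacon(body, tag, observed_ip, now=None):
    """Server side: check the tag and freshness, then record the sighting.

    Returns the stored record, or None when the beacon is rejected.  The
    address the server saw (observed_ip) is stored next to the one the client
    reported, since only the former helps locate a laptop behind NAT."""
    try:
        msg = json.loads(body)
        key = DEVICE_KEYS.get(msg["host"])
        ts = int(msg["ts"])
        reported_ip = msg["ip"]
    except (ValueError, KeyError, TypeError):
        return None
    if key is None:
        return None  # unknown host: no key, so nothing can have signed this
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered body
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW:
        return None  # stale: old capture replayed, or clock badly off
    record = {"reported_ip": reported_ip, "observed_ip": observed_ip, "ts": ts}
    LAST_SEEN[msg["host"]] = record
    return record


if __name__ == "__main__":
    body, tag = build_beacon("lab-laptop-01", "10.0.0.5", DEVICE_KEYS["lab-laptop-01"])
    # On the wire this would be an HTTPS POST; here the server is called directly.
    print(verify_beacon(body, tag, observed_ip="203.0.113.9"))
```

The client would POST `body` and `tag` over HTTPS every half hour; the server passes the connection's peer address as `observed_ip` and writes the returned record to the database.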

Categories: Security

Linux Cisco VPN

April 11, 2008

The Linux Cisco VPN client seems to try the first available interface to make a connection. In my case this was eth0, which is my wired port, which isn’t connected to anything. In order to get it to work I had to down the interface with ifconfig eth0 down; then it would connect fine with my wireless interface eth1. I haven’t seen any documentation to see if there is a way to manually bind it to a specific interface, and there is no MAN page installed. At least --help gives some usage, which is head and shoulders over the dsmc Tivoli command line I was using today, what a royal PITA. Just in case anyone needs it, the command to restore a previous version of a file is “dsmc restore -todate=yyyy-mm-dd -inactive /path/to/file”; the documentation gave the format for the date as mm/dd/yyyy and the command would just come back and say -todate not recognized. Not “wrong date format”, no, that would have saved Jeff an hour of googling.

Categories: Geeky stuff, Security