Archive
New Combinator Password Cracking Methods
While doing a security assessment, a password hash was recovered using responder.py. We then attempted to crack the hash using Hashcat and the hate_crack script and failed to recover it. We were later successful in getting domain admin level access using another method, and using CrackMapExec we were able to run Mimikatz to recover the clear text password from the memory of the user’s computer. We found that it consisted of two words separated by a number and was 12 characters long. It didn’t fit any of the Pathwell Top 100 Mask Brute Force Crack methods. The mask was ?u?u?d?l?l?l?l?l?l?l?l?l
This is a very common and logical pattern that many people use.
I could just add this mask to the existing Pathwell masks, and this would work, taking about 3 days with 4 Nvidia GeForce GTX 1080s. But it would be more efficient to use a modified combinator attack, which would work in many more instances. Hashcat allows you to add a rule to each side of the combinator attack using the -j and -k flags, which lets you append a character to each side of the combinator attack. As far as I can tell, though, there is no way to simulate a mask in one run, so I added two new methods to the hate_crack script. The first method I am calling the Middle Combinator Attack. It is simple:
Dict1 + masks + Dict2
Where the masks are: 2 4 <space> – _ , + . &
I chose these as I have found these are common characters to separate two words.
The second method I am calling the Thorough Combinator Attack. It runs through many different combinator attacks using different masks. Currently, it uses the following methods:
– Standard Combinator attack: rockyou.txt + rockyou.txt
– Middle Combinator attack: rockyou.txt + ?n + rockyou.txt
– Middle Combinator attack: rockyou.txt + ?s + rockyou.txt
– End Combinator attack: rockyou.txt + rockyou.txt + ?n
– End Combinator attack: rockyou.txt + rockyou.txt + ?s
– Hybrid middle/end attack: rockyou.txt + ?n + rockyou.txt + ?n
– Hybrid middle/end attack: rockyou.txt + ?s + rockyou.txt + ?s
I know I am most likely not the originator of this method, but I haven’t seen it described yet. I have the code working in my fork of the hate_crack tool and have sent TrustedSec a pull request.
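As an added example (not code from hate_crack, hashcat or this post), the following Python lays out the middle, end and hybrid variants above as the hashcat -j/-k append rules the post describes, one run per separator character, and enumerates the candidate space those runs cover so a password-policy author can check which word-separator-word shapes an audit of this kind would catch. Wordlist paths and the toy words are constructed placeholders.

```python
"""Combinator attack variants (middle, end, hybrid) expressed as hashcat
-j/-k append rules, plus the candidate space they cover. Added example,
not code from hate_crack or hashcat; wordlist paths and words are
constructed placeholders."""
from itertools import product

# hashcat's "$X" rule appends character X to every word; the post uses
# -j for the left wordlist and -k for the right wordlist.
DIGITS = "0123456789"
SEPARATORS = "24 -_,+.&"   # the post's middle-mask character set


def append_rule(ch):
    """Return the hashcat rule string that appends one character."""
    return "$" + ch


def attack_plan(dict1, dict2, chars):
    """One hashcat -a 1 invocation per character and variant.

    Returns (label, argv) tuples. Only the -j/-k placement differs:
    middle = -j, end = -k, hybrid = both (as the post describes).
    """
    plan = []
    for ch in chars:
        rule = append_rule(ch)
        plan.append(("middle", ["hashcat", "-a", "1", "-j", rule, dict1, dict2]))
        plan.append(("end", ["hashcat", "-a", "1", "-k", rule, dict1, dict2]))
        plan.append(("hybrid", ["hashcat", "-a", "1", "-j", rule, "-k", rule,
                                dict1, dict2]))
    return plan


def candidates(left, right, chars):
    """Enumerate what those runs would test (standard + middle + end +
    hybrid), so a policy author can see which word-sep-word shapes a
    wordlist-based audit already covers."""
    out = set()
    for a, b in product(left, right):
        out.add(a + b)                  # standard combinator
        for ch in chars:
            out.add(a + ch + b)         # middle combinator
            out.add(a + b + ch)         # end combinator
            out.add(a + ch + b + ch)    # hybrid middle/end
    return out


def keyspace(n_left, n_right, n_chars):
    """Candidates tried in a full thorough run over one character class:
    n_left * n_right pairs, each tried plain and three ways per char."""
    return n_left * n_right * (1 + 3 * n_chars)


if __name__ == "__main__":
    # Constructed toy wordlists standing in for rockyou.txt.
    left = ["summer", "winter"]
    right = ["time", "storm"]
    for label, argv in attack_plan("rockyou.txt", "rockyou.txt", "2"):
        print(label, " ".join(argv))
    print(sorted(candidates(left, right, "24")))
    print(keyspace(len(left), len(right), len(DIGITS)))
```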
Security Matters: Password Security
Password. That’s a cringe-inducing word. What a pain; you constantly need to change your passwords. You have to use mental gymnastics to remember all of them, and don’t get me started on special characters. I hate passwords.
Yes, I am the Chief Information Security Officer of a large organization, and I can admit I hate passwords just as much as anyone else. Now, I know they are extremely important but, in my opinion, they are often mismanaged.
When IT administrators put so many restrictions on passwords, we actually drive people to even more dangerous practices, like writing passwords down on a sticky note and using the same password for everything we log in to. Although often hated, passwords are a necessity, so I would like to explore passwords and prove the pain can be eased.
Password vs. Passphrase
First, let’s take a look at password complexity. The default Microsoft Windows password policy requires eight characters, including one uppercase letter, one lowercase letter, one number and one special character. By this rule, “Password1!” is an acceptable password. Unfortunately, from past experience, this is exactly the kind of password I see being used. It follows the pattern: an English word, a number, and a special character, in that order.
Explaining the reasons why this approach is unsafe will be the subject of another article, but rest assured, with this type of password, if there is a security compromise, the attacker can often get the plain-text password of a large majority of an organization.
A much better approach to ensuring password security is to remove the complexity requirements and instead require much longer passwords called “passphrases”. I know what you are saying: “I have to remember a longer password and that is better!?!?” Hear me out: yes, it is. A passphrase is easier to remember.
Think about it. Which would be easier to remember, the password, “HaRdS1#!”, or the passphrase, “I like the flowers in the springtime?” I think we can all agree the second one is much easier to remember, because this is how our brains are wired. A plain-English phrase is something we have been memorizing since childhood.
Something that is not obvious unless you are a mathematician is that the passphrase is also much more secure. It is harder to break once the password is scrambled into the form in which it is stored on the computer. An attacker can brute force an eight-character password in just about a day, but a 15-character passphrase would take a near infinite time with the computer power available today.
Passwords In Practice
Now, let’s take a look at password re-use. I know it is tempting to come up with a good password and use it on all the websites we use. This is a dangerous practice because websites are being breached on a daily basis, and passwords are not always stored securely. There have been many large sites that have had breaches with all their user accounts compromised and publicly posted on the web.
Take a look at the website haveibeenpwned.com. This site will show you if your account has been compromised in some of the more recent public breaches. The danger is that once your email address and password are exposed, criminals can use them to try to log in to other sites. For example, if your Dropbox password is the same one you use for online banking, then you should change it immediately, as Dropbox had a breach back in 2012 that has just now been discovered.
This is why I recommend the use of a password manager. The one I use is LastPass, but there are several excellent ones out there. The idea of a password manager is that it will generate a unique random password for each website that you need to log in to. There is one master password that you need to remember to unlock all the other passwords. This password is used to encrypt all the passwords, so they are only ever usable once you have unlocked them with your master password.
Therefore, a password manager lets you have unique passwords for each site while only needing to remember one password. If one of your accounts is ever compromised, the attacker won’t be able to use your password on another site to perform some nefarious activity. All you have to do is visit the site that was compromised and use the password manager to create a new secure, random password.
Two Steps Are Better Than One
Finally, let’s look at two-factor authentication. Two-factor authentication uses something you have, which can be a device you plug in to your computer, a text message that is sent to your phone, or an application on your phone, to authenticate.
This, in my opinion, is the ultimate solution. You can let everyone use a much easier-to-remember shorter password, and if it is ever compromised the attacker still can’t get into a system without the device that you carry with you.
For example, say someone gets your username and password for your bank account, but you have two-factor authentication set up. Now when the attacker tries to log in to your bank account, you get a notification on your phone that someone is trying to log in, and the mobile app asks you to press the “Confirm login” button to allow the login to continue.
Since you are not trying to log in to your bank account, you would just click “No” in the app and go change your bank password. With the disaster averted, you can now contact your bank and report the incident, knowing your hard-earned money is still safe.
Intro To CIS Critical Controls
I have been asked many times, “What are reasonable security controls?” This is a hard question to answer, as what I consider to be reasonable isn’t what others would. As an information security officer, I tend to be very risk-averse.
After all, information security is what I refer to as a “weak link” problem. What I mean by that is it only takes one weak link for an attacker to be able to gain a foothold into a network.
Until recently, there were no California-specific regulations or legal opinions to be able to point to about how to prevent network attacks. There are of course the California data security breach notification laws—the first of their kind in the nation—that explain what an institution has to do after a breach occurs. However, there was nothing that said how you should be protecting the data that you are collecting in the first place.
That finally changed this year when the State Attorney General of California published the 2016 California Data Breach Report. In the report, Attorney General Kamala Harris gives a set of five recommendations to prevent the most common breaches, thus finally giving us a legal definition of “reasonable security controls.”
First Line Of Cyber Defense
The attorney general’s first recommendation is to implement the Center for Information Security’s Controls for Effective Cyber Defense, also known as the CIS Critical Controls. The CIS Critical Controls consist of 20 control categories, each with a subset of controls. They are very straightforward and easy to follow. I would encourage everyone to download and read them.
These controls really do work and this should now be the standard that you are working on implementing at your college. The controls are prioritized in order of importance, and if you are implementing them you should start with number one and work your way down.
You will quickly realize that, to be able to implement these controls properly and still maintain the openness of a college campus, you may need to do some re-architecting. Take for example the first control, “Inventory of Authorized and Unauthorized Devices”: If you look at a typical college campus, there are many hundreds if not thousands of devices that come and go in a single day. It is nearly impossible to be able to know what every device is and who is using it.
However, if your network is properly segmented into different trust levels then the problem becomes a lot easier to tackle. You should be able to securely configure your network to disable free access in the most secure segments, where each device needs to be registered and tightly controlled, and block access to outside devices.
New Legal Security Standard
There could also be added liability if your institution isn’t at the very least working toward implementing the CIS Critical Controls. This will now become the gold security standard for the state of California, and in effect becomes the de facto civil law of California, until such time as the state legislature decides to formally weigh in on this subject.
If the California Data Security Breach Reporting law is any indication, other states’ attorneys general may follow suit and release similar opinions on data breach prevention. So if your institution is breached in the future and the CIS Controls are not in place, a resulting lawsuit could bring the possibility of increased civil fines. The judge may see the failure to implement the CIS Controls as negligent. I do not claim to be a lawyer, and you should ask your district’s general counsel for their take on the liability aspect of not implementing the attorney general’s recommendations.
Hostapd Backtrack 5r3
So I am setting up a Backtrack 5r3 system to do some mobile app assessment. I want to set up the system as a wireless access point and be able to capture all the traffic. To do this I am using hostapd. Backtrack has this as a standard package available via: apt-get install hostapd
Unfortunately this is an older version of the program, 0.6.9 I believe, and it would not work with the ath9k card I have in this system. The program threw an error each time I tried to run it. The latest stable build of hostapd is 1.0 and is available to download here. The problem is that you need to install the libnl-dev package in Backtrack before it will cleanly compile. After downloading and compiling hostapd 1.0, everything was good to go. So here are the commands to run for all you script kiddies out there.
apt-get install libnl-dev
wget http://hostap.epitest.fi/releases/hostapd-1.0.tar.gz
tar -xzvf hostapd-1.0.tar.gz
cd hostapd-1.0/hostapd
cp defconfig .config
make
for i in hostapd hostapd_cli; do cp -f $i /usr/local/bin/$i; done
Congratulations you now have a fully functioning hostapd 1.0 install that will work with the ath9k wireless chipset on Backtrack 5r3.
Konboot
I am playing around with Konboot after first hearing about it on the Hak5 podcast. If you haven’t heard about it, it is a boot disk you can create on a floppy, CD or USB drive (see Irongeek’s site for USB instructions). The disk changes the Windows or Linux kernel on the fly while booting to allow you to bypass the login password. In Windows you just use any valid user name and a blank or garbage password; you will then be logged in as that user and can access all their files. So naturally you will probably want to try the local administrator user, which will allow you to access all files on the computer. In Linux you use the user name kon-usr and no password. This will give you full root access on the Linux machine.
I have found it works well if the system is not multi-boot. On my systems, which are all multi-boot, it would only work on one system and only on one OS, which happened to be Eeebuntu. My other laptop gave me an error about the cylinder number being too high, like the old-school days of LILO where the boot image had to be below cylinder 1024. I am assuming this is the same issue as in the days of old. Also, a caveat: don’t use Konboot to log in to a domain account on a computer that is connected to the network. This will disable the account on the domain and won’t allow you to log in. In most environments user credentials are cached in case the network goes down. So air-gap the computer before using a domain account.
Remediation steps are fairly simple. Lock the BIOS with a password and only allow the system to boot from the hard drive. This should already be in the checklist of tasks to perform when deploying a new PC. Since this type of threat isn’t new, Konboot just makes it a little simpler to access the PC than loading up a live Linux distro like Knoppix. If there is any sensitive information on the hard drive, encryption should be used, of course, since if someone steals the computer or hard drive it’s game over. With the breach notification laws in most states, that is not a fun proposition.
Open Source Asset Tracking software
The University of Washington has released a free and open source system for tracking computers called Adeona. I have installed it on my work laptop and it gets the job done. This is a great solution for home users, as it works on Linux, Mac, and PC and doesn’t require anything else from the user, such as a server or a service fee, to use it. There are some definite shortcomings though.
- First, as with all non-BIOS tracking software, this won’t work if a thief wipes the drive without booting up.
- Second, it sends the location data pseudo-randomly every half hour, so if a thief boots a laptop, sees a login screen and shuts it down, it probably won’t be recorded.
- Third, it would be a nightmare to mass deploy. I have thousands of computers I would want to install this on. To do this I would have to manually install it on every one, since it asks questions during the install and you have to copy a file to a central server that you need in order to check on the location data.
- Fourth, it uses OpenDHT to store the location information. I don’t trust the stability of an open source distributed storage system that anyone can use for distributed storage. It’s only a matter of time before this starts to be used to distribute illegal material or its popularity cripples it. I am all for open access to things, but time and time again a few people always ruin it.
For my purposes I think it would be better just to write a program that posts the computer name and IP address to a web server that stores the information in a MySQL database.
Linux Cisco VPN
The Linux Cisco VPN client seems to try the first available interface to make a connection. In my case this was eth0, which is my wired port and isn’t connected to anything. In order to get it to work I had to down the interface with ifconfig eth0 down; then it would connect fine with my wireless interface eth1. I haven’t seen any documentation on whether there is a way to manually bind it to a specific interface, and there is no man page installed. At least --help gives some usage, which is head and shoulders over the tsmc Tivoli command line I was using today; what a royal PITA. Just in case anyone needs it, the command to restore a previous version of a file is “tsmc restore -todate=yyyy-mm-dd -inactive /path/to/file”. The documentation gave the format for the date as mm/dd/yyyy, and the command would just come back and say -todate not recognized. Not “wrong date format”, no, that would have saved Jeff an hour of googling.
PCI, Why store Credit Card Numbers?
Well, it has been a while since I have posted anything. I have been really busy this past month. I was promoted to IT security manager at my current employer. I am now dealing with IT security almost full time; they still need to fill my vacant position. So I am much happier now, not having to deal with a lot of the boring, mundane tasks, and instead I get to do what I love: security.
I was reading another security blog entry and it got me thinking. Why do POS systems have to store credit card numbers? There really is no rational reason that I can think of. I have had quite a bit of experience with a POS POS system (note that isn’t a mistake; only one POS means Point of Sale). The way credit card transactions work is that the store’s POS system calls a card processing system. The store’s computer asks the card processor’s computer if this credit card has enough money to cover this purchase. If it does, then it “reserves” these funds for the store for some time period and gives the store a magic approval number; no actual money is taken at that time. I don’t know exactly why they do this; my guess is that they reserve a slightly higher amount of money than is actually needed so that it can be adjusted down if the transaction needs to be modified, i.e. you give the waiter a tip or you decide you really don’t want to buy that iPhone.
The store will then, within a day or two, do a batch settlement transaction where it goes back to the card processor and says yes, all these transactions really did happen, so send us money.
So the only point in that process where the store actually needs the credit card number is the first transaction to the card processor. After that the store could just use the unique authorization number to identify the transaction. A hacker could still get credit card numbers, but only in real time by sniffing the transactions as they go, instead of the coup de grâce of 18 months or more of stored numbers that they currently can get if they hack into a POS system.
Electronic voting reform
I live in California, where Secretary of State Debra Bowen has allowed the University of California to test the e-voting systems used here in California. What they found was that all of them are hackable. I find the preliminary findings very scary but not at all surprising. The legislators of California are not computer security experts, but they should have consulted with and let security professionals verify that the systems were secure before certifying them. It is inexcusable to allow what is arguably the most important computer system in the country to be so insecure. These machines are what decide our elections. If you could modify the election results you could execute a bloodless coup and no one would be the wiser. No one could prove that an election had been stolen if there is no paper trail.
I will give you one scenario. All the electronic voting machines are stored in some medium-security warehouse with a few guards and 1 or 2 cameras. A disgruntled technician from company XYZ, who makes $20,000 a year maintaining voting machines, is paid some large sum to hack the company’s voting machines. He is admitted entry into the facility to do “maintenance”. He turns them all on and one by one inserts a USB thumb drive that installs a virus on each machine. He also updates the BIOS and changes the checksum check that is used to verify that the operating system is certified, just as he has to do when he installs any patch. This virus will change 41% of the votes in favor of candidate FOO, thus virtually ensuring victory. This virus then removes all traces of itself and restores the correct checksum back into the BIOS at 7:55 PM on election day. With the current systems that have no paper trail, no one would find out unless someone starts looking at the technician’s large bank account.
I am not saying to go back to all paper ballots; to me this is even more error prone and hackable than e-voting. Just make up some ballot boxes and switch them in transit to the registrar’s office. No, to me the problem is fairly trivial, technologically speaking. The solution is threefold. First and most simple, a paper copy must be printed out and verified correct by the voter, thus ensuring a backup in case the electronic version is lost or tampered with.
The second part of my proposed solution is PKI (Public Key Infrastructure). Each voter should be assigned a private key; a 3D bar code would work nicely. This key should be assigned completely at random and be good for only one election, so that voting patterns couldn’t be data mined and somehow connected to an individual; there should also be no record kept of the voter’s private key, only their public key should be kept. This private key should be encrypted with a master public key so that there is no way a voter’s private key and identity could be obtained by copying it in transit unless the person also had the master private key. The voter would then scan their bar code and the voting machine would verify that it is a legitimate key by decrypting the key with the master private key. The voter would then vote and the results would be signed with the user’s private key, and also be printed out. If the results were tampered with, the signature would not match and it would be obvious that the results were tampered with. If two different votes were signed with the same private key, you would also know that the user voted twice and could throw out all other votes signed with the same signature. The public keys and paper copies should be escrowed so that recounts could be done for some defined time.
The last and most important is both the physical security and openness of the system. The inputs should be protected with 3DES encryption so that only certified devices could be plugged in. No uncertified devices should be allowed on the system. No one should be able to plug a keyboard in. The case should be welded shut and painted with a heat-sensitive paint so any attempted tampering would be apparent. The system should be completely open source, from the OS to the voting software, so that all code can be freely audited. If someone did manage to hack the system, the paper backup should throw up the red flag that the system was compromised. The system should also be on an encrypted EEPROM so that even if you get into the case you can’t modify the EEPROM without the key. The key should be on a physically separate dongle that is locked up separately from the voting machine and must be present when booting the machine and removed thereafter. If any dongle is lost then all the dongles will have to be replaced and the EEPROM reprogrammed, so it is very important that they don’t go missing. The systems should never be plugged into an open network. The system that collects the votes should also have a certificate assigned to it and stored on the voting machines so that the voting machines don’t disclose voting results to an unauthorized system.
All of this technology is common and in use today. We need to reform the voting system so that we implement this as soon as possible. If we don’t, we may soon find our country not in our control anymore. I don’t go into all the details about the system, but I would love feedback: what are the weaknesses in the system I described? If done correctly, e-voting is both more efficient and more secure than paper-based voting alone.
CISSP
I just got the email: I passed the CISSP exam that I took July 7th. I just have to get my endorsement letter signed by my boss and send in my resume to ISC2. I am glad I passed, especially since it cost $500.00 of my own money. Hopefully this will open up some doors professionally. I studied off and on for 2 months and crammed like crazy the last week. I used the official ISC2 CISSP book to do most of my studying but also took some practice tests that I found, and reviewed Shon Harris’s CISSP All-in-One Exam Guide for some of my weaker areas.