Upcoming Speaking Engagements!

It’s that time of year again! Andy’s running around like crazy. In the course of 8 days I’ll be doing 4 different talks in 3 different states. Looks like we’re closing out the year with a bang!

I’ve got some surprises in store for everyone. Stay tuned!

Hacking RDP with a MitM Password Attack

The other day, my friend and co-worker clued me in on a new attack he found. It worked so well, we had to share it.
As it says on their GitHub page,

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Take a look how simple it is to steal an RDP credential off the network without ever having to touch the victim’s machine. Things like certificates and network level access are important security controls you should implement to protect from attacks like this.

Business Travel (aka Road Warrior) Packing List.

So I’m about to embark on another trip across the US to discuss Cyber Security controls with a bunch of different companies across the West Coast. I’m looking forward to it. However, I absolutely hate packing for trips like this. You never know what exactly life has in store for you, if the weather will cooperate, or if you might spill a ramekin of cocktail sauce down the back of your last nice shirt (true story). So anyways, I’m trying to make it easier on myself by keeping a “living packing list”. I’ll continue to update this list as time goes on with whatever need-to-have items I require while traveling. Anyways, here’s the list so far.
Clothing
[ ] Dress Shirts
[ ] Slacks
[ ] Dress shoes
[ ] Belt
[ ] Underwear
[ ] Undershirts
[ ] Socks
[ ] Swimsuit
[ ] Shorts
[ ] T-Shirts
[ ] Running Shoes
[ ] Baseball Cap

Toiletries
[ ] Toothbrush/Toothpaste/Floss/Mouthwash
[ ] Shaving Razor/Shaving Cream/Blades
[ ] Comb/Hairbrush
[ ] Hair gel/hairspray
[ ] Nail Clippers
[ ] Deodorant
[ ] Talcum Powder
[ ] Ear Plugs
[ ] Sleep Mask
[ ] Tweezers
[ ] Hand Sanitizer
[ ] Aspirin/Tylenol
[ ] Afrin Nose Spray
[ ] Benadryl

Business
[ ] Pens & Notepad
[ ] Laptop Charger
[ ] Laptop
[ ] Hacking Toolkit
[ ] Business Cards
[ ] Breath Mints
[ ] Dry Erase Markers
[ ] Wireless Mouse (Purposely Vulnerable)
[ ] VGA to HDMI Adapter

Misc
[ ] Sunglasses
[ ] Phone Charger
[ ] HooToo Travel Mate
[ ] Roku Stick
[ ] Amazon Dot
[ ] VR Headset
[ ] WifI Hotspot
[ ] Noise-Canceling Headphones.
[ ] Wired Headphones
[ ] Kindle
[ ] iPad
[ ] Watch Charger
[ ] Flashlight
[ ] Umbrella
[ ] USB Battery Pack
[ ] HDMI Cable

It’s a lot, but I’m able to typically carry this all in an average carry on and a brief-case or backpack. Free free to print this packing list as a PDF out as well for your own use.

Equihax…I mean Equifax

What Happened

I know I’m a little late to the game, but I figured I’d share my .02 regarding the most recent, and largest to date data breach…Equifax.

On September 7th, Chairman and and CEO Rick Smith of Equifax had the following video announcement. They discovered “unauthorized access” on July 29th, hired Mandiant, and now are disclosing that the breach jeopardized the personal information of 143 million American consumers’ data…potentially more than half of all Americans. Not good at all. To be specific, they also outlined that 209,000 credit cards were exposed as well as 182,000 people’s Personal Identifiable Information such as names, address, phone numbers, email addresses, etc for example). These were part of their ‘dispute documents’ which were leaked. All we know for sure is that Equifax stated “PII”. This was specific to US, Canadian, and UK consumers.

What makes this worse is that the CFO and two presidents of Equifax’s business units sold share between 3 and four days after the breach was discovered. Equifax reported that these people had no knowledge of the breach and were not subject to insider trading laws. At the same time, SEC filings show the sales worth 1.8 million were not pre-planned. Working for a publically traded company, General rule of thumb, is not to trade when the company creates a blackout period. In the event there is some non-public information they become subject to said blackout period until the announcement is made public. I can’t believe that a breach was detected, Mandiant was contracted, and at no time the CFO wasn’t made aware of this. Incident Response plans almost always notify HR, Finance, Payroll, Legal, and Marketing in the event of a serious incident. Either this is gross negligence or insider trading. Pick one.

An additional note: At this time there is no attribution as to who the attacker(s) are.

 

From left: Equifax executives John Gamble, Rodolfo Ploder and Joseph Loughran.

Read more “Equihax…I mean Equifax”

New Script! – RDP Proxy Link Builder

Most of you know I work for a particular Privileged Account Security company. It’s sort of hard to unplug for your job when you really love what you do. With that said, sometimes when I’m off the clock, I’ll still work on some pet projects. This is one of them. In CyberArk’s Enterprise Password Vault version 9.7, they introduced a really cool new feature. Privilege Session Manager Remote Desktop Proxy. SysAdmins typically push back on any security control because they tend to introduce hurdles in their day to day operations. Security shouldn’t hinder operations as they’ll tend to be avoided or even worse yet, circumvented.  So PSMRDPP was developed to allow for Privilege Sessions to be initiated without having to authenticate and logon to the web interface. Using native RDP tools, you can access your privileged accounts. It’s really cool!

Anyways, I developed a script to build out the RDP links automatically that interface with the PSM Proxy server. It also works with Devolutions Remote Desktop Manager Sorry, only works in the paid version. They crippled the powershell functionality in the free version. Anyways, I’ve put the script up on GitHub. I’m going to continue to improve on the script, but for now you’re welcome to use it. It works great!

https://github.com/BinaryWasp/RDPProxyLinkBuilder

 

Rundll32 commands for Windows

Control Panel
RunDll32.exe shell32.dll,Control_RunDLL

Delete Temporary Internet Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Delete Cookies
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

Delete History
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1

Delete Form Data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16

Delete Passwords
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32

Delete All
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Delete all files and settings stored by Add-ons
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

Date and Time Properties
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl

Device Manager
RunDll32.exe devmgr.dll DeviceManager_Execute

Folder Options – General
RunDll32.exe shell32.dll,Options_RunDLL 0

Folder Options – Search
RunDll32.exe shell32.dll,Options_RunDLL 2

Folder Options – View
RunDll32.exe shell32.dll,Options_RunDLL 7

Hibernate
RunDll32.exe powrprof.dll,SetSuspendState

Keyboard Properties
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1

Lock Screen
RunDll32.exe user32.dll,LockWorkStation

Mouse Button – Swap left button to function as right
Rundll32 User32.dll,SwapMouseButton

Map Network Drive Wizard
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect

Network Connections
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl

Organize IE Favourites
Rundll32.exe shdocvw.dll,DoOrganizeFavDlg

Open With Dialog Box
Rundll32 Shell32.dll,OpenAs_RunDLL File.ext

Plays a waveform sound
rundll32.exe user32.dll,MessageBeep

Printer User Interface
Rundll32 Printui.dll,PrintUIEntry

Printer Management Folder.
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder

Power Options
RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl

Stored Usernames and Passwords
RunDll32.exe keymgr.dll,KRShowKeyMgr

Safely Remove Hardware Dialog Box
Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll

Taskbar Properties
RunDll32.exe shell32.dll,Options_RunDLL 1

User Accounts
RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl

Windows Security Center
RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl

Windows Fonts Installation Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL FontsFolder

Windows Firewall
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl

Hacker Conference Behavior

I’m heading to BSidesLV, DEFCON25, & Blackhat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here’s some standard best practices I try to follow when attending a InfoSec related conference.

  1. Laptop Behavior
    1. Do not bring your laptop, unless specifically required. Try only using your your phone connected via VPN.
    2. Do not leave your laptop unattended at any time.
    3. Do not check-in your laptop as luggage.
    4. Turn off WiFi and Bluetooth.
  2. Printing, scanning, faxing
    1. Do not print from or scan to your laptops
  3. Internet access and connectivity
    1. Unless absolutely necessary for a job function, disable WiFi.
    2. Disable Bluetooth on your computer and phone.
    3. Disable NFS connectivity on your phone and computer.
    4. If Wifi is absolutely required, ONLY use your own provided wifi. I used a JetBack/MiFi and connect ONLY to that device.
    5. Always use a VPN as soon as you obtain WiFi access.
    6. Do NOT plug any network cable into the laptop.
    7. Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
  4. Document behavior
    1. Do not work on internal or sensitive documents in public.

 

Okay, break’s over. Back to work!

So I took a little vacation to a tiny little rock out in the middle of the South Pacific. Isla de Pascua, Rapa Nui, Easter Island…whatever you want to call it, it was amazing. What an incredible time I will never forget. It was a little odd not having phone, internet, or any sort of tether back to society. At the same time, it was really nice to literally be off the grid for some time. However. It’s all done. Break’s over. It’s time to get back in the swing of things.

A day after getting back, I packed up and headed to Denver at the Optiv ES3 summit to do a brand new talk on insider threat. I love the city of Denver, so I’m always happy to get invited back out there. The talk, despite being my first presentation on the topic, went really well. The talk was well attended, and well received. Plus, at the end of the day I got to hang out and talk with Brian Krebs. That was great! I’m planning on heading back out to Denver sometime in August, but until then…there’s a LOT more to be done. (btw – the goatee got a good trip shortly after this picture.)

There’s a lot going on between now and even August. First off, I’ve got to make it out to Phoenix for a few client visits and prep for a round of forums I’m presenting later in Q3. I’ll fly back late Friday night. Then it’s up to Boston this coming Sunday. I’m presenting two new presentations at the CyberArk 2017 Impact Summit in Boston. I’ll be talking on Ransomware. The goal is to focus particularly on the WannaCry and NotPetya ransomworms and defensive strategies to address the next generation of Ransomware.  The next talk, is what I’m REALLY excited about. My good buddy Len Noe and I are basically going to carpet-bomb the audience with live demos of real penetration testing tools. A few of the things we plan to demo are the PoisonTap, BashBunny, Inveigh and Responder, the Wifi Pineapple, and my favorite live demo…MouseJack (code injection on a machine not even connected to the network).  It’s going to be a lot of fun. I also built one hell of a powerpoint presentation to go along with it. Something like 7 slides and 2.9GB. I rendered the slides as video and have scenes from Hackers playing silently in the background. Whichever breakout presentation gets the highest marks gets to present to the mainstage. Either way, it’s gonna be off the chain!

After Impact, we’ve got the CyberArk Midyear Sales Kickoff. I don’t have any expectations there, other than it’s going to be a lot of work while we’re up there.  After that, I have one week back in Dallas (unless something comes up, which it typically does). After that…it’s off to Vegas for Hacker Summer Camp! Woo hoo!  For Blackhat, I don’t get to attend, but I actually have to work the event. I absolutely love Blackhat. You get to meet a lot of great and interesting people. After that it’s onward to BSides and DEFCON 25. I’ve been waiting all year for this.  As soon as I heard it was at Caesar’s this year, I made sure my room was reserved. Due to my wife’s travel hacking, I have status at Caesars. I get a nice big room (photo below was the last time I stayed at Caesar’s Palace earlier this year at Gartner), access to free services, and the VIP lounge. So…now I have 3 friends staying with me in the room and live video feeds of the talks downstairs if they’re too packed. I’m really looking forward to it.

So yeah, that’s just July. August is gonna be crazy too!

Taking a break…

So I just wrapped up yesterday BSides Cincinnati. It was a great event. Great folks, great weather, great venue…just great all around. Anyways, I’ve been working, traveling, speaking a lot more than I had originally anticipated the last six months. I’m going to take a break from the travel/conference stuff for just a couple months and slow things down some. I’ve recently taken on a large amount of responsibility at work that needs my full attention. The kids are about to be on Summer vacation and I’m looking forward to spending a little more time with Mrs. Rainmaker. We’ve got an insane vacation planned sometime in June. CyberArk has an amazing customer conference coming up in July. And I couldn’t forget about Hacker Summer camp! Blackhat, BSides Vegas, and DEFCON 25 are all going down in July/August. I’ve got status with Caesar’s so I’m planning on getting a killer room, living the VIP life, and enjoying the trip to the fullest extent. Even without traveling for work and conferences, that’s still a lot of travel planned.

Again, this is only a small break. I already have a new deck prepared on Insider Threat. I’m going to pick that back up in September along with the others. Knowing me, I’ll probably have more time to work on projects at home and maybe update my blog from time to time. 🙂