Rainmaker’s Book Recommendations

So before sobering up and leaving Dallas Hackers last night, I did a quick (and inebriated) firetalk on some of the books I’ve read recently and my thoughts. I will update this blog post with a summary of each book and my thoughts on them. However I wanted to get this post up before I hop this flight to Tel Aviv, Israel for a week. Here’s the list. Enjoy!



Time Management for System Administrators by Thomas A. Limoncelli

The Sales Bible by Jeffrey Gitomer

Tools of Titans by Tim Ferriss

The Art of Intrusion by Kevin Mitnick

Technocreep by Thomas P. Keenan

RTFM by Ben Clark

Fatal System Error by Joseph Menn

The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford

The Challenger Sale by Matthew Dixon and Brent Adamson

Zone to Win by Geoffrey A. Moore

Infosec Rock Star by Ted Demopoulos

Upcoming Speaking Engagements!

It’s that time of year again! Andy’s running around like crazy. In the course of 8 days I’ll be doing 4 different talks in 3 different states. Looks like we’re closing out the year with a bang!

I’ve got some surprises in store for everyone. Stay tuned!

Hacking RDP with a MitM Password Attack

The other day, my friend and co-worker clued me in on a new attack he found. It worked so well, we had to share it.
As the project’s GitHub page puts it:

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Take a look at how simple it is to steal an RDP credential off the network without ever touching the victim’s machine. The controls that protect against attacks like this are Network Level Authentication (NLA), requiring TLS on the RDP listener instead of legacy RDP security, and giving the listener a certificate issued by a CA your clients trust, so that the rogue certificate a man-in-the-middle presents is rejected by the client rather than clicked through.
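To turn that advice into something you can check, here is an added example (not part of the original post and not from the Seth project) that audits the local RDP-Tcp listener for the three server-side settings a downgrade MitM relies on and, on request, writes the hardened values. It reads the standard Win32_TSGeneralSetting CIM class and the Terminal Server WinStations registry key; the cert store lookup assumes the listener certificate lives in the machine’s “Remote Desktop” or “My” store, which is where Windows puts it by default. Run it from an elevated prompt. Note that the client side still has to refuse untrusted certificates (authentication level 2 in the .rdp file, or the “Configure server authentication for client” policy), which a server-side script cannot enforce.

```powershell
# Added example: audit and harden the RDP-Tcp listener against a downgrade MitM.
# Not from the original post or from Seth. Requires an elevated PowerShell session.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpDowngradeExposure {
    [CmdletBinding()]
    param()

    # Win32_TSGeneralSetting exposes the listener configuration that the registry key above backs.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"

    $findings = New-Object System.Collections.Generic.List[string]

    # SecurityLayer: 0 = legacy RDP security (no TLS), 1 = Negotiate, 2 = TLS required.
    # Below 2 a man-in-the-middle can steer the handshake to legacy RDP security.
    if ($ts.SecurityLayer -lt 2) {
        $findings.Add("SecurityLayer=$($ts.SecurityLayer): TLS is not mandatory; downgrade to RDP security is possible")
    }

    # UserAuthenticationRequired: 1 = NLA (CredSSP) must complete before a session is created.
    if ($ts.UserAuthenticationRequired -ne 1) {
        $findings.Add("UserAuthenticationRequired=$($ts.UserAuthenticationRequired): NLA is not enforced")
    }

    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
    if ($ts.MinEncryptionLevel -lt 3) {
        $findings.Add("MinEncryptionLevel=$($ts.MinEncryptionLevel): encryption level below High")
    }

    # Listener certificate. A self-signed one (issuer == subject) gives clients nothing to validate
    # against, so the attacker's certificate looks no worse than the real one.
    $thumb = $ts.SSLCertificateSHA1Hash
    $cert  = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
             Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if ($null -eq $cert) {
        $findings.Add("Listener certificate $thumb was not found in the LocalMachine stores")
    } elseif ($cert.Subject -eq $cert.Issuer) {
        $findings.Add("Listener certificate is self-signed ($($cert.Subject)); clients cannot validate it against a trusted CA")
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        SecurityLayer              = $ts.SecurityLayer
        UserAuthenticationRequired = $ts.UserAuthenticationRequired
        MinEncryptionLevel         = $ts.MinEncryptionLevel
        CertificateThumbprint      = $thumb
        Hardened                   = ($findings.Count -eq 0)
        Findings                   = $findings
    }
}

function Set-RdpHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # These are the same values the Remote Desktop Session Host > Security group policies write.
    # A listener restart or reboot is needed before they take effect.
    if ($PSCmdlet.ShouldProcess($RdpTcpKey, 'Require TLS, NLA and High encryption')) {
        Set-ItemProperty -Path $RdpTcpKey -Name 'SecurityLayer'      -Value 2 -Type DWord
        Set-ItemProperty -Path $RdpTcpKey -Name 'UserAuthentication' -Value 1 -Type DWord
        Set-ItemProperty -Path $RdpTcpKey -Name 'MinEncryptionLevel' -Value 3 -Type DWord
    }
}

# Audit first; run Set-RdpHardening -WhatIf to preview the registry changes, then without -WhatIf.
Test-RdpDowngradeExposure | Format-List
```

Replacing the self-signed listener certificate is the one step the script does not automate: issue the host a certificate from your enterprise CA and bind it to the listener (the SSLCertificateSHA1Hash value), and the client-side certificate warning that Seth depends on users clicking through turns into a hard failure.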

Business Travel (aka Road Warrior) Packing List.

So I’m about to embark on another trip across the US to discuss Cyber Security controls with a bunch of different companies across the West Coast. I’m looking forward to it. However, I absolutely hate packing for trips like this. You never know what exactly life has in store for you, if the weather will cooperate, or if you might spill a ramekin of cocktail sauce down the back of your last nice shirt (true story). So anyways, I’m trying to make it easier on myself by keeping a “living packing list”. I’ll continue to update this list as time goes on with whatever need-to-have items I require while traveling. Anyways, here’s the list so far.
Clothing
[ ] Dress Shirts
[ ] Slacks
[ ] Dress shoes
[ ] Belt
[ ] Underwear
[ ] Undershirts
[ ] Socks
[ ] Swimsuit
[ ] Shorts
[ ] T-Shirts
[ ] Running Shoes
[ ] Baseball Cap

Toiletries
[ ] Toothbrush/Toothpaste/Floss/Mouthwash
[ ] Shaving Razor/Shaving Cream/Blades
[ ] Comb/Hairbrush
[ ] Hair gel/hairspray
[ ] Nail Clippers
[ ] Deodorant
[ ] Talcum Powder
[ ] Ear Plugs
[ ] Sleep Mask
[ ] Tweezers
[ ] Hand Sanitizer
[ ] Aspirin/Tylenol
[ ] Afrin Nose Spray
[ ] Benadryl

Business
[ ] Pens & Notepad
[ ] Laptop Charger
[ ] Laptop
[ ] Hacking Toolkit
[ ] Business Cards
[ ] Breath Mints
[ ] Dry Erase Markers
[ ] Wireless Mouse (Purposely Vulnerable)
[ ] VGA to HDMI Adapter

Misc
[ ] Sunglasses
[ ] Phone Charger
[ ] HooToo Travel Mate
[ ] Roku Stick
[ ] Amazon Dot
[ ] VR Headset
[ ] WifI Hotspot
[ ] Noise-Canceling Headphones.
[ ] Wired Headphones
[ ] Kindle
[ ] iPad
[ ] Watch Charger
[ ] Flashlight
[ ] Umbrella
[ ] USB Battery Pack
[ ] HDMI Cable

It’s a lot, but I’m typically able to carry all of this in an average carry-on and a briefcase or backpack. Feel free to print this packing list out as a PDF for your own use.

Equihax…I mean Equifax

What Happened

I know I’m a little late to the game, but I figured I’d share my $.02 regarding the most recent, and largest to date, data breach: Equifax.

On September 7th, Chairman and CEO Rick Smith of Equifax released the following video announcement. They discovered “unauthorized access” on July 29th, hired Mandiant, and are now disclosing that the breach jeopardized the personal information of 143 million American consumers, potentially more than half of all Americans. Not good at all. To be specific, they also outlined that 209,000 credit cards were exposed, as well as 182,000 people’s Personally Identifiable Information (names, addresses, phone numbers, email addresses, etc.). These were part of their ‘dispute documents’ which were leaked. All we know for sure is that Equifax stated “PII”. This was specific to US, Canadian, and UK consumers.

What makes this worse is that the CFO and two presidents of Equifax’s business units sold shares between three and four days after the breach was discovered. Equifax reported that these people had no knowledge of the breach and were not subject to insider trading laws. At the same time, SEC filings show the sales, worth $1.8 million, were not pre-planned. Working for a publicly traded company, the general rule of thumb is not to trade when the company declares a blackout period. In the event there is some non-public information, they become subject to said blackout period until the announcement is made public. I can’t believe that a breach was detected, Mandiant was contracted, and at no time was the CFO made aware of this. Incident Response plans almost always notify HR, Finance, Payroll, Legal, and Marketing in the event of a serious incident. Either this is gross negligence or insider trading. Pick one.

An additional note: At this time there is no attribution as to who the attacker(s) are.


From left: Equifax executives John Gamble, Rodolfo Ploder and Joseph Loughran.


New Script! – RDP Proxy Link Builder

Most of you know I work for a particular Privileged Account Security company. It’s sort of hard to unplug from your job when you really love what you do. With that said, sometimes when I’m off the clock, I’ll still work on some pet projects. This is one of them. In CyberArk’s Enterprise Password Vault version 9.7, they introduced a really cool new feature: the Privileged Session Manager Remote Desktop Proxy (PSMRDPP). SysAdmins typically push back on any security control, because controls tend to introduce hurdles in their day-to-day operations. Security shouldn’t hinder operations; controls that do tend to be avoided or, even worse, circumvented. So PSMRDPP was developed to allow privileged sessions to be initiated without having to authenticate and log on to the web interface. Using native RDP tools, you can access your privileged accounts. It’s really cool!

Anyway, I developed a script to automatically build the RDP links that interface with the PSM Proxy server. It also works with Devolutions Remote Desktop Manager (sorry, only the paid version; they crippled the PowerShell functionality in the free version). I’ve put the script up on GitHub. I’m going to continue to improve on the script, but for now you’re welcome to use it. It works great!

https://github.com/BinaryWasp/RDPProxyLinkBuilder
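For anyone who wants to see the shape of such a link before pulling the script, here is an added example (not the RDPProxyLinkBuilder script above and not CyberArk-supplied code) that writes one .rdp file per target. The PSM-specific part is the “alternate shell” line, which I have written as psm /u <target user> /a <target address> /c <connection component>; that syntax and the PSM-RDP component name are assumptions to check against the vendor documentation for your version. Everything else is standard .rdp file syntax, and the sample target list at the bottom is made up.

```powershell
# Added example: generate .rdp files that open a privileged session through a PSM RDP proxy.
# Not the post's RDPProxyLinkBuilder and not CyberArk code; the alternate shell format is an
# assumption to verify against the vendor docs.
function New-PsmRdpFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$PsmServer,        # PSM host the RDP client connects to
        [Parameter(Mandatory)] [string]$VaultUser,        # account that authenticates to the PSM
        [Parameter(Mandatory)] [string]$TargetUser,       # privileged account checked out of the vault
        [Parameter(Mandatory)] [string]$TargetAddress,    # system the privileged account logs on to
        [string]$ConnectionComponent = 'PSM-RDP',         # assumed default component name
        [string]$OutputDirectory = $PWD.Path
    )

    # Line breaks or quotes would break the key:type:value line format or the alternate shell
    # argument list, so refuse them instead of trying to escape them.
    foreach ($v in $PsmServer, $VaultUser, $TargetUser, $TargetAddress, $ConnectionComponent) {
        if ($v -match '[\r\n"]') { throw "Value '$v' contains characters not allowed in an .rdp file" }
    }

    $lines = @(
        "full address:s:$PsmServer"
        "username:s:$VaultUser"
        # Assumed PSMRDPP format: the proxy reads target user, address and component from the shell.
        "alternate shell:s:psm /u $TargetUser /a $TargetAddress /c $ConnectionComponent"
        # authentication level 2 = do not connect if the proxy's certificate cannot be validated,
        # which is what stops a downgrade man-in-the-middle between the admin and the proxy.
        'authentication level:i:2'
        'enablecredsspsupport:i:1'
        'prompt for credentials:i:1'
        # Keep the admin workstation's drives and clipboard out of the privileged session.
        'redirectclipboard:i:0'
        'redirectdrives:i:0'
        'drivestoredirect:s:'
    )

    # One file per target, named user@host with filesystem-unsafe characters replaced.
    $safeName = (($TargetUser, $TargetAddress) -join '@') -replace '[\\/:*?"<>|]', '_'
    $path = Join-Path $OutputDirectory "$safeName.rdp"

    # mstsc saves .rdp files as UTF-16 LE; match that so it reads ours back the same way.
    Set-Content -Path $path -Value $lines -Encoding Unicode
    Get-Item $path
}

# Constructed sample inventory; replace with your own list of vaulted accounts.
$targets = @(
    @{ TargetUser = 'svc_sql';       TargetAddress = 'sql01.corp.example' }
    @{ TargetUser = 'administrator'; TargetAddress = 'web02.corp.example' }
)
foreach ($t in $targets) {
    New-PsmRdpFile -PsmServer 'psm.corp.example' -VaultUser 'jdoe' @t
}
```

Double-clicking the resulting file prompts for the vault user’s password, connects to the PSM, and the proxy uses the alternate shell arguments to select the target account; the privileged password itself never reaches the admin’s workstation, which is the point of fronting RDP with a session manager in the first place.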


Rundll32 commands for Windows

Control Panel
RunDll32.exe shell32.dll,Control_RunDLL

Delete Temporary Internet Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Delete Cookies
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

Delete History
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1

Delete Form Data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16

Delete Passwords
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32

Delete All
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Delete all files and settings stored by Add-ons
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

Date and Time Properties
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl

Device Manager
RunDll32.exe devmgr.dll,DeviceManager_Execute

Folder Options – General
RunDll32.exe shell32.dll,Options_RunDLL 0

Folder Options – Search
RunDll32.exe shell32.dll,Options_RunDLL 2

Folder Options – View
RunDll32.exe shell32.dll,Options_RunDLL 7

Hibernate (puts the machine to sleep instead if hibernation is disabled)
RunDll32.exe powrprof.dll,SetSuspendState

Keyboard Properties
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1

Lock Screen
RunDll32.exe user32.dll,LockWorkStation

Mouse Button – Swap left button to function as right
Rundll32 User32.dll,SwapMouseButton

Map Network Drive Wizard
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect

Network Connections
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl

Organize IE Favourites
Rundll32.exe shdocvw.dll,DoOrganizeFavDlg

Open With Dialog Box
Rundll32 Shell32.dll,OpenAs_RunDLL File.ext

Plays a waveform sound
rundll32.exe user32.dll,MessageBeep

Printer User Interface
Rundll32 Printui.dll,PrintUIEntry

Printer Management Folder.
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder

Power Options
RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl

Stored Usernames and Passwords
RunDll32.exe keymgr.dll,KRShowKeyMgr

Safely Remove Hardware Dialog Box
Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll

Taskbar Properties
RunDll32.exe shell32.dll,Options_RunDLL 1

User Accounts
RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl

Windows Security Center
RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl

Windows Fonts Installation Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL FontsFolder

Windows Firewall
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl

Hacker Conference Behavior

I’m heading to BSidesLV, DEFCON25, & Blackhat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here are some standard best practices I try to follow when attending an InfoSec-related conference.

  1. Laptop Behavior
    1. Do not bring your laptop, unless specifically required. Try only using your phone connected via VPN.
    2. Do not leave your laptop unattended at any time.
    3. Do not check your laptop in as luggage.
    4. Turn off WiFi and Bluetooth.
  2. Printing, scanning, faxing
    1. Do not print from or scan to your laptops
  3. Internet access and connectivity
    1. Unless absolutely necessary for a job function, disable WiFi.
    2. Disable Bluetooth on your computer and phone.
    3. Disable NFC connectivity on your phone and computer.
    4. If WiFi is absolutely required, ONLY use your own provided WiFi. I use a Jetpack/MiFi and connect ONLY to that device.
    5. Always use a VPN as soon as you obtain WiFi access.
    6. Do NOT plug any network cable into the laptop.
    7. Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
  4. Document behavior
    1. Do not work on internal or sensitive documents in public.