Post-Tour Cool-Down

I survived the crazy 10 day, 6 city, 6 speaking engagement whirl-wind. Honestly, it really wasn’t that bad. I got to hang out with some really cool people. I got to see some really neat places, and I got to learn a bunch of crazy new things. You pick up a lot when you hang out at 6 different security conferences in rapid succession.

Here’s the PDF from the
LIVE HACKING DEMOS Presentation

One of the unfortunate things I struggle with is keeping a good work/home life balance. It’s a struggle I think I’ll honestly have to deal with my entire life. I tend to excel in one area of my life and drop the ball in others. I still struggle with this as I do have a tend to be pretty stubborn and I don’t accept failure in myself.  When I see this happening in other people, I tell them to check their priorities and to prioritize family over work. I tend to neglect my own advise. When that happens, I come back to this commencement speech from Shonda Rhimes. She’s a very strong and power-player in Hollywood. Her words in her commencement speech really struck a chord with me.

“Wherever you see me succeeding in one area of my life, that almost certainly means I’m failing in another area of my life.”

With all that said, I’m going to cut back a little on the travel, prioritize myself and my family and work on a few pet projects I’ve been thinking about. Looking forward to it.

NTXISSA March 2018 Monthly Meeting – The Hackers Toolkit

I’m excited to announce that I’ll be speaking at the March 2018 North Texas ISSA chapter meeting. I’m planning on presenting the “Hacker Carpet Bomb” aka “Hacker’s Bag of Tricks” aka “Hackers Tooklit” presentation. This talk consists of nothing but live demos. Anyone who’s done IT presentations can tell you, live demos are dangerous. They rarely go right. Having a talk that consists of nothing but live demos is straight up insane. I’ve done this talk a handful of times. Not once has it ever gone perfectly, but that’s also the charm behind it. Exploits, even in perfect environments, sometimes fail. That’s part of it.  Here’s the demo’s I’m planning to present

Between now and then I need to find a device I can destroy on stage. If you have something you don’t mind literally going up in smoke, please let me know.

So please come out March 15th at 11:00AM. I’m sure it’ll be a fun and eye-opening event.

https://ntxissa.org/event/ntxissa-march-2018-monthly-meeting/

 

 

Q&A on SQL Injection ‘ or 1=1; —

from XKCD

Every once in a while I get an email from either a friend, client, mentor, etc that I really want to share with the community as a whole. Typically after I respond to the email, I try and get permission from the second party and include it on my blog (which I’m still fairly sure nobody actually reads).  Anyways, this was a really good question about SQL injection, so enjoy!

Hey Andy, I’ve got a question. In my courses I’ve been learning SQL. I’m trying to also look at it with a security perspective in defending from SQL injection attacks. Do you know of any good ways to actually practice or solid resources to learn. I’m half tempted to start running some queries on shoddy looking websites, but I really I wouldn’t do that. I’ve seen some Youtube videos and some stuff on W3, but thought I’d ask you what you think. How big of a vulnerability is SQL injection or how big of a priority is it to businesses now?

First off, I’m honored anyone emails me asking for my thoughts or opinions on a topic, so thank you. SQL injection has been an issue since it was first discussed around 1998 on Phrack.

Take a look at the OWASP Top 10 – 2017 (most recent copy at the time of writing this). The ten most critical web application security risks demonstrate that SQL Injection has been the top dog risks for quite some time. Things like cross-site-scripting, and cross-site forgery are up-and coming risks, but SQL Injection is king.

As for running queries or something like SQLmap against any website, I strongly recommend you do NOT giving away free pen-tests. That’s a quick way to get in trouble with the feds. What you want to do is test in your home-lab or find a purposely vulnerable site to hone your SQL injection skills. There’s a lot of blog posts out there already covering this content so check out this article about 40+ Intentionally Vulnerable Websites to (legally) practice your Hacking Skills. Additionally, if you’re looking to focus specifically on SQL injection, you should also check out Hack.me. They have a whole section specifically focused on SQL injection. Also, I’d be remiss if I didn’t bring up Metasploitable too. This is an amazing VM that is purposely vulnerable in many different ways. I haven’t checked personally, but I’d be shocked if there wasn’t a SQL injection vuln somewhere on there. Recently Rapid7 released Metasploitable 3. The setup is a pain. I’d recommend you check out the Metasploitable 2 VM first before embarking on MS3

Now the second question about how big of a priority is it to businesses is a very interesting question. I think it all depends on the business and the vertical. There are many exceptions to this, but many businesses that do not develop applications or websites, in my opinion, do not prioritize SQL injection as a viable risk to their organization. To them, the risk solely lies on the developer of the service, website, or software. They think they’re covered. To take this type of stance is foolish and irresponsible. Patches roll out monthly, if not more, remediating vulnerabilities in production code all the time. The vendor shares partial responsibility, but the client holds the majority of the risk relative to data breach. Solutions such as Web Application Firewalls do a good job in preventing and detection of SQL injections, however this is not enough. I’m personally fond of aggressive least privilege as well as heuristic behavior monitoring, risk-based policies, masking of sensitive information, and regular auditing of use and access…but yeah, that’s just me. 😉

Other industries and verticals that have more at stake with application development tend to rightfully prioritize SQL injection more so than others. To which degree however ranges from extremely aggressive to hardly not at all. The goal here is not to detect and respond but to prevent altogether. Several defence strategies would be to have multiple DB users and demonstrate the concept of Least Privilege. Also you would want to implement aggressive input validation and escaping all user-supplied input. If you’d like to know more, I strongly recommend you check out the OWASP recommendations for SQL prevention cheat sheet.

Oh yeah, be sure to check out Bobby-Tables.com. It’s a great resource for learning more and how to prevent SQL Injection.

Hacking RDP with a MitM Password Attack

The other day, my friend and co-worker clued me in on a new attack he found. It worked so well, we had to share it.
As it says on their GitHub page,

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Take a look how simple it is to steal an RDP credential off the network without ever having to touch the victim’s machine. Things like certificates and network level access are important security controls you should implement to protect from attacks like this.

Rundll32 commands for Windows

Control Panel
RunDll32.exe shell32.dll,Control_RunDLL

Delete Temporary Internet Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Delete Cookies
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

Delete History
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1

Delete Form Data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16

Delete Passwords
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32

Delete All
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Delete all files and settings stored by Add-ons
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

Date and Time Properties
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl

Device Manager
RunDll32.exe devmgr.dll DeviceManager_Execute

Folder Options – General
RunDll32.exe shell32.dll,Options_RunDLL 0

Folder Options – Search
RunDll32.exe shell32.dll,Options_RunDLL 2

Folder Options – View
RunDll32.exe shell32.dll,Options_RunDLL 7

Hibernate
RunDll32.exe powrprof.dll,SetSuspendState

Keyboard Properties
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1

Lock Screen
RunDll32.exe user32.dll,LockWorkStation

Mouse Button – Swap left button to function as right
Rundll32 User32.dll,SwapMouseButton

Map Network Drive Wizard
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect

Network Connections
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl

Organize IE Favourites
Rundll32.exe shdocvw.dll,DoOrganizeFavDlg

Open With Dialog Box
Rundll32 Shell32.dll,OpenAs_RunDLL File.ext

Plays a waveform sound
rundll32.exe user32.dll,MessageBeep

Printer User Interface
Rundll32 Printui.dll,PrintUIEntry

Printer Management Folder.
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder

Power Options
RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl

Stored Usernames and Passwords
RunDll32.exe keymgr.dll,KRShowKeyMgr

Safely Remove Hardware Dialog Box
Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll

Taskbar Properties
RunDll32.exe shell32.dll,Options_RunDLL 1

User Accounts
RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl

Windows Security Center
RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl

Windows Fonts Installation Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL FontsFolder

Windows Firewall
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl

Hacker Conference Behavior

I’m heading to BSidesLV, DEFCON25, & Blackhat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here’s some standard best practices I try to follow when attending a InfoSec related conference.

  1. Laptop Behavior
    1. Do not bring your laptop, unless specifically required. Try only using your your phone connected via VPN.
    2. Do not leave your laptop unattended at any time.
    3. Do not check-in your laptop as luggage.
    4. Turn off WiFi and Bluetooth.
  2. Printing, scanning, faxing
    1. Do not print from or scan to your laptops
  3. Internet access and connectivity
    1. Unless absolutely necessary for a job function, disable WiFi.
    2. Disable Bluetooth on your computer and phone.
    3. Disable NFS connectivity on your phone and computer.
    4. If Wifi is absolutely required, ONLY use your own provided wifi. I used a JetBack/MiFi and connect ONLY to that device.
    5. Always use a VPN as soon as you obtain WiFi access.
    6. Do NOT plug any network cable into the laptop.
    7. Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
  4. Document behavior
    1. Do not work on internal or sensitive documents in public.

 

Preventing PTH with Two Small Checks.

I read up harmj0y’s blog over the weekend and he had some killer points I wanted to share with you all. More than anything, just some major takeaways from this.

KB2871997 – Microsoft’s attempt to block pass the hash. More than anything it just complicates it, but doesn’t resolve it. It does a lot of good things to help prevent, but doesn’t resolve the issue.   The patch created two new SIDS that can be used with group policy to block local admin accounts from remote login (with one large exception). Any authenticated user to AD can enumerate policies to see if this is enabled on a client’s network.  PTH for local accounts with the exception of the RID 500 (local built in administrator) account are blocked.

The whole point of the article is twofold:

  1. It’s not the group policy that’s actually blocking the PTH of local account(though the other stuff is good), but rather “token filtering”. This is applicable to all local admin accounts with the exception of the RID 500 (built in local admin) account is it runs in a non-filtered state. Meaning, you can still PTH with the built-in local admin account.
  2. The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy (which doesn’t exist by default) set to 1 grants high-integrity sessions to all remote connections thus enabling PTH of all local accounts. MS actually suggests doing this in a number of times (which is really a bad idea):\

So…..

KB2871997 = Good
LocalAccountTokenFilterPolicy = Bad

 

Check for these things next time you’re dealing with a client.

Oh yeah, at the end, he states that unique creds render this whole point moot. He mentions LAPS, which is fine…but whatever…

What he doesn’t mention is that PTH is still a huge issue with DOMAIN accounts.

Yes, I do work for a Privileged Account Security Company, so I am biased here. As long as domain accounts are being managed in a responsible way, that’s all I care about. This is where pushing the functional model of privileged accounts really proves its value in preventing pass the hash attacks.  I’ll probably go into further depth on that topic in a later blog post.

Also, harmj0y is the MAN. Main creator and contributor for Powershell Empire, Veil-Framework, and Bloodhound. The guy is a legend and deserves much respect.

Thanks and have a great week.

Cloudflare Leaks data from potentially millions of sites. #CloudBleed

 

So when Tavis Ormandy from Google’s Project Zero called out cloudflare last week, it perked my interest. I knew SOMETHING what up. What exactly…no idea. I’m not a genius like Tavis. Tavis discovered a memory leak at cloudflare leaking information  from all sites that use Cloudflare’s service. That’s over two million sites. Not two million passwords…two million websites!

Cloudflare has since fixed the problem…literally hours after the issue was disclosed. What concerns me is that this has been leaking information since September of last year.  Cloudflare has made an official announcement and lessons learned. That’s great. However, what’s concerning is that it’s hasn’t, and probably won’t release a list of all the affected sites. I guarantee many of these sites won’t ever. Some of the more notable sites are:

Uber.com
okcoupid.com
Authy.com
Fitbit.com
account.leagueoflegends.com
4chan.org
patreon.com
medium.com
coinbase.com
Glassdoor.com
Fiverr.com
Adafruit.com

and many many many more…

For a full list of all the compromised and potentially compromised sites, check out this github page or download the full list (22mb).

So what now? Really, it’s better to just go ahead and change all your passwords. That’s right…all of them. Make sure your passwords are UNIQUE and complex. Use a password manager like lastpass, keepass, or if you’re an enterprise organization I hear CyberArk is pretty good. 🙂