Delete Temporary Internet Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
Delete Form Data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
Delete all files and settings stored by Add-ons
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
Date and Time Properties
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl
RunDll32.exe devmgr.dll DeviceManager_Execute
Folder Options – General
RunDll32.exe shell32.dll,Options_RunDLL 0
Folder Options – Search
RunDll32.exe shell32.dll,Options_RunDLL 2
Folder Options – View
RunDll32.exe shell32.dll,Options_RunDLL 7
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1
Mouse Button – Swap left button to function as right
Map Network Drive Wizard
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl
Organize IE Favourites
Open With Dialog Box
Rundll32 Shell32.dll,OpenAs_RunDLL File.ext
Plays a waveform sound
Printer User Interface
Printer Management Folder.
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder
RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl
Stored Usernames and Passwords
Safely Remove Hardware Dialog Box
Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll
RunDll32.exe shell32.dll,Options_RunDLL 1
RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl
Windows Security Center
RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl
Windows Fonts Installation Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL FontsFolder
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl
I’m heading to BSidesLV, DEFCON25, & Blackhat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here are some standard best practices I try to follow when attending an InfoSec related conference.
- Laptop Behavior
  - Do not bring your laptop, unless specifically required. Try only using your phone connected via VPN.
  - Do not leave your laptop unattended at any time.
  - Do not check-in your laptop as luggage.
  - Turn off WiFi and Bluetooth.
- Printing, scanning, faxing
  - Do not print from or scan to your laptop.
- Internet access and connectivity
  - Unless absolutely necessary for a job function, disable WiFi.
  - Disable Bluetooth on your computer and phone.
  - Disable NFS connectivity on your phone and computer.
  - If WiFi is absolutely required, ONLY use your own provided WiFi. I used a JetBack/MiFi and connect ONLY to that device.
  - Always use a VPN as soon as you obtain WiFi access.
  - Do NOT plug any network cable into the laptop.
  - Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
- Document behavior
  - Do not work on internal or sensitive documents in public.
I read up harmj0y’s blog over the weekend and he had some killer points I wanted to share with you all. More than anything, just some major takeaways from this.
KB2871997 – Microsoft’s attempt to block pass the hash. More than anything it just complicates it, but doesn’t resolve it. It does a lot of good things to help prevent, but doesn’t resolve the issue. The patch created two new SIDs that can be used with group policy to block local admin accounts from remote login (with one large exception). Any authenticated user to AD can enumerate policies to see if this is enabled on a client’s network. PTH for local accounts, with the exception of the RID 500 (local built-in administrator) account, is blocked.
The whole point of the article is twofold:
- It’s not the group policy that’s actually blocking the PTH of local accounts (though the other stuff is good), but rather “token filtering”. This applies to all local admin accounts with the exception of the RID 500 (built-in local admin) account, as it runs in a non-filtered state. Meaning, you can still PTH with the built-in local admin account.
- The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy (which doesn’t exist by default) set to 1 grants high-integrity sessions to all remote connections, thus enabling PTH of all local accounts. MS actually suggests doing this a number of times (which is really a bad idea):
- “Disabling Remote UAC by changing the registry entry that controls Remote UAC is not recommended, but may be necessary…”
- “Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord”
- “User Account Control (UAC) affects access to the WinRM service”
- “…you can use the LocalAccountTokenFilterPolicy registry entry to change the default behavior and allow remote users who are members of the Administrators group to run with Administrator privileges.”
- “How to disable UAC remote restrictions”
KB2871997 = Good
LocalAccountTokenFilterPolicy = Bad
Check for these things next time you’re dealing with a client.
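The following is an added example (my own, not code from the post or from harmj0y) of what “check for these things” can look like from the defender’s side: one PowerShell function that reports the three states described above on a host. It assumes an elevated PowerShell 5.1+ session on the box being checked (Get-LocalUser needs the LocalAccounts module shipped with Windows 10 / Server 2016 and later), and that secedit is allowed to export the local policy; the two SIDs in the comment are the real ones KB2871997 introduced.

```powershell
# Added example, not from the original post. Reports whether remote UAC token
# filtering has been disabled, whether KB2871997 is visible as a hotfix, whether
# the RID 500 account is enabled, and whether the new local-account SIDs are
# used in "Deny access to this computer from the network".
function Get-RemoteUacPosture {
    [CmdletBinding()]
    param()

    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # LocalAccountTokenFilterPolicy does not exist by default. Absent or 0 means
    # token filtering is ON (safe); 1 means every local admin gets a
    # high-integrity token over the network, which is the PTH-friendly state.
    $tokenFilter = (Get-ItemProperty -Path $policyPath -Name LocalAccountTokenFilterPolicy `
                        -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    # KB2871997 appears as a hotfix only on Windows 7 / 8.1 / 2008 R2 / 2012 R2;
    # Windows 10 and Server 2016+ have its changes built in, so "False" is only
    # a finding on those older builds.
    $kbInstalled = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)

    # The RID 500 account is exempt from token filtering, so its enabled state
    # matters regardless of the registry value.
    $rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # KB2871997 added S-1-5-113 (Local account) and S-1-5-114 (Local account and
    # member of Administrators group) so these can be denied network logon.
    # secedit exports the effective local policy as a Unicode .inf file.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    $null = secedit /export /cfg $inf /quiet
    $denyLine = Select-String -Path $inf -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    $denyLocalSids = [bool]($denyLine -and ($denyLine.Line -match 'S-1-5-11[34]'))

    if ($tokenFilter -eq 1) {
        $finding = 'LocalAccountTokenFilterPolicy=1: token filtering disabled, all local admins are PTH-able remotely'
    } elseif ($rid500.Enabled) {
        $finding = 'Filtering on, but the built-in RID 500 account is enabled and is exempt from filtering'
    } else {
        $finding = 'Filtering on and RID 500 disabled'
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = if ($null -eq $tokenFilter) { 'not set (filtering on)' } else { $tokenFilter }
        KB2871997Hotfix               = $kbInstalled
        Rid500Name                    = $rid500.Name
        Rid500Enabled                 = $rid500.Enabled
        DenyNetworkLogonUsesNewSids   = $denyLocalSids
        Finding                       = $finding
    }
}

Get-RemoteUacPosture | Format-List
```

Run it on a handful of workstations and the Finding column tells you at a glance which of the two “exceptions” in the post you are looking at: a host that has been flipped to LocalAccountTokenFilterPolicy=1, or a host that is filtering correctly but still has the RID 500 account enabled with a shared password.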
Oh yeah, at the end, he states that unique creds render this whole point moot. He mentions LAPS, which is fine…but whatever…
What he doesn’t mention is that PTH is still a huge issue with DOMAIN accounts.
Yes, I do work for a Privileged Account Security Company, so I am biased here. As long as domain accounts are being managed in a responsible way, that’s all I care about. This is where pushing the functional model of privileged accounts really proves its value in preventing pass the hash attacks. I’ll probably go into further depth on that topic in a later blog post.
Also, harmj0y is the MAN. Main creator and contributor for Powershell Empire, Veil-Framework, and Bloodhound. The guy is a legend and deserves much respect.
Thanks and have a great week.
So when Tavis Ormandy from Google’s Project Zero called out Cloudflare last week, it piqued my interest. I knew SOMETHING was up. What exactly…no idea. I’m not a genius like Tavis. Tavis discovered a memory leak at Cloudflare leaking information from all sites that use Cloudflare’s service. That’s over two million sites. Not two million passwords…two million websites!
Cloudflare has since fixed the problem…literally hours after the issue was disclosed. What concerns me is that this has been leaking information since September of last year. Cloudflare has made an official announcement and lessons learned. That’s great. However, what’s concerning is that it hasn’t, and probably won’t, release a list of all the affected sites. I guarantee many of these sites won’t ever. Some of the more notable sites are:
and many many many more…
So what now? Really, it’s better to just go ahead and change all your passwords. That’s right…all of them. Make sure your passwords are UNIQUE and complex. Use a password manager like lastpass, keepass, or if you’re an enterprise organization I hear CyberArk is pretty good. 🙂
BSides Tampa, Feb 11, 2017. Advanced Targeted Attack; Golden Ticket attack proof of concept. My first time to Tampa, and first time speaking at a BSides conference. Overall I thought the talk was well received. I had some great questions afterwards and people really seemed to be entertained at least.
Anyways, an older version of the slide deck can be found here.
My buddy WhiskeyNeon asked that I sub in for Command OPSEC tonight for the CTF. It’s nowhere near complete or even GOOD for that matter, but this will give everyone a taste of things to come.
Simply use OpenVPN to connect to the CTF environment.
CTF VPN Config File is located here.
Once connected, hit http://10.0.0.1, register and you’re off to the races!
So I was planning on presenting my ProcDump password attack to DHA next week. However, my presence is required in San Antonio that afternoon and in Austin the following day. I’m a little frustrated, but I’ll keep that offline for now.
Anyways, with that said, I’ll go ahead and make the post public. See below.
Onward to my next project. I don’t know about anyone else, but I get a lot of scammers on Skype contacting me out of the blue wanting me to add them to my contact list. I typically just immediately block them and move on. This just keeps happening. I don’t think Skype is actually doing anything when you block and mark these accounts as spam. It’s time to fight back.
I won’t go into details just yet, but needless to say. This one should prove interesting.
For the longest time I’ve kept this domain as my personal repository for projects, files, and relics of time gone by. Since Infosec has taken over my time as a hobby and professionally, I figured I needed to resurrect my chunk of property online and start the blog back up.
Tinker was tweeting about manipulating memory dumps, and I mentioned I had a method to do a proc dump and extract passwords from it. The great thing is that you’re using Sysinternals Procdump to do so. Microsoft bought Sysinternals a few years ago, so almost always this method gets through AV scanners. Unless a system has some strict application control policies, this method will work to extract hashes. The key here is to offload the memory dump to another machine and run mimikatz on it.
There’s a lot of ways to clean this script up and actually automate it further. Originally, I had the file named the machine name and the date and time in which the dump was taken. That complicated things more than I wanted and kept messing things up. Perhaps the next person could improve on it some more.
I guess I’ll be presenting on this next DHA. Goal is to do a live demonstration of this. Youtube video to follow….
I’m back-filling the blog with some of my older content. This was a golden ticket Kerberos attack to simulate a SWIFT bank heist. I presented this at a customer event in Boston as well as the Dallas Hackers Association.
Here’s basically what happens in the attack (if I can remember it correctly):
- Victim is compromised via malicious excel macro.
- Reconnaissance occurs to find the machines required to grab a domain admin’s hash
- Pivot to machine with DA session and dump creds.
- Execute a DCSync in order to get the KRBTGT hash.
- Create Golden Ticket
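As an added example from the detection side (my own code, not part of the talk or the slide deck), the step in that chain that a domain controller can actually see is the DCSync: it shows up as Security event ID 4662 with the two directory replication control-access rights requested by something that is not a domain controller. The GUIDs below are the real DS-Replication-Get-Changes / DS-Replication-Get-Changes-All rights; the three events are constructed here in the shape of the 4662 fields, and it assumes “Audit Directory Service Access” is enabled on the DC so that 4662 is logged at all.

```powershell
# Added example, not from the original talk. Flags DCSync-style replication
# requests in event ID 4662 records that come from non-DC principals.
$ReplicationGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Find-DcSyncAttempt {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Non-DC principals that legitimately replicate (e.g. an Azure AD Connect
        # service account); DC machine accounts end in '$' and are skipped anyway.
        [string[]]$AllowedPrincipals = @()
    )
    foreach ($e in $Events) {
        if ($e.Id -ne 4662) { continue }
        # Properties carries the requested control access right GUIDs.
        $hits = $ReplicationGuids.Keys | Where-Object { $e.Properties -match $_ }
        if (-not $hits) { continue }
        $subject = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
        if ($e.SubjectUserName.EndsWith('$') -or ($AllowedPrincipals -contains $subject)) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = $subject
            Rights      = ($hits | ForEach-Object { $ReplicationGuids[$_] }) -join ', '
            ObjectName  = $e.ObjectName
        }
    }
}

# Constructed sample events (not real log data): a DC replicating normally,
# a user account requesting replication rights, and the same user touching
# an unrelated object.
$sample = @(
    [pscustomobject]@{ Id = 4662; TimeCreated = '2017-02-11T10:01:00'; SubjectDomainName = 'CORP'
        SubjectUserName = 'DC01$'; ObjectName = 'DC=corp,DC=local'
        Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; TimeCreated = '2017-02-11T10:02:00'; SubjectDomainName = 'CORP'
        SubjectUserName = 'jdoe'; ObjectName = 'DC=corp,DC=local'
        Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; TimeCreated = '2017-02-11T10:03:00'; SubjectDomainName = 'CORP'
        SubjectUserName = 'jdoe'; ObjectName = 'CN=Users,DC=corp,DC=local'
        Properties = '{bf967aba-0de6-11d0-a285-00aa003049e2}' }
)

# Only the second event is reported: a user, not a DC, asking for both replication rights.
Find-DcSyncAttempt -Events $sample | Format-Table -AutoSize
```

On a live DC the same function works over records pulled with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} once you map the XML event data into the same field names; the useful property of this check is that it fires on the step that precedes the golden ticket, when the KRBTGT hash is being pulled, rather than after forged tickets are already in use.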