Rundll32 commands for Windows

Control Panel
RunDll32.exe shell32.dll,Control_RunDLL

Delete Temporary Internet Files
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Delete Cookies
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

Delete History
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1

Delete Form Data
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16

Delete Passwords
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32

Delete All (the values above are bit flags and can be ORed together; 255 sets them all)
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Delete all files and settings stored by Add-ons (4351 = 255 + 4096, the add-on data flag)
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

Date and Time Properties
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl

Device Manager
RunDll32.exe devmgr.dll,DeviceManager_Execute

Folder Options – General
RunDll32.exe shell32.dll,Options_RunDLL 0

Folder Options – Search
RunDll32.exe shell32.dll,Options_RunDLL 2

Folder Options – View
RunDll32.exe shell32.dll,Options_RunDLL 7

Hibernate (hibernates when hibernation is enabled on the machine, otherwise it sleeps)
RunDll32.exe powrprof.dll,SetSuspendState

Keyboard Properties
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1

Lock Screen
RunDll32.exe user32.dll,LockWorkStation

Mouse Button – Swap left button to function as right
Rundll32 User32.dll,SwapMouseButton

Map Network Drive Wizard
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect

Network Connections
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl

Organize IE Favourites
Rundll32.exe shdocvw.dll,DoOrganizeFavDlg

Open With Dialog Box
Rundll32 Shell32.dll,OpenAs_RunDLL File.ext

Plays a waveform sound
rundll32.exe user32.dll,MessageBeep

Printer User Interface (append /? for the full list of switches)
Rundll32 Printui.dll,PrintUIEntry

Printer Management Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder

Power Options
RunDll32.exe Shell32.dll,Control_RunDLL powercfg.cpl

Stored Usernames and Passwords
RunDll32.exe keymgr.dll,KRShowKeyMgr

Safely Remove Hardware Dialog Box
Rundll32 Shell32.dll,Control_RunDLL HotPlug.dll

Taskbar Properties
RunDll32.exe shell32.dll,Options_RunDLL 1

User Accounts
RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl

Windows Security Center
RunDll32.exe shell32.dll,Control_RunDLL wscui.cpl

Windows Fonts Installation Folder
Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL FontsFolder

Windows Firewall
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl
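Several entries in the list above date from XP, so before relying on one it is worth checking that the DLL and export actually exist on the build in front of you. The script below is an added example (mine, not part of the original list): it maps each module with LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES), so no DllMain runs and nothing is executed, and asks GetProcAddress for the export. rundll32 itself falls back to the "W"-suffixed name when the plain one is missing, so both are tried. The module/export pairs are taken from the list; the arguments after the export name do not matter for this check.

```powershell
# Added example: verify which rundll32 entry points from the list resolve
# on this Windows build. Nothing is executed; only the export table is read.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi, ExactSpelling = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

$DONT_RESOLVE_DLL_REFERENCES = 0x00000001   # map the image, do not run DllMain or load imports

function Test-RunDllEntryPoint {
    param([string]$Module, [string]$Export)
    $h = [Win32.Native]::LoadLibraryExW($Module, [IntPtr]::Zero, $DONT_RESOLVE_DLL_REFERENCES)
    if ($h -eq [IntPtr]::Zero) {
        return [pscustomobject]@{ Module = $Module; Export = $Export; Status = 'module not found' }
    }
    try {
        # rundll32 tries the name as given, then "<name>W".
        foreach ($name in @($Export, "${Export}W")) {
            if ([Win32.Native]::GetProcAddress($h, $name) -ne [IntPtr]::Zero) {
                return [pscustomobject]@{ Module = $Module; Export = $Export; Status = "ok ($name)" }
            }
        }
        return [pscustomobject]@{ Module = $Module; Export = $Export; Status = 'export missing' }
    } finally {
        [void][Win32.Native]::FreeLibrary($h)
    }
}

# Module/export pairs from the list above.
$entries = @(
    @('shell32.dll',  'Control_RunDLL'),
    @('inetcpl.cpl',  'ClearMyTracksByProcess'),
    @('devmgr.dll',   'DeviceManager_Execute'),
    @('shell32.dll',  'Options_RunDLL'),
    @('powrprof.dll', 'SetSuspendState'),
    @('user32.dll',   'LockWorkStation'),
    @('user32.dll',   'SwapMouseButton'),
    @('shell32.dll',  'SHHelpShortcuts_RunDLL'),
    @('shdocvw.dll',  'DoOrganizeFavDlg'),
    @('shell32.dll',  'OpenAs_RunDLL'),
    @('user32.dll',   'MessageBeep'),
    @('printui.dll',  'PrintUIEntry'),
    @('keymgr.dll',   'KRShowKeyMgr')
)

$entries | ForEach-Object { Test-RunDllEntryPoint -Module $_[0] -Export $_[1] } | Format-Table -AutoSize
```

The .cpl files are ordinary DLLs, so LoadLibraryEx finds them in System32 the same way. Anything reported as "module not found" or "export missing" is a line of the list that will fail on that build, and on a defended network every one of these invocations still shows up as a rundll32.exe process creation, so don't expect them to be quiet.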

Hacker Conference Behavior

I’m heading to BSidesLV, DEF CON 25, and Black Hat in Las Vegas this week. It’s going to be a great time and I’m really looking forward to it. Here are some standard best practices I try to follow when attending an InfoSec-related conference.

  1. Laptop Behavior
    1. Do not bring your laptop unless specifically required. Try only using your phone connected via VPN.
    2. Do not leave your laptop unattended at any time.
    3. Do not check-in your laptop as luggage.
    4. Turn off WiFi and Bluetooth.
  2. Printing, scanning, faxing
    1. Do not print from or scan to your laptops
  3. Internet access and connectivity
    1. Unless absolutely necessary for a job function, disable WiFi.
    2. Disable Bluetooth on your computer and phone.
    3. Disable NFC connectivity on your phone and computer.
    4. If WiFi is absolutely required, ONLY use your own WiFi. I use a JetPack/MiFi and connect ONLY to that device.
    5. Always use a VPN as soon as you obtain WiFi access.
    6. Do NOT plug any network cable into the laptop.
    7. Do not plug any USB storage devices (hard drives, sticks, network adapters, Raspberry Pi’s, etc) into the laptop or phone.
  4. Document behavior
    1. Do not work on internal or sensitive documents in public.


Preventing PTH with Two Small Checks.

I read harmj0y’s blog over the weekend and he had some killer points I wanted to share with you all. More than anything, these are just my major takeaways from it.

KB2871997 – Microsoft’s attempt to block pass the hash. More than anything it just complicates PTH, it doesn’t resolve it. It does a lot of good things that help prevent it, but it doesn’t resolve the issue. The patch introduced two new well-known SIDs (S-1-5-113, “Local account”, and S-1-5-114, “Local account and member of Administrators group”) that can be used in group policy to block local accounts from logging on remotely (with one large exception). Any user authenticated to AD can read the group policies in SYSVOL and see whether this is enabled on a client’s network. PTH with local accounts, with the exception of the RID 500 (built-in local Administrator) account, is blocked.

The whole point of the article is twofold:

  1. It’s not the group policy that actually blocks PTH with local accounts (though the other stuff is good), but rather UAC “token filtering” of remote logons. This applies to all local admin accounts with the exception of the RID 500 (built-in local Administrator) account, which runs in an unfiltered state. Meaning, you can still PTH with the built-in local admin account.
  2. The registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy (which doesn’t exist by default) set to 1 grants unfiltered, high-integrity tokens to all remote connections, thus enabling PTH with all local admin accounts. MS actually suggests doing this in a number of places (which is a really bad idea).

So…

KB2871997 = Good
LocalAccountTokenFilterPolicy = Bad


Check for these things next time you’re dealing with a client.
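Here is how I would actually run those two checks on a box, as an added example (my script, not harmj0y’s and not something from the original post). It reads LocalAccountTokenFilterPolicy, confirms the KB2871997 SIDs are known to the OS, and exports the effective local security policy to see whether S-1-5-113 / S-1-5-114 are in “Deny access to this computer from the network”. It also reads FilterAdministratorToken, which is the value that closes the RID 500 exception when set to 1 (that value is not mentioned in the post; it is the standard UAC setting for the built-in Administrator). Run it elevated, because secedit needs admin rights.

```powershell
# Added example: the PTH checks discussed above, run against the local host.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyDword {
    param([string]$Name)
    # An absent value means the OS default applies (filtering on, RID 500 unfiltered).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-LocalAccountSids {
    # S-1-5-114 (Local account and member of Administrators group) only resolves
    # on builds that carry KB2871997 or shipped with it (8.1 / 2012 R2 and later).
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-114')
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false
    }
}

function Get-DenyNetworkLogonSids {
    # Export the effective local policy (includes what GPO applied) and pull the
    # principals assigned "Deny access to this computer from the network".
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /quiet | Out-Null
        $line = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight\s*=' | Select-Object -First 1
        if (-not $line) { return @() }
        # Right-hand side is comma separated; SIDs are written with a leading '*'.
        return ($line.Line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$tokenFilter  = Get-PolicyDword 'LocalAccountTokenFilterPolicy'
$filterRid500 = Get-PolicyDword 'FilterAdministratorToken'
$denySids     = Get-DenyNetworkLogonSids

$tokenFilterVerdict = if ($tokenFilter -eq 1) {
    'BAD: set to 1, filtering is off, PTH works with every local admin'
} else {
    'good: absent or 0, non-RID-500 local admins get a filtered token remotely'
}
$rid500Verdict = if ($filterRid500 -eq 1) {
    'good: set to 1, the built-in Administrator is filtered as well'
} else {
    'note: absent or 0, the built-in Administrator (RID 500) is unfiltered, PTH still works with it'
}

[pscustomobject]@{
    'KB2871997 SIDs known to OS'       = Test-LocalAccountSids
    'LocalAccountTokenFilterPolicy'    = $tokenFilterVerdict
    'FilterAdministratorToken'         = $rid500Verdict
    'Deny network logon has S-1-5-113' = ($denySids -contains 'S-1-5-113')
    'Deny network logon has S-1-5-114' = ($denySids -contains 'S-1-5-114')
} | Format-List
```

Keep in mind what the deny right does and does not cover: it stops the network logon itself, while token filtering only strips the admin rights from one that succeeds. With LocalAccountTokenFilterPolicy at 1 and neither SID in the deny list, every local admin hash on the box is usable remotely.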

Oh yeah, at the end, he states that unique creds render this whole point moot. He mentions LAPS, which is fine…but whatever…

What he doesn’t mention is that PTH is still a huge issue with DOMAIN accounts.

Yes, I do work for a Privileged Account Security Company, so I am biased here. As long as domain accounts are being managed in a responsible way, that’s all I care about. This is where pushing the functional model of privileged accounts really proves its value in preventing pass the hash attacks.  I’ll probably go into further depth on that topic in a later blog post.

Also, harmj0y is the MAN. Main creator and contributor for PowerShell Empire, Veil-Framework, and BloodHound. The guy is a legend and deserves much respect.

Thanks and have a great week.

Cloudflare Leaks data from potentially millions of sites. #CloudBleed


So when Tavis Ormandy from Google’s Project Zero called out Cloudflare last week, it piqued my interest. I knew SOMETHING was up. What exactly… no idea. I’m not a genius like Tavis. Tavis discovered a memory leak at Cloudflare leaking information from all sites that use Cloudflare’s service. That’s over two million sites. Not two million passwords… two million websites!

Cloudflare has since fixed the problem… literally hours after the issue was disclosed. What concerns me is that this had been leaking information since September of last year. Cloudflare has made an official announcement and published lessons learned. That’s great. However, what’s concerning is that it hasn’t, and probably won’t, release a list of all the affected sites. I guarantee many of these sites won’t ever. Some of the more notable sites are:

Uber.com
okcupid.com
Authy.com
Fitbit.com
account.leagueoflegends.com
4chan.org
patreon.com
medium.com
coinbase.com
Glassdoor.com
Fiverr.com
Adafruit.com

and many many many more…

For a full list of all the compromised and potentially compromised sites, check out this github page or download the full list (22mb).

So what now? Really, it’s better to just go ahead and change all your passwords. That’s right… all of them. Make sure your passwords are UNIQUE and complex. Use a password manager like LastPass or KeePass, or if you’re an enterprise organization I hear CyberArk is pretty good. 🙂

BSides Tampa 2017 – Golden Ticket Attack.

BSides Tampa, Feb 11, 2017. Advanced Targeted Attack: Golden Ticket attack proof of concept. My first time in Tampa, and my first time speaking at a BSides conference. Overall I thought the talk was well received. I had some great questions afterwards and people really seemed to be entertained at least.

Anyways, an older version of the slide deck can be found here. 

New Project

Good afternoon,

So I was planning on presenting my ProcDump password attack to DHA next week. However, my presence is required in San Antonio that afternoon and in Austin the following day. I’m a little frustrated, but I’ll keep that offline for now.

Anyways, with that said, I’ll go ahead and make the post public. See below.

Onward to my next project. I don’t know about anyone else, but I get a lot of scammers on Skype contacting me out of the blue wanting me to add them to my contact list. I typically just immediately block them and move on. This just keeps happening. I don’t think Skype is actually doing anything when you block and mark these accounts as spam.  It’s time to fight back.

I won’t go into details just yet, but needless to say, this one should prove interesting.


Stealing Credentials with ProcDump and MimiKatz

Hello World.

For the longest time I’ve kept this domain as my personal repository for projects, files, and relics of times gone by. Since InfoSec has taken over my time both as a hobby and professionally, I figured I needed to resurrect my chunk of property online and start the blog back up.

Tinker was tweeting about manipulating memory dumps, and I mentioned I had a method to take a process dump and extract passwords from it. The great thing is that you’re using Sysinternals ProcDump to do so. Microsoft bought Sysinternals a few years ago, so this method almost always gets through AV scanners. Unless a system has strict application control policies, this method will work to extract hashes. The key here is to offload the memory dump to another machine and run mimikatz on it there.

There are a lot of ways to clean this script up and automate it further. Originally, I named the file after the machine name and the date and time the dump was taken. That complicated things more than I wanted and kept messing things up. Perhaps the next person can improve on it some more.

I guess I’ll be presenting on this next DHA. Goal is to do a live demonstration of this. Youtube video to follow….

Read more “Stealing Credentials with ProcDump and MimiKatz”

Golden Ticket Attack with PowerShell Empire

I’m back-filling the blog with some of my older content. This was a Kerberos golden ticket attack to simulate a SWIFT bank heist. I presented this at a customer event in Boston as well as at the Dallas Hackers Association.

Here’s basically what happens in the attack (if I can remember it correctly):

  • Victim is compromised via malicious excel macro.
  • Reconnaissance occurs to find the machines required to grab a domain admin’s hash
  • Pivot to machine with DA session and dump creds.
  • Execute a DCSync to get the krbtgt account’s hash.
  • Create Golden Ticket
  • Profit.

Read more “Golden Ticket Attack with PowerShell Empire”