Cloudflare Leaks data from potentially millions of sites. #CloudBleed

So when Tavis Ormandy from Google’s Project Zero called out Cloudflare last week, it piqued my interest. I knew SOMETHING was up. What exactly…no idea. I’m not a genius like Tavis. Tavis discovered a memory leak at Cloudflare that was leaking information from all sites that use Cloudflare’s service. That’s over two million sites. Not two million passwords…two million websites!

Cloudflare has since fixed the problem…literally hours after the issue was disclosed. What concerns me is that this has been leaking information since September of last year. Cloudflare has published an official announcement and lessons learned. That’s great. However, what’s concerning is that it hasn’t, and probably won’t, release a list of all the affected sites. I guarantee many of these sites never will either. Some of the more notable sites are:

Uber.com
okcupid.com
Authy.com
Fitbit.com
account.leagueoflegends.com
4chan.org
patreon.com
medium.com
coinbase.com
Glassdoor.com
Fiverr.com
Adafruit.com

and many many many more…

For a full list of all the compromised and potentially compromised sites, check out this GitHub page or download the full list (22 MB).

So what now? Really, it’s better to just go ahead and change all your passwords. That’s right…all of them. Make sure your passwords are UNIQUE and complex. Use a password manager like LastPass, KeePass, or if you’re an enterprise organization I hear CyberArk is pretty good. 🙂

BSides Tampa 2017 – Golden Ticket Attack.

BSides Tampa, Feb 11, 2017. Advanced Targeted Attack; Golden Ticket attack proof of concept. My first time to Tampa, and first time speaking at a BSides conference. Overall I thought the talk was well received. I had some great questions afterwards and people really seemed to be entertained at least.

Anyways, an older version of the slide deck can be found here.

New Project

Good afternoon,

So I was planning on presenting my ProcDump password attack to DHA next week. However, my presence is required in San Antonio that afternoon and in Austin the following day. I’m a little frustrated, but I’ll keep that offline for now.

Anyways, with that said, I’ll go ahead and make the post public. See below.

Onward to my next project. I don’t know about anyone else, but I get a lot of scammers on Skype contacting me out of the blue wanting me to add them to my contact list. I typically just immediately block them and move on. This just keeps happening. I don’t think Skype is actually doing anything when you block and mark these accounts as spam. It’s time to fight back.

I won’t go into details just yet, but needless to say, this one should prove interesting.


Stealing Credentials with ProcDump and MimiKatz

Hello World.

For the longest time I’ve kept this domain as my personal repository for projects, files, and relics of time gone by. Since Infosec has taken over my time as a hobby and professionally, I figured I needed to resurrect my chunk of property online and start the blog back up.

Tinker was tweeting about manipulating memory dumps, and I mentioned I had a method to do a process dump and extract passwords from it. The great thing is that you’re using Sysinternals ProcDump to do so. Microsoft bought Sysinternals a few years ago, so this method almost always gets through AV scanners. Unless a system has some strict application control policies, this method will work to extract hashes. The key here is to offload the memory dump to another machine and run mimikatz on it.

There’s a lot of ways to clean this script up and actually automate it further. Originally, I had the file named the machine name and the date and time in which the dump was taken. That complicated things more than I wanted and kept messing things up. Perhaps the next person could improve on it some more.

I guess I’ll be presenting on this at the next DHA. The goal is to do a live demonstration of this. YouTube video to follow…
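Since the whole point of the technique is that a signed Sysinternals binary slips past AV, the defender’s counter is telemetry rather than signatures. This is an added example (mine, not the author’s script) that flags the two observable pieces of it in constructed Sysmon-style records: a process reading LSASS memory (Event ID 10) and a ProcDump binary, renamed or not, launched against lsass (Event ID 1). The flat `Key=Value|...` record format is an assumption for the demo; real Sysmon events are XML in the Sysmon operational channel.

```python
"""Flag Sysmon-style events that look like a ProcDump dump of LSASS (constructed demo).
Event ID 10 (ProcessAccess) catches the memory read; Event ID 1 (ProcessCreate)
catches a renamed ProcDump via the OriginalFileName field Sysmon records."""

PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory

def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_lsass(image_path):
    """True when the path's file name is lsass.exe (case-insensitive)."""
    return image_path.lower().rsplit("\\", 1)[-1] == "lsass.exe"

def classify(event):
    """Return a verdict for a suspicious event, or None if it looks benign."""
    event_id = event.get("EventID")
    if event_id == "10" and is_lsass(event.get("TargetImage", "")):
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if granted & PROCESS_VM_READ:  # query-only access (e.g. 0x1000) is normal
            return "lsass-memory-read"
    if event_id == "1":
        original = event.get("OriginalFileName", "").lower()
        if original.startswith("procdump") and "lsass" in event.get("CommandLine", "").lower():
            return "procdump-targeting-lsass"
    return None

def scan(lines):
    """Return [(SourceImage or Image, verdict)] for every flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev.get("SourceImage") or ev.get("Image"), verdict))
    return hits

# Constructed sample records (Sysmon fields flattened to one line; not real logs).
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Tools\pd64.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=1|Image=C:\Tools\pd64.exe|OriginalFileName=procdump|CommandLine=pd64.exe lsass.exe C:\Temp\l.dmp",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|OriginalFileName=NOTEPAD.EXE|CommandLine=notepad.exe lsass.txt",
]
```

A real deployment would read the Sysmon operational channel and allow-list known LSASS readers such as AV and EDR agents by SourceImage path, since they legitimately hold read access.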


Golden Ticket Attack with PowerShell Empire

I’m back-filling the blog with some of my older content. This was a Golden Ticket Kerberos attack to simulate a SWIFT bank heist. I presented this at a customer event in Boston as well as the Dallas Hackers Association.

Here’s basically what happens in the attack (if I can remember it correctly):

  • Victim is compromised via a malicious Excel macro.
  • Reconnaissance occurs to find the machines required to grab a domain admin’s hash.
  • Pivot to a machine with a DA session and dump creds.
  • Execute a DCSync in order to get the KRBTGT ticket.
  • Create Golden Ticket.
  • Profit.


Ransomware: History, Analysis, & Mitigation

This is a little dated now, but this was my original slide deck for my ransomware presentation. I’ve presented this all over the nation from Infragard in Little Rock, AR to the Dallas Hackers Association. An updated version of this will be presented to a large group of Law Enforcement sometime in October.

It’s full of good info about the history of ransomware as well as how it works, and where I see ransomware evolving. I’ve already been proven right with ransomware moving into the realm of IoT. I’m curious to see where things go next.