Jan 27 2015

Enabling Windows 8 Hyper-V for a Portable Lab

Installing Hyper-V:

  • Requirement: Windows 8 Pro or Windows 8 Enterprise which include Client Hyper-V.
  • Requirement: Your computer processor must support virtualization technology (VT), though most processors in the past 5 years support VT (pretty much all Intel i-series processors, i3, i5, i7).
  • Enable virtualization technology (VT) on your computer’s processor by editing the BIOS settings at boot-up (many computer BIOS have VT disabled).
  • Open the Start Screen, also referred to as Metro, (press the Windows Key) and search for “Windows Feature”. Open “Turn Windows Features on or off” and scroll down to “Hyper-V”.
  • Expand and Check the box next to Hyper-V. Ensure there is a check box. If there isn’t processor visualization technology, you won’t be able to check the box and enable install of “Hyper-V Platform”.
  • Restart the computer when prompted.

Note: It can take a while for Hyper-V to install – expect it to take 30 – 45 minutes.

 

Jan 23 2015

Shmoocon 2015 FireTalks Videos

The ShmooCon 2015 Presentation Videos are posted.

The ShmooCon Firetalks (2015) are posted:

Videos courtesy of IronGeek.com (Adrian Crenshaw)

Jan 22 2015

Group Policy Settings Reference for Windows 8.1 and Windows Server 2012 R2

 

These spreadsheets list the policy settings for computer and user configurations that are included in the Administrative template files delivered with the Windows operating systems specified. You can configure these policy settings when you edit Group Policy Objects.

The Group Policy Settings reference for Windows & Windows Server can be downloaded here.

Here are the key new Windows 8.1 & Windows Server 2012 R2 Group Policy Settings:
Continue reading

Jan 19 2015

Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest

Once an attacker has gained Domain Admin rights to your Active Directory environment, there are several methods for keeping privileged access. Skeleton Key is an ideal persistence method for the modern attacker. More information on Skeleton Key is in my earlier post.

Note that the behavior documented in this post was observed in a lab environment using the version of Mimikatz shown in the screenshot. There are likely differences in the Skeleton Key malware documented by Dell SecureWorks and the Mimikatz skeleton key functionality. Mimikatz effectively “patches” LSASS to enable use of a master password with any valid domain user. Rebooting the DC refreshes the memory which removes the “patch”.

Implanting the Mimikatz Skeleton Key on one or multiple Domain Controllers:

Mimikatz can now inject a skeleton key into LSASS on the Domain Controller by running the following command on the DC:

mimikatz.exe “privilege::debug” “misc::skeleton” exit

Mimikatz-Skeleton-Implant

When there are multiple Domain Controllers in an Active Directory site, all of them need the Skeleton Key implant to ensure the skeleton key master password is accepted as the user’s valid password.. Since the client discovers a Domain Controller using DCLocator, the DC the client selects is effectively random. If all the DCs don’t have skeleton key configured, the master password won’t work when the client authenticates to a DC without skeleton key.

Scenario:

Continue reading

Jan 16 2015

Active Directory Domain Controller Skeleton Key Malware & Mimikatz

Dell SecureWorks posted about the Skeleton Key malware discovered at a customer site.

The Skeleton Key malware is installed on one or multiple Domain Controllers running a supported 64bit OS.
The malware “patches” the security system enabling a new master password to be accepted for any domain user, including admins.

This enables the attacker to logon as any user they want with the master password (skeleton key) configured in the malware.
“Joe User” logs in using his usual password with no changes to his account.  The attacker can log in as Joe using the skeleton key password and it is seen as a valid logon…

Key Points:

  • Requires domain-level admin rights (and debug rights which admins have by default) to “patch” LSASS on a Domain Controller.
  • All existing user account passwords continue working as normal.
  • Adds a new password that enables the attacker to log on as any user with this password – this is the “skeleton key”.
  • Active Directory Domain Controllers may experience replication issues.
  • User accounts that require a smart card for authentication are not affected.
  • The Skeleton Key malware currently doesn’t remain active after a reboot – rebooting the DCs removes the in-memory patch. Note that DCs are typically only rebooted about once a month.
  • The Skeleton Key malware only works on the following 64-bit systems: Windows Server 2008, Windows Server 2008 R2, and Windows Server 2003 R2.
  • Performs Kerberos encryption downgrade to RC4_HMAC_MD5
  • Mimikatz now has skeleton key functionality and seems to work on all versions of Windows Server…
  • Protect your Active Directory admin accounts and don’t let untrusted code run on Domain Controllers.

Skeleton Key Malware Actions:

Continue reading

Jan 14 2015

Windows Server 2012 & Windows Server 2012 R2 Complete Documentation

Microsoft took all the Windows Server 2012 (& 2012 R2) documentation and posted it as a single PDF!

Version: 1.0
File Name:  WS12_R2_and_WS12_TechNet.pdf
Date Published: 2/18/2014
File Size: 125.9 MB

This download is an Adobe® PDF of the entire contents of the Windows Server 2012 R2 and Windows Server 2012 section of the Microsoft TechNet Library, for the convenience of Windows Server users who have limited Internet access, or require a portable version of the Windows Server 2012 R2 and Windows Server 2012 documentation.

The PDF is 8,709 pages in length.

Highlights of the PDF include the following.
What’s New in Windows Server 2012 R2
What’s New in Windows Server 2012
Technical Scenarios
Install and Deploy Windows Server
Migrate Roles and Features to Windows Server
Secure Windows Server
Manage Privacy in Windows Server
Support and Troubleshoot Windows Server
Server Roles and Technologies
Management and Tools for Windows Server

Download Link:
http://www.microsoft.com/en-us/download/details.aspx?id=41182

 

 

Jan 13 2015

“Hacker” Movies to Watch before the Blackhat Movie

Over the years, there have been lots of “hacker” movies of varying quality.

Here are some good ones to watch before the movie “Blackhat” is out starring Chris Hemsworth. My favorites in bold.

Bonus:
Movie code tumblr

Blackhat-trailer-movie-code-screenshot

HACK THE PLANET!

Jan 07 2015

PowerShell Security: Execution Policy is Not An Effective Security Strategy – How to Bypass the PowerShell Execution Policy

If you have worked with PowerShell recently, you may have run into an Execution Policy message:

c:\temp\Find-PSServiceAccounts.ps1 : File C:\temp\Find-PSServiceAccounts.ps1 cannot be loaded because running scripts
is disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ c:\temp\Find-PSServiceAccounts.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess

It’s likely that Microsoft was concerned about another scripting environment where scripts run automatically without built-in controls.
However, any teeth the PowerShell execution policy may have had was significantly reduced during the development process.

From Microsoft TechNet:

It may seem odd to permit users to override an administrator-established value for the execution policy, but remember that the execution policy is intended to help stop unintended script execution. It is not intended to stop skilled users from executing scripts at all, merely to ensure that they do not do so without knowing what they are doing.

The result of this is that the Execution Policy does not provide effective security against a determined attacker with access to computers on your network.

Microsoft TechNet decribes the different options for the PowerShell Execution Policy:

The following execution policies govern scripting in Windows PowerShell:

  • Restricted. Permits interactive commands only (no scripts). This is the default.
  • AllSigned. Permits scripts, but requires a digital signature from a trusted publisher for all scripts and configuration files, including scripts that you write on the local computer.
  • RemoteSigned. Permits scripts, but requires a digital signature from a trusted publisher for all scripts and configuration files that are downloaded from the Internet, including e-mail. A digital signature is not required for scripts that you create on the local computer.
  • Unrestricted. Permits scripts, including unsigned scripts.

By default, the PowerShell exeuction policy is set to Restricted which means no script will run. Technically this is true, but it is trivial to bypass this “protection”.
Continue reading

Dec 31 2014

Thunderstrike: EFI bootkits for Apple MacBooks via Thunderbolt & Option ROMs

Trammell Hudson (@qrs) developed the Thunderstrike exploit based on inherent security issues with the way Apple validates, updates, and boots from the boot ROM. The exploit takes advantage of the fact that Apple allows secure booting without hardware (software checks the ROM, but doesn’t perform a checksum!). Since the Thunderbolt port provides a way to get code running when the system boots, it is possible to modify the boot ROM code.

Update 1/27/2015: Looks like Apple is patching the Boot ROM issue that Thunderstrike exploits in Mac OS X 10.10.2 (Yosemite). When 10.10.2 is available, update ASAP!

Trammell Hudson also did quite a bit of work on Canon camera firmware which led to him releasing Magic Lantern in 2009 which adds additional functionality to Canon cameras. Certainly, he has with a bit of experience with  hardware hacking. 🙂
“Magic Lantern is not a “hack”, or a modified firmware, it is an independent program that runs alongside Canon’s own software. Each time you start your camera, Magic Lantern is loaded from your memory card. Our only modification was to enable the ability to run software from the memory card.”

Trammell’s presentation is fantastic! Watch the video.

He describes Thunderstrike on his website:

Thunderstrike is the name for the Apple EFI firmware security vulnerability that allows a malicious Thunderbolt device to flash untrusted code to the boot ROM. It was presented at 31c3 and the you can read an annotated version of the presentation or watch the hour long video.

Thunderstrike is worse than BadUSB and affects Apple MacBooks (Pro/Air/Retina) with Thunderbolt ports.

Thunderstrike in its current form has been effective against every MacBook Pro/Air/Retina with Thunderbolt that I’ve tested, which is most models since 2011. The proof of concept is hardcoded for the 10,1 system, but the underlying vulnerability seems to be present and is independent of OS X version. Weaponization to attack all the different models is within the means of a dedicated attacker.


Thunderstrike Key Points:

  • Exploiting a Mac with Thunderstrike requires momentary physical access to plug a specially designed dongle into the Thunderbolt port. Think “evil maid” cleaning your hotel room while you are at breakfast.
  • You can have an encrypted hard drive and a boot up password as well as other best practice security methods in place. Thunderstrike bypasses all of these.
  • It can infect Thunderbolt devices in order to propagate. This is one measure that could be leveraged to attack air-gapped networks.
    The Thunderstrike bootkit is also in a position to be able to flash new Option ROMs into attached Thunderbolt devices with its own exploit. Like Stuxnet, this capability allows it to spread virally across air-gap security perimeters through shared peripheral devices. Since so few users need the Option ROMs, the device remains fully functional, despite carrying the malicious payload. Implementing this functionality would need a minor amount of work to weaponize and port to various devices, but an attacker of modest means could easily do so.
  • FileVault keys and passwords for encrypted boot volumes can be extracted.
  • This exploit can install an undetectable and unremovable bootkit that persists through hard drive replacement and OS reinstall.
  • RSA public keys are changed in the boot ROM preventing replacement by Apple’s firmware update programs. Apple software updates can’t remove it.
  • Since it modifies code used to boot the system, every method used to detect it at or after boot time can be subverted.
  • One installed, the Thunderstrike bootkit can not be removed by software. A hardware in-system-programming device is the only way to restore the stock firmware.
  • There is no cryptographic check of the boot ROM (and no hardware TPM chip), only a software-based boot-time crc32. This does not provide security validation only verifies successful flashing of the ROM.
  • This is not a DMA attack – it uses a PCIe Option ROM at boot time to launch the attack against the firmware update system.
  • This is not the “Option ROM” attack, but Thunderbolt Option ROMs can help in flashing new firmware of the attacker’s choosing by circumventing flash security.
    “The Option ROM attacks works like this: a Thunderbolt device that has been flashed with the exploit is plugged in and the system booted. The attacker’s code can hook any EFI or OS functions and do things like bypass firmware passwords, log keystrokes, install kernel backdoors, etc. This is the evil-maid attack described by Snare over two years ago, although this is not Thunderstrike: while an attacker can install a root kit to the drive, the Option ROM was loaded too late from the external device to be able to rewrite the ROM.”
  • Supply chain attack – every MacBook your company purchases could be compromised and you would never know it.

Thunderstrike Overview:

Continue reading

Dec 26 2014

Interesting Windows Computer & Active Directory Well-Known Security Identifiers (SIDs)

The Microsoft Knowledge Base article KB243330 lists the well-known security identifiers in Windows operating systems 

Listed here are the more interesting ones from the article as well as some additional ones.

Local Computer SIDs

SID: S-1-5-2
Name: Network
Description: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.

SID: S-1-5-6
Name: Service
Description: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.

SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.

SID: S-1-5-19
Name: NT Authority
Description: Local Service

SID: S-1-5-20
Name: NT Authority
Description: Network Service

New Local Computer SIDs in Windows 8.1, Windows 2012 R2, and earlier operating systems (with KB2871997):

LOCAL_ACCOUNT (S-1-5-113) – any local account
LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114)

 

Active Directory Domain SIDs’

Continue reading