Category Archives: bin

Get REKT – Win10 Edition 

WARNING: This post is for educational purposes only. Well, that and possibly to underscore the importance of full-disc encryption (FDE) of a machine in the event an adversary has physical access to the computer but not the account passwords. Play nice, kids.

As much as I want to get some of my fiction writing up here, far too many opportunities arise in the technology security arena. And … well, I can’t just leave a sleeping bear lie… I have to poke it several times with a sharp stick.

Let’s say you work in I.T. and need to gain access to a computer of an old employee but they disabled your admin and maintenance accounts in Win10.  Or, you only have a local account (good choice, you) on a Win10 machine and somehow forgot your login password (bad luck, you). Or you simply want to break into a Windows account on a computer you physically have (stolen, from your cheating spouse that ran off with Nigerian royalty to cash in a massive bank account … whatever – I’m not here to judge and this is supposed to be theoretical).

Breaking into a Windows computer without a password or password-reset disc should be difficult, right? Wrong. Five reboots and five tiny commands are all it takes. Let’s dive in:

First, you want to get a Command Prompt at the Windows login screen (you know, where you would normally enter the password that you obviously don’t have). This is primarily done by getting into the Recovery mode of the machine. Don’t have a Recovery Disc or similar? No problem… Windows 8 and 10 will automatically go into Recovery mode after three failed boot-up sequences. In other words, power on the computer, let the computer get somewhere in the boot-up process (but before the login screen appears) and pull the power plug. Sure, this is potentially damaging to the Operating System, but if you want to make an omelette you have to break a few eggs.

In the Recovery section, usually under Advanced Options, there should be a choice for Command Prompt. But alas, this terminal is locked to only the recovery partition (like the X: drive of the system). DOS commands to change directory (cd) will not work. Stuck like Chuck, right?

lolnope.

Not to worry – we are going to use this terminal window to change the Ease of Access shortcut available on the login screen (the Utility Manager) to a far more useful process – a terminal window for the C: drive with elevated privileges. Yes, that icon no one ever uses.

From your currently (fairly useless) Command Prompt at the X:, type the following two commands (the “move” command is one line, and the “copy” command is the other line, but the spacing of the page here may display those separate commands on two lines… just type the “move” and “copy” commands on one line before hitting Enter after each):

move c:\windows\system32\utilman.exe c:\windows\system32\utilman.exe.bak

copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe

And voila, we have replaced the Ease of Access function on the login screen with cmd.exe. Next, type the following command into the (not so) useless X: terminal window to reboot:

wpeutil reboot

Upon reboot, click the following icon between the WiFi icon and Power icon (yeah, I never used this icon before either):

You should now be presented with a Command Prompt for C: overlaid on the login screen (no authentication or password necessary). From here, type the following two commands to add a new account to the machine (with no password), and then elevate that account into the administrators group:

net user username /add

net localgroup administrators username /add

Obviously the “username” above is your choice of a new user login (like GetRekt or something similarly clever and haxxorz). You can close the terminal window, reboot, and see your new admin account with no password allowing you entry to the computer.

pwnage and WEAK SAUCE.

It should also be noted that the (rather weak) security of this computer is now even more broken until the above steps are undone and the icon reverted back to its far less useful, albeit original, function.

Lesson for today boys and girls? Always use full-disc encryption to prevent kiddie level compromise like this. Any sort of FDE (BitLocker, VeraCrypt, TrueCrypt, et al) will prevent this exploit from being a possibility on your computer.

Featured image used under CC license from NASA.gov

The lowdown on encryption

We need to talk about encryption and data safety. Yes, encryption can be complicated at times. The effort is certainly worth it and, in today’s state of affairs with mass surveillance, the effort is almost mandatory. Hackers abound, alphabet agencies and First World governments are bulk collecting, and even for-profit companies are trading in consumer data and profiles like they are baseball cards.

This post isn’t going to go into the fathom depths of technicalities. Encryption is my job, however, and it has quickly become a hobby as I see data stolen, sifted and traded in the 21st Century. We are going to fracture the whole of encryption into three separate pieces in order to categorize and discuss them. These are proprietary, open-source , and end-to-end encryption. No, these categories aren’t on the same plane, nor are they mutually exclusive of each other. But they serve our discussion for today.

PROTIP: You never have, nor will you ever, read on this blog anything regarding “military-grade encryption.” The reason for this is elementary: it’s bullshit. There is no such thing as military-grade encryption – there are military standards for encryption levels, and those levels are available to everyone on the Internet. If you ever hear someone talk about it seriously, walk away. If you read about it online, close the tab and never go back. Military-grade encryption is not a special program or service available only to the military. Anyone that tries to sell products or services as such are either grossly inept at encryption or are not on the level about their products. I would insta-distrust someone if they used that term.

Encryption methods are either proprietary or open-source code. Proprietary means closed-source. That is, it is developed as copyrighted methods or products, and its code (or, source) is closed for inspection or public view. Think of KFC’s chicken recipe or Coke. You know what the product is and what it does, but you don’t and won’t ever know what exactly goes into making it. Microsoft’s BitLocker encryption that is part of Windows Professional operating systems or Enterprise editions is a prime example. Does BitLocker encryption work? Absolutely. Is it good enough to stop hackers if your computer is physically stolen? You bet. Good enough to be a safe harbor for HIPAA protection of Protected Health Information? Sure is. Able to stop the NSA? Not a chance.

It’s the last bit of the preceding paragraph that should grab you. It won’t stop a government from accessing your data. Microsoft builds the encryption into the operating system, and not around it as an outer shell. Microsoft may or may not have back doors built into it. The public won’t ever know, because the public can’t view the source to inspect with certainty for back doors. So if it can’t be proven no back doors exist, then the possibility (even if not probability) exists.

Is that to day proprietary encryption has no use? Certainly not. BitLocker is fast with little to no overhead on the computer’s boot times or resources. In many cases, it’s good enough. ProtonMail, encrypted email based in Switzerland, is the same. There are plenty of times when ProtonMail is sufficient for emailing colleagues.

security-265130_960_720

The converse to proprietary is open-source. By definition, open-source means the source code (or, recipe) is open for any and all to view, modify for their own use, or fork and make a branch to create their own version based on the original source (with some caveats like it has to stay open-source or you have to attribute the original code, etc.). The now-abandoned TrueCrypt is/was an open-source encryption program. VeraCrypt is a fork of TrueCrypt, and a current open-source encryption program still maintained and quite the successor. I have personally read through the source code of VeraCrypt version 1.16 as well as version 1.18a (as of this post, the current version). GPG encryption (for email, as well as data) is another open-source example

The benefit with open-source code is two-fold: the public at large can inspect it to look for holes or bugs; and the public’s scrutiny for bugs aids the developer and strengthens the code overall.

Finally, the discussion needs to include end-to-end encryption. This is when a message is encrypted by the sending party before transmission occurs, and is only decrypted after the recipient receives the message and has it on a device. The importance here is that no party in between the sender and recipient can open the encryption (telcomm, Internet Service Provider, software maker, etc.). Skype uses end-to-end encryption, as do many other messaging services like Wickr, WhatsApp, iMessage, Signal, ProtonMail and others.

So end-to-end encryption is the silver bullet, right? Unfortunately, no. End-to-end encryption can be susceptible to man-in-the-middle attacks, spoofing the sender or recipient, and a host of endpoint security issues (if the sending or receiving device has been compromised before the message was sent or received). But overall, end-to-end encryption can be very strong…

IF…

The main caveat to end-to-end encryption is one of the other fractions previously discussed: proprietary software. Skype is a messaging service with end-to-end encryption. But, what if Microsoft can open that message with a backdoor on a whim from an NSA request? End-to-end encryption means nothing at that point. Strong encryption uses open-source software with very long, random passwords to lock it. Strongly encrypted messages must further employ open-source encryption with end-to-end encryption. When emailing or instant messaging critical data, both end-to-end and open-source encryption must be used, along with good endpoint (device) security and strong security methods (no reuse of passwords, no sharing of passwords, no malware infections on the endpoint, etc.).

That means the strongest encrypted email would have to use open-source encryption and end-to-end methods. This is why GPG encryption methods are preferred for email. But, you have to have the technical know-how to generate your own private keys (to encrypt your data) and public keys (so others can encrypt data to send you). Both private and public keys are required to unlock GPG encryption emails. If a reader were to send me a GPG-encrypted email, they would have to use their private key and my public key to encrypt it. That way, only they and I can open or read it. No other private or public keys will work. Conversely, to send them a GPG-encrypted email, I would use my private key and their public key. What if I didn’t already have their public key? I couldn’t send them a GPG-encrypted email. Public key exchanges are a prerequisite to GPG-encrypted emails. This is why you see more and more journalists post their public keys in their signature lines of their online articles, to facilitate receiving truly encrypted emails from someone.

If you are interested in setting up your own GPG keys and encyrption, download GPG4Win (with Kleopatra already built in) to create your keys and Mozilla’s Thunderbird email client with the add-on EnigMail to send/receive and use GPG keys. Protip: when creating GPG keys, never forget to set an expiration date on the key (meaning, it’s good forever). EVER! And, don’t accidentally give out your private key when you mean to give out your public key. 

My public key for my email address of c [dot] robertson95 [at] gmail [dot] com is: 6894 4162 AD3B D3AF 43BD 37E7 CE20 34C2 0395 040F

No, you can’t have my primary secure email address(es) :p

Featured image used under CC license from Pixabay.com

Aircrack tutorial

Long awaited – here’s my down and dirty Aircrack tutorial.

DISCLAIMER: This information isn’t meant for anything other than education. The purpose of this tutorial is to show users how ridiculously unsafe wireless connections can be, even with a password. Yes, even with the most strong of protocols – WPA2. Don’t use this to do anything illegal. Don’t be cruel to animals. Don’t lie or cheat or steal or be a general douchebag. Consult your physician in the event of adverse side effects. Don’t eat directly before swimming. Only try this on your own network. Yada, yada.

This tutorial already presumes you have an appropriate version of Linux already installed, updated, and Aircrack-ng installed. It further presumes you have a wireless chipset capable of both monitoring and injections. These are usually external USB WiFi cards and adapters. Don’t assume you can get just any external USB WiFi stick and be off to the races. Also note WiFi adapter manufacturers will often rotate through different chipsets for their products depending what supply is available and at-the-time costs. When in doubt, search Aircrack-ng’s site for known chipsets compatible with the software and then do your research as to what USB adapters likely have those particular chipsets. Do your homework: measure twice, cut once. And don’t ask me if XYZ adapter will work… I’m giving you enough with this tutorial, so don’t be greedy. Also note the fonts here make the double-hyphen command look like a solid m-dash. Copy/Paste commands to Leafpad (or, Notepad) to avoid syntax error.

WPA2 uses a four-way handshake, giving Aircrack-ng the opportunity to check the MIC of the fourth frame of the handshake process (parsed), so long as the network is using a Pre-Shared Key (PSK). Only PSKs can be cracked by Aircrack, so if any wireless networks show up in Aircrack without PSK, they are of no use. Essentially the crack follows this process:

  1. Four-way handshake is parsed to get SP and STA (station) addresses, Access Point (AP) and STA nonces, and EAP exchange payload (EAPOL) and Message Integrity Code (MIC) from 4th frame;
  2. Candidate password is used to compute Pairwise Master Key (PMK);
  3. Pairwise Transient Key (PTK) is computed from PMK, AP and STA addresses and nonces;
  4. KCK (confirmation key) from computed PTK is used to compute MIC of the EAPOL payload obtained at #1;
  5. The computed MIC is compared to the MIC obtained at #1. If they match then candidate password is reported correct.

Got it? Good.

The first step is to determine what wireless driver you’re running (Broadcom, Atheros or Ralink). In Terminal, type the following to display driver results:

sudo airmon-ng

OR, go with this:

iwconfig

The next action is to stop all processes that will interfere with the wireless monitoring. Run this command in Terminal:

sudo airmon-ng check kill

Put the wireless card into monitoring mode:

sudo airmon-ng start NAMEofWIRELESS

An example of the above would be ( sudo airmon-ng start wlan1 ). Note the output, particularly the name of the interface now in monitoring mode (for example, wlan1mon). For the rest of this tutorial, you will need to use the mon name of the interface for all commands when referencing the wireless interface (i.e. wlan1mon in this example).

Now that the interface is monitoring, start the traffic collection:

sudo airodump-ng INTERFACE_NAME

The above example would be ( sudo airodump-ng wlan1mon). Collected access points will be displayed with BSSID address, power (helpful to know what is closer or farther away), ESSID common names, security encoding, what channels are being found, etc. At this point, start a new Terminal window and focus on the one particular AP you want to collect a handshake from:

sudo airodump-ng -c 1 --bssid 01:23:AB:34:56:CD -w NAMEofOUTPUT_FILE INTERFACE_NAME --ignore-negative-one

In the above, -c is used to indicate the channel to monitor. The –bssid is obviously the MAC address of the AP, the -w is to write the output file with the handshake authentication, and the “–ignore-negative-one” cleans up a lot of garbage from the output file by filtering out all the “fixed channel : -1” messages. The example case monitoring channel 3 on a MAC address of BA:13:E7:E8:11:FA would look like ( sudo airodump-ng -c 3 –bssid BA:13:E7:E8:11:FA -w Toast wlan1mon –ignore-negative-one ) written to output files called Toast.

From here, you can simply wait for a handshake to be captured (quickly indicated in the upper right text of the Terminal by HANDSHAKE and just as quickly disappears to other text). But impatient types can force a handshake opportunity by de-authenticating a client of the monitored AP, grabbing the authentication upon reconnection. To do this, target the AP and a specific client (particularly one with active frames) with the following in a new Terminal:

sudo aireplay-ng --deauth ### -a 01:23:AB:34:56:CD -c AA:BB:CC:DD:EE:FF INTERFACE_NAME --ignore-negative-one

Where in the above, –deauth ### is the number of deauthorization hits to send (5, 20, 99, 300, etc.), the -a is the MAC of the AP, and the -c is the MAC of the client of the AP. For our example, we would use ( sudo aireplay-ng –deauth 5 -a BA:13:E7:E8:11:FA -c AA:BB:CC:DD:EE:FF wlan1mon –ignore-negative-one ) to deauthenticate the device with a MAC of AA:BB:CC:DD:EE:FF five times in succession. Often, five is sufficient to capture a handshake. You may need to run the above deauth command several times in a row to hit the active channel for that AP and client.

Once a handshake authentication is captured (you can find this in the user’s folder), you can inspect the output capture file with Wireshark. But the point here is to crack the Pre-Shared Key. For this, point Aircrack-ng at a dictionary list as follows:

sudo aircrack-ng -w PASSWORD_LIST.dic -b 01:23:AB:34:56:CD NAMEofOUTPUT_FILE.cap

Here, -w indicates the dictionary or wordlist, -b indicates the MAC of the AP, and the final portion is the capture output file already taken. For this example, it would be ( aircrack-ng -w rockyou.dic -b BA:13:E7:E8:11:FA Toast.cap ), using the 2009 RockYou wordlist.

For particularly large wordlists, John the Ripper can be employed (especially if you need to pause/resume the crack process). To do this, use:

sudo john --session=SESSION_NAME --stdout --wordlist=PASSWORD_LIST.dic | aircrack-ng -w - -b 01:23:AB:34:56:CD NAMEofOUTPUT_FILE.cap

In the above, the session SESSION_NAME can be paused with Q or CTRL+C, and the resumed with the command:

sudo john --restore=SESSION_NAME | aircrack-ng -w - -b 01:23:AB:34:56:CD NAMEofOUTPUT_FILE.cap

Now listen away to everything on the network.

Thanks to [S]hellHacks and Aircrack-ng official for documentation of the process.

Debian 8 (jessie) sudo install

Recently installed Debian 8 VM gave me an error of “user not in the sudoers file. This incident will be reported.” The superuser (su) command does work by default. But, old habits and all… I wanted sudo on the machine.

To install sudo and add a user account to the sudo list of allowed users, perform the following in Terminal:

su (and enter password)

apt-get install sudo

adduser myusername sudo

nano /etc/sudoers

(scroll down to the line of "%sudo ALL=(ALL:ALL) ALL")

Just below the above line, type "myusername ALL=(ALL:ALL) ALL" without quotes

CTRL+X and then press Y, then ENTER to save

Exit and Exit

Nano gets around the issue of having to log out and back in to be in the sudoers group.

Wireshark on Debian with non-root account

Running Wireshark with a non-privileged user in Debian gives an error about permissions. The solution is to run the following:

sudo chgrp myusername /usr/bin/dumpcap
 sudo chmod 750 /usr/bin/dumpcap
 sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

Problem solved.