Archive for the ‘Windows’ Category

he windows passwords can be accessed in a number of different ways. The most common way would be via accessing the Security Accounts Manager (SAM) file and obtaining the system passwords in their hashed form with a number of different tools. Alternatively passwords can be read from memory which has the added benefit of recovering the passwords in plain text and avoiding the cracking requirement. In order to understand the formats you’ll see when dumping Windows system hashes a brief overview of the different storage formats is required.

Lan Manager (LM) Hashes
Originally windows passwords shorter than 15 characters were stored in the Lan Manager (LM) hash format. Some OSes such as Windows 2000, XP and Server 2003 continue to use these hashes unless disabled. Occasionally an OS like Vista may store the LM hash for backwards compatibility with other systems. Due to numerous reasons this hash is simply terrible. It includes several poor design decisions from Microsoft such as splitting the password into two blocks and allowing each to be cracked independently. Through the use of rainbow tables which will be explained later it’s trivial to crack a password stored in a LM hash regardless of complexity. This hash is then stored with the same password calculated in the NT hash format in the following format: ::::::

An example of a dumped NTLM hash with the LM ant NT component. Administrator:500:611D6F6E763B902934544489FCC9192B:B71ED1E7F2B60ED5A2EDD28379D45C91:::

NT Hashes
Newer Windows operating systems use the NT hash. In simple terms there is no significant weakness in this hash that sets it apart from any other cryptographic hash function. Cracking methods such as brute force, rainbow tables or word lists are required to recover the password if it’s only stored in the NT format.

An example of a dumped NTLM hash with only the NT component (as seen on newer systems.
Administrator:500:NO PASSWORD*********************:EC054D40119570A46634350291AF0F72:::

It’s worth noting the “no password” string is variable based on the tool. Others may present this information as padded zeros, or commonly you may see the string “AAD3B435B51404EEAAD3B435B51404EE” in place of no password. This signifies that the LM hash is empty and not stored.

Location
The hashes are located in the Windows\System32\config directory using both the SAM and SYSTEM files. In addition it’s also located in the registry file HKEY_LOCAL_MACHINE\SAM which cannot be accessed during run time. Finally backup copies can be often found in Windows\Repair.

Tool – PwDump7 – http://www.tarasco.org/security/pwdump_7/
This tool can be executed on the system machine to recover the system hashes. Simply download the run the binary with at least administrator account privileges.

Tool – Windows Credential Editor – http://www.ampliasecurity.com/
Windows Credentials Editor (WCE) is great for dumping passwords that are in memory. Personally I typically use it with the -w flag to dump passwords in clear text. This can often net you passwords that are infeasible to get any other way.

Tool – Meterpreter
If you have a meterpreter shell on the system, often you can get the hashes by calling the hashdump command.

Method – Recovery Directory
Occasionally you may not have direct access to the file required, or perhaps even command line interaction with the victim. An example of this would be a local file inclusion attack on a web service. In those cases it’s recommended you try and recover the SYSTEM and SAM directories located in the Windows\Repair directory.

Method – Live CD
Sometimes you may have physical access to the computer but wish to dump the passwords for cracking later. Using a Live CD is a common method of being able to mount the Windows drive and recover the SYSTEM and SAM files from the System32/config directory since the OS isn’t preventing you access.

 

Advertisements

Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

Included In

At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.

Inveigh running with elevated privilege

Inveigh

Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. Inveigh can usually perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.

By default, Inveigh will attempt to detect the privilege level and load the corresponding functions.

Inveigh running without elevated privilege

Unprivileged

Inveigh provides NTLMv1/NTLMv2 HTTP/HTTPS/Proxy to SMB1/SMB2 relay through the Inveigh-Relay module. This module does not require elevated privilege, again with the exception of HTTPS, on the Inveigh host. However, since the module currently only has a PSExec type command execution attack, the relayed challenge/response will need to be from an account that has remote command execution privilege on the target. The Inveigh host itself can be targeted for relay if the goal is local privilege escalation.

Inveigh and Inveigh-Relay running together to execute an Empire 2.0 launcher

Relay

Tutorials & Download

PowerMemory is a PowerShell based tool to exploit Windows credentials present in files and memory, it levers Microsoft signed binaries to hack Windows.

PowerMemory - Exploit Windows Credentials In Memory

The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, with this method, we can modify the user-land and kernel land behaviour without being caught by antivirus or new defending techniques.

It can actually be done with 4GL language-type or with a scripting language like PowerShell which is installed everywhere.

With that being said, this technique implies that the detection is made hard due to the fact that we can do pretty much what we want by sending and receiving bytes.

Features

  • It’s fully written in PowerShell
  • It can work locally as well as remotely
  • It can get the passwords of virtual machines without having any access to them (works for Hyper-V and VMware)
  • It does not use the operating system .dll to locate credentials address in memory but a Microsoft Signed Debugger
  • PowerMemory maps the keys in the memory and cracks everything by itself (AES, TripleDES, DES-X)
  • It breaks undocumented Microsoft DES-X
  • It works even if you are on a different architecture than the target architecture
  • It leaves no trace in memory
  • It can manipulate memory to fool software and operating system
  • It can write the memory to execute shellcode without making any API call, it only sends bytes to write at specific addresses

You can use the module waiting to be integrated to leave Wonder Land and launch a crafted advanced attack with PowerShell Empire serving as the vector.

You can download PowerMemory here:

PowerMemory-master.zip

Or read more here.

Windows TVIf you have installed Windows 10 and agreed to its terms and conditions during installation then you are being spied on and this is not a conspiracy theory but a fact.

Here’s what’s going on and how you can prevent yourself from being spied on.

Microsoft’s new service agreement consists of about 12,000 words, which clearly states that the operating system will be invading your privacy like never before and if you haven’t read that then it’s not your mistake, we hardly read TOS (Terms Of Service) anyway.

So the Microsoft’s new service agreement states that,

WE WILL ACCESS, DISCLOSE AND PRESERVE PERSONAL DATA, INCLUDING YOUR CONTENT (SUCH AS THE CONTENT OF YOUR EMAILS, OTHER PRIVATE COMMUNICATIONS OR FILES IN PRIVATE FOLDERS), WHEN WE HAVE A GOOD FAITH BELIEF THAT DOING SO IS NECESSARY TO.”

Microsoft does, however, also gives you an option to opt-out of features that you think may be invading your privacy, but remember if you have installed Windows 10 you have opted-in for all features by default.

HOW TO STOP WINDOWS 10 FROM SPYING ON YOU

If you are reading this section because you are seriously worried about this, understand that opting out of Windows 10 is not so straightforward. However, if you follow each of the mentioned steps thoroughly then you will be able to prevent yourself from Windows 10 spying in no time.

NOTE: These steps will be appropriate in both cases, either you are about to install Windows 10 on your computer, or if you have already installed it without paying extra attention to the installation instructions. Depending on your situation, you might need to perform all of the following.

Here are 4 simple tasks you have to follow to stop Windows 10 from spying on you:

Task # 1: Go to ‘Settings’ -> ‘Privacy’. From there you will have to go through 13 different selection screens, turning everything of your concern to ‘off’. After that, you will find some of the most important setting under ‘General’ section, whereas the other setup screens will let you select whether you want specific Windows apps to access your messages, camera, calendar and other areas.

Task # 2: You might also want to change Cortana’s settings, turning every option to ‘off’. But your selections completely depends on whether you are finding this feature useful or not.

Task # 3: This one is an essential option that you have to turn off. And many are going to miss this one because these settings are only changeable through an external website. So head over tohttps://choice.microsoft.com/en-gb/opt-out, there you will find two selections i.e. “Personalized ads in this browser” and “Personalised ads wherever I use my Microsoft account”. Turn both of them to ‘off’.

Ms-personal-ad-preferences

Task # 4: To add another layer of privacy, you might also be interested in removing your Microsoft account from Windows 10, and use some local account instead. Doing this might take away some of the features like Synchronisation across other devices, OneDrive and Windows Store – won’t be a big deal for many! So to remove your Microsoft account, head over to ‘Settings’ -> ‘Accounts’ -> ‘Your Account within Windows 10’, and from there you will be able to remove the account.

Windows 10 will sync data and settings by default with its servers. That includes browser history, currently open web pages, favorites pages, websites, saved apps, Wi-Fi network names and passwords and mobile hotspot passwords.

We also advise you not to activate Cortana, Microsoft’s personal virtual assistant, but if you have already activated it here’s what you’ve allowed it to collect:

  • Your device location
  • Your email and text messages data
  • Your Calendar data
  • Apps you are using
  • Your contact list
  • Who’s calling you
  • With who you are in touch more often
  • Your alarm settings,
  • Your music on device
  • What you purchase
  • Your search history in case you’re using Bing search engine.

“TO ENABLE CORTANA TO PROVIDE PERSONALIZED EXPERIENCES AND RELEVANT SUGGESTIONS, MICROSOFT COLLECTS AND USES VARIOUS TYPES OF DATA, SUCH AS YOUR DEVICE LOCATION, DATA FROM YOUR CALENDAR, THE APPS YOU USE, DATA FROM YOUR EMAILS AND TEXT MESSAGES, WHO YOU CALL, YOUR CONTACTS AND HOW OFTEN YOU INTERACT WITH THEM ON YOUR DEVICE.”

This is not it,

“CORTANA ALSO LEARNS ABOUT YOU BY COLLECTING DATA ABOUT HOW YOU USE YOUR DEVICE AND OTHER MICROSOFT SERVICES, SUCH AS YOUR MUSIC, ALARM SETTINGS, WHETHER THE LOCK SCREEN IS ON, WHAT YOU VIEW AND PURCHASE, YOUR BROWSING AND BING SEARCH HISTORY, AND MORE.”

Windows 10 can also use you for marketing and advertising purposes as it generates a unique advertising ID for users on every device which can be further used to serve commercial content.

Though Windows 10 comes with default capability of automatically detecting malware on user’s PC, but when it’s collecting personal data as such a level you don’t need a malware.

So Windows 10 is spying on you, do opt-out from all such features you think are privacy invasion for you.

tv - programer

There is one key administrative feature that seems to be missing from Microsoft Office 365 – the “kill switch” that disables an Office 365 account and kills all active sessions (browser, ActiveSync, etc.).  Without official guidance from Microsoft, there has been speculation from Office 365 Admins on the best approach for disabling access to an Office 365 account in the event of a breach or security issue.

  • Change the password on the mailbox
  • Remove the mailbox using the “Remove-Mailbox” command
    • For example:
Remove-Mailbox -Identity "John Rodman"
  • Wait 15 minutes
  • Restore the mailbox

Restoring the mailbox is an important step in this process, since the mailbox will be automatically deleted if you do not restore it within 30 days.

TV failure
CVE number for this vulnerability  is CVE-2014-3566:

This is an industry-wide vulnerability affecting the SSL3.0 protocol itself and is not specific to the windows operating system. All supported version of Microsoft implement this protocol and are  affected by this vulnerability. Considering the attack scenario, this vulnerability is not considered as high risk.

 What is SSL? 
 Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the data transported over the network, using cryptography for privacy  and a keyed message authentication code for message reliability.

What is TLS?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or on intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.

What causes the vulnerability? 
The vulnerability is caused by a weakness in the CBC encryption algorithm used in SSL 3.0.

Impact:

The vulnerability In SSL3.0 allows attackers to decrypt encrypted website connections. The attackers can exploit a weakness in the protocol’s design to garb secret session cookies and can steal or tamper with your sensitive information while it’s in transit.

Mitigating Factor:

  • The attacker must make several hundred HTTPS requests before tha attack could be successful.
  • TSL 1.0, TLS1.1, TLS1.2 and all cipher suit that do not use CBC mode are not affected.

Affected Operating System:

Windows server 2003 service pack 2

Windows server 2003 x64 Edition service pack 2

Windows server 2003 with SP2 for Itanium-based system

Windows vista service pack 2

Windows vista x64 Edition service pack 2

Windows server 2008 for 32-bit system SP2

Windows server 2008 for x64-based system SP2

Windows server 2008 for Itanium-based system SP2

Windows 7 for 32-bit system SP1

Windows 7 for x64-based system SP1

Windows server 2008 R2 for x64-based system SP1

Windows server 2008 R2 for Itanium-based system SP1

Windows 8 for 32-bit system

Windows 8 for x64-based system

Windows 8.1 for 32-bit system

Windows 8.1 for x64-based system

Windows server 2012

Windows server 2012 R2

Windows RT

Windows RT 8.1

Resolution:

Microsoft is investigating on this vulnerability, and will take the appropriate action to help protect their customers. This may include providing a security update through monthly release process or providing an out-of-cycle security update. Microsoft has suggested a workaround to disable SSL3.0 to mitigate this vulnerability. This workaround will disable SSL3.0 for all server software installed on a system, Including IIS.

Workarounds:

1)    Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, TLS 1.2 in Internet Explorer.

You can disable the SSL 3.0 protocol in Internet Explorer by modifying the Advanced Security settings in Internet Explorer.

To change the default protocol version to be used for HTTPS requests, perform the following steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Advanced tab.
  3. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
  4. Click OK.
  5. Exit and restart Internet Explorer.

Note:  After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.

2)    Disable SSL 3.0 and Enable TLS 1.0, TLS 1.1, TLS 1.2 in Internet Explorer in Group Policy.

You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.

  1. Open Group Policy Management.
  2. Select the group policy object to modify, right click and select Edit.
  3. In the Group Policy Management Editor, browse to the following setting:

Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support

  1. Double-click the Turn off Encryption Support setting to edit the setting.
  2. Click Enabled.
  3. In the Options window, change the Secure Protocol combinations setting to “Use TLS 1.0, TLS 1.1, and TLS 1.2“.
  4. Click OK.

Note Administrators should make sure this group policy is applied appropriately by linking the GPO to the appropriate OU in their environment.

Note After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.

3)    Disable SSL 3.0 in Windows.

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

  1. Click Start, click Run, type regedt32or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server

Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.

  1. On the Editmenu, click Add Value.
  2. In the Data Typelist, click DWORD.
  3. In the Value Namebox, type Enabled, and then click OK.

Note If this value is present, double-click the value to edit its current value.

  1. Type 00000000in Binary Editor to set the value of the new key equal to “0”.
  2. Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.