Archive for the ‘Windows’ Category

Many companies spend a fortune on Next Generation anti-virus and Machine Learning “AI” tools to halt the spread of ransomware and although I strongly believe that user education and training plays a key part in this Windows does can help in a massive way. Windows File Services Resource Manager (FSRM) a resource already built into Windows can halt the spread and quarantine accounts that are affected.

This solution utilises PowerShell and Windows File Services Resource Manager to automatically lockout a user account when ransomware activities are detected.

Installing FSRM
First and foremost, you will need to set up FSRM on your file servers. This feature is part of the File Services Role and can be installed with the following PowerShell command (all one line).

Install-WindowsFeature –Name FS-Resource-Manager
–IncludeManagementTool

Take note, FSRM is only available on Windows Server. If you’re interested in workstation mitigation, comment below and I’ll get to writing!

Get Email Alerts
In order to be emailed of the action our killswitch takes, we will need to set up the SMTP Server settings within FSRM. We don’t necessarily have to do this right now, but it saves us from seeing annoying prompts in the future steps.

Open up Server Manager > File and Storage Services > Right-click on your server > File Server Resource Manager (this can also be accessed through Administrative Tools). Once opened, right-click “File Server Resource Manager (Local)” in the left pane and select “Configure Options…” Go ahead and set up all your email settings, similar to below.

Set up Killswitch Directory
In your corporate file share(s), set up a directory that begins with an underscore. If the ransomware is encrypting alphabetically, this will ensure that it is tripped as soon as possible. Within that directory, we will place a text file called killswitch.txt.

Set Up the Killswitch
Many variants of ransomware look to find mapped drives and will begin encrypting data in alphabetical order. Because of this, our killswitch is going to be a directory placed in the file shares that begins with an underscore.

Create a new File Group under File Screening Management that will look at all files except our killswitch.txt.

Next, we will create a File Screen Template utilizing the File Group we created called “All File Types”.

We will want to configure email alerts, so on the E-Mail Message tab, fill out the pertinent information.

We also want to automate the removal of the offending user in order to stop the ransomware from encrypting our entire file server. We will do this with some PowerShell. Copy the following and save it to your preferred location. In this example, I’m just saving it to C:\kickuser.ps1.

param( [string]$username = “” ) Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName “$username” -Force }

On the Command-Tab, check “Run this command or script:” and the following:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

For the command arguments, insert the following:

-Command “& {C:\smbblock.ps1 -username ‘[Source Io Owner]’}”

Set it to run as Local System.

Apply the File Screen
From within FSRM, Select File Screening Management > File Screens and create a new File Screen. Set the path to your underscore directory and use the “Detect Ransomware” File Screen template that we created earlier.

kill_1

Testing
To test, I created a test account (test guy) and modified the file. I was instantly locked out of the share. The output of our PowerShell script, as well as the share permissions, show this:

testing 567

perm2

Wrapping Up
This methodology should help mitigate some risk around ransomware attacks. In the future, it may also be beneficial to make the following changes:

  1. Create a secondary killswitch in a ZZZ_Killswitch directory in case a ransomware-variant starts in reverse-alphabetical order.

I believe in using the resources we already have available to us in helping secure our organisations, and hopefully, this helps. Feel free to comment with any questions or suggestions.

 

he windows passwords can be accessed in a number of different ways. The most common way would be via accessing the Security Accounts Manager (SAM) file and obtaining the system passwords in their hashed form with a number of different tools. Alternatively passwords can be read from memory which has the added benefit of recovering the passwords in plain text and avoiding the cracking requirement. In order to understand the formats you’ll see when dumping Windows system hashes a brief overview of the different storage formats is required.

Lan Manager (LM) Hashes
Originally windows passwords shorter than 15 characters were stored in the Lan Manager (LM) hash format. Some OSes such as Windows 2000, XP and Server 2003 continue to use these hashes unless disabled. Occasionally an OS like Vista may store the LM hash for backwards compatibility with other systems. Due to numerous reasons this hash is simply terrible. It includes several poor design decisions from Microsoft such as splitting the password into two blocks and allowing each to be cracked independently. Through the use of rainbow tables which will be explained later it’s trivial to crack a password stored in a LM hash regardless of complexity. This hash is then stored with the same password calculated in the NT hash format in the following format: ::::::

An example of a dumped NTLM hash with the LM ant NT component. Administrator:500:611D6F6E763B902934544489FCC9192B:B71ED1E7F2B60ED5A2EDD28379D45C91:::

NT Hashes
Newer Windows operating systems use the NT hash. In simple terms there is no significant weakness in this hash that sets it apart from any other cryptographic hash function. Cracking methods such as brute force, rainbow tables or word lists are required to recover the password if it’s only stored in the NT format.

An example of a dumped NTLM hash with only the NT component (as seen on newer systems.
Administrator:500:NO PASSWORD*********************:EC054D40119570A46634350291AF0F72:::

It’s worth noting the “no password” string is variable based on the tool. Others may present this information as padded zeros, or commonly you may see the string “AAD3B435B51404EEAAD3B435B51404EE” in place of no password. This signifies that the LM hash is empty and not stored.

Location
The hashes are located in the Windows\System32\config directory using both the SAM and SYSTEM files. In addition it’s also located in the registry file HKEY_LOCAL_MACHINE\SAM which cannot be accessed during run time. Finally backup copies can be often found in Windows\Repair.

Tool – PwDump7 – http://www.tarasco.org/security/pwdump_7/
This tool can be executed on the system machine to recover the system hashes. Simply download the run the binary with at least administrator account privileges.

Tool – Windows Credential Editor – http://www.ampliasecurity.com/
Windows Credentials Editor (WCE) is great for dumping passwords that are in memory. Personally I typically use it with the -w flag to dump passwords in clear text. This can often net you passwords that are infeasible to get any other way.

Tool – Meterpreter
If you have a meterpreter shell on the system, often you can get the hashes by calling the hashdump command.

Method – Recovery Directory
Occasionally you may not have direct access to the file required, or perhaps even command line interaction with the victim. An example of this would be a local file inclusion attack on a web service. In those cases it’s recommended you try and recover the SYSTEM and SAM directories located in the Windows\Repair directory.

Method – Live CD
Sometimes you may have physical access to the computer but wish to dump the passwords for cracking later. Using a Live CD is a common method of being able to mount the Windows drive and recover the SYSTEM and SAM files from the System32/config directory since the OS isn’t preventing you access.

 

Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

Included In

At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.

Inveigh running with elevated privilege

Inveigh

Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. Inveigh can usually perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.

By default, Inveigh will attempt to detect the privilege level and load the corresponding functions.

Inveigh running without elevated privilege

Unprivileged

Inveigh provides NTLMv1/NTLMv2 HTTP/HTTPS/Proxy to SMB1/SMB2 relay through the Inveigh-Relay module. This module does not require elevated privilege, again with the exception of HTTPS, on the Inveigh host. However, since the module currently only has a PSExec type command execution attack, the relayed challenge/response will need to be from an account that has remote command execution privilege on the target. The Inveigh host itself can be targeted for relay if the goal is local privilege escalation.

Inveigh and Inveigh-Relay running together to execute an Empire 2.0 launcher

Relay

Tutorials & Download

PowerMemory is a PowerShell based tool to exploit Windows credentials present in files and memory, it levers Microsoft signed binaries to hack Windows.

PowerMemory - Exploit Windows Credentials In Memory

The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, with this method, we can modify the user-land and kernel land behaviour without being caught by antivirus or new defending techniques.

It can actually be done with 4GL language-type or with a scripting language like PowerShell which is installed everywhere.

With that being said, this technique implies that the detection is made hard due to the fact that we can do pretty much what we want by sending and receiving bytes.

Features

  • It’s fully written in PowerShell
  • It can work locally as well as remotely
  • It can get the passwords of virtual machines without having any access to them (works for Hyper-V and VMware)
  • It does not use the operating system .dll to locate credentials address in memory but a Microsoft Signed Debugger
  • PowerMemory maps the keys in the memory and cracks everything by itself (AES, TripleDES, DES-X)
  • It breaks undocumented Microsoft DES-X
  • It works even if you are on a different architecture than the target architecture
  • It leaves no trace in memory
  • It can manipulate memory to fool software and operating system
  • It can write the memory to execute shellcode without making any API call, it only sends bytes to write at specific addresses

You can use the module waiting to be integrated to leave Wonder Land and launch a crafted advanced attack with PowerShell Empire serving as the vector.

You can download PowerMemory here:

PowerMemory-master.zip

Or read more here.

Windows TVIf you have installed Windows 10 and agreed to its terms and conditions during installation then you are being spied on and this is not a conspiracy theory but a fact.

Here’s what’s going on and how you can prevent yourself from being spied on.

Microsoft’s new service agreement consists of about 12,000 words, which clearly states that the operating system will be invading your privacy like never before and if you haven’t read that then it’s not your mistake, we hardly read TOS (Terms Of Service) anyway.

So the Microsoft’s new service agreement states that,

WE WILL ACCESS, DISCLOSE AND PRESERVE PERSONAL DATA, INCLUDING YOUR CONTENT (SUCH AS THE CONTENT OF YOUR EMAILS, OTHER PRIVATE COMMUNICATIONS OR FILES IN PRIVATE FOLDERS), WHEN WE HAVE A GOOD FAITH BELIEF THAT DOING SO IS NECESSARY TO.”

Microsoft does, however, also gives you an option to opt-out of features that you think may be invading your privacy, but remember if you have installed Windows 10 you have opted-in for all features by default.

HOW TO STOP WINDOWS 10 FROM SPYING ON YOU

If you are reading this section because you are seriously worried about this, understand that opting out of Windows 10 is not so straightforward. However, if you follow each of the mentioned steps thoroughly then you will be able to prevent yourself from Windows 10 spying in no time.

NOTE: These steps will be appropriate in both cases, either you are about to install Windows 10 on your computer, or if you have already installed it without paying extra attention to the installation instructions. Depending on your situation, you might need to perform all of the following.

Here are 4 simple tasks you have to follow to stop Windows 10 from spying on you:

Task # 1: Go to ‘Settings’ -> ‘Privacy’. From there you will have to go through 13 different selection screens, turning everything of your concern to ‘off’. After that, you will find some of the most important setting under ‘General’ section, whereas the other setup screens will let you select whether you want specific Windows apps to access your messages, camera, calendar and other areas.

Task # 2: You might also want to change Cortana’s settings, turning every option to ‘off’. But your selections completely depends on whether you are finding this feature useful or not.

Task # 3: This one is an essential option that you have to turn off. And many are going to miss this one because these settings are only changeable through an external website. So head over tohttps://choice.microsoft.com/en-gb/opt-out, there you will find two selections i.e. “Personalized ads in this browser” and “Personalised ads wherever I use my Microsoft account”. Turn both of them to ‘off’.

Ms-personal-ad-preferences

Task # 4: To add another layer of privacy, you might also be interested in removing your Microsoft account from Windows 10, and use some local account instead. Doing this might take away some of the features like Synchronisation across other devices, OneDrive and Windows Store – won’t be a big deal for many! So to remove your Microsoft account, head over to ‘Settings’ -> ‘Accounts’ -> ‘Your Account within Windows 10’, and from there you will be able to remove the account.

Windows 10 will sync data and settings by default with its servers. That includes browser history, currently open web pages, favorites pages, websites, saved apps, Wi-Fi network names and passwords and mobile hotspot passwords.

We also advise you not to activate Cortana, Microsoft’s personal virtual assistant, but if you have already activated it here’s what you’ve allowed it to collect:

  • Your device location
  • Your email and text messages data
  • Your Calendar data
  • Apps you are using
  • Your contact list
  • Who’s calling you
  • With who you are in touch more often
  • Your alarm settings,
  • Your music on device
  • What you purchase
  • Your search history in case you’re using Bing search engine.

“TO ENABLE CORTANA TO PROVIDE PERSONALIZED EXPERIENCES AND RELEVANT SUGGESTIONS, MICROSOFT COLLECTS AND USES VARIOUS TYPES OF DATA, SUCH AS YOUR DEVICE LOCATION, DATA FROM YOUR CALENDAR, THE APPS YOU USE, DATA FROM YOUR EMAILS AND TEXT MESSAGES, WHO YOU CALL, YOUR CONTACTS AND HOW OFTEN YOU INTERACT WITH THEM ON YOUR DEVICE.”

This is not it,

“CORTANA ALSO LEARNS ABOUT YOU BY COLLECTING DATA ABOUT HOW YOU USE YOUR DEVICE AND OTHER MICROSOFT SERVICES, SUCH AS YOUR MUSIC, ALARM SETTINGS, WHETHER THE LOCK SCREEN IS ON, WHAT YOU VIEW AND PURCHASE, YOUR BROWSING AND BING SEARCH HISTORY, AND MORE.”

Windows 10 can also use you for marketing and advertising purposes as it generates a unique advertising ID for users on every device which can be further used to serve commercial content.

Though Windows 10 comes with default capability of automatically detecting malware on user’s PC, but when it’s collecting personal data as such a level you don’t need a malware.

So Windows 10 is spying on you, do opt-out from all such features you think are privacy invasion for you.

tv - programer

There is one key administrative feature that seems to be missing from Microsoft Office 365 – the “kill switch” that disables an Office 365 account and kills all active sessions (browser, ActiveSync, etc.).  Without official guidance from Microsoft, there has been speculation from Office 365 Admins on the best approach for disabling access to an Office 365 account in the event of a breach or security issue.

  • Change the password on the mailbox
  • Remove the mailbox using the “Remove-Mailbox” command
    • For example:
Remove-Mailbox -Identity "John Rodman"
  • Wait 15 minutes
  • Restore the mailbox

Restoring the mailbox is an important step in this process, since the mailbox will be automatically deleted if you do not restore it within 30 days.