Microsoft LAPS – Unique passwords for your local Administrator accounts.

Managing local administrator passwords in the enterprise with ‘Microsoft LAPS Local Administrator Password Solution’.

When it was announed that CPasswords could be easily found and encrypted from the Groups.xml file created by Group Policy Preferences in May 2014 the enterprise needed a better solution to manage the local administrator accounts and more importantly the password being used. Commonly Group Policy Preferences were used to change the administrator account name and password across the enterprise workstations however the issue was two fold; the administrators password was written to a groups.xml file located in the sysvol directory (as well as locally) being written to the field ‘CPassword’ and also the same password would be used for all PC’s/laptops across the network. Should the password become compromised on one host an attacker could move laterally from one PC to another dumping creds. A better solution was required,  enter LAPS!  LAPS enables you to have a unique complex password for each domain joined machine (vista and above), the password being stored centrally in AD and restricted access to specific users (the helpdesk) via access control list. LAPS requires only .Net 4.0 and Powershell 2.0, however does require an AD schema update. LAPS is controlled from its own user interface and does require a small amount of GPO to be configured and client installed on the machine.

I’ll walk through setting up LAPS in a test lab and client setup in my next post.

Monitoring Domain Admins with PowerShell! Free and Easy

Free Active Directory Monitoring with PowerShell, keep an eye on those high privilege level groups!

Keeping an eye on privileged Active Directory groups is Important. We can do this by Monitoring Domain Admins with PowerShell. Groups such as ‘Domain Admins’ (DA) and ‘Enterprise Admins’ (EA) in Active Directory (AD) is vitally important within your IT shop. You need to be aware of any changes happening to high privilege level groups. Especially ones that have the level of access that DA and EA groups have. This of course also extends further than just administering AD privilege groups. In addition to these you may also want to monitor your high privilege level application groups. Such as Lync and SCCM. The worst case scenario is you find a username you not aware of has been dropped in your DA group. As soon as this happens you want to know and investigate immediately. You don’t need any fancy tools to monitor active directory groups. You just need a few lines of PowerShell coupled with the Send-MailMessage feature. Very quickly you have some powerful alerting.

Solution:

I’ve just pulled the below script  together in a few minutes which very simple pulls the DA group and emails the contents to the desired location in the script.

$EmailBody = "The Domain Admin group has the following members verify these are correct:
              $currentmembers "

$currentmembers = (Get-ADGroupMember -Identity "Domain Admins").name | out-file -filepath C:\temp\currentmembers.txt

$Email = @{ 
            'From' = 'Active Directory Administrator <admin@test.lab>' 
            'To' = 'adam@test.lab'
            'Subject' = 'Current Domain Admin Members' 
            'SmtpServer' = 'my.smtpserver' 
            'Body' = $EmailBody 
        } 
        Send-MailMessage @Email

This is just a simple script to query the contents of a group and mail it. What you would ideally want is a comparison of a before and after state. In addition some intelligence within the script. This would be to either; email you if any changes have been made including the additions. O alternatively do nothing if no changes have been made. Then schedule the script to run every 5 minutes with Task Scheduler. This allows you to have pretty good overview of your high privilege accounts.  Such a script thankfully already exists over at TechNet https://gallery.technet.microsoft.com/scriptcenter/Detect-Changes-to-AD-Group-012c3ffa

Alternative tools do exist such as SolarWinds LEM and ChangeAuditor. However using PowerShell is free after all and requires very little effort to implement! As a bonus you’ll boost your PowerShell skills.

Over the wire – bandit online terminal based war games delivered through SSH! Brilliant!

Over the wire – bandit – SSH War games!

I just thought I would share with you all Over the wire – bandit this is fun hacking practice game that you can play on online through SSH. It very addictive and once you start you will want to progress through the levels. Not stopping till you have finished. I started this and had to finish it. You can find it over at  http://overthewire.org/wargames/ I found this through ‘The hackers playbook 2’ book of pentesting tips and tricks found here http://thehackerplaybook.com/dashboard/

Over The Wire - Bandit

Over the wire is a set of text based games, brought to you in a ‘capture the flag’ type style game where you ssh into there servers and crack the puzzle or code. The first series called ‘bandit’ is relatively straight forward with 26 levels. You start the game with a username and password to login to their servers via SSH. You can move up a level each time cracking the puzzle and obtaining the password to the next level. The bandit series is a great intro in its own right to bash as you have to use and combine tools and functions like grep, sort, base64  etc in order to crack the code. Each level finds you figuring out how to view/capture a text string which is the password to the next level. Head over to http://overthewire.org/wargames/ and check it out.

Metasploit database cache not built

Fixing Metasploit database cache

Just a quick reminder to myself and others of how to fix the Metasploit database cache not built issue.  When we use Metasploit the search is super slow and returns the ‘slow search warning’ This where you find either the database isn’t connected or when you try to search for a vulnerability the return is ‘[!] Module database cache not built yet, using slow search’ due to the database not being connected like below: This doesn’t seem to be a huge issue and the search still works however its a fairly easy fix and makes the searching significantly quicker. I’ve posted this as I’m usually finding myself having forgotten the syntax to fix it after rebuilding a kali vm, and searching around various other posts on the internet for it, so here it is:

Module database cache not built yet, using slow search

If we check the database in Metasploit with db_status we find the below error:

Metasploit db_status

So to fix the issue:

Start the postgresql service and ensure it starts at startup:

Metasploit start service

Initialize the msf database with:

Metasploit initialize msf database

Load msfconsole and recheck the database you should find this is now connected:

Metasploit db_status connected

Finally rebuild the db cache, give it a few minutes and you should find the search instantaneous :

Metasploit db cache rebuild

et voila!

Cisco Access Control List Guidelines to follow when creating rules.

Cisco Access Control List Guidelines

Just a quick post to remind myself and others ofCisco Access Control List Guidelines. the following Cisco Access Control List Guidelines that we should be aware of. I thought this would be good to post as a quick reference/lookup. This just gives a basic run down of how ACL’s should be implemented as per Cisco CCNA Security.

  • Ensure the last ACE that is processed has a ‘deny any’ or ‘deny any any’
  • ACLs are processed top down, as soon as as an ACE is matched the processing is stopped.
  • Make sure the most specific ACEs are at the top of the list.
  • One ACL per interface, per protocol, per direction.
  • Any new ACE’s that are added to an ACL are added to the bottom by default, unless specified.
  • Router generated traffic is not filtered by outbound ACLs
  • Standard ACLs should be placed as close to the destination as possible.
  • Extended ACLs should be placed as close to the source as possible.

Cisco Router Password Recovery

Cisco Router Password Recovery Steps.

Cisco Router Password Recovery

As a mental note to myself more than anything however some one may also find this useful. These are the steps you need to take in order to recover or reset a Cisco Router Password. This was performed on 2800 series router. This may be different for other router models and the break key sequence may also be different for your favorite terminal software, however these are the outline steps required in order to re-gain access to you Cisco Router.

  1. Connect via the console port.
  2. Power cycle the router.
  3. Issue the break sequence command on startup within 60 seconds of power up to put into ROMmon – ‘Ctrl-Break’ or ‘Break’
  4. Change the config register with ‘confreg 0x2142’ command.
  5. Power cycle the router.
  6. skip the initial startup/setup procedure
  7. move into privilege EXEC mode.
  8. Copy the startup configuration to the running configuration.
  9. Check the config with a show run – and change the password.
  10. Change the config register back to the original setting (usually 0x2102) in Global Configuration mode with ‘config-register 0x2102’.
  11. Save your changes and reboot to set the new config register.

Issue a ‘Show version’ to verify you have the correct config register:

Router Configuration register 0x2102

Block and Stream Ciphers

Symmetric Encryption Techniques – Block and Stream Ciphers.

Symmetric Encryption Techniques - Block and Stream ciphers

Two types of symmetric encryption techniques that are used are Block and Stream Ciphers, in this post I will cover them both in a high level comparison.

Block Ciphers

Block ciphers take a section of plaintext (a block) and turns them into block of ciphertext of 64 or 128 bits. The block size is how much data is encrypted in one go.

The output from a block cipher is usually larger than the input data, due to the ciphertext being a multiple of the orginal block size.

Common modes of operation block ciphers are Cipher Block Chaining (CBC) and Electronic Codebook (ECB).  Block ciphers include DES with a 64-bit block size and AES with a 128-bit block size.

Stream Ciphers

Stream ciphers encrypt plaintext one byte or one bit at a time, as opposed to a block of data at a time  as with a block cipher. With a stream cipher, the conversion of these smaller plaintext sections of data can vary, depending on when they are viewed during the encryption process. Stream ciphers can be much faster than block ciphers, and usually do not increase the message size, because they can encrypt an any specific number of bits.

Stream ciphers include RC4 (and the RC series) ciphers. DES can also be used in stream cipher mode.

Mitigating VLAN Hopping Attacks

Ways to mitigate VLAN Hopping Attacks on a Cisco Switch.

Cisco Switch mitigating VLAN Hopping Attacks

The ways in which we can prevent basic vlan hopping attacks on a Cisco Switch are more best practice security configurations. Vlan hopping attacks can occur in one of two ways. The first by an attacker spoofing DTP messages directly to a switch, if the switchport has Dynamic Trunking Protocol (DTP) enabled it can then negotiate a vlan and receive tagged packets for that vlan. The second is by introducing a rogue switch and again taking advantage of DTP and negotiating a trunk with the switch and then allowing it to receive all vlans. Not good!

We can do the following to prevent this:

  • Disable Dynamic Trunking Protocol (DTP) for non-trunked ports with switchport mode access – this should always be done for all ports straight out of the box!
  • Disable Dynamic Trunking Protocol (DTP) for all trunked ports with switchport non-negotiate.
  • Manually enable trunk ports with switchport mode trunk.
  • Set the native vlan to an unused vlan rather than just leaving it on vlan1 with switchport trunk native vlan (your vlan number)
  • Put all unused ports into an unused vlan and then disable all unused ports – again disabling all unused ports should be done straight out the box.

Drown

‘Drown’ Vulnerability in SSLv2 and TLS.

Drown SSL TLSThis week sees a new vulnerability in SSLv2 and TLS. The ‘Drown’ vulnerability standing for “Decrypting RSA using Obsolete and Weakened eNcryption”, this is already sounds pretty harrowing to anyway in the security field, anything with RSA decryption and weakened encryption you know is not going to be good. Matthew Green does a great job in explaining all about this so I won’t attempt to regurgitate his excellent explanation, other than to highlight the issue and to say this doesn’t look good at all and I encourage you to read his blog and take note of this vulnerability:

http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

This just highlights that fact that when a penetration tester tells you you still have SSL issues present on your sever you should definitely look into doing something about it as described by myself here: https://www.adamcouch.co.uk/2015/09/10/changing-ssl-tls-cipher-suites-in-windows-and-linux/

Information Security Defenders

We need more Information Security defenders!

InfoSec DefendersAs an industry we need more information security defenders to play the role of the blueteam in the Enterprise. All too often the IT Team receive a pentest report with a list of red criticals and are immediately overwhelmed with issues to fix. Whilst an organization has regular pentests it has the danger of lulling itself into a feeling of ‘doing the right thing’ however if all they are doing is getting a pentest and not re-mediating the issues then its a waste of time and money. This is a pessimistic view however it is usually the case that more vulnerabilities are released that the IT know what to do with. The IT team tend to either not have enough resource or they don’t have the skills to fix the issues, usually the first being being the case. Penetration testing needs to be more than just a test, it needs to be a more proactive engagement with after test help and support for the enterprise should they need it.

Its easy to criticise the IT department. As Information Security Professionals, we are doped daily with the next new exploit or zero day from the various blogs and podcasts that we listen to. This isn’t a small IT departments main concern or top of their list of to do tasks when they arrive at work, (although it could be argued it should be, with a little more security awareness training). The IT team tend to prioritise keeping those critical business apps or switches up and running (I’ve been that person).

As Information Security Professionals we need to be more involved in fixing and explaining the risks and supporting organisations so that they are better equipped to defend themselves.

The next new shiny security toy in the enterprise may not necessarily be the answer, the existing tools already installed around us could be better used and more creatively used to defend the enterprise.  Getting the latest IDS or implementing the next new NextGen Firewall can tend to be a distraction to getting down to what needs to be done i.e. Getting that MS08-067 patched on that business critical server that’s been there for years or tightening up the existing firewall. Hardening existing systems with group policy, tuning WSUS or SCCM to deploy timely updates and utilising windows logging to alert when a domain admin group is modified for example will generally go far further, and are free.

Hopefully sites like this will help contribute to securing enterprises, and assisting system administrators to better defend their existing environments. Enterprises don’t necessarily need to spend huge amounts of money on new technology, the answer could be in being more creative with what you already have.