Securityexploits – Explaining Security

New Wi-Fi attack found on WPA2 using PMKID

This could make many “thought safe” Wi-Fi routers not so

Here is where paying attention to new attacks is important.

hashcat.net has the information:

This attack does not even need a full EAPOL 4-way handshake, EAPOL stands for Extensible Authentication Protocol(EAP) over LAN. A simple 4-way handshake is shown pictorially below (from hitchhikersguidetolearning.com)

This means that in the past an attack on Wi-Fi would would need EAPOL 4-way handshake to be captured. Capturing the 4-way handshake is sometimes difficult to achieve.

Instead in this attack: ” We receive all the data we need in the first EAPOL frame from the AP.”

First one captures a sample initial Message from the ‘Authenticator’ which includes a PMKID (run hcxdumptool)

Second (run hcxpcaptool) to convert captured data from pcapng format to a hash format accepted by hashcat

Third (run hashcat) to crack the string of data.

So now no 4-way handshake is needed, only expertise to run a couple of scripts and to know how to set up the Wi-Fi capture by using the Wi-Fi network card.

The comments on the hashcat webpage do mention that your Wi-Fi network card must have the capability to capture wlan traffic.

So this requires more review and investigations.

Artificial Intelligence Cybersecurity

We as Cybersecurity practitioners must use the best tools we can find. So if AI(Artificial Intelligence) can help us we need to use them.

Of course we have to use real AI tools, not old tools renamed “AI” to sell more software for a little bit of time.

What is the definition of AI ? a machine software (i.e. no human modification) that imitates human behavior. Or a branch of computer science dealing with simulation of intelligent behavior in computers.

So a true AI Cybersecurity is a program running attack or defense for the network or computer without human interaction.

What in today’s environment shows small views of intelligence? Bots and viruses of course.

It is also my opinion that future AI will first come as more sophisticated “Bots” or infectious software:

SCMagazine story: “Cryptominer campaign leveraging Oracle bug spreads worldwide via multiple infection tactics”

Again this affected entities that did not patch their PeopleSoft HR and Oracle E-business Suite software.

NIST explanation of CVE-2017-10271:

What makes this vulnerability bad is that it is a remote execution vulnerability. “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.” (from NIST link).

So if an AI program can program itself to infect and take over other machines to both infect other machines and perform other goals (like mine crypto currencies the latest actions in this exploit for example) then it is easily done when people find ways not to patch their software.

Image example of CVE-2017-10271 as it was found

The key is to patch your machines, and we have to develop “Blue team” AI first in this coming “AI war”

To be a bit clearer (as mud I am sure) As someone programs an attack program to do the 3 things mentioned:

Find vulnerability
Exploit vulnerability and make money with cryptocurrencies on your machines.
Propagate the program as much as possible

So the future in AI (the real scary part) is when a truly non-human fully automated attack program does all 3 items and improves. The danger in how it will act is still not fully realized yet. I.e. we are not sure how bad it will get.

The important piece of this puzzle is the exponential level of improvement a fully electronic AI could do.

Some people have talked about the ‘singularity’ moment when an AI will have more capabilities than a human brain(supposedly sometime in 2020s).

What about a Cybersecurity ‘singularity’ moment? When a improving attack program starts to improve so fast that it morphs into something that is difficult to stop.

Contact me to discuss

Cybersecurity, Solved in 1 hour? Nope takes at least 1 Season..

Yes we are a nation of television watchers and expect everything to be solved quickly, since all TV shows end in 1 hour.

In the online book (in books.google) of “Television and Politics”

The problems solved in our shows apparently are remembered with ‘calls for action’ are the ones solved by individuals.

So maybe after a lifetime of watching these shows we have a predisposed subconscious notion to assume 1 person can solve most problems in a reasonable amount of time (1 hour or 2 hours).

So when a complex issue is placed in front of us such as

Red vs Blue teams attackers vs defenders where a series of steps breach a server and then use more tools to keep access of the system without the defending teams knowledge. The solution to this issue is not obvious.

So Why am I beating this horse again? Because the principle will not go away. The attackers will find ways and use the systems we have to attack us.

For example… we want to defend our SQL servers, maybe by hiding them. But this will not work, as there are tools to ask our systems “what are the SQL servers”? And our computers dutifully answer this request.

Technical Example: Do you have a domain controller? Which is automatically running Active Directory? The program that runs your network and username and password authentication.

Then how do you defend against a user asking various questions to your DC(Domain Controller) with some commands?

You can access Powershell from a command line, and then ask various questions (execute commands) like get-service or get-process to find out what services and processes are running on the system.

Why is this important? Because you can pick a service running on the system and then try to see what users have access to this service with another tool PowerMemory for example (as the tool(RWMC) in this article is no longer supported)

Here is PowerMemory definition:

Exploit the credentials present in files and memory

PowerMemory levers Microsoft signed binaries to hack Microsoft operating systems.

So! you might say, how does one get command line access on a server?

Let’s say that you got the user to click on phishing malware and now a command line shell was opened, and connects back to one of the Command and Control servers. techtarget.com explains this phenomena

Once the hacker has a command line opened (however they did it). Now they will try and get more access – by obtaining the passwords for administrator accounts.

How to do that? Sean Metcalf in DEFCON 23 video discusses several methods.

Including using powershell tools created by hackers, tools like

PowerMemory Exploit the credentials present in files and memory

kerberoast a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.

The method of obtaining passwords from places on the Microsoft server is also useful: “Finding Passwords in SYSVOL & exploiting Group Policy preferences” is a good article discussing the same topics as in the video.

The credentials can be taken from .xml files on any windows systems. If the system is in a domain then it will have a local user account and whoever logged into that particular system.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

So the hacker knows where to look and what to find… the .xml files with CPassword variable, which has the password stored in an encrypted format.

So now it only depends on how strong your password is…

What are your password schema characteristics? Do you require long passwords? more than 14 digits? Because if you have less than 14 digits the hackers will have an even easier time to get your passwords.

So is it still easy? Can you depend on only your defense team (Blue team) to keep all of your assets without unauthorized access? It will take more than a single episode, a season of episodes. It will take a marathon of binge watching to keep the hackers away. It will take red teams (ethical hackers) to attack.

we can help you with a plan of security policies and red team attacks.

Worried About 0Day Attacks? Take Care of 30day first!

I have been watching the Derbycon videos (put up by IronGeek) and I like Paul Coggin’s comment: Are you worried about Day zero attacks? You have to take care of 80 day first.

I have heard Paul’s talks before and this one in Derbycon is a bit different, but the theme is the same – do not forget the lvl2 OSI exploits and threats. This means that the Cisco devices can be attacked if not configured properly. This is obvious to him as he is the pentester versus Cisco routers.

Kind of funny as Paul says(as a side note) : “many companies are worried about Zero Day attacks but have not solved the 80 day attack”.

A Zero day attack is where an attack will succeed because the security problem has not been fixed yet. I have said this before in this post from Dec15 of last year: “Zero-Day Attacks and why patching means catching up“

It is a valid point Paul, if we do not have our patching process set up correctly we are not catching the 80 day old vulnerability not to even mention the Zero-day(we can’t catch that one) but important to note we should not focus on the Zero-day vulnerability since there is nothing to do about them.

Derbycon had a CTF (capture the flag) competition as well which means there was a contest that had a real life hackers riddle … and solution that shows you some of the thought processes when a hacker makes on a take over of a machine.

At Derbycon’s CTF event the test hack uses the same process as a criminal hacker would in the real world

“Hacker Process”: also called a Kill Chain – Recon – Analysis – Penetrate – Control we like to call it SVAPE&C.

Walking through the thought processes of the Hacker as they are performing their actions is important to design better defenses.

The red team (attackers) versus the blue team (defense) is the constant in the world of Computer security, so therefore there are these contests of CTF.

I don’t want to get into too many details, but a few are necessary:

In a capture the flag contest there is a lot of network traffic that the hacker (red team) has to digest and make sense of. Decide what traffic is useful and what system to review closer.

System HELPDESK was found(with wireshark trafficsniffing) and it had ports 139 /tcp and 3456/tcp open (means Microsoft share ports) with nmap scanner
Then a nbtscan was done to find out more information from the system
Then a ping was done – which also gives out information
the port 139 was Microsoft
Port 3456 was odd so ncat was run to probe the port
Here the CTF oddities response came just like the “War games ” movie in the 90’s “WOULD YOU LIKE TO PLAY A GAME?”
From here the hack is now in a different stage having done reconnaissance and found the system and ports open.

So as you see in the Tweet the next point was to give a programmatic response to the port 3456 (even the port number is funny as there is no port service with that name. As a hacker participating in the ctf once you saw that tweet now you know what to answer the question.

The issue now was how to penetrate the box.
The str$() response did not work correctly
Hackers do what they do – and “hack” i.e. try different things until succeeding
Through some tricks they were able to start a command.com dos command (after realizing this may be an old machine and the new hack tools do not work)
Once the hacker can execute commands on the remote system what happens next? It is the “control” piece.
Now the hacker downloads hacking tools needed to truly control the machine. (ncat and registry program)
From there they had to find the FlagMalwareBytes registry flag in the time allotted.

This particular team placed 3rd.

There is more to the CTF event but at this point I want to discuss the general nature of hacking. It is true in this case the hacker was trying to control an ancient machine (windows98 or 95 even) but the principles are the same. In fact due to the nature of the old machines the hackers had to use older tools.

The one thing that we need to take as a lesson (no matter the system) is that most attack hacks try to download tools and other items to the system to be compromised. And it usually will be with manual commands ftp or wget.

So if you can review any manual tool commands running in your network that would be good. Patching the local systems from all vulnerabilities gives you more defense against wily hackers.

Another Day More Attacks To Defend From

Why does it seem that we are always defending? Seemingly the same thing every day – every month, as the patches come out IT departments must patch consistently and without fail.

Because if not what happens? Such as from Fortinet’s¹ analysis 10% of all NFS servers in the world are vulnerable to a specific attack.

The Global heat-map shows the country most in danger is the USA, with China in 2nd place. Notice the largest economies have the highest vulnerabilities.

So what does 10% mean?

The solution here is to upgrade to a new version of NFS and enable encrypted authentication

Fortinet researchers used the database Shodan.io² for their data.

And if one goes to the site directly one can count 5 exploits, 4 remote, 2 DOS, and 1 local types under “NFS” for a total of 12.

there are 129 known CVE’s 7 in exploitdb and 5 known metasploit attacks.

To a hacker this is a known item.

So what can a hacker do this information?

Well they will do more research and find out where they actually are and whether they can hack or mine information from these NFS problems:

Thousands of the exposed servers were located in the U.S. (18,843 servers), China (11,608), France (10,744), Germany (7,188) and Russia (5,269), the firm reported. This part of the data from Shogun/Fortinet actually resides on the

Securityintelligence.com³ IT news site.

Now we know of 18,843+11608+10744+7188+5269 = 53652 servers are susceptible to some type of attack. This is an obvious goldmine for hackers. Imagine that 10% of these exposed servers can get hacked in such a way do that the hacker can run their own programs on them (i.e. root or admin privilege with command line access). So now what?

~5400 servers may get ransomware that could gross $300 – $500 for each system – which means that $1.6mil to $2.7mil payoff could be coming to the hackers.

What if all the servers were susceptible to ransomware? then the payoff is $16mil to $27mil.

Now do you see what the danger is from attacks? Every day brings new dangers – Don’t play Cyber roulette

Every day you have a chance of firing a 500 or 1000 barrel risk gun and it “goes off” thus The attacker finally made it in. The chance may be 1 in 500 every day, or 1 in a 1000.