March is Pass-the-Hash Awareness Month! It’s not as simple as you might think, but to break it down, I did a guest post on the passing-the-hash blog: http://passing-the-hash.blogspot.com/2014/03/guest-post-lets-talk-about-pass-hash-by.html
As you may know, I run the Red Team for the Collegiate Cyber Defense Competition (CCDC) in the southwest region. One of the more interesting things I put together for the regional competitions this year was a way to install Linux remotely over a command-line interface (such as meterpreter). I actually originally wrote it for […]
Let’s face it, if you are using passwords on your web site or application, you are part of the problem. It doesn’t matter if you’re using bcrypt or scrypt, or all the salt in the world, you’re still perpetuating these 11 password problems and pains. But client certificate authentication and even issuance is actually easy with modern browsers. Want to see how easy it can be? Check out the example below.
One common technique used by a lot of exploits, malware, and obfuscated software is to dynamically generate or download an executable or DLL file, run it or load it, then delete it. I frequently catch even legitimate software doing this, but I am always curious as to what executable code the authors are trying to hide. Saving those automatically generated files is a core feature of any decent sandbox out there, but in many cases, you see this activity on a production system and don’t know where the file is coming from. Especially if it only happens infrequently, it often doesn’t make sense to try to put the whole system in a sandbox. So instead, I just use a simple trick with NTFS file permissions.
DerbyCon this year was awesome as usual. I presented “The Infosec Revival: Why owning a typical network is so easy, and how to build a secure one.” The video is here on Youtube: Or you can check out the slides here: The RDP video is here: And the VM isolation video is here: I should […]
Unless you have not patched your domain controller in the past five years, chances are, if an intruder gets domain admin or enterprise admin level access, they probably did it through credential theft. One of the biggest recurring themes of countless intrusion and pentest reports is that to accomplish lateral movement and privilege escalation to […]
Ideally you never use a password, but sometimes, you have to anyway. One very common scenario is in signing up for a web application. Such passwords can be stored on the server, hashed with a fast algorithm such as MD5, and over which you have no control. You do not want your password to be […]
Ambush was designed in a server-client architecture to make it easy to deploy to lots of systems, but sometimes you just want to get it running on a single system, without the hassle of requiring a custom server setup or signature creation.
A combined solution to 15 different serious problems with password-based authentication, including the Pass-The-Hash (PTH) attack. No other measures come close to solving all these problems, and for many of the problems, I am unaware of any other solution at all. Sadly, both Microsoft and other security researchers did not really consider this solution or discounted it as unrealistic. The objections either showed flaws with only implementating half a solution or assuming legacy equipment or implementation difficulties will doom the project, due to a focus on what a large enterprise would be likely to implement with minimal effort right now. It reminds me of an immigration debate that focuses on people who are already here, paying less attention to future immigrants only to find that 30 years later, what happened to the future immigrants is all that mattered. Here are the objections, and why they should not stop you.