Soon after I blogged about “Snagging Creds from Locked Machines” and it went a bit viral for a day, Pierluigi Paganini from SecurityAffairs.co asked me some great questions that I failed to answer in a timely manner. They are probably a lot less useful to him now (8 months late), but I thought I would answer them anyway. You are one of the most respected experts on cyber security.
“Secure” DNS updates are the default in Windows, but there is an option to allow “Nonsecure” updates. I have seen this changed when non-Windows DHCP servers are used (e.g. access points); this opens a network up to some pretty nifty attacks for which a Metasploit module just hit the ground. The module was originally written by King Sabri, with many touch-ups and the spoofing capability by busterbcook.
[Image: how to allow users to reset user passwords] Disclaimer: If you are here because you are a helpdesk person, this is a pentest blog, so it’s coming from the mindset of a pentester, but this could just as easily be used for legitimate purposes. There are a great many things you can do with rpcclient; for examples outside of this blog post see these posts by Chris Gates:
LAN Manager (“LM”) password hashing is a very old and well-known password hashing function, used way back in OS/2 Warp and MS-Net (networking for MS-DOS). It was great in its day, but how it worked was not sustainable: the hashing was performed only after uppercasing the password and splitting it into two 7-character chunks. This meant that even if your password was 14 characters long, it was still technically only two 7-character passwords that could be cracked separately.
Created the 2017 UNOFFICIAL ShmooCon Hiring List. Getting on the list is even easier now! Just complete the following form: https://goo.gl/forms/egx5Iw7M6gI67yh02 (One small tip: it’s first come, first served, so if you want to be at the top of the list it’s best to submit the best info you have rather than waiting on anyone; I don’t change the list order for anyone.) Direct link to Google Doc: https://docs.google.com/spreadsheets/d/1yzL7Y7TAP-b4Bu9j2pYsaB2VyTXEK0C_NJ19aezIFms/
NOTE: I DID NOT ATTEMPT ANYTHING MORE THAN LOGGING AGAINST ANY OF THE DOMAINS I REGISTERED FOR THIS RESEARCH. Anyone who knows me knows that I’ve been obsessed with DNS for a long time. However, in this post I will show results of something I can’t quite explain. It all started with the following hypothesis: Windows systems make DNS/NetBIOS/LLMNR requests to find the domain controllers they logged into, even when they are no longer attached to the domain.
Ever have one of those topics that you know you’ve looked up 100 times but never can remember the answer to? I was having one of those moments in a recent conversation on the NoVA Hackers mailing list (if you want to join, please read the instructions before requesting to join). The question came up as to what “Password Required: No” in the output of net user UserName actually means. As usual, MSDN isn’t very helpful:
With all of the scanning / noise on the Internet, it’s nice to get rid of a large chunk of it simply by blocking an entire country’s worth of IP space. To do that you can use a kernel module for iptables called “xtables-addons”. On Debian/Ubuntu it’s pretty easy to get going; just apt-get install the needed Perl library and the addons themselves:
apt-get install libtext-csv-xs-perl xtables-addons-common
Warning: This does require the proper Linux kernel headers to be available to compile the kernel module.
First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one who has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).
TL;DR: USB Ethernet + DHCP + Responder == Creds
Thesis: If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked)?
Created the 2016 UNOFFICIAL DerbyCon Hiring List. Getting on the list is even easier now! Just complete the following form: https://goo.gl/forms/LW5b1xo4O9D8eVZU2 (One small tip: it’s first come, first served, so if you want to be at the top of the list it’s best to submit the best info you have rather than waiting on anyone; I don’t change the list order for anyone.) Direct link to Google Doc: https://docs.google.com/spreadsheets/d/1qlJYhdxljG4f1vHhj5-Vyj5wiRb3YBjQJU4Cqh2cT6k/edit?usp=sharing