Bypass Chrome TLS security checks

Normally things like invalid certificates throw an error within Google Chrome, and if the page has HSTS in place, there is no way to click past that error.
For normal users this is a good thing, but if you're the developer/admin and have locked yourself out because of a misconfigured server, or you're a pentester who needs to see the contents of a wrongly configured web server, this can be frustrating.

There is a way to access such pages, even though it is not available in the normal Google Chrome build: drive Chrome through Selenium.
For that you need the Selenium WebDriver library and chromedriver.

1. Download the latest WebDriver https://www.nuget.org/api/v2/package/Selenium.WebDriver/
2. Download the latest ChromeDriver https://chromedriver.storage.googleapis.com/index.html (keep in mind that version 2.10 is higher than 2.9)
3. Open PowerShell and import the WebDriver using "Import-Module" (more precisely, the DLL matching your installed .NET version)
4. Unzip chromedriver and place it inside "./bin/selenium.chromedriver/"
5. Use PowerShell or C# to launch a new browser instance

$options = [OpenQA.Selenium.Chrome.ChromeOptions]::new()
# Accept the invalid certificate instead of stopping at the (HSTS-enforced) error page
$options.AcceptInsecureCertificates = $true
# First argument is the directory containing chromedriver(.exe); the .NET ChromeOptions has no setBinary method
$driver = [OpenQA.Selenium.Chrome.ChromeDriver]::new('./bin/selenium.chromedriver', $options)

Or use this script to install everything inside your current directory:

function Install-PSArchive {
    param()
    $null = Install-PackageProvider -Name PowerShellGet -Force -Scope CurrentUser
    Install-Module -Name 'Microsoft.PowerShell.Archive' -Force -Repository PSGallery -Scope CurrentUser -WarningAction SilentlyContinue
}

function Install-Selenium {
    param($ChromeSeleniumVersion = '2.45')
    Invoke-WebRequest -Uri 'https://www.nuget.org/api/v2/package/Selenium.WebDriver/' -UseBasicParsing -OutFile './selenium.webDriver.nupkg.zip'
    Expand-Archive -Path ./selenium.webDriver.nupkg.zip -Force
    $null = New-Item -Name './lib/selenium.webDriver' -ItemType Directory -Force
    Copy-Item -Path ./selenium.webDriver.nupkg/lib/netstandard2.0/WebDriver.dll -Destination ./lib/selenium.webDriver -Force
    Copy-Item -Path ./selenium.webDriver.nupkg/lib/netstandard2.0/WebDriver.xml -Destination ./lib/selenium.webDriver -Force
    Remove-Item -Recurse -Force -Path './selenium.webDriver.nupkg'
    Remove-Item -Recurse -Force -Path './selenium.webDriver.nupkg.zip'

    $ChromeSeleniumURLLinux = 'https://chromedriver.storage.googleapis.com/{0}/chromedriver_linux64.zip' -f $ChromeSeleniumVersion
    $ChromeSeleniumURLMacOS = 'https://chromedriver.storage.googleapis.com/{0}/chromedriver_mac64.zip' -f $ChromeSeleniumVersion
    $ChromeSeleniumURLWindows = 'https://chromedriver.storage.googleapis.com/{0}/chromedriver_win32.zip' -f $ChromeSeleniumVersion
    # $IsWindows only exists in PowerShell Core; Windows PowerShell 5.1 reports PSEdition 'Desktop'
    If ($IsWindows -or $PSVersionTable.PSEdition -eq 'Desktop') {
        Invoke-WebRequest -Uri $ChromeSeleniumURLWindows -OutFile 'chromedriver.zip'
    }
    elseif ($IsLinux) {
        Invoke-WebRequest -Uri $ChromeSeleniumURLLinux -OutFile 'chromedriver.zip'
    }
    elseif ($IsMacOS) {
        Invoke-WebRequest -Uri $ChromeSeleniumURLMacOS -OutFile 'chromedriver.zip'
    }
    else {
        Write-Error -Message 'Platform not supported.'
        return
    }
    $null = New-Item -Name './bin/selenium.chromedriver' -Force -ItemType Directory
    Expand-Archive -Path 'chromedriver.zip' -Force -DestinationPath ./bin/selenium.chromedriver
    Remove-Item -Recurse -Force -Path './chromedriver.zip'
    If ($IsLinux -or $IsMacOS) {
        chmod a+x ./bin/selenium.chromedriver/chromedriver
    }
}

function Install-HtmlAgilityPack {
    param()
    Invoke-WebRequest -Uri 'https://www.nuget.org/api/v2/package/HtmlAgilityPack/' -OutFile ./HtmlAgilityPack.zip
    Expand-Archive -Path './HtmlAgilityPack.zip' -Force
    $null = New-Item -Name './lib/HtmlAgilityPack' -ItemType Directory -Force
    Copy-Item -Path ./HtmlAgilityPack/lib/netstandard2.0/HtmlAgilityPack.dll -Destination ./lib/HtmlAgilityPack -Force
    Copy-Item -Path ./HtmlAgilityPack/lib/netstandard2.0/HtmlAgilityPack.xml -Destination ./lib/HtmlAgilityPack -Force
    Remove-Item -Force -Recurse -Path './HtmlAgilityPack'
    Remove-Item -Force -Recurse -Path './HtmlAgilityPack.zip'
}

Install-PSArchive
Import-Module -Name 'Microsoft.PowerShell.Archive'
Install-Selenium
Import-Module './lib/selenium.webDriver/WebDriver.dll'

## If you need to parse HTML inside your scripts and want cross-platform functionality (or Internet Explorer is not available), you also need HtmlAgilityPack, because PowerShell on Windows relies on Internet Explorer for parsing HTML into objects.
Install-HtmlAgilityPack
Import-Module './lib/HtmlAgilityPack/HtmlAgilityPack.dll'

Hacking a SQL Server

Basically, if you're admin you own everything.

So how would you access a SQL Server if you don't have SQL permissions but are administrator on the system the SQL Server is running on?

Basically you can abuse the fact that the SQL Server has to have at least one login with the necessary permissions. Often this is the local SYSTEM account.

  1. Become SYSTEM using psexec (or anything else): psexec -s cmd.exe
  2. Search for your local SQL instance: osql -L
  3. Connect to your SQL Server using your current (SYSTEM) credentials: osql -S <InstanceName> -E
  4. If the connection is successful, enable the sa login and set a new password for it. After that you can use SQL Server Management Studio to administer all permissions:
    /* Enable the sa login (mixed-mode authentication must also be turned on at the server level) */
    ALTER LOGIN sa ENABLE;
    GO
    /* Reset the password, requires CONTROL SERVER permission */
    ALTER LOGIN sa WITH PASSWORD = '<newPassword>';
    GO
    /* Set the sa password the old way (sp_password is deprecated but still works) */
    sp_password NULL, '<newPassword>', 'sa';
    GO
    
    /* To add a Windows user to the sysadmin role do this */
    CREATE LOGIN [DOMAIN\USER] FROM WINDOWS;
    GO
    EXEC sp_addsrvrolemember 'DOMAIN\USER', 'sysadmin';
    GO
    

    If the above throws an access denied error, try a different user, for example the MSSQL service account: use Process Hacker to run a command prompt in the context of that user and try again. If that also fails, check whether any application accessing the database has an account with too many permissions (e.g. server admin instead of db_owner) and try that one.

  5. If none of that helps, there is one last way into the database, but it causes downtime.
  6. Stop the SQL Server services (Server, Browser, Agent, …) and open an elevated command prompt.
  7. Navigate to the folder containing the service executable and start it with the parameter "-m" (single-user mode, which lets a local administrator connect without the usual SQL permission checks). After the server is back up, perform step 4, then stop the server and restart the services you stopped earlier.

WARNING: BY DOING STEP 7 EVERYBODY COULD GAIN FULL ACCESS TO YOUR SERVER. DEPENDING ON YOUR INFRASTRUCTURE YOU MAY WANT TO BLOCK REMOTE CONNECTIONS ON THE WINDOWS FIREWALL WHILE PERFORMING THIS STEP.
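The defender's counterpart to the steps above, as an added example that is not part of the original post: a PowerShell audit that lists which logins already hold sysadmin on an instance and whether the built-in sa login is enabled. The accounts the steps rely on (the SYSTEM account, the MSSQL service account, over-privileged application logins) show up in this list, so it is the report to review before someone else does. It assumes Windows PowerShell 5.1 (System.Data.SqlClient from the .NET Framework) and that the caller can connect with Windows authentication; the instance name 'localhost' and the function name Get-SysadminAudit are my placeholders.

```powershell
# Added example, not from the original post. Lists server logins with their sysadmin
# membership and flags the built-in sa login (principal_id 1, even if it was renamed).
function Get-SysadminAudit {
    param([string]$Instance = 'localhost')   # placeholder, e.g. 'SERVER\INSTANCE'

    $query = @"
SELECT p.name, p.type_desc, p.is_disabled,
       CASE WHEN p.principal_id = 1 THEN 1 ELSE 0 END AS is_sa,
       CASE WHEN rm.member_principal_id IS NULL THEN 0 ELSE 1 END AS is_sysadmin
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = p.principal_id
      AND rm.role_principal_id = (SELECT principal_id FROM sys.server_principals WHERE name = 'sysadmin')
WHERE p.type IN ('S', 'U', 'G')     -- SQL logins, Windows users, Windows groups
  AND p.name NOT LIKE '##%'         -- skip internal certificate-based logins
"@
    # Windows authentication (the same thing "osql -E" does), no password in the script
    $conn = [System.Data.SqlClient.SqlConnection]::new("Server=$Instance;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                Login    = [string]$reader['name']
                Type     = [string]$reader['type_desc']
                Disabled = [bool]$reader['is_disabled']
                IsSa     = [bool]$reader['is_sa']
                Sysadmin = [bool]$reader['is_sysadmin']
            }
        }
    }
    finally { $conn.Dispose() }
}

# Everything with sysadmin: each of these accounts is an entry point like the ones above
$audit = Get-SysadminAudit -Instance 'localhost'
$audit | Where-Object Sysadmin | Format-Table Login, Type, Disabled -AutoSize

# sa should stay disabled unless there is a documented reason for it
$sa = $audit | Where-Object IsSa
if ($sa -and -not $sa.Disabled) { Write-Warning "Login '$($sa.Login)' (built-in sa) is enabled" }
```

Run it per instance (the list from `osql -L`) and compare the output with what you expect; a service account or an application login appearing here is exactly what steps 3 and 4 above would use. Changes to sa and to sysadmin membership are also visible in the SQL Server error log and the Windows Application log once login auditing is turned on.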

Encrypted LVM remote unlock

Sometimes you want strong disk encryption but still be able to unlock it remotely. Sure, this is a compromise between security and usability, but here is what I came up with.
Before you follow my instructions, I urge you to carefully consider what this means for your threat model and system security.

0. You start with a normal LVM-encrypted operating system.
1. Install dropbear and busybox.
2. Edit the file /etc/initramfs-tools/initramfs.conf and add/modify the device and network settings accordingly:
DROPBEAR=y
DEVICE=eth0
IP=192.168.2.19::192.168.2.1:255.255.255.0:PC-Name:eth0:off

The last line requires some explanation. Its fields are:
Preboot-IPv4:rarp-Server:Gateway-IPv4:Subnetmask:Preboot-Hostname:Interface:autoconfigurationMethod
https://help.ubuntu.com/community/DisklessUbuntuHowto#Static_IP
To avoid SSH host-key conflicts (the preboot environment is effectively an autonomous OS with its own host key, independent of the main system, so a known_hosts entry for one would fail for the other), you should give it a different IP than that of the fully booted system.
3. Place your SSH public key into the initramfs root user's home directory:
rm /etc/initramfs-tools/root/.ssh/*
vi /etc/initramfs-tools/root/.ssh/authorized_keys

For privacy reasons (if you don't want someone to associate this device with you through your public key) you may want to use a separate key pair for this.
4. After you’ve added your public key, you need to regenerate the initramfs image using:
update-initramfs -u
5. After that reboot using
systemctl reboot
6. Now, while the system is waiting for you to enter the password, go to a different client and connect using your private key (user: root) and the IP address you configured.
7. To unlock your device and continue booting (which tears down the initramfs, so the shell you are in has no mounted file systems or applications) you have to insert the plain-text passphrase into /lib/cryptsetup/passfifo (without a line break at the end).
The easiest (but also least safe) way is a simple echo:
echo -n "EncryptionKey" > /lib/cryptsetup/passfifo

iptables to rsyslog

Log all dropped connections to syslog:

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
# log, then drop: both rules belong to the LOGGING chain
iptables -A LOGGING -j LOG --log-prefix "iptables: "
iptables -A LOGGING -j DROP

Check that this line is in /etc/rsyslog.conf:

$ModLoad imklog

After that create the file /etc/rsyslog.d/01-iptables.conf with the content:

:msg, startswith, "iptables: " -/var/log/iptables.log
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables.log
& ~

Lines 1 and 3 are filters with a target file: if a message matches, it is written to the specified log file (the leading "-" means the file is written asynchronously).
Lines 2 and 4 ("& ~") tell rsyslog to discard the message once the preceding rule matched, so later rules (e.g. the one writing /var/log/syslog) don't see it again.

Now the only thing left is a log rotation rule.
Create the file /etc/logrotate.d/iptables with this content:

/var/log/iptables.log {
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
		iptables-save >> /var/log/iptables.log
	endscript
}

ntds.dit Auditing

While searching for a way to remotely force a Windows Update check, I accidentally found this: DSInternals
This looked very promising, so I checked out the linked blog and found this: Retrieving Active Directory Passwords Remotely

This might be useful in some disaster recovery scenarios (or for hackers to create Golden Tickets…). It is also a good argument against the "Reversible Encryption" option and for encrypting Domain Controllers (including their backups) and preventing unauthorized physical access to them.

Advice:
– On Domain Controllers use Bitlocker with a TPM
– Encrypt your Backups
– Physical access control (to dc and backups)

Note:
Golden Ticket attacks are not entry attacks. An attacker has to gain administrative rights on a Domain Controller in order to carry out this attack.
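As an added example (not from the original post or from DSInternals), a PowerShell check for the advice above on a domain controller: it lists accounts that still store their password with reversible encryption, reads the domain-wide policy switch for that setting, and confirms the system drive is BitLocker-protected with a TPM key protector. It assumes the ActiveDirectory and BitLocker modules are installed and that it runs elevated on the DC; the function name Test-DcProtection is mine. Backup encryption has to be verified in the backup product itself.

```powershell
# Added example, not from the original post. Verifies reversible encryption usage and
# BitLocker/TPM protection of the system drive on a domain controller.
function Test-DcProtection {
    param([string]$SystemDrive = $env:SystemDrive)   # e.g. 'C:'

    # Accounts whose password is stored with reversible encryption:
    # userAccountControl bit 0x80 (128) = ENCRYPTED_TEXT_PWD_ALLOWED
    $reversibleUsers = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
        Select-Object -ExpandProperty SamAccountName

    # The domain-wide "Store passwords using reversible encryption" policy setting
    $policyReversible = (Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled

    # System volume encrypted with BitLocker and a TPM-based protector (Tpm, TpmPin, ...)
    $vol = Get-BitLockerVolume -MountPoint $SystemDrive
    $tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -match '^Tpm' })
    $bitlockerTpm = ($vol.ProtectionStatus -eq 'On') -and ($tpmProtectors.Count -gt 0)

    [pscustomobject]@{
        ReversibleEncryptionPolicy = [bool]$policyReversible
        ReversibleEncryptionUsers  = @($reversibleUsers)
        SystemDriveBitLockerTpm    = $bitlockerTpm
    }
}

$r = Test-DcProtection
if ($r.ReversibleEncryptionPolicy) { Write-Warning 'Default Domain Policy stores passwords with reversible encryption' }
foreach ($u in $r.ReversibleEncryptionUsers) { Write-Warning "Reversible encryption enabled for $u" }
if (-not $r.SystemDriveBitLockerTpm) { Write-Warning "$env:SystemDrive is not BitLocker-protected with a TPM key protector" }
$r
```

The LDAP filter matches the userAccountControl bit directly, so it finds the per-user setting regardless of how it was set (user properties, fine-grained password policy or the domain policy). A clean result here does not replace the physical access control from the advice list; it only confirms the two settings you can check from a shell.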

Centralized Windows Event Log

Another feature many administrators don't know about is the centralization of Windows Event Logs.
It allows you as administrator to view all relevant Event Log information on your admin PC.
This is based on documentation from Microsoft.

  1. Create a new security group (Domain Local) with the name "IT-RemoteManagement" and add all computer accounts that should be allowed to read the event logs (computer accounts, not user accounts).
  2. Create a new GPO named "CentralizedEventLogClients" and link it to all your clients (e.g. your domain)
    • Enable "Allow remote server management through WinRM" (Computer, Policies, Administrative Templates, Windows Components, Windows Remote Management (WinRM), WinRM Service) and enter "*" into the IPv4 and IPv6 filters.
    • Change the startup type of the "Windows Remote Management (WS-Management)" service to automatic (Computer, Policies, Windows Settings, Security Settings, System Services)
    • Enable the inbound firewall rule (Computer, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security – LDAP*, Inbound Rules, right-click and select "New Rule…", Predefined: "Windows Remote Management", the one where Profile equals "Domain, Private", Allow the connection, Finish, then right-click the created rule, open the "Advanced" tab in its properties and remove the selection of "Private")
    • Add "C:\Windows\System32\cmd.exe" with the parameter "winrm quickconfig -q" as a startup script if the above didn't work (sometimes the listener is not created…)
    • Add the IT-RemoteManagement group to the local group "Event Log Readers" (Computer, Preferences, Control Panel Settings, Local Users and Groups, right-click, New, Local Group, group name: "Event Log…", check both check boxes to remove all existing members, add the group "IT-Remote…", in the other tab select "remove element if…", select yes and close the dialog with OK)
  3. Create another policy named "CentralizedEventLogIT" and assign it to the computers of your supporters
    • Startup script: "C:\Windows\System32\cmd.exe", argument: "wecutil qc -q:True"
    • Set the Windows Event Collector service to start automatically
  4. Now your supporters can create their subscriptions (watched events) by clicking on "Subscriptions" in their local Event Viewer.
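Once the two GPOs have applied, this added example (not from the original post or the Microsoft documentation) verifies from the admin PC that each client has a reachable WinRM listener and carries the IT-RemoteManagement group in its local "Event Log Readers" group, and that the collector service on the admin PC is set to start automatically. The client names and the function name Test-EventLogClient are placeholders; it assumes PowerShell 5.1 or later on the clients (for Get-LocalGroupMember) and that the account running it is a local administrator there.

```powershell
# Added example, not from the original post. Checks the client side of the setup above.
function Test-EventLogClient {
    param(
        [string[]]$ComputerName,
        [string]$GroupName = 'IT-RemoteManagement'   # the domain-local group from step 1
    )
    foreach ($c in $ComputerName) {
        $result = [ordered]@{ ComputerName = $c; WinRM = $false; ReaderGroupOk = $false; Error = $null }
        try {
            # WinRM listener reachable (the first four bullets of step 2)
            $null = Test-WSMan -ComputerName $c -ErrorAction Stop
            $result.WinRM = $true
            # Membership of the local "Event Log Readers" group (last bullet of step 2)
            $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name
            }
            $pattern = '\\' + [regex]::Escape($GroupName) + '$'   # matches DOMAIN\IT-RemoteManagement
            $result.ReaderGroupOk = [bool]($members -match $pattern)
        }
        catch { $result.Error = $_.Exception.Message }
        [pscustomobject]$result
    }
}

# Clients to verify (placeholder names)
Test-EventLogClient -ComputerName 'CLIENT01', 'CLIENT02' | Format-Table -AutoSize

# On the collector (step 3): the Windows Event Collector service must start automatically
$wec = Get-Service -Name Wecsvc
if ($wec.StartType -ne 'Automatic') { Write-Warning "Wecsvc start type is $($wec.StartType), expected Automatic" }
```

A client with WinRM reachable but ReaderGroupOk false is the typical symptom when the group preference item in step 2 did not apply; a client with an Error is usually the missing listener the "winrm quickconfig -q" startup script is there to fix.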

Status Monitoring

Here is a code snippet to monitor your servers. In the first example the result is simply written into a CSV file; in the second, an e-mail is sent.

# Example 1: ping every host from IP-List.txt and write the result to Summary.csv
Import-Csv -Path ".\IP-List.txt" -Header ComputerName | Test-NetConnection | Select-Object ComputerName,PingSucceeded | Export-Csv -Path ".\Summary.csv" -Delimiter ";" -NoTypeInformation

# Example 2: mail the list of hosts that did not answer (filter on $False: the mail reports hosts that are down)
$isOffline = Import-Csv -Path ".\IP-List.txt" -Header ComputerName | Test-NetConnection | Select-Object ComputerName,PingSucceeded | Where-Object -Property PingSucceeded -EQ -Value $False

$DNSHostName = (Get-WmiObject win32_computersystem).DNSHostName;
$DNSDomainName = (Get-WmiObject win32_computersystem).Domain;

# "+" is not evaluated inside a double-quoted string; build the FQDN with subexpressions instead
$From = "PowerShellMonitoring@$($DNSHostName).$($DNSDomainName)";
$To = "edv@$($DNSHostName).$($DNSDomainName)";
$Subject = "Failure: $(@($isOffline).Count) hosts down";

$Body = $($isOffline | Format-Table | Out-String);
# Send-MailMessage needs a mail server; <smtp-server> is a placeholder for yours
if (@($isOffline).Count -gt 0) {
    Send-MailMessage -From $From -Subject $Subject -To $To -Body $Body -SmtpServer '<smtp-server>';
}