KB3201860 Adobe Flash?

So I did not install Adobe Flash; it is not in my Add/Remove Programs, nor is it an active plugin for any of my installed web browsers.

On this machine I have Windows 8.1 and the Flash options in Control Panel, but no Add/Remove entry for Flash. I was legitimately baffled seeing this update pop up, as I didn’t install the software, because I feel it is more harm than good as a security exploit vector.

KB3201860 details @ Microsoft. I am still digging around, but I am really concerned how something I didn’t install is on here. I guess it will be an interesting weekend, finding this and gutting it out of this system. I also see no Adobe Windows services installed.

I have heard and seen that Google Chrome has its own version of Flash. But it adds extra concern if it’s escaping the Chrome ‘sandbox’, because if you can make a call to it, it can be exploited. IMO and all of that.

Oh wow, the plot thickens. Thanks to Adobe’s link, it is rolled in with Windows 8.
Checking with this Installed Flash web tool, Chrome of course has Flash, as it’s baked into Chrome. My installed Mozilla-based browsers fail the test (yay). IE 11 on Windows 8.1 also has its baked-in Flash. It looks like that is what this update is for. Now of course comes the quest to eviscerate it from being able to execute or be invoked.

… So then I checked again, saw Shockwave Flash Object in Internet Explorer Add-ons and was able to disable the plugin; then the ‘Is this installed’ check failed.

Computer news recap

So everyone has been foaming at the mouth about the Dyn DNS attack / Mirai botnet theory on how some large sites had been down from last Friday (10/21/2016) into the weekend for some folks. There were heat maps of areas in the USA hit, and, laughably common, Russia was the first to be blamed. That of course turned into more competent speculation that the attack came from a botnet of devices such as cameras and other Internet of Things (trash) with default passwords, or worse yet, hard-coded passwords.

Pardon the cynicism, but I am waiting for this coffee to cool down and it’s the morning. I would also make a list of major websites that had their user databases taken, but that would be a huge and nowhere near complete list. When that happens, the obfuscated passwords are run against some cracking methods to get the raw ASCII value. Hashcat is something I do not yet have experience with, but I would like to set up a test Windows domain to reverse the AD password obfuscation, for the sake of seeing it run and deliver personally. I enjoy projects.

Notable sites where the user data got popped (with some speculation on my part, perhaps):

  • Yahoo
  • Hotmail
  • LinkedIn
  • AshleyMadison
  • MySpace
  • Twitter (~2014)
  • Facebook (~2013)

 

Please note that Twitter and Facebook are speculation on my part, and that is why I put the projected date next to them. At this point, honestly, I give consideration that every site has potentially been popped for their user databases. Salting and hashing your user passwords will get you so far, but like encryption, if you leave the keys with the protected data, you are not really gaining any benefit because you gave away the key to the puzzle. We can call this security nihilism, but seriously, this is worth restating. Do not store private keys with your data; if your salt and hash method are in that production database, you are going to have a bad time.

*Sips coffee* There is no such thing as perfection, so do not worry about chasing that dragon. The moral of the story above, however, is to not re-use passwords. Do you have the same password for your email, bank, work, and social network sites? Please don’t do that. It makes being a victim way easier, especially after a data breach / password dump from a major site. Let me assure you I’m not spouting this from my ivory tower, because I had some shared passwords between services too. Fortunately I seem to have changed those before the accounts could get popped.

Granted, depending on how badly a network gets run, authentication could be irrelevant, because an attacker had full access to the site by side-stepping authentication completely. Another one of those theories, but yeah, you have to do what you can. I spend a formidable amount of time reading about security news and researching myself. A few years ago I dorked around pretty heavily on Facebook, laughed at the perceived privacy controls, and got put in ‘Facebook Jail’ a few times for abusing features. That taught me the humor of what privacy means to a site that really wants to sell me t-shirts and crawl the search history on my mobile phone to schlep advertisements, if I use their mobile application.

Wrapping this up with some dystopian nightmare: I see more and more corporations merging up into massive conglomerates. It feels like only yesterday Time Warner and Comcast merged, yet AT&T is preparing to buy Time Warner. By Time Warner I mean more than just the cable services as well. So much for reasonable internet prices. I mean, it’s pretty clear that balanced media reporting is a relic of the past, short of some slivers of the internet and print sources. In complaining about the media, I refer to the fault that comes from major networks only reporting from one perspective, so conservative outlets hone in on their pitch, while moderate or whatever you call Fox and not CNN also ignore highly relevant details, so they can pitch their sponsors’ agenda. Worst of all, leading people to argue about disinformation they get from controlled outlets, instead of combining multiple resources and trying to come to their own conclusion.

For what it is worth, hopefully instead of trying to support broken infrastructures, global society rolls up its sleeves and looks to put in new solutions, instead of band-aids for flawed infrastructure. In this case I mean things like replacing DNS and core network topology with a new back end, at least designed with some concept of preventing major issues from being so detrimental. Granted, global society applying similar methods to non-technical processes would be great too. I hope you enjoyed the rant :bunny:
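The "don't keep the key next to the protected data" point above, as an added example that is not part of the original post: per-user salts stored in the clear beside the hash (which is fine, that is what salts are for), plus a secret pepper folded in with HMAC that lives outside the database, so a dumped user table is not enough on its own to feed hashcat. PEPPER, ITERATIONS and the record format are my assumptions for the example; in production the pepper would come from the app's environment or a secrets store.

```python
"""Salted-and-peppered password storage. Example code added to this post, not
from the forum; PEPPER is a stand-in for a secret kept out of the database."""
import hashlib
import hmac
import os

# Assumption: in production this is read from the environment or a secrets
# store, never from a column in the same database as the hashes.
PEPPER = b"example-pepper-keep-out-of-the-database"
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The per-user salt stops precomputed tables. The pepper is applied with HMAC
    before PBKDF2, so a dumped table plus its salts still cannot be cracked
    offline without also stealing the pepper from wherever it really lives.
    """
    salt = os.urandom(16) if salt is None else salt
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("hunter2", record))                        # False
```

The iteration count is stored in the record on purpose: you can raise ITERATIONS later and old rows still verify, then re-hash them on the user's next successful login.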

Firewall Log Fun

This thread is ongoing, but let me start with the results I have from a year’s worth of dropped firewall connections.

  • January 2016: 228,376
  • February 2016: 253,698
  • March 2016: 244,374
  • April 2016: 494,842
  • May 2016: 611,021
  • June 2016: 259,013
  • July 2016: 529,243
  • August 2016: 406,937
  • September 2016: 2,096,766
  • October 2016: 264,421

Let’s jump back a minute. I am importing firewall logs for dropped connections into an MS SQL database. September, as you can see, is a fun month with 2,096,766 records.
Since my firewall is a Zyxel device, I gave a look at the .csv delimited log output. Easily enough, you can use the Data Import Wizard to spin the logs into some tables. Rough table-to-log structure is as such (one table per month; the hyphen in the table name needs bracket quoting in T-SQL):

CREATE TABLE [zy_2016-09] (
  time VARCHAR(50) NULL,
  source VARCHAR(50) NULL,
  destination VARCHAR(50) NULL,
  priority VARCHAR(50) NULL,
  category VARCHAR(50) NULL,
  note VARCHAR(50) NULL,
  sour_interface VARCHAR(50) NULL,
  dest_interface VARCHAR(50) NULL,
  protocol VARCHAR(50) NULL,
  message VARCHAR(250) NULL,
  col00 VARCHAR(250) NULL
);

I am having fun crawling some output. Typically it’s some sort of fancy OpSec not to say what type of network gear you run, but this is meant to be informative and hopefully helpful.
So let’s crawl some queries and output in the next post.
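The import-and-crawl loop above, as an added example that is not the forum's own queries: the same column layout as the table, loaded into SQLite (standing in for MS SQL so it runs anywhere) and queried for per-month totals, top source hosts and top destination ports. The log lines are constructed for the example, and I am assuming the Zyxel export writes source and destination as ip:port, which is what the substr/instr splitting relies on.

```python
"""Crawl Zyxel dropped-connection logs with SQL. Example code added to this post,
not from the forum; the CSV rows below are constructed, not real firewall output."""
import csv
import io
import sqlite3

# Same columns as the CREATE TABLE above. Assumption: source/destination come
# out of the Zyxel export as ip:port, as the constructed lines do.
COLUMNS = ("time", "source", "destination", "priority", "category", "note",
           "sour_interface", "dest_interface", "protocol", "message", "col00")

SAMPLE_CSV = """time,source,destination,priority,category,note,sour_interface,dest_interface,protocol,message,col00
2016-09-01 00:00:14,203.0.113.5:50123,198.51.100.10:23,notice,secure-policy,ACCESS BLOCK,wan1,lan1,tcp,Match default rule DROP,
2016-09-01 00:00:17,203.0.113.5:50124,198.51.100.10:2323,notice,secure-policy,ACCESS BLOCK,wan1,lan1,tcp,Match default rule DROP,
2016-09-01 00:01:02,198.51.100.77:40000,198.51.100.10:23,notice,secure-policy,ACCESS BLOCK,wan1,lan1,tcp,Match default rule DROP,
2016-09-01 00:03:45,203.0.113.5:50125,198.51.100.10:22,notice,secure-policy,ACCESS BLOCK,wan1,lan1,tcp,Match default rule DROP,
2016-09-01 00:09:10,192.0.2.200:1900,198.51.100.10:1900,notice,secure-policy,ACCESS BLOCK,wan1,lan1,udp,Match default rule DROP,
2016-09-01 00:11:30,203.0.113.5:50126,198.51.100.10:23,notice,secure-policy,ACCESS BLOCK,wan1,lan1,tcp,Match default rule DROP,
"""


def create_month_table(conn, table):
    """One table per month, named zy_YYYY-MM; the hyphen needs [] quoting."""
    cols = ",\n  ".join(
        f"{c} VARCHAR({250 if c in ('message', 'col00') else 50}) NULL" for c in COLUMNS)
    conn.execute(f"CREATE TABLE [{table}] (\n  {cols}\n)")


def import_csv(conn, table, text):
    """Stand-in for the Import Wizard. Table names are ours, not log data, so
    building them into the statement is fine; row values go through parameters
    so a crafted log line cannot inject into the INSERT."""
    rows = [tuple(r[c] for c in COLUMNS) for r in csv.DictReader(io.StringIO(text))]
    conn.executemany(f"INSERT INTO [{table}] VALUES ({','.join('?' * len(COLUMNS))})", rows)
    conn.commit()
    return len(rows)


def monthly_counts(conn, tables):
    """The per-month totals listed at the top of the post, in one query."""
    union = " UNION ALL ".join(
        f"SELECT '{t}' AS month, COUNT(*) AS drops FROM [{t}]" for t in tables)
    return conn.execute(union + " ORDER BY month").fetchall()


def top_sources(conn, table, n=5):
    """Drop the :port so a scanner cycling source ports collapses to one row."""
    return conn.execute(f"""
        SELECT substr(source, 1, instr(source, ':') - 1) AS src_ip, COUNT(*) AS drops
        FROM [{table}]
        GROUP BY src_ip
        ORDER BY drops DESC, src_ip
        LIMIT ?""", (n,)).fetchall()


def top_dest_ports(conn, table, n=5):
    """Which services the internet is knocking on (23 and 2323 is the Mirai pattern)."""
    return conn.execute(f"""
        SELECT protocol, substr(destination, instr(destination, ':') + 1) AS dport, COUNT(*) AS drops
        FROM [{table}]
        GROUP BY protocol, dport
        ORDER BY drops DESC, dport
        LIMIT ?""", (n,)).fetchall()


def load_demo(table="zy_2016-09"):
    """Build an in-memory database holding the constructed September rows."""
    conn = sqlite3.connect(":memory:")
    create_month_table(conn, table)
    import_csv(conn, table, SAMPLE_CSV)
    return conn


if __name__ == "__main__":
    conn = load_demo()
    print(monthly_counts(conn, ["zy_2016-09"]))
    print(top_sources(conn, "zy_2016-09"))
    print(top_dest_ports(conn, "zy_2016-09"))
```

The three queries are plain SQL and transfer to MS SQL as-is, except that SQLite's instr/substr become CHARINDEX/SUBSTRING there and LIMIT becomes TOP.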

Extra posts

Hello. Below I added 60 other posts relating to computer projects and threads from the Break Fix forum. Hopefully some of the information is helpful. I like to keep exploring and sharing what I believe makes sense. Thank you for visiting and reading.
whois funtimebliss.com
* since 2002 :) first time I typed the command for that, instead of using a webpage lookup

Active Directory re-design in production

The topic hook here is redesigning the Active Directory Organizational Units (OUs) of an existing network. Really, OUs are like subfolders of the Windows Users and Computers tree. I am working with a live domain structure, so before making any changes, the most important thing is knowing and documenting how it was / currently is, in case you move something and it breaks.
This especially applies to 3rd party applications linked into Active Directory. The OU path is like a network or folder path, and if the lookup that assigns user permissions goes through the AD / LDAP (Lightweight Directory Access Protocol) / Windows Challenge/Response (NTLM) mechanisms, then after assigning permissions to a user as below, moving them to a new OU and not updating that lookup in the app can break it, unless the app verifies the current path of that user account in its NTLM-style lookup.

DomainTree.local\OU_Name\Object_UserAccount

Point being, if I move Object_UserAccount into a different OU, or a deeper sub-OU on that domain, that lookup may very well be broken for the 3rd party app using AD for its lookup.

That is kind of long in the tooth, but in Windows land, especially when changing domain structure around, you can get some nasty snags. Documenting it as it was lets you see if the old path is defined in whatever 3rd party app or device you are working with. Also applicable are Group Policies and where they apply. Group Policy Management (gpmc.msc) on a domain controller will let you see which ones are applied and what OU they are linked to. Group Policies are a step of this, but I am not focusing on them for this thread. Knowing the old policies and what they apply to will be helpful on your rollout; in my case, some departments have printers auto-install based on their location. I note this to troubleshoot or recreate that behavior on the new side of the domain OUs.

Tools:
csvde.exe: This command-line tool will let you connect to your domain.local, pick a root OU, and export all those details to a CSV file. Along with some screenshots of the tree structure, this is a great method to know what OU path a user was in before you redesigned the tree and moved users around. This is especially the case when someone’s Windows or other app stops working after you move their account or machine around in the domain tree.

Excel or LibreOffice spreadsheet program: I use these especially in migrating a live domain to a new server. You have to clean the AD export up to the 8 relevant columns, as the rest of the data is made by the new domain controller, so importing the old stuff will just fail. Rambling point here is that when you add a new domain controller to an existing domain, it inherits the functional level of the existing domain. Server 2012 running at a Windows 2003 domain/forest functional level? No thank you, please don’t even.
You can and likely will use the spreadsheet for reference in the future, either to make sure you moved the user from the old to the new, correct path, or to debug why an app may have stopped working, and to trend a fix for anyone else who may have the same issue.

Great. We have a dump of users with their original path (in my case, over 100 sub-OUs for maybe 20 different business units). Sometimes people over-design systems. It can be intentionally confusing to dissuade others from making changes, or simply be over-designed for some fantasy projection of future growth, instead of something that works with the current setup yet is still scalable for later add-ons. In my opinion, empty folders are a BAD design call, especially in OUs. Sometimes the path is limited to a certain number of characters, so 50 of those characters being empty sub-folder paths is just a shitty design call.
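The "document where every account lived before you move it" step, as an added example that is not part of the original post: a parser for the distinguished names in a csvde export that turns each DN into the folder-style path used above, diffs a before and after export to list the accounts whose container changed (the ones whose app lookups may now be broken), and flags OUs that contain nothing, which is the empty-sub-OU complaint at the end. The export rows are constructed, DomainTree.local is the post's placeholder domain, and I am assuming the files came from something like csvde -f before.csv -d "DC=DomainTree,DC=local". The DN splitter handles backslash-escaped commas ("Smith\, John"), which a plain split on commas gets wrong.

```python
"""csvde export -> account-to-OU-path map, before/after diff, and empty-OU check.
Example code added to this post, not from the forum; the rows below are constructed.
Assumed source: csvde -f before.csv -d "DC=DomainTree,DC=local" """
import csv
import io

BEFORE = """DN,objectClass,sAMAccountName
"OU=Departments,DC=DomainTree,DC=local",organizationalUnit,
"OU=Accounting,OU=Departments,DC=DomainTree,DC=local",organizationalUnit,
"OU=Shipping,OU=Departments,DC=DomainTree,DC=local",organizationalUnit,
"OU=Empty2,DC=DomainTree,DC=local",organizationalUnit,
"OU=Empty1,OU=Empty2,DC=DomainTree,DC=local",organizationalUnit,
"CN=Smith\\, John,OU=Accounting,OU=Departments,DC=DomainTree,DC=local",user,jsmith
"CN=Jane Doe,OU=Shipping,OU=Departments,DC=DomainTree,DC=local",user,jdoe
"""

# Same domain after the redesign: jsmith moved to a new top-level Finance OU.
AFTER = """DN,objectClass,sAMAccountName
"OU=Finance,DC=DomainTree,DC=local",organizationalUnit,
"CN=Smith\\, John,OU=Finance,DC=DomainTree,DC=local",user,jsmith
"CN=Jane Doe,OU=Shipping,OU=Departments,DC=DomainTree,DC=local",user,jdoe
"""


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped.
    'CN=Smith\\, John' is one RDN; dn.split(',') would cut it in two."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def ou_path(dn):
    """Container of an object as a folder-style path, e.g. DomainTree.local\\Departments\\Accounting."""
    rdns = split_dn(dn)[1:]  # drop the object's own RDN
    dcs = [r[3:] for r in rdns if r.upper().startswith("DC=")]
    ous = [r[3:] for r in rdns if r.upper().startswith("OU=")]
    return "\\".join([".".join(dcs)] + list(reversed(ous)))


def rows(export_text):
    return list(csv.DictReader(io.StringIO(export_text)))


def account_paths(export_text):
    """sAMAccountName -> OU path for every user object in the export."""
    return {r["sAMAccountName"]: ou_path(r["DN"])
            for r in rows(export_text) if r["objectClass"].lower() == "user"}


def moved_accounts(before, after):
    """Accounts whose container changed: check these against 3rd party app lookups."""
    return {a: (before[a], after[a]) for a in before if a in after and before[a] != after[a]}


def empty_ous(export_text):
    """OUs with no child object at all in the export."""
    all_rows = rows(export_text)
    parents = {ou_path(r["DN"]) for r in all_rows}
    out = []
    for r in all_rows:
        if r["objectClass"].lower() == "organizationalunit":
            own = split_dn(r["DN"])[0].split("=", 1)[1]
            full = ou_path(r["DN"]) + "\\" + own
            if full not in parents:
                out.append(full)
    return sorted(out)


if __name__ == "__main__":
    before, after = account_paths(BEFORE), account_paths(AFTER)
    print(before)
    print(moved_accounts(before, after))
    print(empty_ous(BEFORE))
```

Keep the before export read-only once the move starts; the diff is only meaningful against the untouched original.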

Logo clean

Pardon the prior header image. I had it up from prior years. I like to think I have normalized some progress and a smidge of coherence, at times.
Explore every day for those of us who are no longer with us. Respect and salute to them. That is my opinion on resolve.


Flashback topic

Thanks again to everyone who came out to the Open House @ Philly Secure Shell. I handed out some stickers with the BlissPC.com address, so I wanted to share a 2014 thread about Bitcoin miner malware. A random note: use Google and type ‘bitcoin miner site:funtimebliss.com’. You will get the first result, but it looks like there is some redirect poisoning going on there. It bounces to a URL4SHORT_info page. I have to explore that some more.

 

A friendly reminder that I do not do the advertiser thing on the site, as I believe in sharing information and not exposing people to advertiser traffic and potential infection by way of poorly moderated advertising networks. I have had the forums up for about 13 years now and plan to keep doing so. When I jump into hardware or software reviews, I do so from my own opinion and observations. No one has, nor ever will, send me a free product to review without that being clearly defined as the scenario. Even if that were to occur, I would still be critical.

Pardon the blurb, but I really felt this needed to be a front-page post and known reminder. I have purchased products and services before with known issues that were never shared at launch, due to review deals and all sorts of other anti-consumer deals. There is no support for that here, nor will there ever be. I’m into this for sharing information and learning more from people I chat with and meet. Now that I have shared some of my ethos, allow me to drop a link for our hackerspace in South Philadelphia, PA.
http://www.secshell.com/

I speak as me, a real person who is occasionally (too often) grumpy. I do try to be nice though :bunny:

 

Cisco Noob Guide

Especially on old-school devices, you might find no one logged any of the network topology and config details. If you are lucky (depends on your outlook) there is no password on the console connection. To connect over console you need a console (rollover) cable: RJ-45 on the switch side, DB-9 serial (or a USB-to-serial adapter) on your config machine. If you do have a password on the console port, hopefully it’s something from your list of other device passwords. Probably a privilege level 15 account.

We will be in the CLI, so all those nice GUI configs you are used to with newer devices are not at your disposal. So here is a guide for logging in, going into enable mode, then showing certain configurations. This can help you map a network out, especially if you inherited it and want to document and know how it really functions.

Starting out (run a cable from the console port on said switch to your machine’s serial port):

  • Use PuTTY or a similar application to open a serial connection to COM1 (check Device Manager for the actual COM number if you are on a USB adapter). Cisco console defaults: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
  • Press Enter twice. You should then see a console prompt of some sort.
  • Log in when prompted for a password (or carry on if there is none).
  • Type ‘en’ (short for enable) without the quotes. This takes you to privileged EXEC (enable) mode and the prompt changes from ‘>’ to ‘#’. Configuration mode is a separate step (‘configure terminal’) that you do not need just to look around.
  • show ? will give you a list of available show commands.
  • Start with show version to get an idea what platform and version of IOS (or PIX) you are dealing with.
  • show running-config will show you the currently running device configuration. Feel free to archive this into a flat file for reference later: turn on PuTTY’s session logging first, and run terminal length 0 so the output is not paged one screen at a time.
  • show vlan (or show vlan brief) is huge if you need to know the VLANs defined on the network.
    Note: Your core switch will have them defined, then other devices can reference those VLANs and route accordingly. If you do not have a VLAN defined somewhere, it will be useless to use as a target.

 
 

That’s my primer on dorking your way through some older Cisco devices. Granted, these methods will work or be very similar in current CLI-based Cisco sessions. Happy explorations.
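Once the running-config is archived to a flat file, the mapping step above can be automated. This is an added example, not part of the original guide: it parses the vlan and interface blocks of a saved show running-config, groups access ports by VLAN, and flags any port or trunk that references a VLAN the switch never defined (the "useless target" case in the note). The config text is constructed; DEFAULT_VLANS covers the Catalyst built-in VLANs (1 and 1002-1005) that exist without a vlan block in the config.

```python
"""Map an inherited switch from a saved 'show running-config'. Example code added
to this post, not from the forum; SAMPLE_CONFIG is constructed, not a real device."""
import re

# Catalyst default VLANs that exist without appearing as 'vlan N' in the config.
DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}

SAMPLE_CONFIG = """\
!
hostname inherited-sw1
!
vlan 10
 name Users
!
vlan 20
 name Printers
!
interface GigabitEthernet0/1
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 30
 switchport mode access
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
"""


def expand_vlan_list(spec):
    """'10,20,30-32' -> [10, 20, 30, 31, 32] (IOS allowed-vlan syntax)."""
    out = []
    for chunk in spec.split(","):
        lo, _, hi = chunk.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def parse_running_config(text):
    """Return ({vlan_id: {'name': ...}}, {iface: {mode, access_vlan, trunk_vlans, description}})."""
    vlans, interfaces, section = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            section = None  # '!' closes a config block
            continue
        if not raw.startswith(" "):  # a top-level command
            m = re.match(r"vlan (\d+)$", raw)
            if m:
                section = ("vlan", int(m.group(1)))
                vlans.setdefault(section[1], {"name": None})
                continue
            m = re.match(r"interface (\S+)$", raw)
            if m:
                section = ("iface", m.group(1))
                interfaces[m.group(1)] = {"mode": None, "access_vlan": None,
                                          "trunk_vlans": [], "description": None}
                continue
            section = None
            continue
        if section is None:
            continue
        line = raw.strip()
        kind, key = section
        if kind == "vlan":
            m = re.match(r"name (.+)$", line)
            if m:
                vlans[key]["name"] = m.group(1)
            continue
        iface = interfaces[key]
        if line.startswith("description "):
            iface["description"] = line[len("description "):]
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m:
            iface["access_vlan"] = int(m.group(1))
        m = re.match(r"switchport mode (\w+)$", line)
        if m:
            iface["mode"] = m.group(1)
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", line)
        if m:
            iface["trunk_vlans"].extend(expand_vlan_list(m.group(1)))
    return vlans, interfaces


def undefined_vlan_refs(vlans, interfaces):
    """(interface, vlan) pairs that reference a VLAN this switch never defined."""
    known = set(vlans) | DEFAULT_VLANS
    hits = []
    for name, iface in sorted(interfaces.items()):
        refs = set(iface["trunk_vlans"])
        if iface["access_vlan"] is not None:
            refs.add(iface["access_vlan"])
        hits.extend((name, v) for v in sorted(refs - known))
    return hits


def ports_by_vlan(interfaces):
    """Access ports grouped by VLAN: the quick network map."""
    out = {}
    for name, iface in sorted(interfaces.items()):
        if iface["access_vlan"] is not None:
            out.setdefault(iface["access_vlan"], []).append(name)
    return out


if __name__ == "__main__":
    vlans, ifaces = parse_running_config(SAMPLE_CONFIG)
    print(vlans)
    print(ports_by_vlan(ifaces))
    print(undefined_vlan_refs(vlans, ifaces))
```

Run it over the archived config from each switch in turn; a VLAN that is referenced on an edge switch but only defined on the core shows up here as a finding you then resolve against the core's show vlan.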

VMWare ESXi on Gaming PC

Good morning. I took on an attempt to install ESXi 6.0 onto a hard drive in my gaming PC. I ran into a few modifications I needed to make, but luckily nothing too intense.

Starting out, I will rattle off my relevant PC specifications:

  • Intel i5-4690k @ 3.5 GHz
  • Asus Maximus Hero VII BIOS (3103)
  • 32 GB Corsair Vengeance DDR3 1600
  • 500 GB SATA WD Hard Drive (Non-SSD)

 
OK, so we’ll get started with an ESXi install CD. Upon boot up, I did not see any drives I could install to. At first I thought I had to mark the drive active, since I did a 3-pass wipe of it prior, but that was not the case. Turns out I had to jump into my BIOS and set my drive mode to RAID, instead of SATA that I had it set to.
There is no need to build a RAID array (in my case, I’m using the Intel Z97 chipset that is the onboard SATA controller on my motherboard). I am running a test build; otherwise a redundant RAID set should be a priority.

Once the RAID mode is set for your SATA Mode Selection (under Advanced > PCH Storage Configuration in my BIOS), you should now see a drive you can install ESXi to. Also in your BIOS, if you have not already turned on Intel VT-x virtualization support, enable that as well.

Now that we have an install going, set your root password and when the install finishes, reboot. On my first boot up without a network cable plugged in, I got the following message as it stuck in the boot process:

dvfilter-generic-fastpath: loaded successfully

I started to research this and was going to splunk the log files, but I rebooted and it loaded successfully. As I have experience with supporting and deploying fresh XenServer installs, this hypervisor looks nearly identical in ESXi.

Once it boots up, connect to the IP address by web browser to install the client tools, if you have not done so already. The tools are sadly confined to working best in a Windows environment for your client software, but there is a web interface as well. I am currently putting a Kali Linux install on via the web interface for ESXi, from my Mac.

That concludes my start-to-hypervisor-online install of ESXi. My gaming computer picked up another skill as a virtualization server. I also have a Core 2 Duo refurb I will try the same for, but since that one is an OEM HP machine, the BIOS features for Hyper-V and RAID support may be absent.

South Philly Hackerspace

Since I have been fairly light on the forums, I wanted to make a thread about our new Philly Secure Shell hackerspace. I have been helping set up the location, while Leo has been doing all the coordination, paperwork and intricate work.

We are in the Bok building, so you can also check out Hive 76 (different space, same building), a hardware hackerspace in the building that has been around for some time now. As for Secure Shell, we just got into the building this month and had a local CTF trial this weekend.

 

https://twitter.com/SecShellPhilly <- Twitter page for our group. We have been around for just over a year now and made the jump to getting a space as well. Feel free to come check us out; we have a Meetup page too, for monthly meets and events as they pop up.

http://www.meetup.com/Philly-Shell-info-sec-meetup/ <- Meetup page.

Personally, I’m into hardware, data recovery and log crawling with SQL database log data archiving & trending. I’m a fan of chatting and sharing ideas, so this space will be an excellent venue for that. Shameless plug for 2600 First Fridays as well. I tend to make most all of the local meetups @ 30th Street Station by the Taco Bell near Bridgewater’s bar. It’s a really fun time to get out IRL and chat IT or just crack some jokes. Highly advised, especially if you thought about it but never got around to it yet.