A blog about generally interesting infosec stuff.

Sunday, 16 February 2014

Forbes Cracked Passwords from Feb 2014

Did a really quick analysis of the Forbes password hashes leaked by the Syrian Electronic Army earlier. From the 1,071,734 password hashes that hashcat recognised as WordPress, 2713 were cracked in about 30 minutes.

No switches, GPUs, rules or anything else were used: I just used the unedited top 25 passwords from the top 10,000 list published by Mark Burnett (xato.net) -> blog post here

The results show that 975 people have 123456 as a password. Some things never change! The top 25 cracked hashes follow:

fully@SQ:~/hc$ cat forbescracked.txt|cut -d : -f 2| sort|uniq -c|sort -r -n
    975 123456
    534 password
    159 qwerty
    147 12345678
    146 abc123
    111 111111
     75 letmein
     66 monkey
     64 baseball
     62 1234567
     50 shadow
     35 michael
     32 jordan
     31 dragon
     29 superman
     29 master
     28 mustang
     28 football
     25 harley
     23 jennifer
     22 696969
     21 12345
     18 1234
      2 2000
      1 pussy
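To show what the cracking step actually does, here is an added example that is not code from the original post. The post ran hashcat over the dump; this is a pure-Python re-implementation of the phpass "portable" hash that WordPress stores (the $P$B... strings hashcat recognised as WordPress), a dictionary loop over the top of the list the post used, and the same uniq -c style tally. The sample users, salts and plaintexts are constructed, not from the leak.

```python
"""Dictionary attack on WordPress (phpass "portable") hashes, pure Python.

Added example, not code from the post: the post ran hashcat over the leaked
dump; this re-implements phpass's crypt_private() so the same top-N attack can
be run offline against a constructed, labelled sample and tallied the way the
post's  cut | sort | uniq -c | sort -rn  pipeline does.
"""
import hashlib
from collections import Counter

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, low bits first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Hash `password` under `setting`, the first 12 chars of a stored hash:
    "$P$" + cost character + 8-character salt.

    MD5(salt + password), then 2**cost further rounds of MD5(digest + password).
    WordPress uses cost character "B" (2**13 = 8192 rounds).
    """
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    cost = ITOA64.index(setting[3])
    if not 7 <= cost <= 30:
        raise ValueError("cost out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << cost):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def crack(hashes: dict, wordlist: list) -> dict:
    """user -> password for every stored hash that some wordlist entry reproduces."""
    found = {}
    for user, stored in hashes.items():
        setting = stored[:12]  # salt and cost are public: they are part of the hash
        for guess in wordlist:
            if phpass_hash(guess, setting) == stored:
                found[user] = guess
                break
    return found


def tally(found: dict) -> list:
    """Equivalent of `cut -d : -f 2 | sort | uniq -c | sort -rn`: (password, count), most common first."""
    return Counter(found.values()).most_common()


# Top of the list the post cracked with (the first ten entries in its output).
TOP_GUESSES = ["123456", "password", "qwerty", "12345678", "abc123",
               "111111", "letmein", "monkey", "baseball", "1234567"]

# Constructed sample: user -> (8-char salt drawn from ITOA64, plaintext). Not real Forbes data.
SAMPLE_PLAINTEXTS = {
    "alice": ("8kZ0q3Lx", "123456"),
    "bob":   ("Qm1nT9.a", "password"),
    "carol": ("zz/4Hb2Y", "123456"),
    "dave":  ("Lp7sW0eR", "correcthorse"),  # not in the wordlist, stays uncracked
    "erin":  ("b3Nv8Ck1", "qwerty"),
}
SAMPLE_HASHES = {u: phpass_hash(pw, "$P$B" + salt) for u, (salt, pw) in SAMPLE_PLAINTEXTS.items()}

if __name__ == "__main__":
    cracked = crack(SAMPLE_HASHES, TOP_GUESSES)
    print(f"{len(cracked)}/{len(SAMPLE_HASHES)} cracked")
    for pw, n in tally(cracked):
        print(f"{n:>8} {pw}")
```

Each guess costs 8,193 MD5 calls per hash, which is why even a 25-word list takes hashcat (mode 400) minutes over a million hashes and why this format is far better protected than unsalted MD5: the salt is in the hash, so nothing is hidden, only the cost per guess is raised. The implementation follows phpass's crypt_private() and encode64() step for step and can be checked against the test vector shipped in the phpass distribution's test.php.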

Thursday, 16 January 2014

Microsoft Windows Unquoted Service Path Exploit

It's been over a year since Nessus added a credentialed check for this Windows issue, and it showed up again on a recent test. If you're not aware of the issue, http://www.commonexploits.com/unquoted-service-paths/ has a great write-up and is referenced in the associated Nessus plugin (Nessus plugin ID 63155).

In a nutshell, the problem is a service whose ImagePath in the registry (under HKLM\SYSTEM\CurrentControlSet\Services) contains spaces but is not enclosed in quotes. Windows resolves an unquoted command line by trying each space-delimited prefix of it as an executable name, so anyone who can write to one of the intermediate directories can plant a binary that runs with the service's privileges (commonly LocalSystem) the next time the service starts. Believe it or not, when Windows sees C:\Program Files\Test App\app.exe it tries to run, in order:

C:\Program.exe
C:\Program Files\Test.exe
C:\Program Files\Test App\app.exe

On the Common Exploits blog Daniel has given us a handy command to check for vulnerable services (auto-start, outside C:\Windows, path containing no quote character):

C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

I ran that on a system and got the following results:

CorsairSSDTool  CorsairSSDToolBox  C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto
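The following is an added example, not code from the post or from the Common Exploits write-up. It parses the columns that `wmic service get name,displayname,pathname,startmode` prints (the sample table is constructed; two rows mirror the hits above), reproduces the chain of candidate executables Windows tries for an unquoted path containing spaces, and reports which candidate an attacker could plant given a list of directories assumed writable by low-privileged users. That list is hard-coded here as an assumption; on a real host you would establish it with icacls or Get-Acl.

```python
"""Unquoted service path triage: what CreateProcess tries, and which services are exposed.

Added example, not from the post or the Common Exploits write-up. Parses the
padded table wmic prints (sample below is constructed), enumerates the
candidate executables Windows tries for an unquoted ImagePath with spaces, and
flags candidates whose directory is in an assumed attacker-writable list.
"""
import re

# Constructed wmic output. Columns are separated by runs of 2+ spaces, as wmic pads them.
WMIC_OUTPUT = r"""
Name                           DisplayName          PathName                                                    StartMode
CorsairSSDTool                 CorsairSSDToolBox    C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe      Auto
Internet Pass-Through Service  PassThru Service     C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe  Auto
GoodVendorSvc                  Good Vendor Service  "C:\Program Files\Good Vendor\svc.exe" -run                 Auto
Spooler                        Print Spooler        C:\Windows\System32\spoolsv.exe                             Auto
LazyTool                       Lazy Tool Updater    C:\Program Files\Lazy Tool\updater.exe                      Manual
"""


def parse_wmic(text: str) -> list:
    """Turn wmic's space-padded table into dicts keyed by the header names."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for ln in lines[1:]:
        fields = re.split(r"\s{2,}", ln.strip())
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def candidate_executables(image_path: str) -> list:
    """Executables CreateProcess tries, in order, for a service ImagePath.

    A quoted path names exactly one file. An unquoted path is split at every
    space and each prefix is tried in turn; ".exe" is appended when the prefix's
    last component has no extension. Heuristic: the chain ends at the first
    prefix that itself ends in ".exe", since that is the intended binary and
    anything after it is arguments.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1:path.index('"', 1)]]
    tokens = path.split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last = prefix.rsplit("\\", 1)[-1]
        tried.append(prefix if "." in last else prefix + ".exe")
        if prefix.lower().endswith(".exe"):
            break
    return tried


def unquoted_space_services(rows: list, skip_prefix: str = "c:\\windows\\") -> list:
    """The post's filter, done on fields rather than whole lines: auto-start,
    not under C:\\Windows, path not quoted, and containing at least one space."""
    hits = []
    for r in rows:
        p = r["PathName"]
        if r["StartMode"].lower() != "auto" or p.lower().startswith(skip_prefix):
            continue
        if p.startswith('"') or " " not in p:
            continue
        hits.append(r)
    return hits


def plantable(image_path: str, writable_dirs: list):
    """First candidate whose parent directory is in the assumed-writable list, else None."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    for cand in candidate_executables(image_path):
        parent = cand.rsplit("\\", 1)[0].lower()
        if parent in writable:
            return cand
    return None


def triage(rows: list, writable_dirs: list) -> list:
    """For each flagged service: the candidate chain and the first plantable path, if any."""
    return [{"service": r["Name"],
             "candidates": candidate_executables(r["PathName"]),
             "plantable": plantable(r["PathName"], writable_dirs)}
            for r in unquoted_space_services(rows)]


if __name__ == "__main__":
    # Assumption for the demo: the Corsair install directory has a weak ACL.
    ASSUMED_WRITABLE = [r"C:\Program Files\Corsair SSD Toolbox"]
    for entry in triage(parse_wmic(WMIC_OUTPUT), ASSUMED_WRITABLE):
        print(entry["service"])
        for c in entry["candidates"]:
            print("   tries:", c)
        print("   plantable:", entry["plantable"])
```

Two caveats the one-liner hides: `findstr /i "auto"` matches the whole line, so a service whose name or path merely contains "auto" slips through the filter, and an unquoted path is only exploitable if some directory on the chain is writable and the service can be restarted (or the host rebooted). wmic is deprecated on current Windows; `Get-CimInstance Win32_Service` returns the same columns.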

Metasploit has a privilege escalation module to take advantage of this, but I couldn't find a simple standalone way of showing a proof of concept for this issue. Taking the easy option and copying cmd.exe to the path fails to execute, as it is not a proper Windows service application, so we decided to write our own service to demo this!

Monday, 9 December 2013

Facebook Badness

As an infosec company we don't tend to blog about Facebook scams such as "Free £100 Tesco voucher" or "Apple is giving away 1000 iPads because the boxes are scuffed" (surely a new box is cheaper, and we'd be here all day tracing them!).

However, this one piqued our interest as it is something that could just as well affect a company as an individual. This is pretty much a classic phishing exercise with a bit of social engineering thrown in for good measure. It's quite well executed though, so on with the details.

I had a private Facebook message from a family member come through which cc'd a number of other family members/friends. This is what the message looked like (blurred to protect the innocent!):


Alarm bells started ringing: a PM with a generic message and a URL shortened using "t.co", which is a classic obfuscation technique. The "Facebooky"-looking thumbs up adds a certain amount of credibility, as it was posted by another family member; surely they can be trusted, right?

Friday, 14 September 2012

44Con - Cracking Lotus Domino Passwords

Following my presentation on penetration testing in a Notes/Domino environment (slides will be uploaded soon!) I had a couple of queries about the software used in the Notes ID file password cracking demo and where to download the local access protection tool.

The software was Passware's latest and greatest "Passware Password Recovery Kit Forensic V12", a beta version of which their marketing manager, Nataly, had kindly allowed us to use for 44Con.

The difference between this software and any of the others that we've tried is that this allows multiple ID files to be loaded in and cracked in a batch along with other file types!

Thursday, 30 August 2012

SmartScreen Filter Revisited

Following up on last year's blog post about Microsoft downloading potentially private/sensitive files because of the SmartScreen filter, we thought we'd take a look at IE10 on Windows 8. The files used in testing were old versions of cmd.exe, so they should be "known good" on any whitelist.

Yet again we found that files that you download are hoovered up by Microsoft servers a short time after!

Thursday, 26 April 2012

Bsides London Challenge 6 Solution

As it's the day after Bsides London which was excellent with some talented presenters I thought I'd post my solution to challenge 6 - Finding Nero.

Linky --> Bsides_Walkthrough.pdf

Enjoy!
Fully

Thursday, 9 February 2012

Foxconn Lotus Domino Breakdown

Following Swagg Security's release of some Foxconn info (http://pastebin.com/DbHu7xCQ) I thought I'd take a quick look at the Lotus Notes stuff they posted whilst munching my sarnies. Please note that this is a quick (20 minute) crack/breakdown and not a week of real research!

The leaked "MailUsers.txt" file in the torrent contained two Domino hash formats: the weak, unsalted one (user1) and the salted one (user2):
user1:D3D44EED37928E47777F1B6C937F4068
user2:(GcE5LxKhZO5riNHlvasU)