Hak5 Forums

About IDNeon

  • Rank: Hak5 Fan +
  1. Bind two or more wifi networks

    Just curious, but do you have two independent wifi adapters for your host?
  2. Mimikatz Hosting

    Lol, this gives me a strange idea. Can you use VirusTotal as your host, since apparently they let you download content that's been uploaded?
  3. Network of Compromise

    There's a question in there somewhere for anyone interested in discussing. This isn't really a thread about networking. The question is: based on the assumption of APT activity within a compromised network, does the remediation logically address the issue, such that the defender can say they have effectively wiped out the network of compromise and an attacker has to essentially start over from scratch? I think the methodology is on the right track, and I believe that subnetting and disabling certain services, remote features, etc., will box in the attacker so that their lateral movement is hindered significantly. Also, is "network of compromise" a reasonable and effective way of defining attacker activity such that it can be effectively targeted? After all, language precedes action, and if the activity is not accurately defined then the action to remediate it will be the wrong action.
  4. Network of Compromise

    I can't go into explicit details, but I would like some feedback on a concept I'm working on as part of the security architecture document I've also created a thread about. The network of compromise represents all the compromised machines in your network. The idea is that if you wipe one compromised machine, the command and control within this network of compromise can recapture the wiped machine. If the command and control machine is wiped, then any other machine in the network of compromise can be promoted to a command and control device. Because the network of compromise may consist of different agents and back ends, you may find some compromised machines, wipe them, but leave others that were not known, which then restore the network of compromise.

    The security architecture I'm currently researching to combat this functionality of the network of compromise is subnets and VLANs, ideally preventing any compromised machine from compromising other machines laterally. This assumes the network/server core, which must be visible to all machines, has been secured by other means and won't be laterally compromised. If you can narrow how many machines are visible laterally, ideally to one machine, then you can wipe all machines that are part of that subnetwork when one of those machines is found to be compromised. Theoretically this would nuke the entire network of compromise. Doing this will prevent the network from being able to be restored and would return an APT to having to compromise a machine again through whatever other methods, which are more difficult than relying upon a command and control and other back doors.
  5. Security Architecture

    Update: some areas of focus have emerged. The goal continues to be to compartmentalize authenticated users so that a compromise in one compartment does not compromise the other. This leads to the concept of the server compartment being the core, while the other compartment or compartments (note the multitude) are for the endpoints. The problem here to be addressed is what happens to the compartmentalization when IT employee Bob tries to log in to a workstation with server-admin credentials. Through various technical controls I've narrowed it down as far as: the authentication request is sent but not validated, and no session key is returned. However, is this enough? From that compromised workstation the attacker now has half of the key: the authentication request. Can they pass this to another computer where server-admin is allowed a logon? Or are there specifics to each request that prevent this pass? Depending on that answer, compartmentalization may be achieved.

    As for another issue: compromised endpoints may make up a network of compromised devices with a command and control link. You may wipe one or several devices, even the current C&C, but as long as one compromised endpoint exists to take over as C&C then the attacker can continue to operate and expand in your network. To isolate this potential may require extreme subnetting: a subnet with proper access control, where each endpoint only communicates outside of that subnet through its core. Then it is possible to isolate this network of compromise to just that subnet, in which case you can wipe all the endpoints in the subnet to nuke any C&C that would restore the network of compromise. That concept is only starting to be developed, but I think it's a step in the right direction.
  6. Security Architecture

    So I have begun building the outline for this comprehensive topic. The paper as I'm currently working on it includes: logical controls, control mechanisms, technical controls. These three things describe the intention of your controls (logical controls), the bridge between your intentions and how to achieve those intentions (control mechanisms), and the controls as actually applied in a system, such as GPOs (technical controls). Similar to programming, you have a problem, pseudocode to describe how to solve the problem, and then the actual code that solves the problem. The logical control continually asks the question: do my technical controls meet the objective? And the logical control should be an effective objective.

    In the paper I begin to identify logical controls and attempt to briefly explain why they are effective, using citations to source material. For instance:

    Logical control - limit users to workstations only. Reason? Pass the hash and other lateral attack methods.
    Control mechanism - deny local logon, GPO controlling RDP, AD property "logon computer".
    Technical controls - these would be the exact procedure to implement (for instance) Deny/Allow local logon, with the intended outcome (user cannot log into a server locally, but admins can).

    This method can be expanded to all strategic objectives, described in this manner, then drilled down individually with citations for each method and discussions of how each method is effective.
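As an added example (not from IDNeon's posts or paper), the PowerShell below implements the "limit users to workstations only" control that posts 5 and 6 describe, using two of the control mechanisms named there: the AD "Log On To" property (the LogonWorkstations attribute, set here with Set-ADUser) and the "Deny log on locally" user right that a GPO would push to servers (read back here with secedit so you can check the technical control actually landed). The OU, workstation names and domain are assumptions for illustration; it needs the RSAT ActiveDirectory module and an elevated prompt for the secedit part.

```powershell
# Added example, not from the original post. Assumed names throughout:
# users live in OU=Staff,DC=corp,DC=example and may use WS-001 / WS-002.
Import-Module ActiveDirectory

$StaffOU = 'OU=Staff,DC=corp,DC=example'          # assumption
$AllowedWorkstations = 'WS-001,WS-002'            # assumption; NetBIOS names, comma separated

function Set-WorkstationOnlyLogon {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Workstations
    )
    # LogonWorkstations is the "Log On To..." list in AD Users and Computers.
    # The DC evaluates it at logon, so a user restricted to WS-001/WS-002
    # cannot start a session on a server even if a GPO elsewhere is misapplied.
    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        Set-ADUser -Identity $_ -LogonWorkstations $Workstations
    }
}

function Get-UnrestrictedUsers {
    param([Parameter(Mandatory)] [string] $SearchBase)
    # Audit step: an empty LogonWorkstations means "any computer in the domain",
    # i.e. the gap the logical control is supposed to close.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) } |
        Select-Object SamAccountName, DistinguishedName
}

function Get-DenyInteractiveLogon {
    # Read the effective "Deny log on locally" right on this machine. The right
    # is assigned via GPO (Computer Configuration > Windows Settings > Security
    # Settings > Local Policies > User Rights Assignment); secedit exports the
    # resulting policy so the technical control can be verified on a server.
    $cfg = Join-Path $env:TEMP 'secpol-check.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight' |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Format in the .inf is "SeDenyInteractiveLogonRight = *S-1-5-32-545,*S-1-..."
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.TrimStart('*') }
}

# Apply the control, then show who is still unrestricted (should be empty).
Set-WorkstationOnlyLogon -SearchBase $StaffOU -Workstations $AllowedWorkstations
Get-UnrestrictedUsers -SearchBase $StaffOU

# On a server: which SIDs/accounts are denied local logon? Expect the Domain
# Users SID (S-1-5-21-<domain>-513) here if the GPO from post 6 is in force.
Get-DenyInteractiveLogon
```

The two halves check each other: LogonWorkstations is enforced per user by the DC, while the deny-logon right is enforced per computer, so a user slipping through one still hits the other. Run Get-UnrestrictedUsers after every bulk change and Get-DenyInteractiveLogon on a sample of servers, since a GPO that is linked but filtered out leaves the server's policy unchanged.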
  7. Security Architecture

    Something I'm working on, while desperately trying to avoid "reinventing the wheel", is Security Architecture. What that entails is building a network so that all its components are secure. But not with the frame of mind that vulnerabilities are patched and best practices are implemented. Rather, from the frame of mind that attacks work on certain strategic principles, and to prevent those principles from ever being exploited in the first place. For instance, in the most basic sense: an attacker controls a workstation and seeks privilege escalation or other credentials. In most networks this workstation might have an administrator profile that was once logged in. Theoretically an attacker could use the credentials of that account to access other parts of the network. Security Architecture attempts to implement compartmentalization completely, so that this is not the case.

    The problem I run into is effectiveness. For instance, enforcing compliance so that the implementation cannot simply be bypassed. That's where my skill as a technical hacker is limited, and where I tend to do better with the theoretical. If all good soldiers made good generals then all soldiers would be generals. That maxim simply illustrates that a strategist need not necessarily be a good tactician or technician. But it would greatly help for me to have some pool of talent who are technically competent to help see the areas they would attack, so that I can integrate a proper implementation of a technical control to prevent the purpose of the exploit from ever existing.

    The problem gets deeper and deeper as you explore each part. For instance, if the goal is to isolate admin credentials so that compromised workstations won't also compromise servers, then you have to enforce policies that limit domain users from logging onto servers at all. If so, then which servers? Because those users may need some servers to be accessible. Then how to prevent all sorts of other pathways of attack? What about hash passing? Man in the middle during remote logins? Basically the architecture would have to isolate each facet while keeping the intended purpose working properly. For instance, if servers and workstations are on the same subnet then theoretically an attacker could packet capture and determine credentials, or poison packets intended for servers. So part of the architecture must include proper subnetting for that reason. On that note, I'll leave it there for now. I have been drawing out a high-level diagram to help me sort out the many parts. When it's complete I can possibly share it, with the intention of drilling down deeper into each element.
  8. What types of Hackers?

    I'm just writing this as a general fun topic to enumerate all the facets of this gem, each person inputting whatever comes to mind. I do know there are defined stages of hacking and a more or less defined tool set; this isn't so much about that as it is about the philosophy of the whole matter. That is, how do you approach the problem? I hope this would be more for a beginner to just come into this thread and read and get an idea of what to expect on their own journey. Nothing really fancy.

    I don't know what category I fall into anymore; I always consider myself a problem solver more than anything. And the most recent problem I had to solve was uninstalling an AV locked with password protection but unable to authenticate home and riddled with errors (missing folder structures, non-standard install paths, corrupted files). I did it... and that got me to thinking, well, what kinds of hackers are there? Because it seems Hak5 specializes mostly in the network CnC side of things: can you recon an environment and take control of a machine? That seems to be where most of the posts focus. And to be honest, I'd love to get more into that but have very little time involved in that. I find myself more often "reverse engineering" systems. Not even code; for instance, in the above scenario I thought about using a debugger to examine the code of the program, but in the end figured that was too involved for the task at hand. It was much easier to just follow the errors and rebuild the damaged product that way. I suppose there are the hackers which do reverse engineer code. I've only just started getting into debugging, but as I mentioned above, it seems debugging is often a little too overkill for reverse engineering a system. Systems often have warnings and errors and logs to tell you what's going on, and you can determine a lot from fiddling with or breaking those.

    So far that would seem to give two main branches: Network and Systems, and Coding, which leads to the actual exploits. And tools like Metasploit give a networker the leverage needed to exploit a system. So maybe instead of those categories there are two types of hackers: the methodical, and the problem solver. They aren't mutually exclusive. Rather, it's just the approach you may take. I can see a methodical person excelling at using the tool sets in Kali, having a system in place, going through checklists. But then there's always the problem solver, which is the end goal anyway (whether the problem be a business-related task, personal achievements, etc.), and that one just works on the solution like water flows downhill, going where the path takes and using the tools that come to mind for each situation. I often find myself with no method, but intuitively seeking out a solution, adding tools as necessary on the fly, and sometimes creating my own tools when needed. Like a programmer writes a function when needing a task completed.
  9. Networking stuff on plane

    Or Mad-Eye Moody, as impersonated by Barty Crouch Jr.: "You have a wand."
  10. Best way to destroy HDD?

    I don't know if I made a thread about this before, but this has always been a pet peeve of mine that I've never tested or built, but kinda wish soooooommmmeonnneee else would (long lazy sigh). We all ought to know that force microscopy can be used to examine a disk at its atomic scale and basically rebuild data that has been overwritten. Therefore there's some debate as to how many "passes" are enough, and as to whether or not degaussing is sufficient. And you can buy degaussers for such a purpose. I believe the evidence suggests degaussing is sufficient, but we CAN GO FURTHER! I give to you the Induction Heater! https://youtu.be/VydPQuLyEns Behold! Aluminum being melted in about 1 minute. Imagine the FBI raiding your apartment and you flip the switch, and that puppy, already installed around your external drives (or whatever set-up), turns on and just melts your hard drive. The first nanosecond is going to blast the hard drive in a powerful alternating magnetic field anyway, but just to be sure... ya know, melted slag in 1 minute tops. Hillary Clinton's BleachBit theoretically has nothing on this.

    In all seriousness though, induction heaters are easy to build, easier to buy, run on about 3 kW, and will degauss AND physically destroy your hard drives at the same time. Not sure what its effect would be on an SSD, other than that it would most certainly melt those too (if they are using any kind of metallic case). Induction heaters work on any metal as far as I am aware; magnetic properties of metals come from the ability to align all the magnetic fields in that metal, which non-magnetic metals are resistant to but are not themselves "without" magnetism. Induction heaters simply oscillate between polarities so that these fields are constantly shifting, creating friction and thus heat. So it would work on any substance that responds to magnetism, not just magnetic materials.
  11. Manual file work?

    He's probably finding walkthroughs for the specific virus that usually tell you which registry keys and files belong to that virus, and just manually removing them. Windows passwords are (off the top of my head) stored in a file as ciphertext, not plain text; you would have to be able to decrypt the file to examine the password. There are easier methods to breach passwords if you have access to the machine, such as "Windows NT Offline Registry Editor", which will allow you to just remove the password associated with an account so you can reset it to something you know. Being in PC repair, I would think things like "Registry Editor" and some other goodies like Hiren's might be quite useful.
  12. WireShark and monitor mode

    This seems to be the most authoritative answer:

    wlan host 08:00:08:15:ca:fe

    While not exactly the channel, you can narrow it down to the channel you want by selecting the APs in that band, I suppose?
  13. I may have glossed over what you were getting at (been a busy day) and thought you were referring to the time frame in which that task could be performed.
  14. Well, to clarify your statement a little bit: the only reason GPUs don't help for "OWA" is because of other limiting factors, like how fast you can send attempts at the OWA, etc. All of it still depends upon speed; it's just a matter of what's bottlenecking you, and reducing that. I'm sure there's a laundry list of optimizations for OWA/firewall account cracking where accounts don't have lockout policies, etc.
  15. Not sure why no one has pointed this out, but there's a whole market for this exact thing in the GPU industry, which is why you find better-performing GPUs for this task that are not as good for gaming. I am sure GPU manufacturers actually have a sales team devoted to explaining what's best for this.