CLAM DOWN
Feb 13, 2007




Are you sure it doesn't work in Remote Assistance? Our help desk guys use that and we obviously have UAC enabled, and there has never been a problem. Are you doing something weird or wrong?

Echoing do not disable UAC, do not do not do not


EssOEss
Oct 23, 2006
128-bit approved
Speaking of UAC, I today ran into the fact that starting a WinRM remote session under some circumstances rejects you if you are a local admin that is not the Administrator user. The internet says to disable something called LocalAccountTokenFilterPolicy and then it works. Yep, sure does.

What is this policy, though? Even Microsoft's own documentation tends to leave it implicit on the pages where it is mentioned. I get the feeling it is somehow related to UAC but what exactly is this setting that I am disabling?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

UAC introduces a split token scheme for local execution, so by default, even if you are in the local administrators group, the programs you execute run with the permissions of a standard user unless you force it through an elevation prompt. The problem is that only the locally executed programs are aware of this UAC restriction, so LocalAccountTokenFilterPolicy also filters outbound remote management requests to drop the built-in administrators group token as well; so if there are other systems exposed to you that you also have admin rights on, you can elevate/compromise that system and then jump back or to other systems. Disabling the filtering makes that attack model possible. There are other ways to work around UAC and elevate, but having to modify that setting generally means you are doing something fundamentally wrong.
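An added example (not from the thread) of how a defender can audit this setting from `reg query` output collected across hosts: the key path is the standard policy location the value lives under, and the host names and output are constructed sample data.

```python
import re
from typing import Dict, Optional

VALUE_NAME = "LocalAccountTokenFilterPolicy"
# Registry key under which the value is set when someone "disables" the filter.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed `reg query` output for three imaginary hosts (not real data).
SAMPLE_REG_OUTPUT: Dict[str, str] = {
    "ws01": f"{POLICY_KEY}\n    EnableLUA    REG_DWORD    0x1\n"
            f"    {VALUE_NAME}    REG_DWORD    0x1\n",
    "ws02": f"{POLICY_KEY}\n    EnableLUA    REG_DWORD    0x1\n"
            f"    {VALUE_NAME}    REG_DWORD    0x0\n",
    "ws03": f"{POLICY_KEY}\n    EnableLUA    REG_DWORD    0x1\n",
}

_VALUE_RE = re.compile(rf"^\s*{VALUE_NAME}\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.MULTILINE)

def parse_token_filter_policy(reg_output: str) -> Optional[int]:
    """Return the DWORD value, or None when the value is not set at all."""
    match = _VALUE_RE.search(reg_output)
    return int(match.group(1), 16) if match else None

def remote_filtering_active(value: Optional[int]) -> bool:
    """Absent or 0: remote logons by local admins get a filtered (non-admin) token.
    1: filtering off, so a local admin's remote session carries the full admin token."""
    return value != 1

def audit(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a short finding a defender can act on."""
    findings = {}
    for host, output in hosts.items():
        value = parse_token_filter_policy(output)
        if remote_filtering_active(value):
            findings[host] = "ok: remote admin token filtering active"
        else:
            findings[host] = "finding: LocalAccountTokenFilterPolicy=1, remote local-admin logons get the full token"
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_REG_OUTPUT).items():
        print(host, finding)
```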

doctorfrog
Mar 14, 2007

Great.

Furism posted:

Talking about Veracrypt... Is it just me or is it less stable than TrueCrypt? I've had crashes, volumes that don't mount until a reboot, or the GUI sometimes getting stuck (not hanging, just not being able to minimize it away) and I could swear it's a bit longer than TC to mount a drive.

I realize it's been audited so I use it but I'm tempted to just go back to the second-to-last release of TC.

It's much slower to mount in my experience (reasons? I dunno), and if you keep trying to interact with the window when it's mounting, Windows might think it's not responding. I've had it crash only when I'm being impatient and repeatedly trying to bring it up. I've also had issues with automatically remounting when restoring from standby, so I just manually remount stuff now.

Squatch Ambassador
Nov 12, 2008

What? Never seen a shaved Squatch before?

CLAM DOWN posted:

Are you sure it doesn't work in Remote Assistance? Our help desk guys use that and we obviously have UAC enabled, and there has never been a problem. Are you doing something weird or wrong?

Echoing do not disable UAC, do not do not do not

I thought it worked, but the helpdesk people claim it doesn't. Based on Google it looks like UAC prompts only showing on the user's side is the expected behaviour, or at least a very common problem. As far as I know they're just plugging the PC name into remote assistance and using default settings.

I gave that guy an earful this morning but I still don't think he understands why UAC is such a big deal. I'm not planning on turning off UAC, even if my manager tries to get me to do it.

Fake edit: I just remembered some people around here call the remote access tool in Altiris 6.9 remote assistance. I'll have to double check on Monday.

Furism
Feb 21, 2006

Live long and headbang

doctorfrog posted:

It's much slower to mount in my experience (reasons? I dunno), and if you keep trying to interact with the window when it's mounting, Windows might think it's not responding. I've had it crash only when I'm being impatient and repeatedly trying to bring it up. I've also had issues with automatically remounting when restoring from standby, so I just manually remount stuff now.

Is there any downside to using TrueCrypt over Veracrypt?

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Furism posted:

Is there any downside to using TrueCrypt over Veracrypt?

The very first thing on the TrueCrypt project homepage sums it up:

quote:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

VeraCrypt was forked from TrueCrypt, and is still actively developed and tested. TrueCrypt's encryption isn't horribly broken (as far as anyone knows and has publicly disclosed), but there's a known privilege-escalation issue in its Windows drivers that will never be fixed.

some kinda jackal
Feb 25, 2003

 
 
https://www.theregister.co.uk/2017/06/12/tata_bank_code_github/

quote:

Staff at Indian outsourcing biz Tata uploaded a huge trove of financial institutions' source code and internal documents to a public GitHub repository, an IT expert has claimed.

Let's hope nobody hardcoded anything fun in :stonklol:

Diva Cupcake
Aug 15, 2005

That was certainly not doing the needful.

Absurd Alhazred
Mar 27, 2010

by Athanatos
https://twitter.com/ButtCoin/status/874393234037932032

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Could have stopped at "Tata"

CLAM DOWN
Feb 13, 2007





Aahahahahaha some idiot goon I know mentioned the other day he wanted to set up a miner for these things.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Furism posted:

Talking about Veracrypt... Is it just me or is it less stable than TrueCrypt? I've had crashes, volumes that don't mount until a reboot, or the GUI sometimes getting stuck (not hanging, just not being able to minimize it away) and I could swear it's a bit longer than TC to mount a drive.

The slower mount time was intentional. TrueCrypt's key derivation (i.e. turning a human-readable password into an actual encryption key for the block cipher) used a maximum of 2,000 iterations of the hashing function, while VeraCrypt upped that to 500,000 iterations. This slows down the mounting of a volume by a factor of about 250 (although once it's been mounted, there should be no performance penalty in using it). But more importantly, it slows down a mounting ATTEMPT by that same factor, so brute-force attacks on the password are 250 times slower. It's a small inconvenience for a legitimate user but a much bigger stumbling block for an attacker.

https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation

As for instability, I haven't had any problems with it, but then I only give it very light use.
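An added example (not from the thread or from the VeraCrypt project) that carries the post's arithmetic through in code: PBKDF2-HMAC-SHA512 at the two iteration counts the post quotes, the per-attempt slowdown, and what that does to an attacker's time to exhaust a candidate list. The password, the HMAC rate and the candidate count are constructed assumptions.

```python
import hashlib
import os
import time

# Iteration counts as given in the post above (the actual VeraCrypt default
# depends on the hash and volume type; these are the post's round figures).
TRUECRYPT_ITERATIONS = 2_000
VERACRYPT_ITERATIONS = 500_000
SALT_LEN = 64   # salt size in the volume header format
KEY_LEN = 64    # bytes of key material to derive

def derive_header_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512: the password -> header key step the post describes."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=KEY_LEN)

def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How much longer each mount attempt (and therefore each guess) takes."""
    return new_iterations / old_iterations

def hours_to_exhaust(candidates: int, iterations: int, hmacs_per_second: float) -> float:
    """Hours for an attacker with a given raw HMAC rate to try every candidate.
    Every guess must pay the full iteration count; there is no shortcut."""
    return candidates * iterations / hmacs_per_second / 3600.0

def time_one_mount(iterations: int) -> float:
    """Seconds for a single derivation on this machine (constructed password, random salt)."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    derive_header_key(b"correct horse battery staple", salt, iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    print("slowdown per attempt:", slowdown_factor(TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS))
    for label, n in (("TrueCrypt", TRUECRYPT_ITERATIONS), ("VeraCrypt", VERACRYPT_ITERATIONS)):
        print(f"{label:9s} {n:>7d} iterations: {time_one_mount(n):.3f} s per mount attempt")
    # 1e8 candidate passwords at a constructed 1e9 HMAC/s (GPU-class) rate:
    for n in (TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS):
        print(f"{n:>7d} iterations: {hours_to_exhaust(10**8, n, 1e9):.2f} h to exhaust 1e8 guesses")
```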

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo
Found some remote xss on a popular web app but also found out it sends the payload but does not execute in their Android/iOS client.

Need to decompile and see how the xss string is processed in the mobile client because it's def not a webview but still hoping for system calls.

Furism
Feb 21, 2006

Live long and headbang

Powered Descent posted:

The slower mount time was intentional. TrueCrypt's key derivation (i.e. turning a human-readable password into an actual encryption key for the block cipher) used a maximum of 2,000 iterations of the hashing function, while VeraCrypt upped that to 500,000 iterations. This slows down the mounting of a volume by a factor of about 250 (although once it's been mounted, there should be no performance penalty in using it). But more importantly, it slows down a mounting ATTEMPT by that same factor, so brute-force attacks on the password are 250 times slower. It's a small inconvenience for a legitimate user but a much bigger stumbling block for an attacker.

https://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation

As for instability, I haven't had any problems with it, but then I only give it very light use.

Makes a lot of sense, thanks!

Pile Of Garbage
May 28, 2007



EVIL Gibson posted:

Found some remote xss on a popular web app but also found out it sends the payload but does not execute in their Android/iOS client.

Need to decompile and see how the xss string is processed in the mobile client because it's def not a webview but still hoping for system calls.

Name and shame or keep it on your blog. Or go full disclosure right here so we can all eat bans

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

cheese-cube posted:

Name and shame or keep it on your blog. Or go full disclosure right here so we can all eat bans

Lol nice stuff.

It was really supposed to be a question for anyone who really talks or writes about xss in non-webview contexts, but okay, your answer is acceptable.

Pile Of Garbage
May 28, 2007



Hey mate if you want to talk tech then post away or xpost to the yossec thread. Sorry for being a brash poo poo oval office.

Evis
Feb 28, 2007
Flying Spaghetti Monster

If it's not in a webview and isn't being processed as JavaScript then as far as the app is concerned it's not XSS.

Edit: not to say that there aren't security issues there. I'd encourage you to keep going and RE the app.

Absurd Alhazred
Mar 27, 2010

by Athanatos
https://twitter.com/F4R4D4YDC414/status/879192624057528320

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
When I was doing assessments as a consultant three years ago, I was seeing OS/2 pre-Warp being used. Windows 2000 being in production is not surprising.

Absurd Alhazred
Mar 27, 2010

by Athanatos

Lain Iwakura posted:

When I was doing assessments as a consultant three years ago, I was seeing OS/2 pre-Warp being used. Windows 2000 being in production is not surprising.

I think it's more the three "Account Unknown"s.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Absurd Alhazred posted:

I think it's more the three "Account Unknown"s.

I would wager that they're accounts that have been deleted and thus are only referenced by their GUID?

Absurd Alhazred
Mar 27, 2010

by Athanatos

Lain Iwakura posted:

I would wager that they're accounts that have been deleted and thus are only referenced by their GUID?

I guess you were right all along then!

Pile Of Garbage
May 28, 2007



Lain Iwakura posted:

I would wager that they're accounts that have been deleted and thus are only referenced by their GUID?

Correct, it will display "Account Unknown" if it cannot translate the SID into a SAM account name which usually happens if the account is deleted or if the account is a domain account and the server cannot contact a DC. So yeah, doesn't really mean anything.

The Fool
Oct 16, 2003


If you use docker this probably affects you.

Absurd Alhazred
Mar 27, 2010

by Athanatos
https://twitter.com/ortegaalfredo/status/878477207873695746

Ganson
Jul 13, 2007
I know where the electrical tape is!
From Ycombinator

https://github.com/infobyte/spoilerwall

I'm going to fork this and replace the movie quotes with dickbutte or random arghy rants. Staging release is tomorrow. When QA is done we go straight to prod!

BlankSystemDaemon
Mar 13, 2009



A new persistent thread that has gone ignored by everyone for a decade has finally been publicized: http://seclists.org/oss-sec/2017/q2/616

Furism
Feb 21, 2006

Live long and headbang
https://twitter.com/0x09AL/status/879731559976378369

So there's a new ransomware around

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell


Isn't rundll32.exe part of windows?

The Fool
Oct 16, 2003


Thermopyle posted:

Isn't rundll32.exe part of windows?

https://twitter.com/0x09AL/status/879744664974360576

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

That doesn't seem right either. I'm not a windows developer but I feel like lots of things run rundll32.exe?

Sininu
Jan 8, 2014

Thermopyle posted:

That doesn't seem right either. I'm not a windows developer but I feel like lots of things run rundll32.exe?

Check if you can find that process in your task manager. I sure can't.

Only system process I have that starts with r is RuntimeBroker.exe

Sininu fucked around with this message at 18:18 on Jun 27, 2017

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

SinineSiil posted:

Check if you can find that process in your task manager. I sure can't.

Yes I can. According to Process Explorer the "scan to PC" function of my HP scanner uses rundll32.exe to run a DLL.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

rundll32.exe is used to "run" DLL files which aren't normally runnable like exe files.

So, while it's possible some malware is being run this way, rundll32.exe being present isn't necessary and sufficient to say you've got some ransomware. You've got to check for that scheduled task he's talking about:

https://twitter.com/0x09AL/status/879739959942553600

It seems wrong to say "you're probably infected" if you see it in your process list, but I'm not positive about how common it is to run DLLs in this fashion. Some Googlin' leads me to believe it's pretty common, but I'm not sure.

Sininu
Jan 8, 2014

Thermopyle posted:

Yes I can. According to Process Explorer the "scan to PC" function of my HP scanner uses rundll32.exe to run a DLL.

Couldn't find anything with Process Explorer running as admin either, and after Googling a bit I'm kind of surprised about it. Is that process very rarely used nowadays?

Furism
Feb 21, 2006

Live long and headbang
Yeah, that wasn't the best Tweet to mention that malware, but it (the malware) is apparently spreading in very visible places.

Trabisnikof
Dec 24, 2005

Lol wrong thread


orange sky
May 7, 2007

Ahah tomorrow everyone is gonna be hosed when they turn on their pcs. Apparently it's not using smb 1 to spread anymore? Wmic and psexploit apparently
