Aggregator

"It is never too late to be who you might have been."

- George Elliot

This is a continuation of my write-up about this year's Crack Me If You Can challenges. You can view my previous two write-ups using the following links. Each one covered a specific challenge of the CMIYC contest: [Striphash] and [Radmin3 hashes]. 

I'll admit, in my previous posts I was focusing on the plumbing of the challenges. Aka how to extract the hashes and get them in a format that you can run password cracking attacks against. But I danced around how to run successful cracking sessions against those hashes. There's a lot of reasons for that, but the biggest one is that I wasn't very successful during the contest itself. I needed time to step back, and start investigating all the challenges and hints that Korelogic gave out during the contest but I didn't have time to really dig into. Then with sleep and no pressing deadlines I could start to solve, understand, and then incorporate these challenges into my cracking session. That's a lot of words to say that I didn't solve the wifi cracking challenge during the contest, but I felt it would be worthwhile to look into it afterwards and document how I went about working through it. This will hopefully be one of the more day-to-day practical write-ups as well since cracking wifi passwords is something that can be pretty common during pen-test engagements if you can line up the appropriate permissions.

• Rapid7 Writeup: Poorly Purged Medical Devices Present Security Concerns After Sale on Secondary Market
• Link: https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-deacquisition-medical-infusion-pumps/
• Reason: This is why I normally don't have to crack wifi passwords during my research. There are usually other ways to gain access to networks than having to start up Hashcat. Also this report is really interesting and I'd like more people to be aware of it.
• Cap-2-Hashcat
• Link: https://hashcat.net/cap2hashcat/
• Reason: This site will extract WPA handshakes from wireless packet captures and convert them into a format you can crack with Hashcat. I'm really hesitant to include this link since while it is very good for helping out during password cracking competitions, please don't ever use this site for any sort of real life penetration testing assistance. You are sending the data to the "cloud" and you should always be mindful about doing that with a sponsor's traffic.
• HCXTools
• Link: https://github.com/ZerBea/hcxtools
• Reason: This is the proper way to parse packet captures and extract password hashes to crack on your own machines. It takes more work than Cap2Hashcat, but it's the proper way to treat sponsor data, and it gives you more flexibility to troubleshoot when something goes wrong.
• Wireshark Wiki: How to Decrypt 802.11 Traffic
• Link: https://wiki.wireshark.org/HowToDecrypt802.11
• Reason: Once you've cracked the WPA1-PSK password, you'll want to view the decrypted traffic. Wireshark is one the easier ways to do that.
• Example Hashcat Formatted Hashes
• Link: https://hashcat.net/wiki/doku.php?id=example_hashes
• Reason: You really should have this page bookmarked regardless of if you are competing in a competition or not. Whenever I'm starting a non-standard password cracking session I find myself referring back to this site to try to figure out what type of hash I'm dealing with, or to understand how I need to format it so I can crack it with Hashcat.

As a bit of backstory for myself, I got my start in computer security being a wireless penetration tester/red-teamer. I had perfect timing since new tools to crack WEP sessions had just been released and a Symantec Antivirus remote exploit had become available. So by pressing a few buttons I could look like a super L33t hacker without really knowing anything.

Ever since then, I've had a soft spot in my heart for wireless hacking. The challenge though is I rarely do any wireless hacking in my day job. Yes, I do vulnerability impact analysis research, but I usually start with a white card that assumes I already have access to the wireless network. How do I justify that? Well let me refer you to my talk at BSidesLV2023: Passwords911 Authentication Adventures in Healthcare. To be more specific, I end up buying a lot of used medical equipment off of eBay (my job is so weird but awesome). Often these medical devices still have hospital credentials such as wireless passwords, and Active Directory tokens, as well as patient records still on them.

Don't just take my word for it. The security company Rapid7 did a similar analysis and found over half of all wireless infusion pumps that they purchased on the secondary market had sensitive data still on them [Link]. As a disclaimer, I haven't seen any reporting of threat actors doing this in the wild. This particular attack requires a lot of luck and physical proximity to the institution that sold the medical equipment. Basically it would be a huge pain to try and pull off in real life. But it does work pretty well when I'm requesting a white-card so that way I can focus on the part of the assessment that I really want to dig into.

Now that the "cooking recipe back-story" of this post out of the way, let's look at the challenge itself. In the first hint file released after the contest started "cmiyc-2024_street_files_2" it included a "street.pcap" file along with the following note:

-----

From: Jarlaxle

To: Tiamat

Jarlaxle

-----

Figuring out accounts sounds promising when it comes to cracking the challenge passwords. So let's open up the pcap in Wireshark.

Ok, so this pcap looks like something we can use to crack the WPA1 pre-shared key. The next question is, how do we get the WPA1 hash?

One option is to use the excellent and easy to use cap2pcap site run by Hashcat [link]. You just need to upload the packet capture and a couple of seconds later it returns to you a download of the hash to crack. For a contest like this, it is super easy and absolutely the way to go so you can focus your time and effort on other tasks. 

The problem is you can get in big trouble if you use this site for real world penetration testing engagements. You are uploading sponsor data to a cloud based hacking site probably being monitored by who knows what threat actors. I'm not throwing shade at the Hashcat team for offering this service. It's a great service and I really appreciate they provide it. But you don't want to be uploading client data to other reputable cyber security sites such as Virus Totals either. Basically if you are getting paid to do this type of analysis, you are also getting paid to learn to dump the hashes from a packet capture file using your own systems.

• Install prerequisite libraries
• sudo apt-get install pkg-config libpcap-dev libcurl4-openssl-dev
• Remove the old version of libssl-dev if you have it already
• sudo apt remove libssl-dev
• Manually install libssl-dev to be a more modern version (the Ubuntu WSL version is way out of date and the toolset requires a version of libssl > 3.0)
• Note: I'm using the instructions from the following webpage: [Link]
• cd /usr/local/src/
• wget https://www.openssl.org/source/openssl-3.0.8.tar.gz
• tar xzvf openssl-3.0.8.tar.gz
• cd openssl-3.0.8
• ./config shared zlib
• make
• make test (only do this if you have 2 hours to let it run instead of just YOLOing it and doing the next step)
• sudo make install
• Modify your system PKG_CONFIG_PATH and LD_LIBRARY_PATH to include the link to your new libsssl-dev
• export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig
• export LD_LIBRARY_PATH=/usr/local/lib64
• Get the newest version of HexTools
• cd [MAIN INSTALL DIR]
• git clone https://github.com/ZerBea/hcxtools.git
• Go into the hcxtools directory
• Build and install hcxtools
• make -j $(nproc)
• sudo make install

Ignoring all the Googling and troubleshooting, the process to get HcxTools installed and working was a breezy two hours or so. I don't know why people don't do this instead of using Hashcat's easy to use online service...

I will say, these write-ups are mostly for myself. I guarantee sometime in the future I'll need to install HcxTools, so it is nice to have someplace I can refer back to vs. having to do all that Googling and troubleshooting again. So now that we have HcxTools installed, let's use it to extract the WPA hash from the packet capture.

Using HcxTools to Manually Dump the WPA1 Hash:

• hcxpcaptool -o [FILE TO SAVE THE HASH] [HASHFILE]
• e.g.: hcxpcapngtool -o ./challenge_files/CMIYC2024_Street/hashes/pcap.hash ./challenge_files/CMIYC2024_Street/hashes/cmiyc-2024_street_files_2/street.pcap

I'd include a screenshot of this, but it looks almost exactly like the online service that Hashcat provides in the picture included above.

Using John the Ripper's wpapcap2john to Manually Dump the WPA1 Hash:

If you are going to use John the Ripper to crack the WPA1 hash, there is an easier option available to you. Included in the Jumbo version of JtR is a tool called wpapcap2john that is super easy to use and will save the resulting hash in a format that John the Ripper can use.

• /mnt/c/github/JohnTheRipper/run/wpapcap2john ./hashes/cmiyc-2024_street_files_2/street.pcap

• Reason: The formats that JtR and Hashcat use to crack WPA1-PSK hashes are very different. Therefore I need to use HcxTools for Hashcat and wpapcap2john for JtR. I suspect there is some flag in HcxTools that will do the conversion but I don't know what it is. It's not a big deal, but it would be a nice quality of life improvement for when I need to crack more complex Wifi passwords.

The WPA1-PSK hash file formats for both John the Ripper and Hashcat are different but once you have the hashes you can pick which tool you want to crack them with. I personally like using John the Ripper since I don't have a lot of GPU power to throw at the problem and I like JtR's rule logic better. But Hashcat is much preferable if you do have the compute power to really throw at the problem. I'm going to show examples of using both tools, since luckily the street password that Korelogic provided for this file was fairly simple to crack.

Cracking with John the Ripper:

• john --format=wpapsk ./hashes/pcap2.hash

Cracking with Hashcat:

The first step with cracking the WPA1-PSK hash in hashcat is figuring out what format to target. There's a lot of different wifi cracking modes! Now if you are lazy you can simply skip the '-m' option and let Hashcat autodetect the password hash which works pretty well for well defined hash types. The other option is you can refer to the list of Hashcat hash mode examples. The hash dumped from HcxTools starts with "WPA*02*" and when looking through the example hashes that matches up to "-m 22000"

Now it's just up to us to run a cracking session. To keep things simple, I used the standard JtR passwords.lst wordlist since that's a pretty good small one, and I picked the d3ad0ne.rule included in Hashcat as that tends to be my default go-to ruleset to use. In retrospect I should have kept it smaller with something like best64.rule (you can tell the reason when you look at my anemic password cracking setting in the screenshot below), but it was a very weak password so it didn't make much of a difference this time.

• hashcat -m 22000 -a 0 ./hashes/pcap.hash ~/repos/john/run/password.lst -r ~/tools/hashcat/rules/d3ad0ne.rule

The easiest way to decrypt the encrypted session in the packet capture is to use Wireshark. I included a link to the official tutorial on how to do that at the top of this blog entry since I always have to look it up every time I do this. But here is a quick list of the steps:

1. Open the packet capture in Wireshark
2. In Wireshark go to Edit->Preferences
3. Next go to Protocols and expand it out. Select "IEEE 802.11". Note: I always forget it starts with IEEE.
4. Next to "Decryption Keys" click "Edit"
5. Press the "+" button to add a new key and pick "WPA-pwd". Then enter in the PASSWORD:SSID and click "save"

• Trust me on taking the time to enter in the PASSWORD:SSID vs. just the password. It'll usually work with just the password, but I've wasted time troubleshooting when problems popped up due to me being lazy and just YOLOing in the password by itself.

Quick Disclaimer: I don't know if Wireshark is smart enough to realize the last ":" is the delimitator or not so it might not actually mess up your decryption if a ":" is in the password. Setting up a wifi network and testing that out will need to be a rabbit hole for a different day.

Once you do this, Wireshark will automatically decrypt the traffic making it really easy to start digging into it and looking for fun conversations and artifacts.

I'm sure there is some toolset or script out there that will parse through this decrypted traffic and pull out interesting passwords and information from it. My first instinct would be to go with DSniff, but looking at the repo it hasn't been updated in the last 14 years. (Side note: This also gave me the realization "OMG I'm old"). 

• Reason: This manual process works for grabbing a couple of passwords from the packet capture but it really doesn't scale and I could easily be missing things.

Since I was curious and didn't want to spend six hours digging into another side-quest of investigating packet capture analysis tools, I'll admit for this first pass I just started scrolling through the decrypted traffic to see if there was anything interesting. And the TLDR was, yes, there was a lot of interesting traffic.

FTP Credential Analysis: I need to dig into this more, but at least in the initial street file hashes, there does not appear to be a user with the name "yashica". I might need to throw their password, (along with others extracted from this packet capture) into a general wordlist and run it against all the uncracked hashes I have. That is, unless there is another hint file that provides further context. So the next question, is "what about that passwords-street" file they are downloading?

Yup, that could be useful as well! Now, I want to preface this next point by once again saying that there must be a better way to analyze these packet captures, and doing it by hand is tedious and error prone. But if you are going to parse it hand like I am doing, you can look at the filter that gets applied in Wireshark when you follow a TCP stream and manually increment it by one to view the next TCP session. It's not a pretty way to do things, but it's much better than hunting and pecking and scrolling through the full packet capture.

Other interesting side quests: There is one session where the user grabs the following webpage: "/obscure/path/for/extra/security/passwords-street.html", 

I know I started this post by saying that I needed to get away from all the plumbing of extracting/formatting hashes and start actually cracking the challenge passwords. Unfortunately, it looks like I totally failed in that task again. Now that we have some hint files and sample passwords though, making use of this data will hopefully be the subject of a follow up blog post. For now though I really enjoyed writing this blog post and getting back into practicing my wifi hacking skills. So thanks again to Korelogic for including this challenge in this year's contest.

The post CMIYC2024: Wifi Cracking Challenge appeared first on Security Boulevard.

根据Coremail邮件安全人工智能实验室监测，2024年Q2全国企业级用户遭受超过21.4亿次暴力破解，相比于Q1的39.1亿次暴力破解，环比降幅约为45%，无差别的暴力破解攻击大幅下降，但数据显示暴力破解攻击成功次数正在回升。

2024年Q2全域暴力破解成功次数达到912.7万次，环比增长11.4%。攻防专家推测可能是攻击者优化口令字典规则，其次加大了撞库攻击比例，导致破解成功率提高，因此邮箱管理员仍需保持警惕并采取必要的防护措施。

而企业邮件系统用户众多，管理员难以掌握所有邮箱用户的账号安全设置状态，如：客户端专用密码开启情况、二次验证情况、自动转发等。面对如此严峻的挑战，CACTER安全管理中心第二代（以下简称“SMC2”）全面焕新，SMC2在上一代产品的基础上，进行了全面的升级和优化。

不同于SMC1以安全监控态势为主的产品形态，SMC2更注重邮件安全事件的检测与闭环处置能力。作为邮件系统专属安全管家，SMC2支持监测失陷账号、网络攻击、主机威胁，拥有邮件审计、用户行为审计、用户威胁行为分析等能力，并提供账号锁定、IP加黑、邮件召回、告警等处置手段，简化管理，助力企业邮件系统安全运营，全方位守护邮件系统的安全。

数据与分析｜轻松处理和应用邮件系统日志

作为一款内网安全产品，SMC2独立于邮件系统进行安装。通过轻量级的agent采集邮件系统的日志数据，然后对数据进行清洗并入库，这一过程不会占用邮件系统服务器的资源，也不会影响邮件系统的正常收发业务。

SMC2能够处理包括登录日志、收发信日志、行为日志和访问日志在内的多种日志类型，这些日志数据是邮件系统安全分析的基础，管理员可以轻松处理和应用邮件系统日志，快速便捷做好邮件系统运维管理工作。

1、邮件审计：高效邮件检索与安全取证工具

SMC2的邮件审计功能为用户提供了强大的邮件信息检索能力。管理员可以通过组合检索，快速定位邮件信息，并通过审计结果导出功能，将检索结果进行整理和分析。这一功能不仅能够帮助管理员定期或根据特定事件触发审计，及时发现潜在的安全风险或违规行为，而且在安全事件发生或争议时，邮件审计功能还可以作为取证的重要工具。

2、邮件召回：智能补救措施

当检测到可疑或威胁性邮件时，SMC2支持管理员执行邮件召回操作，将邮件从用户邮箱中撤回至不可见目录或垃圾箱中。这不仅阻止了威胁的进一步传播，还为用户提供了一种补救措施。召回操作后，系统还可以自动通知用户，告知其邮件被召回的情况，确保透明度和及时沟通。

3、用户行为审计：构建安全行为档案

用户行为审计功能则从用户操作的角度出发，支持对用户登录、邮件操作、附件下载等39种用户行为的分类查询和时间链条查询。这不仅帮助管理员快速了解用户在特定时间段内的操作行为链条，且数据保存长达180天以上，满足了合规性要求。

4、用户威胁行为分析：智能风险评估

SMC2创新性引入了用户威胁行为分析模块，通过构建用户安全画像，从用户行为出发评估风险等级，并以可视化的方式呈现行为分析结果。这一功能不仅暴露了单独看似不敏感但关联起来具有风险的行为，而且为管理员提供了辅助研判的有力证据。

5、用户安全配置跟踪：集中管理安全配置

SMC2集中展示了所有邮箱用户的安全配置情况，管理员可以通过组合查询，快速发现不符合规定或存在潜在风险的用户配置。这包括自动转发地址、可信任设备、黑名单和白名单等，帮助管理员提高管理效率并简化管理流程。

6、收发信量统计与登录趋势分析：洞察系统运行状态

SMC2支持用户级和系统级的收发信量统计与登录趋势分析。管理员可以查看系统级的收信、发信和登录情况，并通过不同维度的数据分析，找出域内的收发信和登录规律。系统还可以提示管理员潜在的异常指标，如突然增多的威胁邮件、异常发信数量的用户等。

发现即处置｜主动发现和闭环处置邮件系统威胁

1、主动发现&锁定被盗账号：智能算法的应用

SMC2内置了检测23种异常登录行为的算法，能够精准识别暴力破解、异地登录等风险行为，及时为管理员提供事件详情，辅助研判账号安全状态，并支持直接在SMC2中锁定问题账号。

2、网络攻击与主机威胁的监测：安全防护全面升级

SMC2还能够主动发现Coremail旧漏洞利用等网络攻击行为，以及SQL注入、XSS跨站脚本攻击等常见web攻击。此外，SMC2内置了漏洞扫描器指纹，能够识别常见的漏洞扫描器，并且能够监测到攻击者对邮件系统的文件变更，留意未被告知的变更，记录与查询变更信息，检查主机威胁迹象。

3、准实时/定时告警：安全管理的即时响应

为了使管理员能够及时响应安全事件，SMC2支持设置准实时告警和定时告警。告警的设置可以根据管理员的使用习惯和重要时期的需要进行自定义，确保安全事件能够得到快速有效的处理。

方向与研究｜SMC2未来准备解决的管理难题

SMC2未来的发展将继续围绕提升邮件系统安全管理的智能化和自动化水平。随着技术的不断进步，SMC2将集成更先进的算法和大数据分析能力，以更准确地识别和响应安全威胁。

SMC2将实现更加精细化的安全态势感知，通过深度学习技术对用户行为进行模式识别，提前预测并防范潜在风险。同时，SMC2将加强与现有邮件系统的整合，实现更流畅的数据交换和更高效的日志分析流程，进一步降低管理成本并提升操作便捷性。

随着SOAR（安全编排自动化响应）理念的深入应用，SMC2也将能够提供更加自动化的处置流程，减少对人工干预的依赖，提高响应速度。

SMC2的目标是成为一个全面、智能、高效的邮件安全管理平台，不仅能满足当前的安全需求，更能预见并适应未来可能出现的安全挑战，为用户打造一个安全、可靠、高效的邮件使用环境。

2024年Q2管理员社区季刊新近完成，主要盘点了2024年上半年社区的精选文章和热门活动等精彩内容。本文为2024年Q2 管理员社区季刊内容节选，完整内容请上CACTER管理员社区进行查看。

CACTER管理员社区

CACTER管理员社区属于云服务中心板块之一，由Coremail服务团队、CACTER邮件安全团队及多条产品线共同维护，定位为知识库社区，集7*24h在线自助查询、技术问答交流、大咖互动分享、资料下载等功能于一体，专属于Coremail邮件管理员、安全员成长互动的知识库社区。

2024年Q2安全态势

根据Coremail邮件安全人工智能实验室数据显示，2024年Q2钓鱼邮件发送&接收源TOP100域名行业分析，国内钓鱼邮件受害者所在行业比较集中，教育排名第一，约占钓鱼邮件总数的60%（3914.1万封）；企业排名第二，约占26%（1713.4万封）；排名第三的行业为IT互联网，占5%（329.1封）。

其中教育行业收到的钓鱼邮件数量环比上升186%，教育领域于网络安全防护层面存有潜在的薄弱环节，庞大的师生用户数量、频繁的邮件往来，以及邮箱用户安全意识的参差不齐，这些都有可能致使教育行业成为黑客优先选择的攻击对象。

攻击者可以运用社会工程学手段，通过伪装成相关角色（例如老师、合作伙伴、客户或上级主管）的身份，针对性地向特定用户发送钓鱼邮件，从而提高攻击的成功率。

2024年上半年热门内容回顾

在2024年上半年里，CACTER管理员社区积极推动社区话题的交流与讨论，共发起7次社区话题，发布了27篇文章。重保将至，“2024重保HVV行动资料”“CACTER邮件安全大礼包”、“安全使用邮箱建议（用户及管理员向）”等邮件应急处置和安全科普向的经验分享，再次成为了CACTER管理员社区最热门的内容。

2024年上半年热门活动回顾

2024年上半年，CACTER管理员社区延续去年的年终福利活动，开展了“积分回馈兑换春节礼盒”活动，获得管理员的认可。其他热门活动，如“恶意样本提交激励活动”、“Coremail SRC 漏洞奖励活动”，仍有许多用户积极参与，充分展示了CACTER管理员社区的线上优势。

2024年上半年直播回顾

2024年上半年CACTER管理员社区举办了5次直播活动。每一次直播都为管理员带来邮件安全产品的好消息和福利。

1月份的社区年终福利直播，不仅有专家级干货分享，龙年惊喜大礼盒兑换活动；3月份的邮件防泄密直播，则通过真实客户案例分享，向管理员展示了CACTER邮件数据防泄露EDLP的实战应用；4月份的AI大模型专场直播，更是探索了AI大模型在邮件反钓鱼领域的应用，以及揭秘了Coremail邮件安全人工智能实验室对清华智谱AI大模型的应用。

5月份的防御邮件威胁直播分享会，更是带来了CAC2.0反钓鱼防盗号新功能——威胁邮件提示，为构建企业邮件安全闭环提供有力支撑；CACTER邮件安全团队在6月份开展的重保防护经验直播分享会上“倾囊相授”，将多年积累的重保防护经验分享给管理员们。

CACTER将继续努力，为社区用户提供更多优质、实用的内容，致力于为CACTER管理员社区用户提供更加丰富、有用的内容，促进社区的发展与进步。