Category Archives: Security

Security: Install mimikatz offline plugin to volatility (DRAFT!!!)

Hi,

here are the steps to install the mimikatz offline plugin to get it running under volatility on a Windows 7 x64 Operating system. Currently draft but works for me.

1. Install volatility
get the latest Python 2 Version and install it. In this example to target directory d:\Python27. Use the x86, 32Bit Version even on x64 systems. Otherwise the volatility installer won’t found the python installation. Choose also a installpath without spaces.

Install Volatility 2.4 Windows Python Module Installer (not the binary installer)
Continue reading Security: Install mimikatz offline plugin to volatility (DRAFT!!!)

Windows: Initate a kernel memory dump

Hi,

for deeper inspection of Windows it is sometimes necessary to get a memory dump of the machine to analyse these output with tools like volatility .

There are several ways to provoke windows to write a dump.
Continue reading Windows: Initate a kernel memory dump

Windows: Read Bitlocker encrypted drive in Windows PE

Hi,

in WinPE it is possible to read bitlocker encrypted drives.

Check state
manage-bde -status c:

If the drive is only protected by a password use
manage-bde -unlock c: -pw
Continue reading Windows: Read Bitlocker encrypted drive in Windows PE

Windows: Recover lost passwords from memory

Hi,

if a User is logged on and forget it’s password you can dump to lsa process and recover the password from a dump file.

Two tools are needed:

  • Microsoft’s sysinternals procdump
  • mimikatz. A tool to play with windows security. Take care when download precompiled binaries. Better get the source code from github and compile it yourself.  Its very easy

Lets start. Login as a User with administrator permissions and dump the lsass process
Continue reading Windows: Recover lost passwords from memory

OpenSSL: Command line examples

Hi,

here are some command line examples for openssl:

Generate a self signed certificate for a (apache) webserver with a 2048 Bit RSA encryption and valid for 365 days.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Add x509_v3 extensions from command line (>= V1.1.1)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -extension 'subjectAltName = DNS:myHost.myDOmain.org, DNS:myHost2.myDOmain.org' -extension 'certificatePolicies = 1.2.3.4.5'\

Get the certificate of a webserver

openssl s_client -connect michlstechblog.info:443

This establish a connection to a webserver and displays the details for the certificate on a webserver, i.e the expiration date

openssl s_client -connect michlstechblog.info:443| openssl x509 -text

Same for a UDP port where DTLS is running
openssl s_client -host michlstechblog.info -port 8888 -dtls1| openssl x509 -text

Show details of a certificate file
openssl x509 -text -in server.crt -noout

Create pfx (pkcs12) file from key and certificate

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt

Create pfx (pkcs12) file from key, certificate and the root CA(s), If necessary copy the root and the intermediate certificates in to one CACert.crt file.

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt -certfile CACert.crt

Extract a key from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nocerts -out host.domain.key

And extract a cert(s) from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nokeys -out host.domain.crt

Creating a self signed Certification Authority

To be continued….

See also this post. It describes how to setup a CA for OpenVPN from the scratch.

Generate a CA revokation list

openssl ca -gencrl -passin pass:${CA_PASSWORD} -out crl.pem

Show details of certificate revocation list (crl)

openssl crl -in crl.pem -text

Verify a certificate chain where yourCertificate is directly signed by the CA
openssl verify -CAfile CARootCertificate.cer yourCertificate.cer

Verify a certificate chain where yourCertificate is signed by a intermediate certificate
openssl verify -CAfile CARootCertificate.cer -untrusted Intermediate.cer yourCertificate.cer

or copy CARootCertificate.cer and Intermediate.cer to one file

# Windows
copy CARootCertificate.cer+Intermediate.cer fullChain.cer
# Linux/UNIX
cat CARootCertificate.cer Intermediate.cer > fullChain.cer
openssl verify -CAfile fullChain.cer yourCertificate.cer

Check a certificate against a crl
Copy the chain(root CA cert, intermediate cert) and the crl to a file

cat ca.pem intermediate.pem crl.pem > wholeChain.pem

and check

openssl verify -crl_check -CAfile wholeChain.pem myCert.pem

Create a signing request to renew an existing certificate

openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr

With some x509v3 extensions. File x509v3_extensions.ext

extensions = x509v3
[ x509v3 ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature, keyEncipherment


openssl x509 -req -days 3650 -in CARootCertificate.cer -signkey CARoot.key \
-out ca_crt.pem -extfile x509v3_extensions.ext -extensions x509v3

List of valid ciphersuites from a given allowed SSL_CTX_set_cipher_list

openssl ciphers '!aNULL:ECDHE+AESGCM:ECDHE+AES' | tr ":" "\n"

Michael