Stuff I'm Up To

Technical Ramblings

SSH Weak MAC Algorithms Enabled — February 15, 2017
Kali Linux — February 14, 2017
Hardening Windows — February 12, 2017

Hardening Windows

When it comes to Microsoft Windows straight out of the box it’s full of security weaknesses. These are a number of ways to harden it so that your vulnerability scans pass with nothing more than information messages.

The list grows with each discovery of a new vulnerability.

This list was last updated 2 March 2017.

Continue reading

OpenVPN & DNS Lookup Failures — February 10, 2017

OpenVPN & DNS Lookup Failures

I’ve noticed that occasionally my OpenVPN connection fails to resolve host names for systems at the other end of the tunnel. If I check the DHCP settings I can see I am being pushed the DNS servers for the remote end, but nslookup fails to use them.

This is to do with the binding order. In previous version of Windows you could adjust the binding order, but on Windows 10 this option has been removed.

To ensure your OpenVPN Interface appears before your other adapters you need to use some PowerShell to change the InterfaceMetric. The lower the number the higher the priority.

Continue reading

TLS and NPS — February 9, 2017

TLS and NPS

Looks like NPS only supports TLS1.0 by default. So if you go restricting your ciphers too much you’ll find none of your NPS clients able to connect using EAP.

That’s a bit of a problem when you have an 802.1x secure network and every client is expected to authenticate. If a cipher is not available on both client and server then you’ll get a client unable to connect or reconnect when their sessions require.

So in order to expand the ciphers supported by newer systems you should ensure you can deliver them over a wider number of protocols , including TLS1.1 and 1.2.

Ensure you have the required update patch for your system

To add these registry values, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type TlsVersion for the name of the DWORD, and then press Enter.
  5. Right-click TlsVersion, and then click Modify.
  6. In the Value data box, use the following values for the various versions of TLS, and then click OK.
    TLS version DWORD value
    TLS 1.0 0xC0
    TLS 1.1 0x300
    TLS 1.2 0xC00

    Any OR’ed combination of these values will enable the corresponding protocols. By default, TLS 1.0 is enabled. If any invalid value is configured, TLS 1.0 will be used.

  7. Exit Registry Editor, and then either restart the computer or restart the EapHost service.

 

Support for TLS1.0, 1.1 and 1.2 = 0xFC0. TLS1.1 and 1.2 only = 0xF00.

References: https://support.microsoft.com/en-us/help/2977292/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14,-2014

Server Message Block (SMB) Protocol Version 1 Unspecified RCE (uncredentialed check) —

Server Message Block (SMB) Protocol Version 1 Unspecified RCE (uncredentialed check)

Start Powershell as an administrator and run the following to disable SMB Version 1.

PS C:\> Get-SmbServerConfiguration | select enablesmb1protocol

enablesmb1protocol
 ------------------
 True


PS C:\> Set-SmbServerConfiguration -EnableSMB1Protocol $false

Confirm
Are you sure you want to perform this action?
Performing operation 'Modify' on Target 'SMB Server Configuration'.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):

PS C:\> Get-SmbServerConfiguration | select enablesmb1protocol

enablesmb1protocol
 ------------------
 False

On Windows 2008 you need to do this by using the registry. Add/edit the following Key and set it to 0 (Zero).

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Then you need to run some command line (as administrator) programs:

c:\> sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
c:\> sc.exe config mrxsmb10 start= disabled

If you only add the registry change Nessus will then complain that the client is still vulnerable.

References: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) — February 3, 2017
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) – Tomcat —
SSL 64-bit Block Size Cipher Suites Supported (SWEET32) – Tomcat —

SSL 64-bit Block Size Cipher Suites Supported (SWEET32) – Tomcat

Following on from the Windows vulnerability for SWEET32, Here’s how to resolve the same issue with Tomcat 8. This use the OpenSSL format string for ciphers, so can also be applied to anything using the same cipher list.

ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-DES-CBC3-SHA"

Simply by adding the !ECDHE-RSA-DES-CBC3-SHA to your existing : delimited cipher list disables the cipher on the server. The prefix ! means NOT – which disables the cipher.

Alternatively you can simply disable all ciphers using triple DES using !3DES.

When you encounter some other cipher vulnerability listed in you Nessus scan just copy the cipher name into the list prefixed with !. Be wary that some of your connecting applications may not like this. So keep a log of what you added so you can rollback.

To use the AES 256 bit ciphers, it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files.

Java Ciphers & Algorithms — February 2, 2017

Java Ciphers & Algorithms

I’ve tasked myself with getting one of our most used vendor apps up to compliance with our security audits. It’s not as easy as I’d hoped. Especially seeing as I seem to have run beyond the encryption export limitations Java distribute.

One of the products uses JDBC to connect to a Microsoft SQL server which is hardened and only supports a limited set of high grade encryption ciphers. This caused me to see connection failures with exception messages such as “failed to generate DH keypair” and “RSA premaster secret error”.

Then I discovered the Bouncy Castle.

Continue reading

Rant by a Complete Java Noob — February 1, 2017

Rant by a Complete Java Noob

I confess, I’m a complete Java noob. In fact slightly worse than that, I’m a Java hater. In principle it’s a great idea, cross platform and all that jazz, but in execution it leaves me frustrated. Seems most vendors I encounter may use Java, but use libraries specific to Windows making it as mobile as Jabba the Hutt. Also vendor installations that require Java seem to only be able to support last years version of Java, not the newest stable, and therefore it has so many vulnerabilities it makes it impossible to pass any kind of security audit.

This month I’ve been trying to buckle down and get stuck in to understand things more. Try to figure out how all of this is strung together and see if anything can be done to satisfy the needs of the application and security.

Continue reading

VCSA /storage/log Full —