Hashing Files

File hashes are awesome.

A hash is a one-way algorithm: you put data in and it spits out a fixed-size digest that looks nothing like the input.

Hash rules…
1. Hashes are one way: you can't feasibly take a hash and convert it back into what it was before it got hashed.
2. A hash always gives you the same number of characters as a result: if you hash a 1TB file with MD5 it will spit out 32 characters, and if you hash a single-letter string it will still give you 32 characters.
3. Hashes are not foolproof: it is possible for two files to have the same hash, but it is extremely unlikely.
4. Changing any part of a file results in a completely different hash: change 1 byte of a 1PB file and you get a completely different set of 32 characters.

So with that said, hashing a file is a great way to…
– figure out if the file you downloaded is identical to the file the server on the other end of the connection was trying to send you.
– find out if a file has changed over time (assuming you had a hash of it).

Getting a hash: there are lots of different types of hash one can get. MD5 is very common for file verification, and although one could argue that it is not as cryptographically strong as it once was, forging a file to get an identical hash is still beyond the capabilities of anyone on earth.

Some of the tools hosted here and on other sites come with hashes; those hashes may be MD5 or SHA1. By confirming the hash after downloading the file you can be reasonably certain that you have a bit-for-bit copy of the original, which can help diagnose issues with installers or verify the integrity of the Linux ISO you downloaded. Keep in mind that if a site is compromised, the attacker could easily upload his own file and hash, in which case the hash would match the new malicious file. It is best to google the hash string after hashing the file to see if any mirrors or other people have gotten it before you; somebody may have found that a certain hash is malicious. In some cases verifying the hash of the file over time is useful, and if you're lucky the Wayback Machine can help with that.

Powershell: Get-FileHash pathtofile -Algorithm MD5


Bash (macOS): md5 pathtofile
Bash (Linux): md5sum pathtofile

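The two commands above, wrapped into a script that also compares the result against a published digest. This is an added example rather than the post's own, and it goes a little beyond it: it handles SHA-256 as well as MD5 and assumes md5sum/sha256sum (Linux) or md5/shasum (macOS) are on the path.

```shell
#!/bin/sh
# Added example, not from the post: hash a file and check it against a published
# digest. Prefers md5sum/sha256sum (Linux) and falls back to md5/shasum (macOS).

# file_hash FILE [ALGO]: print the lowercase hex digest; ALGO is md5 or sha256.
file_hash() {
  f=$1; algo=${2:-sha256}
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
  case "$algo" in
    md5)
      if command -v md5sum >/dev/null 2>&1; then md5sum "$f" | cut -d' ' -f1
      else md5 -q "$f"; fi ;;
    sha256)
      if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f" | cut -d' ' -f1
      else shasum -a 256 "$f" | cut -d' ' -f1; fi ;;
    *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
  esac
}

# verify_hash FILE EXPECTED [ALGO]: exit 0 only on a match. Published digests are
# often upper case or pasted with stray whitespace, so normalise before comparing;
# the whole digest must be equal, a matching prefix proves nothing.
verify_hash() {
  f=$1; algo=${3:-sha256}
  expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
  actual=$(file_hash "$f" "$algo") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK   $f $algo $actual"
  else
    echo "FAIL $f $algo expected=$expected actual=$actual" >&2
    return 1
  fi
}

# Usage: verify_hash ./downloaded.iso '<digest from the download page>' sha256
```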

Creating a Windows 10 bootable VHDX

So Windows 10 is kind of a disaster; we have known that for some time. This is a guide to make Windows 10 a little bit less of a disaster by enabling your Windows 10 system to boot directly from a VHDX file. Doing so has the following advantages, or in short, it lets you make an easily transportable Windows 10 image:

– you get to have Windows 10 in a file, easy to back up or transport to another machine.
– might make imaging systems very easy.
– allows you to do seemingly risky things in Windows without fear of totally bricking your OS.
– would allow you to have different bootable Windows files for different people, or rather for different uses.

Disadvantages:
– may not be stable; it's designed for developers and Microsoft recommends not using this in production.
– you won't be able to use BitLocker.

So with that out of the way, here's how this works.

You'll need a Windows 10 ISO; mount it and extract the sources folder to your desktop.

Use the Windows Disk Management utility to create a blank VHDX.
Note: Microsoft seems to recommend making your VHDX a fixed-size (static) rather than dynamic VHDX file. I have run into some trouble booting into dynamic files, with errors about there not being enough drive space, so consider yourself warned.
– initialize the VHDX as GPT, format it as NTFS, and name it whatever you would like.
– mount your new VHDX file.

Open an admin PowerShell in the sources directory and run:

dism /apply-image /imagefile:install.esd /index:1 /ApplyDir:vhdxdriveletter:\

Wait for Windows to write all the files to the VHDX…

Once that's done, all that's left is to add the VHDX to the boot record like so:

bcdboot driveletterofmountedvhdx:\Windows

Reboot and you're good to go; just select your VHDX at boot. Worth noting that you can edit the description of the VHDX boot entry using this little gem, the Visual BCD Editor.

The cost of doing email wrong

So, true story (from about a year ago)… it was a normal day in the office. I grabbed coffee at the Keurig, returned to my desk, signed into my notebook and looked at the helpdesk queue; nothing super new. My boss walked in and I said hi like normal. About an hour later I got a weird message from our CTO saying that he had received a message from a law office with a bill attached in a zip file, and he wanted me to take a look at it.

Now would be a good time to point out everything wrong with this message. First of all, it has an attached .zip file:
– nobody should put a bill in an attached zip file unless they are trying to encrypt what they are sending, and even if that were the case my boss should have gotten an out-of-band message with the decryption key (out of band meaning the law office should have contacted him and told him what the password was).
– as mentioned above, our CTO was not expecting the message… if they had contacted him it would have been less fishy; he would have expected the bill and known what caused it.
– misspelled or unprofessional-looking email, a dead giveaway that whoever wrote it was probably not the law firm in question.

I opened up a CentOS-based VM with a desktop user interface from a snapshot, opened my mail, downloaded the zipped attachment, cut the virtual network the VM was on and unzipped the message. Sure enough, in LibreOffice the document said in big red letters “in order to display this document you need to enable macros”. Yep, it's malware… surprise?

So let's recap: the CTO gets an email from a law firm that looks fishy, sends it to me, I grab the attachment, and it's loaded with malware….

Here's the disturbing part: at the beginning, it was sent from that law firm's email server. The origin of the message was made blatantly obvious by the original message header. So I proceeded to the next step: call the law firm.

(paraphrasing ahead)

“ring ring ring”
me – “Hi, this is Austin Janey from company I worked for previously. I just received an email from you that's got a nasty malware attachment.”
law firm – “We're sorry, we think our server's been compromised. We have an IT contractor looking into it.”
“click”

I took their domain name, went to MXToolbox and found out that they didn't have SPF or DMARC set up at all. This is something I see fairly often: if you don't have SPF set up then anybody can basically send email as you. That's not what was happening here, but it might have been a contributing factor, and not having any reporting enabled also means that when you are being spoofed there's no way for you to know about it.

Here's what is happening here: one way or another the firm's Exchange server was compromised, and the attacker/bot/malware infection was using their server to send mail to all their clients, mail that carried ransomware. This is the cost of doing email wrong. A lot of companies think that because they don't harbor sensitive data they don't need to take basic security measures; this is negligence. The most valuable thing you or your company owns is your name, the second most valuable thing you have is your customers and friends, and the third most valuable thing you have, to a hacker, is the ability to exploit the first two for their own personal gain.

I doubt this law firm is still conducting business, and it sounds like they might have quite a legal battle ahead of them if any of their clients received said email and were subsequently infected.

So how would someone prevent this from happening?
1. Make sure you have correctly configured SPF and DMARC records.
2. Make sure your Exchange server has a strong password set (and 2FA if it's supported) and outgoing spam rules, so that if you do get compromised the impact is minimized.
3. If possible, enable mail attachment scanning and prohibit certain types of files from being emailed altogether.
4. User training: teaching the users of your mail system to identify what bad email looks like can go a long way. If nothing else, teach them to question anything they receive that calls on them to do something they didn't expect to receive or do.
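Item 1 is easy to check for your own domain. The script below is an added example, not from the post: it reads the SPF and DMARC TXT records (via dig, assumed installed) and grades them the way the MXToolbox lookup above would; spf_check and dmarc_check accept record text directly, so each verdict can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the post: grade a domain's SPF and DMARC records.
# spf_check/dmarc_check take the raw TXT text so they can be run offline;
# audit_domain fetches live records with dig (assumed installed).

# dns_txt NAME: print NAME's TXT records one per line, quotes stripped.
dns_txt() { dig +short TXT "$1" | tr -d '"'; }

# spf_check RECORDS: print a verdict; exit 0 only for a hard (-all) or soft (~all)
# fail, which is what lets receivers reject mail forged in your name.
spf_check() {
  spf=$(printf '%s\n' "$1" | grep -i '^v=spf1') || spf=""
  if [ -z "$spf" ]; then echo missing; return 1; fi
  case "$spf" in
    *"-all"*) echo hardfail; return 0 ;;
    *"~all"*) echo softfail; return 0 ;;
    *"?all"*) echo neutral; return 1 ;;              # receivers treat this like no SPF
    *"+all"*|*" all"*) echo permissive; return 1 ;;  # anyone may send as you
    *) echo incomplete; return 1 ;;                  # no terminal "all" mechanism
  esac
}

# dmarc_check RECORDS: print "policy=<p> reporting=<yes|no>"; exit 0 only for
# p=quarantine or p=reject. Without rua= nobody tells you that you are being spoofed.
dmarc_check() {
  rec=$(printf '%s\n' "$1" | grep -i '^v=DMARC1') || rec=""
  if [ -z "$rec" ]; then echo "policy=missing reporting=no"; return 1; fi
  tags=$(printf '%s' "$rec" | tr -d ' ' | tr ';' '\n')
  policy=$(printf '%s\n' "$tags" | grep -i '^p=' | head -n 1 | cut -d= -f2 | tr 'A-Z' 'a-z') || policy=""
  if printf '%s\n' "$tags" | grep -qi '^rua='; then rep=yes; else rep=no; fi
  echo "policy=${policy:-none} reporting=$rep"
  case "$policy" in quarantine|reject) return 0 ;; *) return 1 ;; esac
}

# audit_domain DOMAIN: live check of both records; exit 1 if either is weak.
audit_domain() {
  d=$1; rc=0
  printf 'SPF   %s: ' "$d"; spf_check "$(dns_txt "$d")" || rc=1
  printf 'DMARC %s: ' "$d"; dmarc_check "$(dns_txt "_dmarc.$d")" || rc=1
  return $rc
}
```

Run audit_domain against your own domain; a verdict other than hardfail/softfail plus policy=quarantine or reject with reporting=yes is the gap the law firm in the story had.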

Network level advertisement blocking

It's been a while; thought I would throw this out there. You hate ads, I hate ads, and we don't trust advertisers with our privacy or, increasingly, our security because of advertising campaigns. So let's take a moment and block that network-wide.

So there's this great project for the Raspberry Pi called Pi-hole, https://pi-hole.net/. It lets you run a DNS server on your Raspberry Pi and block ads on your network. It's pretty great, and what's even better is that you can install it on CentOS 7 and use it as a DNS server with a web UI for a small business network. Let's hammer this out.

You're going to need a CentOS 7 VM.

Log in and run the command below as root (look at the code on their website first to make sure you're comfy with piping a remote script into bash):

curl -L https://install.pi-hole.net | bash

Congrats, you now have Pi-hole installed.

Now let's lock down those adlists. The Pi-hole defaults I have found are not so great, but you can edit those; once again as root, run this command to copy the defaults to the adlists.list file:

cp /etc/pihole/adlists.default /etc/pihole/adlists.list

Now edit the adlists.list file using your text editor of choice (I used nano):

nano /etc/pihole/adlists.list

Uncomment any lists that you might want and save.

One final note on security…. Pi-hole was not really designed for a business network; case in point, you can go to the IP address of the Pi-hole server and add items to the blacklist or whitelist with no username or password required. That said, the web frontend seems to be the only vulnerable part of the Pi-hole install, and since we're on CentOS 7 I don't have any other reservations about security here. So let's fix that one hole, shall we?

Go set up ZeroTier One if you haven't already and create a network.

Install ZeroTier on your CentOS VM and join your network, making note of your new ZeroTier IP address.

Open /etc/lighttpd/lighttpd.conf with your favorite text editor and add a line right above server.document-root that reads…

server.bind = "172.22.132.58"

but with your VM's ZeroTier IP address in place of 172.22.132.58 (straight quotes, not the curly ones a word processor inserts, or lighttpd will refuse the config).

Then restart lighttpd:

service lighttpd restart

And you should be good to go. Go to your original network IP to confirm the web UI is no longer being served on your LAN, then go to the ZeroTier IP (make sure you have ZeroTier installed on your workstation and are on the same network as the Pi-hole). You can still use the LAN IP of your VM for DNS, but the web UI should no longer be displayed or available to the local network. This means only clients on your ZeroTier network can manage the Pi-hole server. Now just point your router at your Pi-hole if you haven't already and you should be good to go.
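As an added example (not from the post), a script that makes the server.bind edit above idempotently, reads it back, and then does the "confirm on the LAN IP, then on the ZeroTier IP" check with curl. The IP addresses and the /admin/ path are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the post: apply the server.bind change safely and
# confirm the Pi-hole admin page is reachable only on the ZeroTier address.
# The IPs below and the /admin/ path are assumptions; substitute your own.

# set_bind CONF IP: put 'server.bind = "IP"' directly above server.document-root.
# Any earlier server.bind line is removed first, so running this twice is safe.
set_bind() {
  conf=$1; ip=$2
  sed -i.bak -e '/^server\.bind[[:space:]]*=/d' \
             -e "/^server\.document-root/i\\
server.bind = \"$ip\"" "$conf"
}

# bind_addr CONF: print the address lighttpd is pinned to (empty = every interface).
bind_addr() {
  sed -n 's/^server\.bind[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$1"
}

# check_ui LAN_IP ZT_IP: run after 'service lighttpd restart'. The page must refuse
# connections on the LAN address and answer on the ZeroTier one; exit 1 otherwise.
check_ui() {
  lan=$1; zt=$2
  if curl -s -m 5 -o /dev/null "http://$lan/admin/"; then
    echo "web UI still reachable on LAN address $lan" >&2; return 1
  fi
  if ! curl -s -m 5 -f -o /dev/null "http://$zt/admin/"; then
    echo "web UI not reachable on ZeroTier address $zt" >&2; return 1
  fi
  echo "web UI bound to $zt only"
}

# Typical run (as root on the Pi-hole VM; 192.168.1.20 is the assumed LAN IP):
#   set_bind /etc/lighttpd/lighttpd.conf 172.22.132.58 && service lighttpd restart
#   check_ui 192.168.1.20 172.22.132.58
```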

The Awesome Firefox Plugins list

Every once in a while I end up installing/reinstalling Firefox and I forget the awesome plugins I use; I made this post because I forget them. Worth noting that some of these plugins will adversely affect your browsing experience; you have been warned.

Sending Email with Powershell

Sending email from PowerShell: with nothing installed on a Windows 7-10 system you can send yourself email, and attachments, using nothing but PowerShell. This is useful if you have a dummy email account you want to be able to send system information from.

$ReportEmail.Subject: this will go in the subject line; in this case we are telling the system to put its hostname in the subject line.

$ReportEmail.Body: this content will go into the body of the email; in this case we are piping the content of a text file we made into the email body.

$SMTPServer = 'smtp.mailserver.com'
$SMTPInfo = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$SMTPInfo.EnableSsl = $true   # STARTTLS; SmtpClient refuses to send the password in the clear when this is set
$SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('randomaccountyouown@some.com', 'passwordforthataccount')
$ReportEmail = New-Object System.Net.Mail.MailMessage
$ReportEmail.From = 'randomaccountyouown@some.com'
$ReportEmail.To.Add('receivingemailaccount@some.com')
# subject = this machine's hostname, body = the text file, and the same file goes on as an attachment
$ReportEmail.Subject = Get-WmiObject Win32_ComputerSystem | Select-Object -ExpandProperty Name
$ReportEmail.Body = Get-Content -Path C:\fileyouwanttoattach.txt -Raw
$Attachment = New-Object System.Net.Mail.Attachment('C:\fileyouwanttoattach.txt')
$ReportEmail.Attachments.Add($Attachment)
$SMTPInfo.Send($ReportEmail)
$ReportEmail.Dispose()   # releases the attachment's file handle

So this is pretty great: you fill in the blanks and, if all goes well, you should be able to send yourself some email. Some things I should note: if you're using this in some automated fashion, you should probably make the sending email account disposable, since its password sits in the script in plain text. You can attach almost any file as long as it's 20MB or smaller (this is subject to change depending on mail provider); make sure to stay within your email provider's terms of service.

One of the really cool things you can do with this script is to use it in conjunction with other scripts to do things like pipe ipconfig into a text file on C: and then attach that to an email to yourself to get the IP of that system.

#note that this script is more of a template for your ideas and is in no way free of bugs/typos, but it does work!

Script as a preformatted string (one line, straight quotes, ready to paste; replace portnumber with your provider's submission port, 587 in the example above):
$SMTPServer = 'smtp.mailserver.com' ; $SMTPInfo = New-Object Net.Mail.SmtpClient($SMTPServer, portnumber) ; $SMTPInfo.EnableSsl = $true ; $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('randomaccountyouown@some.com', 'passwordforthataccount') ; $ReportEmail = New-Object System.Net.Mail.MailMessage ; $ReportEmail.From = 'randomaccountyouown@some.com' ; $ReportEmail.To.Add('receivingemailaccount@some.com') ; $ReportEmail.Subject = Get-WmiObject Win32_ComputerSystem | Select-Object -ExpandProperty Name ; $ReportEmail.Body = Get-Content -Path C:\fileyouwanttoattach.txt -Raw ; $Attachment = New-Object System.Net.Mail.Attachment('C:\fileyouwanttoattach.txt') ; $ReportEmail.Attachments.Add($Attachment) ; $SMTPInfo.Send($ReportEmail) ; $ReportEmail.Dispose()