Journey into Security - Part 1

I consider myself a noob, forever asking simple questions. Just how does DNS work? WTF is a floating pointer. A lot of these questions borne out of curiosity, and a few people said they would be interested in hearing how I got into Security. So i decided to write it down, it feels very much ' LOOK AT ME HOW COOL I AM ' and self indulgent writing this, but that couldn't be further from the truth, i hate talking, or writing about myself but in light of the current state of security, and being considered a mentor to a few people and working with extremely bright people i felt obliged.

I have loved computers ever since i could remember, i won't bore you to tears with my first computer because its likely the same as most people my age, but here is a photo of it. 

BBC_Micro_Front_Restored.jpg

2Mhz CPU

A shared computer at home, no games.

Fast forward a very long time to my teenage years and I was asked to help out at a family friends place of work, they had high-speed scanning of documents(invoices, purchase orders etc), I automated parts of this job and put a few people out of work (sorry) With this came the management of the storage of the scanned items, which came with the ability to identify secure methods of storage. At this point, an online presence was just emerging in terms of retail so it wasn't really a consideration that at some point payments would need to be taken online and managed in an office and placed internally. So my curiosity led me to a device known as a domain controller (Windows 2003 SBS) which contained the following 

  1. DHCP
  2. DNS
  3. WINS

WTF was this? and what did they all mean, well i needed to understand what I was working with some I quickly spent a lot of time on  place called TechNet, before Microsoft released the useless bots to answer questions, it was a thriving community with a lot of answers and help, I learned the basics of network management here understanding what a subnet was, and why it was important to track who was using what range, and I why. ( Think credit card processing )

Now I realized at the time a lot of letters started to appear on the signatures of my peers ( MCSE, CompTIA) I thought, what was this? a quick Yahoo!( yes, yahoo ) a search showed me that Microsoft was giving certifications to people who took tests and with that came the letters! Cool, I thought, i was in my 20's and had not sat a test since school, and i did not go to University so it was natural to try and test myself. That particular employer did not give me any training so i had to leave and ended up at one job (i have missed out two roles here that do not have any impact on my journey into security ) - i ended up at a communications company, dealing with MPLS, leased lines, dedicated fibre links etc. Basically, the stuff that powers the internet & telephony.

My first job in this role was to 'map the network' - wait, what? I didn't have the slightest idea where to begin, routers? Switches? i was a Microsoft specialist and had sat away from networking because of dedicated resources, i had the opportunity to understand these things and did so quickly, i had a vague idea of the topology and was able to Visio a map in about 14 days. This was as much a test for me as it was for the company, we had:

  1. WAN Router(s) exposed by default auth
  2. Hardcoded credentials in reception for wifi
  3. Gold Images that had no updates applied for over 10 months

So at this point, i had access to an Active Directory with approx 3,00 users and mobile devices, computers which ran XP and a Windows 7 deployment upcoming. This was my job to manage, design and deploy. I was very scared. computers where something i used not something i knew what to make use of!

I was extremely fortunate enough to attend a Microsoft Course which was titled ' Fast track to managing and maintaining an active directory domain 2003,' , this course 5 days away from my home in a strange city taught me so much, i had 10hrs a day exposed to an active directory domain that i build and could break and rebuild without the fear of a P45 arriving, i got further into some concepts that i had come across ( DHCP, DNS, WINS) and some other more interesting concepts which iginited my interest further.

Security 

I had long been in awe of security specialists, I had only minor interaction with these superheroes, they usually worked in a Firewall team, or some other amazing sounding team - and would only appear when things where bad, so that was my interest, what DID these people do?  Well i quickly discovered that a set of ACLS on a firewall was not as interesting to me as managing a forest of objects for thousands of people and understood securing active directory was much more interesting, i started to dig into Active Directory and trying to understand further i quickly learned about a few things

  1. Active Directory is hard
  2. Active Directory is hard
  3. Active Directory is hard

Now the grizzled amongst will say it's not, I completely disagree - the entire concept of Active directory has been badly managed, and whilst its now an entire attack surface and has brought to light some of the most incredible attack methods, there is very little in the blue team area of protecting Microsoft Active Directories.

So. after dedicating a few years to becoming a specialist* in Active Directory security, i moved on. A role in the legal marketplace. I was protecting the assets of solicitors, a domain unlike any other i've ever worked in before. A difficult but challenging role because of the reliance of physical documentation for legal professionals restricted much of what is digitised. 

Exams, Exams.

Screen Shot 2018-03-04 at 2.13.43 pm.png

I was very boring for a few years, taking exams every few months.

 

One day, I arrived for work and was told i would be sent on an ' intervention', this in the UK refers to a concept when a legal practice is in distress a member of the 'SRA' will intervene and take over, this included all electronic items. I was basically an IT bailiff.  

I had managed antivirus solutions because nobody else would (Who can blame them?) but quickly realised what a GOLDMINE of information was being identified, it was a pretty default policy ( block, allow, delete, quaratine ) the little friction it was generating was not worth the cost of renewals, so I changed it an applied it to different machines, using different policies depending on location and level of practise seniority, I didn't want to get the sack because a partner of the practice couldn't plug in the USB device he also used at home. 

I was identified as a potential for the intervention ' because Bryan knows security '. Did i? Not really, but I did know how dangerous office macros where and why IE6 really shouldn't be used. Let's go - anyway, an 'encrypted database' was being used to store all client data and we needed it to be able to 'take on the cases'. the 'encrypted database' was a Microsoft Access database, it was trivial to crack, made even easier by the fact the password was stored in passwords.txt in the same directory.

Anyway, I was hailed as a savior and even though no laws where broken, that resulted in a lot of money being earnt, and my value rising too (all because of a password policy?)

So i was given access to be able deploy my OWN antivirus policies as a result of some good work around ' finding passwords in directories called passwords', i had shown interest so there we go.

I deployed extremely restrictive policies to execs, so much they complained, i updated device controls to prevent data loss via mobile phones, and usb sticks, and identified the malware as a result of this and thought ' well this is cool', im using something someone hates to hear about to find all this bad stuff, who wouldn't be interested in this?!' Turns out it was only me, and this is where my security passion was really born.

Hello, Pentester 

Fast forward a few months and i received an alert from my very restrictive policy alerting me to someone running passwordump.exe on my domain controller, but not only did i lay a very small egg in my pants but i was worried because the domain controller was a honeypot. I had deployed a few domain controllers in a sense that they advertised the services to a would be a attacker but contained no actual resources. A modern day RODC but RODC was a thing. Turns out we had a 'black box' pen test in which the manager was aware of, i quickly identified the pen tester in a room he had 'walked into' and plugged into a telephone port, identified the DHCP range as being broadcast from my 'domain controller' and thats all - i just named the server as DOMAIN CONTROLLER and no ntds.dit was enough to attract the attention of his toolkit. The server was only running DHCP.

Anyway i tried to take control of his session, and this image made it into the eventual pen test report as a way of positive feedback on deception.

 

 LOL no

LOL no

What does this button do?

I moved on from that role, as my passion for security grew I moved to a company that was responsible for user virtualization, I learned more here about user profiles than i can ever forget, the stages of authentication involved in a login, the handshake and crucially the concepts around Kerberos and NTLM - had a core understanding of authentication and the reliance on trust for authentication, and with this came a more curious minded approach, I worked with extremely talented developers and students who where driven by curiousity from an academic sense, I was purely trying to learn and stop being a noob. I was in a QA team, a bug hunter! sadly, the only bugs that drew attention were not ' this button works', but that the storing of plain text passwords in SQLite databases kinda bugs.  Along with the realisation that I should be documenting every single thing I ever needed to know in a physical form so I bought Moleskines

Lots of them.

IMG_2231.jpg

Notes

Write that sh*t down

As I've written here I have realised a second part will be much more interesting than one long boring post. It will include more of the recent stuff, a failed CISSP study attempt,  how I identified bugs before bug bounties were cool & some malware stuff.