Encryption & OpenPGP

The  is more of comprehensive post detailing how to setup and use PGP encryption on any Linux machine using the most widely used GnuPGP, as the name describes PGP Is free open source. i will describe and explain core concepts the following ,

  1. Why encryption & core concept of the OpenPGP
  2. Generating encryption
  3. Revocation certificate
  4. Backup configuration and data

 

Encryption

Generally there are two types of encryption: Symmetric and asymmetric. In symmetric encryption shared key is used to encrypt document and decrypt from clear text to cipher text  example of symmetric tools 7zip widely used or HDD hard disk drive encryption, Bitlocker, Becrypt. Clearly the use of symmetric is only worth anything if both sender and receiver know the secret.  Asymmetric.

Asymmetric encryption much more secure , in total two keys are used throughout the encryption process The way asymmetric key works is that if document encrypted with one key only be decrypted with using the other key a.k.a Public and Private keys, this form of encryption also known as trapdoor algorithms  “Consider a padlock and its key. It is trivial to change the padlock from open to closed without using the key, by pushing the shackle into the lock mechanism. Opening the padlock easily, however, requires the key to be used. Here the key is the trapdoor and the padlock is the trapdoor function”

So what does encryption provide ?

Confidentiality

Asymmetric encryption is used to maintain the confidentiality i.e  the privacy of your data, documents , this formation of encryption involves generating a “keypair” i.e if document is encrypted with one can only be decrypted by the other (public, private)  you share your public key with other and keep your private keys for yourself. People who want to communicate with you via encrypted e-mail will use public key to encrypt the clear text to cipher-text and read it.

Asymmetric encryption  has security advantages with a few drawbacks. It’s computationally intensive, in actual fact Asymmetric uses hybrid encryption rather than just public keys  https://en.wikipedia.org/wiki/Public-key_cryptography

Installing and using OpenPGP

This just a basic guides to get started with installing and running OpenPGP on Centos 7. I;m not running Windows or other GNU/Linux flavours but you can probably find some good guides installing PGP online elsewhere.

Install GnuPG2

Almost all linux operating system have GnuPGP but if not for some reason it should be pretty easy to install

 sudo yum install gnupgp2 pinentry-gtk 

install_pgp

Figure 1 installing gnupgp2 locally

Below gpg –version  for successful installation

Screenshot from 2017-05-29 09-26-49

Figure 2 gpg version with successful installation

 

Generate A Keypair

This involve using your favourite command launch terminal app and type

gpg –gen-key

you will this this

Screenshot from 2017-05-29 09-40-06
Figure 3  – just choice the default version 1 to select RSA

Next we select the key size i like to have 4096  but that a decision yo need to make. remember the the loner key the more security however they can also take very long to generate on the older hardware especially old legacy embedded system

RSA as selection and the key size is 4096

Screenshot from 2017-05-29 09-43-11

Figure 4  –  The key size and how long the key should be valid is your decision. if somehow your private key becomes compromised you will be able to revoke it using the revocation certificate just hit y and enter again.

0 valid and the key does not expire

Screenshot from 2017-05-29 10-12-50

Figure 5 Email address must be your valid email

 

Your User ID constructed

Screenshot from 2017-05-29 10-16-22

Figure 6 Just type O  to confirm a dialog box will appear asking for a passphrases. this is crucial to make sure that even if an attacker gain access to your private key , they might not be able to use it. Make sure this is a strong password. Complex password at least 18 characters long i.e mixture of upper, and lower case letters, numbers, special characters

Screenshot from 2017-05-29 10-55-43

Figure 7 The initial 8 character  F6ACBB42  key ID on the line beginning with pub is the unique public master id which is used for identity and signing. The one line beginning with sub is that of your public subkey ( key used for encryption)  and your primary user ID is on the line beginning with uid .. Read on  more man gpg2

Key servers

How do you publish or let people know about your public key ? That’s where key servers comes to help.  a key server is a computer that receives and then serves existing cryptographic keys to users of other programs.

To publish your public key to a keyserver, run:   gpg2  –send-keys Public_ID

Screenshot from 2017-05-29 11-11-55

Figure 8 Sending keys to key servers  http://pgp.mit.edu/

 

Public key export

To be able to receive encrypted files you need the export public key and share with others via email attachment or via usb memory

Lists the existing keys

Screenshot from 2017-05-29 11-58-18

Figure 9 listing the keys i.e you need username demo for generating key

Exporting key to “key.txt” specified key name demo

Screenshot from 2017-05-29 11-58-46Figure 10 export of demo public key demo

Key.txt contains the public key

Screenshot from 2017-05-29 11-59-27

Figure 10 public key contains public demo key

Revocation Certificates

if the key becomes a compromised somehow you should revoke it i.e declare the key is no longer is safe, you still require to type in the Passphrase

gpg2 –gen-revoke “publicid”  creates a revocation .asc format

Screenshot from 2017-05-29 19-30-36

Figure 11 revoke certificate

Just follow the instruction and press 1 to revoke the key

Screenshot from 2017-05-29 19-32-53

Figure 12 – press 1 for key has been compromised

Next import the key to be revoked locally

Screenshot from 2017-05-29 20-07-01

Figure 13 key locally revoked

In order to let the key server know, just send the key ID to it using

Screenshot from 2017-05-29 20-09-37

Figure 14 sending the revoked key to the keyserver

 

Web of Trust  / Key signing ?

Web of trust is very interesting security concept with GnuPGP, let say an attacker decide to generate a keypair using your identify i.e your name and email . How are people to know which belongs to who  ? This is where Web of Trust comes into help  which is basically is key signing , the more people sign key the more likely becomes trusted.

Fortunately key signing is very simple task.  You need the user’s key if it is stored on key server simply run

Receive key_ID

Screenshot from 2017-05-29 20-47-43

Figure 15 receive key from the keyserver

Signing key

Screenshot from 2017-05-29 20-59-11

Figure 16  we sign the key we imported from the key server

It’ll ask you to confirm the signature operation, and then it’ll ask you to input your passphrase. Once this is done you have added your signature to the key is now modified,

you need to send it back to the keyserver

Screenshot from 2017-05-29 21-14-50

Figure 17 sending the signed key back to the key server  (Web of trusted created)

Encrypting document

gpg --encrypt --recipient ambientcrypto secret.txt

 

Screenshot from 2017-05-29 23-05-43

Figure 18 is encrypting a document locally secret.txt.gpg  

Decrypt the secret.txt.gpg

Screenshot from 2017-05-29 23-11-21

Figure 19 decrypted secret.txt.gpg – you need pass phrase to decrypt the key

What if you want to encrypt files for others ?  That’s the cool thing about GnuPGP using public available keys

gpg --import key.asc

Screenshot from 2017-05-30 21-14-09

Figure 20  importing keys to encrypt document for someone else

Alternatively, you will be able to find key on public keyserver. Here’s what it look like when someone searcher for key

Screenshot from 2017-05-30 21-19-49

Figure 21 search for a key with name ‘security’ from the pool key servers

 

Further Reading  https://www.gnupg.org/documentation/

Why you should be using Azure and move on premise infrastructure to cloud ?

Microsoft Azure cloud computing services for deploying managing application and service through ta global network of Microsoft managed data centres. T provide software as a service , platform as service and infrastructure as service with large number of services , tools and framework including both Microsoft specific and third party software systems .

But really why should you move to cloud? Well next couple of paragraph explains,

After my introduction to Azure cloud implementing azure infrastructure solution decided to look at the one of the core Azure cloud service Azure Security centre Prevent, detect and to threats with increased visibility and control over resource groups , essentially Virtual machines,  NSG Network security groups, network anomalies e.g. external/network attacks especially windows attack vector.

What did I really found.. Next step is to test the underlying Security operation centre security identify how it respond to determined sophisticated PowerShell based on memory/disk attack ,

We created a resource group under the name of securesystem.co.uk and deployed a windows server 2012 R2 with domain active directory installed and a SQL Server 2016 as joined server to the domain.

The new ARM template when deploy a VM by default doesn’t allow any incoming connection, in another word port 3389 Remote Desktop Protocol is not allowed. We created a new NSG Network security group and allowed port 3389 for remote management. Of course you should never allow direct access to RDP over the public network but still very common very mistake administrator make.

Next we enabled Security centre and added a policy to monitor our resource group containing the Domain controller active directory and domain joined SQL Server 2016. Now that we have configured virtual machines and security centre monitoring.. You probably figured out our next step… The attack

In this scenario I use the following attacks and tools,

  1. RDP Remote Protocol attack using a dictionary attack with most common used passwords
  2. –         Custom designed PowerShell/Python command and control framework
  3. –         Persistence and lateral movement using pass the hash attack
  4. –         Forensic network analysis and anomaly detection

On our kail attacking host we used medusa with dictionary file containing the password attacked the 51.140.123.240 which is the SRV01 domain controller listening on port 3389. Of course for sake of demonstration we added the correct password to the list as highlighted the password found “ReallySecure$$” Success .

1

Figure 1 Medusa conducted controlled dictionary attack from Kali Linux attacking machine

Next we logged on to the SRV01 using Rdesktop from kali machine using the credentials we found in previous initial RDP attack

2

Figure 2 RDP session with the target SRV01 domain controller server

Custom powershell agent created and base64 encoded to copy over the target machine in order to maintain a persistence on target machine and ensure the agent payload lives in memory only after self-destruct.

3

Figure 3 powershell agent runs and on target machine and self-destruct itself and lives in memory

Custom Namlook framework python/powershell command control uses public key infrastructure for command and control so the idea is to encrypt the traffic between the target victim machine and my attacking command and control machine

4Figure 4 we have connection back from the target azure SRV01 to our python powershell command and control the payload. The payload as you see it spawn the powershell on PID 3632 and we also have internal IP address, machine name, user logged on, ad the last seen is based on 5 second interval to check if the server still sending the heartbeats .

Next step we decided to deploy a persistence stager to our target machine the idea is to force the target SRV01 server to send cmd.exe shell back to our command control every day at 8:00am or simply at startup. So whenever a use logins we get nice shell back from the SRV01

5

Figure 5 Stager but with high detection ratio as this would touch the disk and lives in HKLM:\Software\Microsoft\Network\debug registry . we encode the payload to be base64

The agent now lives inside registry debug file whenever the user logins to the SRV01 server the persistence module trigger happens and sends encrypted shell back to the command  control

6

Figure 6 debug embedded with base64 encoded powershell agent.

Next step we decided to conduct situational awareness to check what other host is reachable within from compromised target, this module simply uses nmap network mapper to identify hosts and the port numbers

7

Figure 7 SQLSRV01 10.0.0.4 identified with the open ports 445 SMB , 3389 ?

Next we used another module to extract password hashes directly from SYSTEM/SAM file. System file is required as it contains the windows secret bootkey to extract the password hashes from SAM file

8

Figure 8 USER Private and RID 500 indicates the user is local administrator account and user Guest RID 501 is guest but disabled by default.

Another fantastic we used is the mimikatz by benjamin DEPLY a.k.a gentilkiwi written in C but ported to powershell to make the use of extracted password hashes and use that as way gaining access to the connecting SQLSRV2 host with the PTH Pass the hash attack, which essentially is to inject the NTLMv2 hash into the process PID 1240 and call the cmd.exe on target server.

9

Figure 9 now is just a matter of running another PS module to steal the token to give us full administrative access on target SQLSRV02 box.

One last demo was to check how security centre identify malicious executables land on the disk with up to date AV. Of course it’s simple to bypass AV. As you see I recompiled the mimikatz simply by replacing all mimimkatz strings in code with Kikitaz to bypass Anti-virus..

10

Figure 10 extracted password hashes from SRV01 Server 2012 KIKTAZZZ

Azure Security centre and on disk analysis

process explore is one of the top windows system internal tool we use for security/troubleshooting investigations , it lists all the process and one can easily identify malicious process, schedule tasks, TCP/IP connections and most importantly file signature and many more ..

Process explore identified the PID 3632 Powershell v.1.0 and command line containing the agent PowerShell code runs under the user private context. Base64 encoded code to send the shell back to the command and control.

11

Figure 10 Process explore identifies the PowerShell malicious code

Closer dynamic analysis we can see winhttp.dll dynamic link library establishes makes 5 minutes interval to our command and control

12

Figure 11 winhttp.dll used for establishing the C2 connection

Azure security centre main dashboard resource security health with recommendations on vulnerabilities such as open NSG network security  groups, Patching as well as container encryption

13

Figure 12 azure security centre

Azure Security Centre Security Alert with description of each suspicious activities and severity level

14

Figure 13 dates and individual attack type with severity level Medium to High

Closer analysis shows our dictionary attack from my attacking machine 82.32.182.245 against SRV01 Server 2012 has been identified as network anomaly, good indication of brute force attack

15

Figure 14 RDP network anomaly brute force  detection

Powershell agent identified as malicious with decoded script showing the command and control IP address

16

Figure 15 Agent identified as malicious powershell

In conclusion it’s clear how Microsoft raised security bar against the sophisticated attacks especially identifying network anomaly and memory based attacks as we demonstrated using PowerShell as command and control. As these types of attacks on premises difficult to identify almost impossible but with Azure the response time is almost 2 ~ 3 hours

The future is here, so time to accept and adopt to cloud services  🙂

Hit me up for security related projects or 5 minutes of CLI ? 🙂

—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: GnuPG v2.0.22 (GNU/Linux)

mQENBFkl+OwBCAC555CkUnv94N2ZG3M9LrGj4WdrQ98PxwhDaZ/SQ/M126hp/VhE
Pk/3BTXuoTjGrmMANU7MidKeoWwflwFsnW8m0W3+yxnkBUv/V+q6gQHDPpWoxhMw
NrDSlud4ybTVq4q/Coo1Eapt2cb3kVUIDzVYegMOKwXN2ch+S5HF/64935Us61GS
0jH2CLaF43P9apPoz7DbyOyl+bAQlzoylW1khB/1fQ8Qv6533IAvGoNted9XITBB
L7mlWZ03AuhDNbYgpKrsuuAnjl7a/5qGdr6GwWbJr4e21uycAUOGUnOpf6Lb+Z3N
aKLo5c7KHm3M0FyM7pycb/0PatI/ZYqLe0QpABEBAAG0KWFtYmllbnRjcnlwdG8g
KHRvcikgPHNhZGkuemFuZUBnbWFpbC5jb20+iQE5BBMBAgAjBQJZJfjsAhsDBwsJ
CAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQf6H8r5r/2Izqxgf/WlCPWrPBNmZs
lGYWnJRvb/6JgBkc12Cd7LD7wNNeTj3dQzv0kWdsq5/JQODnt/WGXPIBmKsbF9lT
4BjCBn+fla6VcpO1o6FzTmmLNbR4QLCypYr9KlrZ9lpm46Ocigkz9PlVrWz0pL+e
lf7LZ+pffTkq5mUB6sh0KF/mhhBdGJP7+y6yDQABnNlnQHlJekrJitOvnEUn326s
dz3Kn7nPTHxpOPuTBjs9mmlKW3Yc/jKEoyVHtAqkgTZ5XVW8/DLxobWjrark+o7L
JxaOAP6d8WnJK17BZ3c7G3cp0h0J64CX5D7sn7AD288ABWCxOCzZcVMIU778TGNZ
US7UgvUD8bkBDQRZJfjsAQgAu5mNoMb71L2Qv/8Q9zeFigOuq0Osm2jPggIvtTS7
FSpuXjxXZyBsJV5yXAa9iAGM/62acyyrj4wXzGjWEWQhAZwxMAd05Do+qYiFOVX/
ozLq17RAfFR5M5RgeiTVug7lJjurWDiwl2AJ4cPtIkxofWwnIyzlsfK/WV8n92id
UprTFRTm08fzit3VJXg8uRFOg1jdUoBW5KwrVQ1/er7+4/wPyONUYHwTpBX5E7hK
ePWs+Urt/Oh/U9P/G/7UV2OmHciU1PtttcYHYBlXbtZQAXKJO+sTkL1hqfK2s+Qn
JBajn4tZL0sU3nkYni5/AII80KH5T03hugoakxD2fLuYxwARAQABiQEfBBgBAgAJ
BQJZJfjsAhsMAAoJEH+h/K+a/9iMiW4H/25N87OzTk39XDTD/ON3J8J0PlWjrHw/
T4ywTGAchWFhgWusGROI+eutreZZToRv0Ei0ZVv5z4rJ88NImUI9LVtXe7DMQF4t
dFGZ7Ci4BDjAqc0CVBJ+Vh25t0M13w/BnTeCggdyoUBGzQCLfL2d/HGyudinYakw
OLdmo1tRrRsWnazAvFXSc6CY6KkkPV722hmP3zIITXmLJnApqY6HUKZ60WqATnFx
/47/rBl6Erc5e/i/jXrHBaSzyuODQSsCL/ymSkfXdxAoyAmdBynWk3MbR4avd1A2
2oKJkb76DrJQ7aB8mYyB7inPWtssiSIgs+j3TWx+RKDuMBMf+gDht0w=
=SNCP
—–END PGP PUBLIC KEY BLOCK—–