Recently I released ssh-audit v2.3.0 with new policy configuration checking support. This makes IT admins' lives easier, since it boils down the output of ssh-audit to a simple pass/fail answer.
Standard Scans vs Policy Scans Normally, ssh-audit goes through the list of cryptographic algorithms supported by the server, and rates each one. Here’s example output against an unhardened Ubuntu Server 20.04 system:
After applying the right hardening guide for this OS, ssh-audit’s output looks like this: [ Read more... ]
I reported a serious local privilege escalation flaw in GOG Galaxy Client on April 28, 2020, but my follow-up investigation (detailed below) found the vendor’s fix to be insufficient. By updating the proof-of-concept exploit code, it is possible to execute arbitrary commands as SYSTEM in GOG Galaxy Client v2.0.13 through v2.0.15 v2.0.19 (the latest as of this writing).
GOG did not reply that this issue was officially fixed, although changes were silently made at some point after the v2. [ Read more... ]
The GOG Galaxy client is video game management software published by GOG. An audit of its security (for versions 1.2.64 and 126.96.36.199) revealed a critical local privilege escalation flaw that allows the execution of arbitrary commands as SYSTEM.
GOG fixed this issue in v2.0.13, released on February 25, 2020. Unfortunately, I was not notified of this until April 28, 2020–the 90-day deadline as per Google’s vulnerability disclosure policy. It is unknown if a fix was issued for the v1. [ Read more... ]
Today, on behalf of the Rainbow Crackalack Project, I’m proud to announce the immediate availability of NTLM 9-character rainbow tables!
A Brief Recap Ten months ago, in June 2019, I released the Rainbow Crackalack v1.0 software along with NTLM 8-character tables for free via Bittorrent. The tables could (and still can) be obtained by purchasing them on an SSD hard drive as well.
At the same time, I announced a Kickstarter project to raise at least $3,000 to purchase equipment to generate 9-character tables with. [ Read more... ]
It’s been known for years now that SSH servers can (and should) be hardened by removing weak default algorithms. For example, recent versions of OpenSSH ship with algorithms suspected of being back-doored by the NSA (i.e.: ECDSA with the NIST P-curves), along with other algorithms with sub-128bit security levels.
But did you know that client software can be hardened too?
Why Harden Client Software? In a world where all servers are properly hardened, there would be no need to re-configure client software. [ Read more... ]
Today marks the release of ssh-audit v2.0.0! This tool audits SSH server configurations and highlights vulnerabilities in the following areas:
Host key types & sizes Key exchange algorithms Ciphers Message authentication codes (MACs) It is especially useful since the defaults on many systems are, let’s say… less than ideal.
Here’s example output against an older CentOS 6 machine:
Aside from cloning the GitHub repository, you can obtain ssh-audit from PyPI as well: [ Read more... ]
Today marks the release of Rainbow Crackalack v1.0!
This project was started to fill a gap in the password-cracking toolset. Rainbow tables were popular up until around 2012, when they began to be phased out in favor of rules-based cracking. While newer techniques are indeed very effective, rainbow tables still excel at cracking fully random passwords. Humans don’t typically use fully random passwords, but for high-privilege accounts (such as Windows domain administrator accounts), they are more common. [ Read more... ]
A lot of administrators install the SSH service and assume its in top shape. What they don’t realize is that system packages tend to be optimized for compatibility, not security. While a lot of systems include defaults that are fine for most cases, there is still a lot of room for improvement–especially for high-security environments.
Depending on how old the package for your distribution is, the default configuration may have the following problems: [ Read more... ]
A few months ago on an internal pentest, I wanted to do an MITM attack on SSH tunnels to capture credentials. Besides the out-dated SSHv1 downgrade trick, the only thing I could find was the JMITM2 tool. But not only was it last updated in 2004, I couldn’t get it to work either.
So I sat down and wrote a patch for OpenSSH v7.5p1 (the latest version) to make it do what I want. [ Read more... ]