"This account has been hacked! Change your password right now!"

    That's a pretty scary subject and it's one of the latest tactics used in spam emails which attempt to extort money from the recipient.  We've seen variations of this message which include the password but this one in particular does not.  

    The message further states:

    "You may not know me and you are probably wondering why you are getting this e mail, right?  I’m a hacker who cracked your email and devices a few months ago."

    "Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account."

    I had so many different ideas for the title of this post because there are so many different ways to call attention to this problem.  "Too much point and click."  "Attention to detail."  "Understanding your environment."  All of these apply.  

    The other day, I was playing around with (I will post on this soon!) Oracle Glassfish -- "Glassfish is the world's first implementation of the Java Platform, Enterprise Edition (Java EE) 6 specification."  I managed to get credentials, and with those I was able to deploy an application, which is very much like deploying an application on Tomcat.

    I set up Metasploit:

    In my last post, I talked about cracking Microsoft Office password protected documents.  At the end of that post, I suggested storing the entire document in a password manager, and I also mentioned VeraCrypt.  Truth be told, I was going to link to a post that I thought I'd written for this site, but I was mistaken.  I'd actually written documentation for a client specifically about VeraCrypt and, for obvious reasons, I'm unable to post that document.

    Understanding what a product like VeraCrypt can do for us enables us to choose the appropriate level of security for a given situation.  If you're storing sensitive data in files and password protecting your documents isn't enough, VeraCrypt is one way to add a further layer of protection for that data.

    Before moving on, I'd also like to mention that security is inconvenient at times -- most times.  I would love to leave my doors unlocked at my home because it's inconvenient to dig the keys out of my pocket each time I want to open the door.  But that's not the world that we live in.  If you use this product correctly, you will open the vault when needed and you'll close the vault when you're done.  In other words, if you're consistently accessing this data throughout the day, you're going to open it when you come into the office and you're going to close it when you leave.  If you leave it open every minute of every day, it won't protect you much more than the file(s) living in the file system without protection.  That would essentially be the same as installing a deadbolt on your front door but never locking the lock.  

    I can't say that I've encountered Jenkins much in the real world, but when I worked with large groups of developers, they worked independently of each other, and Jenkins probably could have helped with that problem.  But I digress -- that is no longer my world.

    I've heard Jenkins mentioned in the context of pentesting larger organizations and I have two impressions:  First, it's discovered frequently.  Second, it's a sitting duck.  I don't know either to be true but I've wanted to get familiar with it.  I've seen it a few times but not in a situation where I could get a solid foothold. 

    Quick sidebar -- I met a red teamer who said he wanted to go through every single exploit in Metasploit to see how it worked.  I understand that concept and this is basically what I'm doing here.  Attack as many things as you can find, become familiar with how they work, and add that knowledge to your toolbox.  It will aid you in pentesting and it will also aid you in securing these applications when you come across them.

    I finally found a vulnerable version of Jenkins, version 1.637, and I wanted to work through every angle -- even if some are redundant.

    Gather as much knowledge as you can in order to make educated decisions.  For example, there's this idea that if we password protect Microsoft Office documents, we are going to keep people from accessing them.  I'd say that is mostly correct and when I'm done explaining how to crack the password, you can decide if what you have stored in them is protected well enough.  

    First, let me state that there are commercial products that will crack the passwords easily.  I haven't used one of those products in a long, long time, and I think a search would yield legitimate products along with questionable, possibly malware-laced, products, and it's not something I want to randomly download.  For this post, I'm going to use open source (read:  FREE) and publicly available tools along with the rockyou wordlist.

    Don't be confused, this is about MS17-010 and the error you'll sometimes see which states:  "Unable to find accessible named pipe!"

    Since I came across this while working, I thought I'd document the steps of how I got here and how I worked to move past it.

    I'm on a network with a Windows 2008 Server and when I perform my port scan, I see:

    © 2020 sevenlayers.com