Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
  • Post
  • Reply
Methylethylaldehyde
Oct 23, 2004

BAKA BAKA


Cup Runneth Over posted:

But there's hot single women in {YOUR_AREA}

I think you mean hot {marital fetish} {sex of choice} in {target area}, the more specific the fetish, the more likely you are to be open to honey-potting. Click {here} for malware targeting your specific sexual kinks.

If you're top quartile for user education vis a vis malware bullshit, anyone who isn't spear phishing you for a payout or mossad is gonna avoid dealing with you simply because you're too hard to trick. Anyone who is able to kidnap you is gonna get your passwords via rubber hose method, and anyone who isn't can't do anything you don't allow via user error or unpatched vulns. Patch your poo poo, and don't send wire transfers to uzbekistan banks.

Methylethylaldehyde fucked around with this message at 08:47 on Aug 29, 2020

Adbot
ADBOT LOVES YOU

Truga
May 4, 2014




Lipstick Apathy

CLAM DOWN posted:

I am far far too elite to fall prey to your petty whaling schemes

Cup Runneth Over posted:

But there's hot in {YOUR_AREA}

Proteus Jones
Feb 28, 2013





Hair Elf

Cup Runneth Over posted:

But there's hot single women in {YOUR_AREA}

In Cardboard Box Town? (just outside Vancouver)

duck monster
Dec 15, 2004



CommieGIR posted:

Oh good, the old methodology of "Escape the Security Requirement through a couple clicks" lives on past Windows 95.

Nothing says "Secure" like "Being so helpful in our UI that you don't have to be secure"

I still remember one of the earlier versions of NT, possibly NT 3.1, its been a while, that had a help link on the login screen. If you clicked through it opened up the full chm reader which you could helpfully get into the file system via "open" and then use its overly useful dialogue to open a cmd window, logged in as SYSTEM. From there you could get explorer.exe up and it all goes downhill from there

RFC2324
Jun 7, 2012

Http 418


duck monster posted:

I still remember one of the earlier versions of NT, possibly NT 3.1, its been a while, that had a help link on the login screen. If you clicked through it opened up the full chm reader which you could helpfully get into the file system via "open" and then use its overly useful dialogue to open a cmd window, logged in as SYSTEM. From there you could get explorer.exe up and it all goes downhill from there

P sure that was the 9x line, not the NT line.

NT had a different, but equally dumb security flaw iirc

D. Ebdrup
Mar 13, 2009
Probation
Can't post for 4 hours!


duck monster posted:

I still remember one of the earlier versions of NT, possibly NT 3.1, its been a while, that had a help link on the login screen. If you clicked through it opened up the full chm reader which you could helpfully get into the file system via "open" and then use its overly useful dialogue to open a cmd window, logged in as SYSTEM. From there you could get explorer.exe up and it all goes downhill from there
Opening chm reader to pop a Windows system is still a regular thing on Windows 10, demonstrated a few months ago:
https://www.youtube.com/watch?v=ZdsSgklRoag


RFC2324 posted:

P sure that was the 9x line, not the NT line.

NT had a different, but equally dumb security flaw iirc
Nope, it's affected every single version of Windows, and probably will affect all future versions of Windows.

D. Ebdrup fucked around with this message at 15:57 on Sep 1, 2020

stevewm
May 10, 2005


Another one that works on Windows 10 is to boot into a command prompt from installation media, rename cmd.exe to utilman.exe (after renaming utilman.exe to something else). You then boot normally, click the Ease Of Access button on the login screen, and now have a CMD prompt logged in as SYSTEM. Do whatever you need to do, and reverse the change.

I've used it a couple times to get around lost/forgotten passwords.

The Fool
Oct 16, 2003



stevewm posted:

Another one that works on Windows 10 is to boot into a command prompt from installation media, rename cmd.exe to utilman.exe (after renaming utilman.exe to something else). You then boot normally, click the Ease Of Access button on the login screen, and now have a CMD prompt logged in as SYSTEM. Do whatever you need to do, and reverse the change.

I've used it a couple times to get around lost/forgotten passwords.

this won't work on a bitlockered system

you should be bitlockering all the things if you can

duck monster
Dec 15, 2004



RFC2324 posted:

P sure that was the 9x line, not the NT line.

NT had a different, but equally dumb security flaw iirc

No, this was definately NT. The 9x line you just had to mash escape.

edit: I wonder if this sort of thing worked on all those old cytrix terminal servers

duck monster fucked around with this message at 16:28 on Sep 1, 2020

D. Ebdrup
Mar 13, 2009
Probation
Can't post for 4 hours!


duck monster posted:

No, this was definately NT. The 9x line you just had to mash escape.

edit: I wonder if this sort of thing worked on all those old cytrix terminal servers
The Chicago kernel didn't even have LUA, that was introduced with the NT kernel if memory serves.

stevewm
May 10, 2005


On 9x the network login screen was just that.. A screen to collect your credentials to authenticate against a Microsoft network resource. It was NOT a login to Windows. Which is why you could just cancel it. Windows itself would work, but since you didn't supply your network credentials, any connections to network resources requiring authentication would not work.

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




stevewm posted:

Another one that works on Windows 10 is to boot into a command prompt from installation media, rename cmd.exe to utilman.exe (after renaming utilman.exe to something else). You then boot normally, click the Ease Of Access button on the login screen, and now have a CMD prompt logged in as SYSTEM. Do whatever you need to do, and reverse the change.

I've used it a couple times to get around lost/forgotten passwords.

You are why I insist on locking the hell down every endpoint I can.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.


My last year of school had a PC in the student common room running what must have been Win95 plus some third party security program that was meant to lock it down to a few approved programs. I think it took me a few days to figure out a way of using a Word macro to launch a command prompt that eventually let me re-enable safe boot and ultimately disable the lockdown program. Reboot and PC and use it to play games instead. I don't think they ever figured out who was doing it or how...

stevewm
May 10, 2005


Pablo Bluth posted:

My last year of school had a PC in the student common room running what must have been Win95 plus some third party security program that was meant to lock it down to a few approved programs. I think it took me a few days to figure out a way of using a Word macro to launch a command prompt that eventually let me re-enable safe boot and ultimately disable the lockdown program. Reboot and PC and use it to play games instead. I don't think they ever figured out who was doing it or how...

During my high school years, I usually spent my lunch periods in the library downloading mp3s and various other things off IRC using mIRC. (and ferrying it all home on copious amounts of floppy disks!) The lockdown app normally prevented mIRC from running, so it had to go.

Library computers where NT4 running some sort of app that was a combination web filter and lock out app. (IIRC it was called CyberPatrol). It famously even blocked parts of the school's own website.

I had a batch file on a few library computers I frequented that would simply rename the main EXE of the lock down app and reboot. Upon reboot the lockdown app wouldn't run, so nothing was blocked. When I wanted to reverse it, I would just run the batch file again which put it back to the original name and rebooted again.

I later figured out how to add programs to the allowed list.. It was ridiculously easy. It was a .INI file in the c:\WINNT folder. I just added mIRC to that and never had to worry about disabling the lockout app again. I could also whitelist websites.

wolrah
May 8, 2006
what?


My middle school computer lab still had Windows 3.1 machines in 1998 and their "lockdown" program was just a driver loaded from config.sys, so I set up my own DOS boot chain on a floppy that was the same files but with the driver commented out. Enter class, insert my floppy, reboot, no lockdown. Remove disk when I leave, no traces left behind and it's back to normal after a reboot. I was proud of that one as a 12 year old.

The regular classrooms had Windows 95 machines with Novell Netware but strangely weren't really locked down at all, I installed all the games and software I wanted on those without any kind of limitation.


Who else had the "Bess" internet filter at their school? gently caress that dog. Fortunately it was pretty trivial to bypass since it just did URL scanning. Use the IP address, search engine cache, Akamai, etc. and you could get to anything.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



win 9x had zero security model, everything was root and if you had local console access you could do anything you wanted short of goofy custom software explicitly killing certain commands or programs, and even those you could disable on next reboot

Nostalgamus
Sep 28, 2010



I knew i saved this gif for a reason:

Only registered members can see post attachments!

stevewm
May 10, 2005


wolrah posted:

My middle school computer lab still had Windows 3.1 machines in 1998 and their "lockdown" program was just a driver loaded from config.sys, so I set up my own DOS boot chain on a floppy that was the same files but with the driver commented out. Enter class, insert my floppy, reboot, no lockdown. Remove disk when I leave, no traces left behind and it's back to normal after a reboot. I was proud of that one as a 12 year old.

The regular classrooms had Windows 95 machines with Novell Netware but strangely weren't really locked down at all, I installed all the games and software I wanted on those without any kind of limitation.


Who else had the "Bess" internet filter at their school? gently caress that dog. Fortunately it was pretty trivial to bypass since it just did URL scanning. Use the IP address, search engine cache, Akamai, etc. and you could get to anything.

My middle school computer labs also had 3.1 but with Novell Netware. There was no lock down though of any kind, and internet access wasn't a thing yet. Many hours where wasted with NetWars though, with the teachers permission even. Some even held NetWars tournaments. Individual class rooms had Apple II or Mac LC "pizza box" machines with Apple II cards. No lockdown stuff on those either, though it wasn't really necessary. Nothing was networked then, except for the Win 3.1 computer labs.

Sir Bobert Fishbone
Jan 16, 2006

Beebort


We were an all-Mac shop in my middle/high schools. I don't remember any tech workarounds to get admin mode, but my friend and I ingratiated ourselves to the point where we could just ask our computer teacher to put in the password whenever we needed it. There then came a day where she had to tell us that we were using 85% of the entire district's storage space, and to probably knock it off. It was a delicate line to walk.

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Our high school was mostly a Mac shop, and setting the error sound to 8 seconds of silence was a nice way to show off all the concurrency capabilities that System 6 didnít have.

SAVE-LISP-AND-DIE
Nov 4, 2010


I just got my first InfoSec job offer for a pentesting role

I posted in this thread a few months ago, asking if anyone had made the move from software engineer to infosec. Thanks, thread!

CyberPingu
Sep 15, 2013

Ready To Ruck!





Congrats buddy

I'm currently in the process of preparing for OSCP, pen testing is fun and hopefully will be doing it as a career soon too.

wolrah
May 8, 2006
what?


Sir Bobert Fishbone posted:

We were an all-Mac shop in my middle/high schools. I don't remember any tech workarounds to get admin mode, but my friend and I ingratiated ourselves to the point where we could just ask our computer teacher to put in the password whenever we needed it. There then came a day where she had to tell us that we were using 85% of the entire district's storage space, and to probably knock it off. It was a delicate line to walk.
Classic Macs were really easy to get around basically anything on. Booting with extensions disabled was enough to do it most of the time in my experience.

OS X is actually a proper operating system with a real security model so it usually took some effort. Except that one time when it allowed you to log in as root with a blank password.

The Fool
Oct 16, 2003



I mean, it's been a while since I checked, but I'm pretty sure single user mode is still a thing

Klyith
Aug 3, 2007

GBS Pledge Week


lol Apple issuing notarization signatures to the most common piece of mac malware

guess shlayer is giving them a 30% cut on all the revenue from clickjacks and ad injections, the most important part of being on apple

wolrah
May 8, 2006
what?


The Fool posted:

I mean, it's been a while since I checked, but I'm pretty sure single user mode is still a thing
Setting a firmware password would prevent a user without the password from being able to boot in single user mode. In theory that should have also prevented booting OS 8/9 with extensions disabled as well but because the OS itself had no meaningful security model it was easy to reset from within the OS if you knew what you were doing.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

CyberPingu posted:

Congrats buddy

I'm currently in the process of preparing for OSCP, pen testing is fun and hopefully will be doing it as a career soon too.

Same, I was gonna take my OSCP this year but then Covid hit and my company is now declining to pay for the test, so I'll wait till next year and keep practicing.

astral
Apr 26, 2004



wolrah posted:

Classic Macs were really easy to get around basically anything on. Booting with extensions disabled was enough to do it most of the time in my experience.

OS X is actually a proper operating system with a real security model so it usually took some effort. Except that one time when it allowed you to log in as root with a blank password.

Loved that one of those classic Mac OS "Desktop Security" programs was called Foolproof and simply disabling extensions was enough to stop it.

Volmarias
Dec 31, 2002


Klyith posted:

lol Apple issuing notarization signatures to the most common piece of mac malware

guess shlayer is giving them a 30% cut on all the revenue from clickjacks and ad injections, the most important part of being on apple

What is even the point of this program?

wyoak
Feb 14, 2005

a glass case of emotion



Fallen Rib

CommieGIR posted:

Same, I was gonna take my OSCP this year but then Covid hit and my company is now declining to pay for the test, so I'll wait till next year and keep practicing.
OSCP is super fun, I got it a couple years ago and now I've forgotten nearly everything

Space Gopher
Jul 31, 2006
BLITHERING IDIOT

Volmarias posted:

What is even the point of this program?

The idea is that a safety net with some holes is more useful than no safety net at all.

apseudonym
Feb 25, 2011



Klyith posted:

lol Apple issuing notarization signatures to the most common piece of mac malware

guess shlayer is giving them a 30% cut on all the revenue from clickjacks and ad injections, the most important part of being on apple

Are we going to repeat the decade+ debate about "bad people shouldn't be able to get tls certs" but on macos?

Certs are only good for identity, they're no good at saying you don't suck. Stop trying to use them for that.

Klyith
Aug 3, 2007

GBS Pledge Week


Volmarias posted:

What is even the point of this program?

Could be about safety, but given apple's proclivities and current strategy, my feeling is it's to lay one course of bricks for the future walled garden.

Space Gopher posted:

The idea is that a safety net with some holes is more useful than no safety net at all.

It's true, since at least they can pull the certs quickly. It's funny that apple devotes a whole lot of human manpower to scrutinizing the app store for monetization, but this is an automated system that's trivially taken advantage of.

apseudonym posted:

Are we going to repeat the decade+ debate about "bad people shouldn't be able to get tls certs" but on macos?

Certs are only good for identity, they're no good at saying you don't suck. Stop trying to use them for that.

Cool, tell apple not to sell it that way. Or even make the signing more like the windows signed drivers system where devs have full independence once they've gotten their identity validated.

apseudonym
Feb 25, 2011



Klyith posted:



Cool, tell apple not to sell it that way. Or even make the signing more like the windows signed drivers system where devs have full independence once they've gotten their identity validated.

Not sure I'd take window's code signing model as one to be followed

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



Volmarias posted:

What is even the point of this program?

now they can revoke the cert and the company that pulled the poo poo has divulged a bunch of personal info to get it in the first place

Volmarias
Dec 31, 2002


BangersInMyKnickers posted:

now they can revoke the cert and the company that pulled the poo poo has divulged a bunch of personal info to get it in the first place

I somehow get the feeling that they haven't divulged anything that's real, and they'll just pop another one of these up the next day.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!


Switchblade Switcharoo

wyoak posted:

OSCP is super fun, I got it a couple years ago and now I've forgotten nearly everything

As someone that is taking it now, it got way different. You can't use metasploit metapeter for the test, but nothing stops you from breaking down the ruby code its based on to upload a stack smashing executable you made and manually trigger the exploit.

edit: plus you need to broadcast your lab computer's screen to their internal monitoring network because cheating got out of hand apparently.

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate





Volmarias posted:

I somehow get the feeling that they haven't divulged anything that's real, and they'll just pop another one of these up the next day.

They did it within the day, actually!

spankmeister
Jun 15, 2008








Slippery Tilde

EVIL Gibson posted:

As someone that is taking it now, it got way different. You can't use metasploit metapeter for the test, but nothing stops you from breaking down the ruby code its based on to upload a stack smashing executable you made and manually trigger the exploit.

edit: plus you need to broadcast your lab computer's screen to their internal monitoring network because cheating got out of hand apparently.

You can use meterpreter on one machine in the exam. Once you use it, it's locked to that machine wether the exploit is successful or not. So choose wisely.

Imo I'd use it for a windows privesc you're struggling with because that poo poo is obnoxious and msf has a bunch of stuff to make that way easier.

Adbot
ADBOT LOVES YOU

Achmed Jones
Oct 16, 2004









Shredded Hen

You don't need meterpreter for anything on the exam. You can use it if you really want, but it's by no means necessary. If you really need it, you goofed

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply