#Tom's Weblog

In this post I will explain how to configure, enable and deploy Bitlocker via GPO’s (Group Policy Objects). If you or your organisation are able to use or use MBAM (Microsoft Bitlocker Administration and Monitoring), SCCM (Microsoft System Center Configuration Manager) or Intune please use that instead.

The clients in this scenario are members of a traditional domain (non Azure AD) and are equipped with a TPM (Trusted Platform Module) that we want to use for storing the encryption keys. In addition a recovery key is generated that will be stored in AD in case the drive needs to be recovered. As our targets are Windows 10 machines we will be using the new XTS-AES introduced in version 1511.

Configuring Bitlocker GPO’s

The following images are screenshots shared by reddit user /u/Andy202/ and show the configuration we are going to use:

Enabling Bitlocker

While the configuring can be done with Group Policies, actually enabling Bitlocker on client machines needs to be done either by manually enabling it on the machine or by running a PowerShell script. The same reddit user that gave us the example configuration also provides the following PowerShell script used for enabling Bitlocker:

$CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {
    C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest
}

An alternative script using the “new” bitlocker powershell cmdlets:

$BLV = Get-BitLockerVolume -MountPoint 'c:'
if ($BLV.volumeStatus -eq 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint 'c:' -RecoveryPasswordProtector
    Enable-Bitlocker -MountPoint 'c:' -TpmProtector
}

In short both scripts do the following:

1. Set drive information to variable $BLV
2. Check if the encryption status equals ‘FullyDecrypted’
3. If so add add a recovery password (which is pushed to AD)
4. Enable Bitlocker with the TPM option to store the keys in the TPM

While both of the above scripts will work I chose the latter. The script will need to place in a location where client machines can reach it for example the SYSVOL share.

Deployment

The goal here is to automate the deployment. Windows offers several options for performing a task after a predefined trigger namely:

• Logon scripts (runs as the user when the user logs in)
• Startup scripts (runs at system start and before the user logs in)
• Scheduled tasks (runs as any user you like it to run and whenever)

I have tried all the options and the only one that worked was the Scheduled Task. The reason (I think) lies in the fact that for enabling Bitlocker a user with administrative privileges needs to be logged in. For this reason we configure the task to use ‘NT AUTH/System’ privileges and to trigger after a user logs in. After a user logs in the task triggers and runs the PowerShell script made in the previous step. Et Voila, Bitlocker with TPM is now enabled and the recovery keys are safely stored in AD.

(Security) Considerations

Now as a former pentester / ethical hacker I must disclose that this is in no way the most secure Bitlocker setup. While it might, in theory, be possible to prevent attacks targeting memory (DMA/Cold boot) in software (where the decryption keys are stored), time has shown again and again that given enough time every piece of software or hardware can be compromised.

So, if you are in need for a more secure setup please consider using Pre Boot Authentication in addition to the TPM as this requires something outside the system (a password known only by the user) to unlock the TPM and decryption keys. This prevents the keys ending up in places where attackers can access them. More info can be found in the references below.

References:

• Initial config
  • https://www.reddit.com/r/sysadmin/comments/aburax/how_to_enable_bitlocker_via_gpo/
• Bitlocker Powershell cmdlets
  • https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlocker?view=win10-ps
• Bitlocker countermeasures
  • https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures
• Demonstration of memory attacks against Bitlocker
  • https://www.youtube.com/watch?v=RqvPZnLkP70
• Repo of PCILeech (a tool to dump the contents of memory)
  • https://github.com/ufrisk/pcileech

A while back I wanted to try cloning a MiFare card using the proxmark 3. The target was a card used for opening garbage containers in the city where I live. Reasons being that I wanted a spare in case I lost the original (replacements cost about 10 euro) and I wanted to put it on my key chain to have it always with me.

The cloning process is fairly easy and roughly consists of the following steps:

1. Identify the type of card
2. Get keys
3. Dump content
4. Analyze content of card
5. Write dump to empty card*
6. ……
7. Profit!!!!!

Identifying the type of card

The proxmark client has an easy way to search and identify cards by using the “lf search” and “hf search” commands. The command output shows that the card is indeed a MiFare classic card.

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : B4 EE 82 34           
 ATQA : 00 04          
  SAK : 08 [2]          
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [=] Answers to magic commands: NO           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found 

Dumping 1,2,3

Dumping the content of the cards is as easy as running “hf mf dump“. Sadly I was too eager (and inexperienced) and forgot that in order to dump the card you first need to get the keys.

 [usb] pm3 --> hf mf dump
 [!] Could not find file hf-mf-B4EE8234-key.bin   

Getting the keys and dumping the card

There are several ways to cracking MiFare cards but the easiest way is just test and see if the default MiFare keys work. Luckily for me the default key “FFFFFFFFFFFF” did and I was able to dump the card.

Dumping the card:

 
 [usb] pm3 --> hf mf dump
 [=] Reading sector access bits…          
 …………….
 [+] Finished reading sector access bits          
 [=] Dumping all blocks from card…          
 [+] successfully read block  0 of sector  0.          
 [+] successfully read block  1 of sector  0.          
 [+] successfully read block  2 of sector  0.          
 [+] successfully read block  3 of sector  0.          
 [+] successfully read block  0 of sector  1.

[snip]

[/snip>          
        
 [+] time: 17 seconds
 [+] Succeded in dumping all blocks
 [+] saved 1024 bytes to binary file hf-mf-B4EE8234-data.bin           
 [+] saved 64 blocks to text file hf-mf-B4EE8234-data.eml           
 [+] saved to json file hf-mf-B4EE8234-data.json 

Analyzing the content of the card

After completing the dump I decided to look at the data on the card using hexdump. I found that the only data was at the start of the file and seemed to correspond with the UID, ATAQ and SAK. My guess was that the container/reader only checked for the UID of the card before opening.

Writing the dump to a new card*

At this point I thought I hit the jackpot and could just write the dump to any blank MiFare card without issues but no. As I learned then the first block of any MiFare card is called the “Manufacturers block” and it is not writable by default. Therefore there is no way to change the UID on normal MiFare card. However there are some Chinese sellers that sell so called “Magic” or “UID block 0” modifiable cards where block 0 is (re)writable. The proxmark client will tell you if the card will answer to magic commands as highlighted in the command output:

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : AA B5 11 02           
 ATQA : 00 04          
  SAK : 08 [2]          
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found

At this point we can write the dump to the Chinese card:

 [usb] pm3 --> hf mf cload hf-mf-B4EE8234-data.eml 
 [+] loaded 1024 bytes from text file hf-mf-B4EE8234-data.eml           
 [=] Copying to magic card          
 ……………………………………………………….
 [+] Card loaded 64 blocks from file      

Running hf search again to check to see if the process was successful. As can be seen the UID has been changed to that of the target card:

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : B4 EE 82 34           
 ATQA : 00 04          
  SAK : 88 [2]          
 TYPE : Infineon MIFARE CLASSIC 1K          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found  

If you found this interesting or have feedback/questions please leave a comment!

P.S. Almost all of the above can be done using the “autopwn” command present in the proxmark repo from RfidResearchGroup.

References:

• https://www.mouser.com/ds/2/302/MF1S503x-89574.pdf
• https://github.com/Proxmark/proxmark3/wiki
• https://github.com/RfidResearchGroup/proxmark3
• https://timdows.com/projects/using-a-mobile-phone-to-clone-a-mifare-card/

1. Go to device manager
2. Right click on the prolific usb to serial adapter and select update driver.
3. Select browse my computer
4. Select from a list of devices
5. Uncheck the checkbox next to supported devices
6. Scroll down the list and select prolific
7. Select the driver from 2007
8. Select next
9. Done

References:

1. Todo (link to the forum post who referenced this method)

In the beginning of this year I got a YubiKey NEO from a colleague. As I
was already using LastPass to manage my passwords I wanted use my YubiKey as part of the two factor authentication process.

You can register your YubiKey by going to the premium “Multi-factor options” in your LastPass account settings and enabling the YubiKey option. For the two factor authentication to work you need to press the button on the YubiKey to generate a OTP (One Time Password) which will be stored with LastPass.

When I tried this for the first time I ran into a problem and got the following error: “At least one of the YubiKey tokens provided failed to validate.”. Copy and pasting this error in Google led me to a post on the LastPass support forum in which the solution was provided.

Thank you for contacting LastPass Support.

You need to set your YubiKey configuration to OTP authentication mode:

http://www.yubico.com/products/services … bikey-otp/

Once that is done, visit the following URL: https://lastpass.com/debug.php and where it says ‘YubiKey with LastPass’, run the authenticator to make sure everything is working properly.

If no issues found, try to setup the YubiKey once again:

https://helpdesk.lastpass.com/security- … ntication/

Let me know how it goes.

Best,
Jed

After enabling OTP I could register my key and start using it with LastPass.

I recently upgraded a Acer Aspire 5040 to Windows 7. After the upgrade I installed all the drivers and found the wifi was not working correctly.  Everything looked fine but I could not see any access points to connect to. To fix this issue I had to go Acer’s support website and download and install the Launch Manager. Before installing I had to enable compatibility mode for Windows XP and select run as administrator on the setup.exe. After rebooting the lights on the front of the laptop turned on and  I could now detect access points.

References:

1. http://www.acer.com/ac/en/GB/content/drivers
2. http://www.sevenforums.com/network-sharing/57483-wireless-acer-aspire-5020-a.html