Configure, enable and deploy Bitlocker via Group Policies

In this post I will explain how to configure, enable and deploy Bitlocker via GPOs (Group Policy Objects). If you or your organisation use, or are able to use, MBAM (Microsoft Bitlocker Administration and Monitoring), SCCM (Microsoft System Center Configuration Manager) or Intune, please use that instead.

The clients in this scenario are members of a traditional domain (non Azure AD) and are equipped with a TPM (Trusted Platform Module) that we want to use for storing the encryption keys. In addition a recovery key is generated that will be stored in AD in case the drive needs to be recovered. As our targets are Windows 10 machines we will be using the new XTS-AES introduced in version 1511.

Configuring Bitlocker GPOs

The following images are screenshots shared by reddit user /u/Andy202/ and show the configuration we are going to use:

A startup script (for enabling Bitlocker) is defined and both FireWire and Thunderbolt devices are disabled in an attempt to prevent DMA (Direct Memory Access) attacks.
The encryption type is chosen, another DMA prevention option enabled and the recovery options are configured.
More recovery options, forced encryption of the systems OS drive and TPM configuration.

Enabling Bitlocker

While the configuration can be done with Group Policies, actually enabling Bitlocker on client machines needs to be done either manually on the machine or by running a PowerShell script. The same reddit user that gave us the example configuration also provides the following PowerShell script used for enabling Bitlocker:

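# Only act on a system drive that has not been encrypted yet
$CdriveStatus = Get-BitLockerVolume -MountPoint 'c:'
if ($CdriveStatus.volumeStatus -eq 'FullyDecrypted') {
    # Add a recovery password and start encrypting, skipping the hardware test
    C:\Windows\System32\manage-bde.exe -on c: -recoverypassword -skiphardwaretest
}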

An alternative script using the “new” Bitlocker PowerShell cmdlets:

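$BLV = Get-BitLockerVolume -MountPoint 'c:'
if ($BLV.volumeStatus -eq 'FullyDecrypted') {
    # Recovery password protector (pushed to AD as configured in the GPO)
    Add-BitLockerKeyProtector -MountPoint 'c:' -RecoveryPasswordProtector
    # Encrypt the drive with the TPM as key protector
    Enable-Bitlocker -MountPoint 'c:' -TpmProtector
}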

In short both scripts do the following:

  1. Set drive information to variable $BLV
  2. Check if the encryption status equals ‘FullyDecrypted’
  3. If so add a recovery password (which is pushed to AD)
  4. Enable Bitlocker with the TPM option to store the keys in the TPM

While both of the above scripts will work I chose the latter. The script needs to be placed in a location that client machines can reach, for example the SYSVOL share.


The goal here is to automate the deployment. Windows offers several options for performing a task after a predefined trigger namely:

  • Logon scripts (runs as the user when the user logs in)
  • Startup scripts (runs at system start and before the user logs in)
  • Scheduled tasks (runs as any user you like it to run and whenever)

I have tried all the options and the only one that worked was the Scheduled Task. The reason (I think) lies in the fact that for enabling Bitlocker a user with administrative privileges needs to be logged in. For this reason we configure the task to use ‘NT AUTHORITY\SYSTEM’ privileges and to trigger after a user logs in. After a user logs in the task triggers and runs the PowerShell script made in the previous step. Et voilà, Bitlocker with TPM is now enabled and the recovery keys are safely stored in AD.
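
One way to harden the logon-triggered script, as an added example that is not the original post's or the reddit user's code: it checks the TPM, reuses an existing recovery password, and refuses to encrypt until the recovery key has been backed up to AD. The exit codes and the explicit Backup-BitLockerKeyProtector call are assumptions of this example; -SkipHardwareTest mirrors the manage-bde variant shown earlier.

```powershell
# Added example, not the original post's script. Meant to run as
# NT AUTHORITY\SYSTEM from the scheduled task. The exit codes are an
# assumption of this example so the task's last run result shows why
# a run stopped.
$ErrorActionPreference = 'Stop'
$MountPoint = $env:SystemDrive

# Return the first recovery password protector on a volume, if any.
function Get-RecoveryProtector($Volume) {
    $Volume.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
}

# 1. Refuse to continue without a usable TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'TPM not present or not ready; drive left unencrypted.'
    exit 10
}

# 2. Only act on a fully decrypted volume, as the scripts in the post do.
$blv = Get-BitLockerVolume -MountPoint $MountPoint
if ($blv.VolumeStatus -ne 'FullyDecrypted') { exit 0 }

# 3. Reuse a recovery password left behind by an earlier failed run
#    instead of adding a new one at every logon.
$recovery = Get-RecoveryProtector $blv
if (-not $recovery) {
    # The cmdlet echoes the recovery password in a warning; suppress it
    # so the password does not end up in transcripts or task output.
    $blv = Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -RecoveryPasswordProtector -WarningAction SilentlyContinue
    $recovery = Get-RecoveryProtector $blv
}

# 4. Back the key up to AD explicitly and stop if AD did not accept it,
#    so no drive is encrypted without a recoverable key.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $recovery.KeyProtectorId | Out-Null
} catch {
    Write-Warning "Recovery key backup to AD failed: $($_.Exception.Message)"
    exit 20
}

# 5. Encrypt with the TPM protector. The encryption method is left to the
#    GPO; -SkipHardwareTest starts encryption without a test reboot.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest |
    Out-Null
exit 0
```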

(Security) Considerations

Now as a former pentester / ethical hacker I must disclose that this is in no way the most secure Bitlocker setup. While it might, in theory, be possible to prevent attacks targeting memory (DMA/cold boot), which is where the decryption keys are stored, purely in software, time has shown again and again that given enough time every piece of software or hardware can be compromised.

So, if you are in need of a more secure setup please consider using Pre Boot Authentication in addition to the TPM, as this requires something outside the system (a password known only by the user) to unlock the TPM and decryption keys. This prevents the keys from ending up in places where attackers can access them. More info can be found in the references below.
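
A posture check for the trade-off described above, as an added example that is not from the original post: it reports whether a volume relies on the TPM alone or also has a pre-boot factor, and whether a recovery password and XTS-AES are in place. Get-BitLockerPosture is a hypothetical function name chosen for this example.

```powershell
# Added example, not from the original post. Run elevated on the client.
function Get-BitLockerPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $blv   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($blv.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # Protector types that combine the TPM with something outside the machine.
    $preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $hasPreBoot   = [bool]($types | Where-Object { $preBootTypes -contains $_ })

    $findings = @()
    if ($blv.ProtectionStatus -ne 'On') {
        $findings += 'Protection is not on (decrypted, suspended or still encrypting).'
    }
    if ([string]$blv.EncryptionMethod -notlike 'XtsAes*') {
        $findings += "Encryption method is $($blv.EncryptionMethod), not XTS-AES."
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector, so nothing to recover with from AD.'
    }
    if (($types -contains 'Tpm') -and -not $hasPreBoot) {
        $findings += 'TPM-only: the drive unlocks at boot without user input.'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $blv.MountPoint
        VolumeStatus     = [string]$blv.VolumeStatus
        EncryptionMethod = [string]$blv.EncryptionMethod
        KeyProtectors    = $types -join ', '
        PreBootAuth      = $hasPreBoot
        Findings         = $findings
    }
}

Get-BitLockerPosture | Format-List
```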


How to clone MiFare Classic with the proxmark3

In this post I will share how to clone a MiFare Classic card using the proxmark3.


  1. Obtain keys
  2. Dump card content
  3. Write dump to empty card
  4. Todo: Autopwn

Obtain keys

There are several ways to crack MiFare cards, but the easiest is to simply test whether the default MiFare keys work. Luckily for me the default key “FFFFFFFFFFFF” did and I was able to dump the card.

Trying out the MiFare default keys

Dumping card content

 [usb] pm3 --> hf mf dump
 [=] Reading sector access bits…          
 [+] Finished reading sector access bits          
 [=] Dumping all blocks from card…          
 [+] successfully read block  0 of sector  0.          
 [+] successfully read block  1 of sector  0.          
 [+] successfully read block  2 of sector  0.          
 [+] successfully read block  3 of sector  0.          
 [+] successfully read block  0 of sector  1.


 [+] time: 17 seconds
 [+] Succeded in dumping all blocks
 [+] saved 1024 bytes to binary file hf-mf-B4EE8234-data.bin           
 [+] saved 64 blocks to text file hf-mf-B4EE8234-data.eml           
 [+] saved to json file hf-mf-B4EE8234-data.json 

Writing the dump to a new card*

At this point I thought I had hit the jackpot and could just write the dump to any blank MiFare card without issues, but no. As I then learned, the first block of any MiFare card is called the “Manufacturer block” and is not writable by default. Therefore there is no way to change the UID on a normal MiFare card. However, there are some Chinese sellers that sell so-called “Magic” or “UID block 0” modifiable cards where block 0 is (re)writable. The proxmark client will tell you if the card answers to magic commands, as highlighted in the command output:

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : AA B5 11 02           
 ATQA : 00 04          
  SAK : 08 [2]          
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1 | 1k Ev1          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found

At this point we can write the dump to the Chinese card:

 [usb] pm3 --> hf mf cload hf-mf-B4EE8234-data.eml 
 [+] loaded 1024 bytes from text file hf-mf-B4EE8234-data.eml           
 [=] Copying to magic card          
 [+] Card loaded 64 blocks from file     

Running hf search again shows whether the process was successful. As can be seen, the UID has been changed to that of the target card:

 [usb] pm3 --> hf search
 [=] Checking for known tags…
 UID : B4 EE 82 34           
 ATQA : 00 04          
  SAK : 88 [2]          
 TYPE : Infineon MIFARE CLASSIC 1K          
 [=] proprietary non iso14443-4 card found, RATS not supported          
 [+] Answers to magic commands (GEN 1a): YES           
 [+] Prng detection: WEAK           
 [+] Valid ISO14443-A tag  found  


How to emulate/simulate amiibos with the proxmark3

In this post I will explain how to emulate/simulate Amiibo using the proxmark3. For those who don’t know what a proxmark is here is a short description from the website:

The Proxmark is an RFID swiss-army tool, allowing for both high and low level interactions with the vast majority of RFID tags and systems world-wide. Originally built by Jonathan Westhues over 10 years ago, the device has progressively evolved into the industry standard tool for RFID Analysis.


  1. Download and compile the proxmark client (flash proxmark)
  2. Download and run mfu2bineml
  3. Emulate/simulate the amiibo with the proxmark3
  4. Profit!!!!

Download and compile the proxmark client

#Install dependencies
sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi

#Clone the proxmark3 GitHub repo
git clone

#Install the blacklist rules and add user to dialout group (Linux/ubuntu/debian)
make udev

#Clean and complete compilation
make clean && make all

#Flash the bootrom and fullimage 
client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf

Download and run mfu2bineml

We are using mfu2bineml, a Perl program written by Samy Kamkar, to convert the amiibo to a format the proxmark3 will understand. To do this, simply run the program with the amiibo as input and put the output into a file:

user@ubuntu-vm:~/Desktop/amiibo$ ./mfubin2eml Champion\ Mipha.bin > amiibo.eml

Character / info: 01 07 00 00 03 5a 09 02
Game : 010 The Legend of Zelda
Character: 7 --
Variation: 00 --
Type : 00 Figure
Amiibo : 035a The Legend of Zelda
Series : 09 The Legend Of Zelda
Last : 02 (should be 02)

Looks like encrypted file but setting preventing us from decrypting
Does not contain header, adding
UID: 04c25292aa5280
PWD: 00000000

hf mf eload u Champion Mipha.bin
hf 14a sim t 7 u 04C25292AA5280

Emulate/simulate the amiibo with the proxmark3

The last part of the program will tell you what commands to use in the Proxmark client to load the eml file and emulate/simulate the Amiibo. Because I love tool output here is the output from the Proxmark client: 

pm3 --> hf mf eload u /home/user/Desktop/amiibo/amiibo
[+] Loaded 255 blocks from file: /home/user/Desktop/amiibo/amiibo.eml 
pm3 --> hf 14a sim t 7 u 04C25292AA5280
[+] Emulating ISO/IEC 14443 type A tag with 7 byte UID (04 C2 52 92 AA 52 80 ) 
[+] press pm3-button to abort simulation

And here is a video demonstration of the Amiibo emulation. 


ZMR-250 buildlog

In this post I will share my experiences with building a budget quadcopter I bought from AliExpress. This is by no means a tutorial and I advise you to look in the links section of this post if you are looking for a one.

So let’s begin.

It came without instructions, I messaged the seller and he/she replied that there are enough build instructions available

One problem though: it came without instructions. I messaged the seller and got a reply similar to “use Google and RTFM”. Not knowing where to go from there I shelved the project. Two weeks ago I decided to get over my self-doubt and continue the project. After all, how hard could it be, right?

I started looking for tutorials online and found one which suited my needs.

Although the overall process seems simple the tutorial managed to confuse me quite a bit. The topics I got confused about:

  • Which length screw to use for the motors
  • How to connect the wires for the motors
  • How to orientate the cc3d board computer
  • How to connect the receiver to the cc3d

Motor screw length

This will probably vary with the type of motor but I ended up using 6 mm screws, which I thought would be too long and might damage the motors. I tested it with one motor, which continued to work. I decided what worked for one will work for all and fitted the 6 mm screws on all motors. Please note that this does not mean 6 mm is the right fit for your motors.

How to connect the motor wires

According to the tutorial the wires for motors that turn clockwise have to be switched and the wires for the CCW motors do not need switching. Further along the tutorial it says the wire for the CCW motor needs to be switched. To be clear only the first statement is true (although this issue could probably be fixed in the firmware).

Build almost completed.

Orientation of the cc3d board.

The tutorial tells you to place the cc3d board with the arrow to the side (left) but instead this needs to point at the front of the copter. Putting the cc3d arrow to the left will make the computer think the side is the front of the copter, which causes the copter to flip immediately on takeoff.

After fixing these issues I was able to get my quad off the ground.

I’ve included the maiden flight below:

Note2Self #1:

buy a small drone and learn how to fly it.

Tried to fly the drone outside and crashed it :(.

Also one of the motor wires came loose and when testing for damage the ESC fried.

Fried ESC

Note2self #2: 

Do not remove shrink wrap from ESCs, or reapply it if removed. Plus isolate the power pads on the power distribution board. The frame of the QAV250 is conductive and will cause shorting, leading to tons of fun like mini fires :D.


  1. Get 4 new ESC + motor
  2. Get a new smaller drone to fly indoors
  3. Get a strap to fasten the battery

Saturday the 14th of October:

Got my replacement motors plus ESC’s in the mail. Also got my mini drone the day before. Those things are awesome and a good tool to learn how to fly a quad.

28th of January

So I rebuilt my quad just to find out one of my motors stutters. When searching for a solution I found several other people had this problem in combination with the cc3d and librepilot. One suggestion was to update the firmware on my simonk Esc (which of course are cheap ripoffs of the real thing). I looked at the pcb to find a fis 330 chip was there waiting for me. Supposedly these can be flashed with an arduino nano and blheli suite. So that’s where we are going next.

How to flash bios chips with Raspberry Pi

This post is an addition to my previous post: “How to flash bios chips with Arduino“.

While doing some research online I found several articles/posts from people using a Raspberry Pi to flash SPI flash chips. Apparently the Raspberry Pi is very suitable for this kind of thing as it has an SPI interface and is able to run Linux. I was eager to try this out for myself so I got out my Pi 3 model B and got to work. For this project I used a Winbond 25X80 salvaged from a motherboard I had lying around.

Preparing the RaspberryPi

As others have pointed out, the latest version of Raspbian (Stretch) will also work by adding the spispeed param to the Flashrom command.

Enable the SPI interfaces by typing sudo raspi-config and selecting P4 SPI under the Interfacing options.

Select option 5: Interfacing options
Select SPI to enable the SPI interfaces

The SPI interfaces will become available under /dev/spidev0.0 and /dev/spidev0.1.

Next we install the packages needed by Flashrom using the following command.

sudo apt install git libpci-dev libusb-1.0 libusb-dev

Make and install Flashrom.

git clone
cd flashrom
make && sudo make install

Connecting the Raspberry to the SPI flash chip

The table below shows the connections between the Raspberry Pi and the chip.

RPi pin   SPI flash
25        GND
24        CS
23        SCK
21        DO
19        DI
17        VCC 3.3V and /HOLD and /WP

Flashing the chip

In order to verify Flashrom correctly identifies the chip we run Flashrom without any operations.

pi@raspberrypi:~ $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512
flashrom p1.0-76-g291764a on Linux 4.14.34-v7+ (armv7l)
flashrom is free software, get the source code at

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25X80" (1024 kB, SPI) on linux_spi.
No operations were specified.

Now that Flashrom correctly identifies the Winbond W25X80 we can continue to back up the current BIOS.

pi@raspberrypi:~ $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r flash.dat
flashrom p1.0-76-g291764a on Linux 4.14.34-v7+ (armv7l)
flashrom is free software, get the source code at

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25X80" (1024 kB, SPI) on linux_spi.
Reading flash... done.

After backing up the old BIOS we can safely write the new BIOS back to the chip.

pi@raspberrypi:~ $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -w flash.dat 
flashrom p1.0-76-g291764a on Linux 4.14.34-v7+ (armv7l)
flashrom is free software, get the source code at

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25X80" (1024 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... 
Warning: Chip content is identical to the requested image.
Erase/write done.


Adding a YubiKey to Lastpass

In the beginning of this year I got a YubiKey NEO from a colleague. As I was already using LastPass to manage my passwords I wanted to use my YubiKey as part of the two factor authentication process.

You can register your YubiKey by going to the premium “Multi-factor options” in your LastPass account settings and enabling the YubiKey option. For the two factor authentication to work you need to press the button on the YubiKey to generate an OTP (One Time Password) which will be stored with LastPass.

When I tried this for the first time I ran into a problem and got the following error: “At least one of the YubiKey tokens provided failed to validate.”. Copying and pasting this error into Google led me to a post on the LastPass support forum in which the solution was provided.

Thank you for contacting LastPass Support.

You need to set your YubiKey configuration to OTP authentication mode: … bikey-otp/

Once that is done, visit the following URL: and where it says ‘YubiKey with LastPass’, run the authenticator to make sure everything is working properly.

If no issues found, try to setup the YubiKey once again: … ntication/

Let me know how it goes.


After enabling OTP I could register my key and start using it with LastPass.

How to update Atari 1040 STF to TOS 1.04

After finishing the drive swap mod on Atari 1040 STF I continued browsing the Atari forum’s hardware section and found a post/guide on how to update the operating software. In general, updating the OS is advisable as newer versions may contain bug fixes, security updates and increased I/O compatibility. The same goes for my Atari. The last available version for my machine, 1.04 a.k.a. Rainbow TOS, contains all of the above and is found to be faster overall.

On the Atari, the OS is stored on two or in my case six ROM (Read Only Memory) chips. As the name indicates, writing to ROM chips is not possible so they have to be replaced with chips containing the newer OS. While it is possible to buy a “ready to go” upgrade package it is also possible to go the DIY route and prepare the chips yourself. I opted for the latter as it is much more fun, educational and gives a real sense of achievement when finished.


How to restore WiFi on an Acer Aspire 5040 running Windows 7

I recently upgraded an Acer Aspire 5040 to Windows 7. After the upgrade I installed all the drivers and found the WiFi was not working correctly. Everything looked fine but I could not see any access points to connect to. To fix this issue I had to go to Acer’s support website and download and install the Launch Manager. Before installing I had to enable compatibility mode for Windows XP and select run as administrator on the setup.exe. After rebooting, the lights on the front of the laptop turned on and I could now detect access points.



How to flash bios chips with Arduino

In this post I will explain how to flash bios chips with an Arduino. We will be using an Arduino Duemilanove (Uno, Mega or clones also work) and an ASUS P5B motherboard that no longer boots after a failed bios update.

Here is an outline of the steps (some of these steps are not strictly necessary but I figured they might help the uninitiated):

  1. Identify board
  2. Find documentation for the board
  3. Locate and identify bios chip
  4. Find documentation for the chip
  5. Find pinout and operating voltages (important)
  6. Prepare the Arduino and install flashrom
  7. Connect the Arduino to the chip
  8. Testing
  9. Flashing and verify
  10. Troubleshooting

Identify board and finding documentation

As mentioned in the introduction we are using an ASUS P5B motherboard. The manual of this board can be found on the ASUS website (a direct link can be found in the list of references).

Locating and identifying the bios chip

In the manual we find a board layout that shows the location of the chip, to the right of pci slot 3.

In case the location is not documented we have to find it ourselves. The following page provides instructions on how to locate the bios chip:

The next step is to identify what brand and type of chip we are dealing with in order to find the datasheet. Usually the writing on the chip is everything we need as it states the manufacturer and model number. The motherboard manual mentions a “MXIC 25L8005” and if we look at the board we see that the model is indeed a 25L8005 made by Macronix.


Typing the model number into Google returns the datasheet as one of the first results. The information we are looking for is the pinout and operating voltage. The following image shows the pinout of the 25L8005:

The pin names do not make much sense if you are seeing them for the first time, so the datasheet also includes a description of the pin names:

For more information on what exactly the pins do please refer to the datasheet.

Preparing the Arduino

For the Arduino to be able to act as a serial programmer we need to first prepare it using frser-duino. The following command(s) will download and install the required packages, install flashrom, clone frser-duino and flash the Arduino.

sudo apt install git flashrom gcc-avr binutils-avr avr-libc avrdude && git clone --recursive && cd frser-duino && make ftdi && sudo make flash-ftdi

Connecting the Arduino to the SPI chip

The following image is an example schematic taken from the flashrom GitHub and shows the pins on the Arduino and the pins on the chip they should connect to (please note that PB0 does not have to be connected):

Emergency edit here: I now understand why people use resistors between the Arduino pins and the chip. The Arduino operates on 5V meaning its logic levels are also at 5V. This needs to be brought down to 3.3V using a level shifter.

Flashing the SPI chip

To verify that everything is working correctly we first run flashrom without any operations:

sudo flashrom -p serprog:dev=/dev/ttyUSB0:2000000

The output should look like this:

flashrom v0.9.9-91-g0bfa819 on Linux 4.10.0-28-generic (x86_64)
flashrom is free software, get the source code at

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
serprog: Programmer name is "frser-duino"
Found Macronix flash chip "MX25L8005" (1024 kB, SPI) on serprog.
No operations were specified.

If the previous command worked as expected we are now ready for our final step. To write the new BIOS to the chip we use the following command:

sudo flashrom -p serprog:dev=/dev/ttyUSB0:2000000 -w [NEWBIOS]

The output should look like this:

flashrom v0.9.9-91-g0bfa819 on Linux 4.10.0-28-generic (x86_64)
flashrom is free software, get the source code at

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
serprog: Programmer name is "frser-duino"
Found Macronix flash chip "MX25L8005" (1024 kB, SPI) on serprog.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.

And that is it. We have successfully flashed a chip using the SPI interface. If you have any questions or feedback about this post please leave a comment below!