Monday, 30 March 2026

Blog 0 - Windows Vulnerability Research - Picking up the pieces

Disclaimer: This blog series won't be very technical. It is intended to be easy to understand and follow. Like most of my blogs, I have no reason to be peacocking with technical jargon like all the infosec losers.

Overview and donation information: https://weirdquadratic.blogspot.com/p/blog-overview.html

To the reader: Feel free to share anything I write with those who need it. And be sure to make local copies, as I am sure it is a matter of time until this blog is taken down as well.


Introduction

These last couple of years have been extremely difficult. During my last months of employment at Microsoft, I started learning math and exploring the factorization problem as I needed a new challenge. A whole lot of traumatic events happened soon after, and I think, as a traumatic reaction, I kept working on factorization for the next couple of years. I am sure a psychologist could explain to me why trauma caused a complete obsession with the factorization problem. I learned a lot about math, especially since I dropped out of high school and had no math education beyond that. I still believe I am closing in quickly on a breakthrough, but some days, the pressure of it is too much.

Last night I found myself thinking back to those days I had lived in Vancouver, Canada, roller-skating with my teamlead around the seawall, drinking beers on Sunset beach and talking about life. And thinking back to all the cool people I had gotten to know there. I was just in absolute torment, being unable to go back to those places and people, stuck in social isolation and unemployment. I had decided I was going to end my life.

It is very difficult a lot of days, and what happened last night is not a rarity. Today, with the hopes and perspectives of a new day ahead, I decided I must act; perhaps what will give me purpose again is simply writing about something I used to enjoy before my life came crashing down.

Today is day 0, a new beginning. 3 years ago, when my employment ended, I was in the process of a multi-year audit of all the cryptographic components. Well, the software side at least, as learning the mathematics behind it is still an ongoing process.

Since I cannot ever again submit my work to Microsoft, after how they treated my friend and former manager for defending me, I will simply start documenting everything and sharing it here, including anything I find. I am a bear and my pride and loyalty to my friends is much more important than any money in the world.

My hope is to find some creative vulnerabilities, something AI wouldn't easily be able to find. Not just to keep relevance, but also to keep research fun. There are few things as soul-draining as looking for buffer overruns all day long. There is a subset of the Offensive Security community who thinks memory corruption vulnerabilities are the l33t3st thing in the world. They are not, and 99.99% of them follow very classical patterns. This is also the reason why those types of bugs won't stay immune to a pattern-recognition machine like AI.

Be aware that it has been 3 years since I last did any bug hunting, so I am beginning from the very basics, not just for the reader but also to ease myself back into the process. As this series progresses, the topics will become more complex and technical.

Setting up a research station

If we want to audit cryptographic components, we should ideally set up a domain locally so that we have access to all the enterprise features (Kerberos, machine accounts, and the other code paths that only exist on a domain-joined box). Follow the steps below to set up your research infrastructure.

Step 1: Install Hyper-V

Install Hyper-V https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/get-started/install-hyper-v

We should always use a virtual machine. One benefit is that we can attach a kernel debugger to the guest and inspect kernel code or processes that would otherwise not be accessible. But the biggest advantage by far is that we can always reset to a clean checkpoint and don't accidentally ruin our host computer by doing obscure vulnerability research (veterans will know what I'm talking about; we've all been there, done that).

Step 2: Download Windows Enterprise

If you sign up for the Windows Insider Program you can easily download Windows Enterprise .iso files: https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewiso

I generally prefer using Windows 10 over Windows 11 for debugging purposes, as Windows 11 can be a pain sometimes. Hence I will download “Windows 10 Insider Preview Enterprise (Release Preview Channel)”.

Step 3: Install Windows Enterprise

Create a virtual machine in Hyper-V and install the .iso we just downloaded into it. Instructions: https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v

Optional: I usually install virtual machines on external SSDs, because they can start taking up a lot of disk space very quickly, especially with automatic checkpoints enabled. You should also get into the habit of disabling automatic checkpoints so you don't suddenly find yourself running out of disk space.

Make sure to leave the VM disconnected from the network until after the installation, so that Windows setup lets you create an offline (local) account instead of a Microsoft account. (But do remember to reconnect it later; otherwise you won't be able to domain join.)

Step 4: Download and install Windows Server.

You can think of the image we just installed as the Windows installation a typical corporate user would be using. Of course, to set up a domain, we also need a second virtual machine running Windows Server.

Download “Windows Server Vnext Preview ISO (Canary)” from here: https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver

Ideally I would download older builds as these latest builds are often a little bit more difficult to debug, especially when it comes to processes like LSASS. But let us see how it goes and problem solve as needed.

Make sure to select “Windows server 2025 Standard (Desktop Experience)” during installation, so we have a graphical user interface.
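Steps 1 to 4 scripted on the Hyper-V host, as an added example that is not part of the original post. The VM names, the `E:\VMs` and `E:\ISO` paths, the internal switch name, the memory and disk sizes, and Generation 2 are all assumptions; the ISO file names are placeholders for whatever the Insider download gives you. The post leaves open whether generation 1 or 2 matters for debugging, so the generation is a parameter here.

```powershell
# Added example (not from the original post): provision the two lab VMs on the
# Hyper-V host. Run from an elevated PowerShell. Paths, sizes and names are
# assumptions; ISO file names are placeholders.

# Step 1: enable the Hyper-V role (reboot afterwards if prompted).
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

# An internal switch: the VMs can talk to each other and to the host, but not
# to the internet, which keeps the lab isolated while we poke at it.
$SwitchName = 'ResearchLab'
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# Steps 3 and 4: create a VM from an ISO. New-VM without -SwitchName leaves the
# network adapter unconnected, so Windows setup offers an offline account; the
# switch is attached after installation.
function New-LabVM {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $IsoPath,
        [string] $VmRoot      = 'E:\VMs',   # external SSD, as the post suggests (assumption)
        [int64]  $MemoryBytes = 4GB,
        [int64]  $DiskBytes   = 80GB,
        [int]    $Generation  = 2           # assumption; the post does not settle gen 1 vs 2
    )
    $vhd = Join-Path $VmRoot "$Name\$Name.vhdx"
    New-VM -Name $Name -Generation $Generation -MemoryStartupBytes $MemoryBytes `
           -Path $VmRoot -NewVHDPath $vhd -NewVHDSizeBytes $DiskBytes | Out-Null

    # No automatic checkpoints: client Hyper-V turns them on for new VMs by
    # default and they quietly eat the disk.
    Set-VM -Name $Name -AutomaticCheckpointsEnabled $false
    Set-VMProcessor -VMName $Name -Count 2

    # Attach the installer ISO and boot from it (firmware boot order is a
    # Generation 2 concept; Generation 1 uses Set-VMBios instead).
    Add-VMDvdDrive -VMName $Name -Path $IsoPath
    if ($Generation -eq 2) {
        Set-VMFirmware -VMName $Name -FirstBootDevice (Get-VMDvdDrive -VMName $Name)
    }
    Start-VM -Name $Name
}

# Step 3: the "corporate user" workstation.
New-LabVM -Name 'BEAR-WS01' -IsoPath 'E:\ISO\Windows10_InsiderPreview_Enterprise_x64.iso'
# Step 4: the future domain controller.
New-LabVM -Name 'BEAR-DC01' -IsoPath 'E:\ISO\WindowsServer_vNext_Preview.iso' -MemoryBytes 6GB

# Only once setup has finished and the offline accounts exist: put both VMs
# on the lab switch so the domain join in step 6 can reach the DC.
Connect-VMNetworkAdapter -VMName 'BEAR-WS01', 'BEAR-DC01' -SwitchName $SwitchName
```

The last line is the "remember to reconnect it later" step; run it by hand after both installations have completed rather than as part of the script, or the workstation setup will see a network and push you toward a Microsoft account.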

Step 5: Install AD DS

Instructions: Install Active Directory Domain Services on Windows Server | Microsoft Learn

If you prefer the GUI scroll down to “Install AD DS by using Server Manager”. Here are the important steps summarized:

  1. In the Server Manager window click “Add roles and features”

  2. As “Installation Type” select “Role-based or feature-based installation”

  3. As “Server Roles” Select “Active Directory Domain Services” and “DNS Server”

  4. Install the roles. We can add more roles or features later if we must.

Once the roles are installed, a notification flag appears at the top of Server Manager with the following option:

Click “Promote this server to a Domain Controller”

  1. At “Deployment configuration” select “Add a new forest” and enter a name, e.g. “bear.com”. (Pick a name you control or one that does not exist on the public internet: once the DC's DNS is authoritative for it, domain members can no longer reach a real site of the same name.)

  2. At “Domain controller options” enter an easy-to-remember DSRM (Directory Services Restore Mode) password

  3. Install and wait for the installation to complete

Step 6: Joining the domain

Next, go to your Windows 10 Enterprise VM, open the adapter settings and change the DNS server to the IP of the Windows Server machine we just promoted to domain controller. This is not optional: the client locates the domain purely through the DNS SRV records the DC registers, so with the wrong DNS server the join cannot find the domain at all.

Next, type “Access work or school” in the search bar, press “Connect”, select “Join this device to a local Active Directory domain” and enter “bear.com” or whatever name you have given your domain.

I had to disable the firewall for it to work. We can enable the firewall later and add all the rules if we must. It's just for local testing anyway.

Log in with “Administrator” (the domain's Administrator account, which promotion created from the server's local one) and whatever your password is.

Congrats. You have just created a domain and domain joined another VM locally.
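Steps 5 and 6 scripted inside the two guests, as an added example that is not part of the original post, with the checks I would run at each point. The 10.0.0.0/24 addresses, the “Ethernet” interface alias and the NetBIOS name BEAR are assumptions for an internal Hyper-V switch that has no DHCP server; the first half runs on the Windows Server VM, the second on the Windows 10 Enterprise VM.

```powershell
# Added example (not from the original post): AD DS install, forest promotion
# and domain join. Addresses, interface alias and NetBIOS name are assumptions.

# ---- On the Windows Server VM, as the local Administrator ----

# A DC needs a stable address, and an internal switch has no DHCP, so set one.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.10' -PrefixLength 24
# A DC resolves against itself once promoted; point DNS there up front.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'

# Step 5: the same roles as "Add roles and features" in Server Manager.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Promote to the first DC of a new forest. The DSRM password is prompted for
# rather than hard-coded. The server reboots by itself when this finishes.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
Install-ADDSForest -DomainName 'bear.com' -DomainNetbiosName 'BEAR' `
                   -SafeModeAdministratorPassword $dsrm -InstallDns -Force

# After the reboot: is the DC advertising itself? Every domain join starts
# with this SRV lookup, so if it fails here the join will fail too.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.bear.com' -Type SRV
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog

# ---- On the Windows 10 Enterprise VM, as the local (offline) account ----

New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.20' -PrefixLength 24
# Step 6: DNS must point at the DC; this is what the adapter-settings step does.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'

# The post turned the firewall off to get the join working. This is the same
# thing, and only defensible because the VMs sit on an isolated lab switch.
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

# Check DC location before attempting the join: it is the usual failure point.
$srv = Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.bear.com' -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    throw 'Cannot locate a DC for bear.com via DNS; fix the DNS server address first.'
}

# Join with the domain Administrator (the forest's first admin account).
$cred = Get-Credential -UserName 'BEAR\Administrator' -Message 'Domain admin credentials'
Add-Computer -DomainName 'bear.com' -Credential $cred -Restart

# After the reboot: confirm membership and that the machine account's secure
# channel to the DC works (this is the channel Kerberos and NTLM pass-through rely on).
Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
Test-ComputerSecureChannel -Verbose
```

If `Test-ComputerSecureChannel` returns False after a join that appeared to succeed, the usual causes are the client still using a different DNS server, or time skew between the two VMs large enough to break Kerberos.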

In the future we will be creating separate standard user accounts with limited privileges for testing purposes.

In the next part of this series I will set up debugging and IIS, and we will try to debug some code in Secure Channel. I may come back and edit things here later if debugging doesn't work out of the box (e.g. I forget whether using generation 1 or 2 VMs matters).

If there are any questions, leave a comment.
