Over the last couple of weeks, I’ve seen a few examples of passwords being rejected for failing to meet the complexity rules.  For example, the current password is “secret1234” and the new password attempted is “secret1235”.  There are similar variations where people attempt to use the year and month – “password201810” and “password201811”. 

My password manager shows that I have 516 accounts and passwords.  Trying to remember 516 passwords is impossible, which is why you should use a password manager.  While a typical user might not have 516 accounts, they have quite a few and, without a password manager, they try to create something memorable.  I completely understand their need to change one digit and move on -- I disagree but I understand.  Here’s the problem – let’s say I get wind of this type of pattern and the initial portion of the password is “testing” and the remaining portion is a four digit number.  Technically, it’s an eleven-character, alphanumeric password.  In reality, it’s a four-digit, numeric password. 

Read more: Sequential Passwords
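
The point above (a stem plus a trailing number is really a four-digit password, and "secret1234" to "secret1235" is not a real change) can be enforced at password-change time.  The following is an added example written for this page, not code from the original post: it splits a password into stem and trailing number, rejects a new password that differs from the old one only by that number or is otherwise too similar, and reports the nominal keyspace beside the effective keyspace once the stem is known.  The sample pairs, the 62-character alphabet for the nominal count and the 0.8 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample changes following the patterns the post describes.
SAMPLE_CHANGES = [
    ("secret1234", "secret1235"),
    ("password201810", "password201811"),
    ("testing0042", "Tr0ub4dor&3-horse"),
]

TRAILING_NUMBER = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def split_trailing_number(password):
    """Split 'testing0042' into ('testing', '0042'); no trailing digits -> (password, '')."""
    m = TRAILING_NUMBER.match(password)
    if not m:
        return password, ""
    return m.group("stem"), m.group("num")


def effective_keyspace(password):
    """Return (nominal, effective) candidate counts.

    Nominal assumes every position is one of 62 alphanumerics (assumption).
    Effective assumes the stem is known and only the trailing digits vary,
    which is exactly the situation the post describes.
    """
    stem, num = split_trailing_number(password)
    nominal = 62 ** len(password)
    effective = 10 ** len(num) if num else nominal
    return nominal, effective


def is_sequential_variant(old, new):
    """True when both passwords share a stem and differ only in the trailing number."""
    old_stem, old_num = split_trailing_number(old)
    new_stem, new_num = split_trailing_number(new)
    return bool(old_num) and bool(new_num) and old_stem.lower() == new_stem.lower()


def similarity(old, new):
    """Case-insensitive similarity ratio in [0, 1] (1.0 means identical)."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()


def check_password_change(old, new, max_similarity=0.8):
    """Return the reasons to reject the change; an empty list means accept."""
    reasons = []
    if new.lower() == old.lower():
        reasons.append("new password equals old password")
    elif is_sequential_variant(old, new):
        reasons.append("only the trailing number changed")
    elif similarity(old, new) >= max_similarity:
        reasons.append("too similar to old password (%.2f)" % similarity(old, new))
    return reasons


if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        nominal, effective = effective_keyspace(new)
        verdict = check_password_change(old, new) or ["accepted"]
        print("%s -> %s: %s (nominal 62^%d, effective %d candidates)"
              % (old, new, "; ".join(verdict), len(new), effective))
```

The similarity check catches variants the trailing-number rule misses (a digit changed in the middle, a letter swapped), and the keyspace figure is the number a cracker actually has to cover once the stem is guessed: 10,000 for "testing0042", not 62^11.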

I've never really understood the purpose of Pastebin in a practical sense.  I think I get the concept, I just don't know why you'd use it.  That being said, its darker side is breach data dumping for the world to see.  

Yesterday, I was thinking about the API and wondering if I wanted to write a script to search the pastes for client email addresses.  While digging around on the site, I checked out a few pastes.  Lots of people were dumping code snippets, and then I saw something.  Among the code snippets, I saw what looked to be base64.  I grabbed it, decoded it, and what I saw looked to be binary gibberish.  I thought it was going to be something clever like a message but that's just me playing too much CTF.  But then I did a Google search for "What is the purpose of Pastebin?" and I saw a search result talking about base64 encoded malware.  What!?!?  After reading the article, I was left with only a partial picture.  Perhaps the author didn't want to spell things out completely?  I don't know.  So I started working it through on my own.

Read more: Pastebin Malware

Have I mentioned that I love WordPress?  I do, as long as I’m not maintaining it.  When I’m maintaining it, I hate it.  My kneejerk reaction is to call it junk.  It’s not junk but it’s what happens when designers cut out developers.  I get it – you’re a designer, you want to move quickly, and here’s this product which is easier to learn than coding.  If you want a fancy slider, you install a plugin.  If you want to embed a YouTube video, you install a plugin.  From that point of view, it’s amazing.  From my point of view, every time you bolt on a new widget, there’s a potential for an opening.  Heck, without plugins, you can still get owned, which is what we’re going to explore in a moment.

Read more: Hacking WordPress 4.7.4

In order to defend against attacks, you have to understand the attack vectors and weigh the risks.  A meterpreter shell generated into an .exe file with msfvenom won't make it through email and if it somehow did manage to make its way to a desktop, it would immediately get gobbled up by the antivirus software.  I know this for a fact because I've generated said payload and dropped it onto a desktop.  I'm not worried about .exe files.  On the other hand, I consider Microsoft Office documents a potential risk.  

I can block .exe files but I cannot block Microsoft Office documents without angering the masses.  With that in mind, what's the exposure?  Depends on the users, no?  The sender is also a factor. 

Read more: Malicious Macros

I ran into an issue while installing Google Authenticator on Ubuntu 18 and although the solution is simple, it's given me an opportunity to discuss three items.

First, the issue:

You attempt to install Google Authenticator using the following:

sudo apt install libpam-google-authenticator

And you're presented with the following error:

E: Unable to locate package libpam-google-authenticator

Read more: Ubuntu Server - Google Authenticator

I attended CactusCon this past weekend and there was a talk on cracking Active Directory hashes.  When I entered the room (late), it was standing room only.  For a few minutes, I listened in but eventually ended up leaving because the gist of the talk is something I already practice.  Essentially, build a cracking machine, dump the Active Directory hashes, and check for weak passwords.

My cracking machine is a Dell Precision 3600 Series workstation with an NVIDIA 8GB GPU.  Without the GPU, using my 400MB wordlist, it takes approximately 2.5 hours to exhaust the list.  With the GPU, it takes 7 minutes.  It's a modest cracking machine and its purpose isn't to win any contests.  I just want to get through a reasonable wordlist in a reasonable amount of time.  This meets that goal.  

Read more: Cracking Active Directory Hashes