
Anyone heard of this?


50 replies to this topic

#1 bwrighttwo


Posted 05 September 2014 - 11:41 AM

First let me say that my terminology may not be verbatim but is close.

I let a "Forensics Expert" (at least they claim to be) take a look at one of the many machines I have had issues with for some time now (take a look at my past content). They told me someone had gotten remote access to my network and configured a loop or loopback partition. I can't remember exactly what they said, but it also had something to do with Kerberos and some kind of ticket. They said it was protected with some kind of password that is impossible to delete or crack. Like I said, this may not be verbatim and I also do not know her credentials. It was free so I said why not. Anyone who has heard of something like this, I would like to hear your input. Thanks

 

Sorry if this is in the wrong topic.




#2 buddy215


Posted 05 September 2014 - 11:45 AM

How was contact made with this expert? Did you initiate the contact? If so, what website....give a link.

What problems were you having?


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 bwrighttwo


Posted 05 September 2014 - 11:59 AM

It was someone my wife met through her business.

 

It would take me days to tell you everything. The biggest thing is I have several machines that have a /dev/sda that nothing will wipe. Every single one of them acts as if it is pre-configured like an Enterprise machine would be. I really do not know how to explain it. I have done many clean re-installs and every one of them eventually degrades until it is not usable.


Edited by bwrighttwo, 05 September 2014 - 12:04 PM.


#4 buddy215


Posted 05 September 2014 - 12:07 PM

Do you use each of these machines daily? What type of business if any are these machines used for?



#5 bwrighttwo


Posted 05 September 2014 - 12:15 PM

None of them are used for business now. The one that originally had problems was my work machine. This was 3 years ago. It is no longer used. The other 3 I have now are just used for looking up info on the internet and just trying to figure out what is going on with them. I quit using them for any kind of business or personal use that might compromise my personal info. I suppose they got everything they needed the first time 3 years ago. If you take a look at my past content here you may get a better picture.



#6 Didier Stevens


Posted 05 September 2014 - 01:29 PM

Was it "golden ticket" that this person mentioned? Kerberos, golden ticket, mimikatz?

 

Now you also mention /dev/sda. That's the first hard disk on Linux machines. So are your machines Linux or Windows?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 bwrighttwo


Posted 05 September 2014 - 01:41 PM

That is exactly what they said.

 

They all were Windows 7 originally. I have used live Linux distros and have downloaded them as well, trying to figure out what is going on with them. I do seem to remember when this all first started finding evidence of "OS X" or "X OS" stuff as well. Pardon me if my terminology is off.



#8 Didier Stevens


Posted 05 September 2014 - 02:33 PM

Don't worry about the terminology.

 

Are your machines members of a domain, and do you have a domain controller (running Windows Server 2008/2012/...)?




#9 bwrighttwo


Posted 05 September 2014 - 02:57 PM

I have never configured them to be, although they seem to end up with a domain. When I first install W7 I do not think W server is there, but after a few updates it seems to appear. It acts like a machine that has been pre-configured like an Enterprise machine would be. Matter of fact, one of them showed that it was an Enterprise machine in a scan. I do not remember which scan it was. I actually contacted Microsoft and they sent me something to fix it via email. Something went wrong with the download though. Again, I can't remember what. I am at work right now. When I get home I can try to figure out what it was if you want.



#10 Didier Stevens


Posted 05 September 2014 - 03:09 PM

Well, if you don't have a domain controller, you don't need to worry about golden tickets.

 

For the interested, CERT EU has published a paper on Golden Tickets.

http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf




#11 bwrighttwo


Posted 05 September 2014 - 03:23 PM

How would I know if I had a domain controller on a Linux machine?



#12 Didier Stevens


Posted 05 September 2014 - 03:36 PM

Domain controllers are Windows machines, not Linux.

You need to have a machine running Windows Server 2008, 2012, ... and then promote it to domain controller.

 

Rest assured, it's impossible that you installed a domain controller and joined your machines without knowing.



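The two questions raised above (is the machine a domain member, and is there a domain controller on the network) can be answered from the Windows machine itself. The script below is an added diagnostic, not code from this thread or any of its participants; it assumes a Windows 7 or later host with PowerShell, and it also lists the cached Kerberos tickets for the current logon and flags any whose lifetime is far beyond the Active Directory default of 10 hours, since forged tickets are typically minted with multi-year lifetimes.

```powershell
# Added diagnostic (not from the thread): domain membership, DC lookup and
# a sanity check on cached Kerberos ticket lifetimes. No admin rights needed.

$cs = Get-WmiObject Win32_ComputerSystem   # Get-CimInstance also works on newer hosts
$roles = @{0='Standalone Workstation'; 1='Member Workstation'; 2='Standalone Server';
           3='Member Server'; 4='Backup Domain Controller'; 5='Primary Domain Controller'}
"Computer name  : $($cs.Name)"
"Part of domain : $($cs.PartOfDomain)"
"Domain/workgrp : $($cs.Domain)"
"Role           : $($roles[[int]$cs.DomainRole])"

# A domain only exists if a domain controller answers for it; nltest is built in.
if ($cs.PartOfDomain) {
    "Locating a domain controller for $($cs.Domain) ..."
    nltest "/dsgetdc:$($cs.Domain)" 2>&1
} else {
    "Not domain-joined: no domain controller issues Kerberos tickets for this machine."
}

# Cached Kerberos tickets for the current logon session (klist ships with Windows).
$klist   = klist 2>&1 | Out-String
$tickets = $klist -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
foreach ($t in $tickets) {
    $server = [regex]::Match($t, 'Server:\s*(.+)').Groups[1].Value.Trim()
    $start  = [regex]::Match($t, 'Start Time:\s*(.+?)\s*\(local\)').Groups[1].Value
    $end    = [regex]::Match($t, 'End Time:\s*(.+?)\s*\(local\)').Groups[1].Value
    try {
        $life = [datetime]::Parse($end) - [datetime]::Parse($start)
        # AD default max ticket life is 10 h; anything over a day deserves a closer look.
        $flag = if ($life.TotalHours -gt 24) { '  <-- unusually long lifetime, investigate' } else { '' }
        "{0,-45} lifetime {1:N1} h{2}" -f $server, $life.TotalHours, $flag
    } catch {
        "{0,-45} (could not parse ticket times)" -f $server
    }
}
```

On a stand-alone (workgroup) machine the first block reports "Part of domain : False" and klist shows no tickets, which is the situation in which, as noted above, a golden ticket is not a concern.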

#13 bwrighttwo


Posted 05 September 2014 - 03:57 PM

Could it not be pre-configured to automatically do this? 

 

 

I just thought of something. I just installed Linux Mint 17 on one of my machines last night. When I click on my networks, there are two and Windows is one of them. Before I say any more, let me get home and make sure I am not giving you the wrong info. By the way, thanks for your time.


Edited by bwrighttwo, 05 September 2014 - 04:03 PM.


#14 bwrighttwo


Posted 05 September 2014 - 04:18 PM

I just checked a PM I had with someone that asked me what networks were showing the last time I did a download of a Linux distro. The networks were "Windows Network" and "Dell Machine". Before you ask, I chose the option to completely overwrite the disk when downloading Linux.

This is another thing I somehow came up with that could be an issue. Refer to the link in the next reply.


Edited by bwrighttwo, 05 September 2014 - 04:20 PM.


#15 bwrighttwo


Posted 05 September 2014 - 04:19 PM

https://en.wikipedia.org/wiki/Return-oriented_programming

 

 

Could this be relevant?


Edited by bwrighttwo, 05 September 2014 - 04:20 PM.




