Sunday
Oct022011

Controlling user password rights

DateSunday, October 2, 2011 at 8:41PM

I recently needed to programatically set the "User cannot change password" flag on some users. After qucikly looking up the value that needed to be set in the UserAccountControl property (PASSWD_CANT_CHANGE, 0x40), adding this value does however not work.

The "User cannot change password" flag is controlled through the DACL ("change password").

To do this automatically I used the following C#.Net (3.5) snippet:

PrincipalContext pc = new PrincipalContext(ContextType.Domain, "domain")
UserPrincipal up = UserPrincipal.FindByIdentity(pc, "domain\\username");
up.UserCannotChangePassword = true;
up.Save();
AuthorThomas Flenstad | CommentPost a Comment |
tagged , , in
Tuesday
Feb222011

Saving data in PNG images

DateTuesday, February 22, 2011 at 9:59PM

I attended a security conference last week and a speaker named Saumil Shah had an interesting presentation. One of the examples he gave was about using PNG images to store bad/evil JavaScript to hide it from antivirus applications. Converting the JS byte for byte to a grayscale value he saved the scripts as PNG files and used HTML5 and Canvas to decode the image back into scripts.

Some time earlier this winter I heard about this method for compressing JS, but it never crossed my mind that it could be used for hiding bad JS from antivirus applications.

Seeing as I am a geek and I like to tinker with stuff for no apparent reason I decided to make my own version, but instead of making it grayscale I would make it RGBa. Except for making it a smaller picture (in pixels, not in size) it functions in the same way. Grayscale is a better way to go for compression, the only reason why I made this is because I can.

Example outputThe first version of this script converts everything byte for byte, so "Hey" would be [72,101,121]. In the next version I will add some basic encoding/bit rotation to make it a bit more tricky for AVs to catch on if they start scanning and decoding PNGs.

The PHP script:

<?php
class Picii
{
    /****************
    ** Picii v0.1
    ** Converts ASCII into byte and displays in form of a picture
    ** Written by: Thomas Flenstad / http://www.aroonie.com
    *****************/

    private $inputAsPixels = array();
    private $inputLength = 0;
    private $imageSize = array();

    public function __construct()
    {
    }

    // ----------------------------------------
    // START: debug functions

    public function D_GetBytes()
    {
        return $this->inputAsPixels;
    }

    public function D_GetDimensions()
    {
        return $this->imageSize;
    }

    // END: debug functions
    // ----------------------------------------

    private function CalculateDimension($input)
    {
        $this->inputLength = strlen($input);
        $inputSqrt = sqrt($this->inputLength/3);

        // Simple way to find approx size of image, feel free to improve
        if ($inputSqrt == (int)$inputSqrt)
        {
            $this->imageSize['x'] = $this->imageSize['y'] = $inputSqrt;
        }
        else
        {
            // Out of 1000 random strings this gave me 1.3% overhead.
            // Decided it was close enough since we're not doing compression anyway...
            $this->imageSize['x'] = ceil($inputSqrt);
            $this->imageSize['y'] = round($inputSqrt);
        }

        // for debugging purposes
        $this->imageSize['totalPixels'] = $this->imageSize['x'] * $this->imageSize['y'];
        $this->imageSize['totalBytes'] = $this->imageSize['totalPixels']*3;
        $this->imageSize['actualBytes'] = $this->inputLength;
    }

    private function ConvertToPixelArray($input)
    {
        $n = 0;
        $l = $this->inputLength / 3;

        for ($i = 0; $i < $l; $i++)
        {
            for ($e = 0; $e < 3; $e++)
            {
                // Breaks early if there isn't enough data to store in all channels (RGB)
                // Sets alpha value to indicate number of channels to look for data in
                // See comment in GeneratePicture();
                if ($n >= $this->inputLength)
                {
                    if ($e != 0) 
                        $this->inputAsPixels[$i]['alpha'] = (3 - $e);
                    return;
                }

                $this->inputAsPixels[$i]['alpha'] = 0;
                $this->inputAsPixels[$i][$e] = ord($input[$n]);
                $n++;
            }
        }
    }

    public function GeneratePicture($input)
    {
        $this->CalculateDimension($input);
        $this->ConvertToPixelArray($input);

        if ($this->imageSize['x'] != 0)
        {
            $loc_x = 0;
            $loc_y = 0;

            // Creates picture
            $pic_o = imagecreatetruecolor($this->imageSize['x'], $this->imageSize['y']);  

            // Enables alpha
            imagealphablending($pic_o, false);
            imagesavealpha($pic_o, true);

            // Clear background
            imagefill($pic_o, 0, 0, imagecolorallocatealpha($pic_o, 255, 255, 255, 127));

            foreach ($this->inputAsPixels as $pixel)
            {   
                // Calculates alpha value of the last pixel and marks the end
                // if alpha = 0 then R, G and B contains data
                // if alpha = 1 then R and G contains data
                // if alpha = 2 then R contains data
                // if alpha = 127 then no data.
                if( $pixel['alpha'] != 0)
                {
                    for ($i = 0; $i < $pixel['alpha']; $i++)
                    {
                        $pixel[(2-$i)] = 255;
                    }
                }

                // Paint
                imagesetpixel($pic_o, $loc_x, $loc_y, imagecolorallocatealpha($pic_o, $pixel[0], $pixel[1], $pixel[2], $pixel['alpha']));
                $loc_x++;       

                // Time for a new line?
                if ($loc_x == $this->imageSize['x'])
                {
                    $loc_y++;
                    $loc_x = 0;
                }
            }

            return $pic_o;
        }
        else
        {
            return false;
        }
    }
}
?>

Usage
$pic = new Picii();
imagepng($pic->GeneratePicture('Input goes here'));

Please let me know if you find any bugs or other issues with the code. The JS to decode the image will be released in a couple of days.

AuthorThomas Flenstad | Comment1 Comment |
tagged , , , in
Sunday
Feb062011

Querying AD using bitwise filters 

DateSunday, February 6, 2011 at 11:32AM

Certain attributes in AD are stored as hexadecimal values instead of as a string. A friend of mine requested (yes, I take requests, use the contact form) a script that lists all the users in a domain which has the "Password never expires" property set to true. I found that the property was stored in the userAccountControl attribute, which is a 4 byte integer.

When we're filtering for attributes like the userAccountControl we have to use a ruleOID. To check against single flag bits use the 1.2.840.113556.1.4.803 ruleOID. My LDAP filter ended up looking like this:
(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

In this filter 65536 is the decimal value of 0x00010000 which again is the hexadecimal value for ADS_UF_DONT_EXPIRE_PASSWD. More info about the userAccountControl attribute and the meaning of the different values can be found here. Microsoft has some info about ruleOIDs and bitwise filtering here.

Enough talking, here's the script:

#################################################################################
# PowerShell script to list users with the "password never expires" property set
# Version: 1.0
# Written by: Thomas Flenstad / http://www.aroonie.com
#################################################################################

function Get-PwdNoExp
{
  # Searches AD and adds a filter to the search so it only returns users who's password is set to never expire
  $dsearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
  $dsearcher.Filter = "(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
  # 65536 = 0x00010000 which is the value for ADS_UF_DONT_EXPIRE_PASSWD
  $dsearcher.PageSize = 1000
  $members = $dsearcher.FindAll()
  
  # Generates output table
  $output = @()

  foreach ($member in $members)
  {
    $object = New-Object PSObject
    $object | Add-Member Noteproperty Name $member.Properties.name[0]
    $object | Add-Member Noteproperty DN $member.Properties.distinguishedname[0]
    $output += $object
  }
  
  return $output
}

 Usage is as simple as: Get-PwdNoExp

AuthorThomas Flenstad | CommentPost a Comment | Reference2 References |
tagged , , , , in
Page 1 2 3 Next 3 Entries ยป