#krackattack WiFi encryption “Key Reinstallation Attack”

What happened?

A flaw has been discovered and widely reported as breaking WiFi encryption. The attack is a client-based attack and exploits vulnerabilities in the 4-way handshake of the WPA/2 protocol.

As the problem lies within the WiFi standard, the potential impact is widespread, affecting just about every smartphone and PC. The exploit could allow attackers to read WiFi traffic between devices and wireless access points. Certain implementations on Linux and Android devices are more severely impacted, allowing attackers to modify network traffic.

No need to panic

The flaw is not as ubiquitous and severe as the headlines suggest. The following context has been made public:

• Secured protocols (for example, HTTPS) still provide protection for applications.
• Attackers require close proximity to the wireless network – they need to be in range of the WiFi client.
• The attack is complex to execute and there are no public exploit tools currently available to facilitate the exploit (though this will likely change soon!).
• The exploit was responsibly disclosed, so vendors have already released patches (Microsoft) or intend to release soon (Android, Apple).

What can you do?

1) Implement patches when released.
2) Encrypt critical data in motion, independent of the network.
3) Ensure encryption is properly implemented to good standards (don’t invent your own!).
4) Use a virtual private network (VPN) solution on your devices, especially on public WiFi hotspots.
5) Advise users to only access secure sites, with https:// instead of http:// at the start of the address and check for a locked padlock or key in the browser address bar.

If you’re worried about the protection of your sensitive information, ask us how we can help.

Symantec Endpoint Protection: Setup.exe extruder

What do you do when you need to create around 40 Symantec Endpoint Protection packages?!

I’m way too impatient to do it manually, and after automating the sylink creation (see previous post), I got the idea of automating the setup.exe creation.

Prerequistes:
Ok, first thing you will need to do is setup your sylink files: instructions here

You will need 7-zip on your SEPM, this allows us to update the contents of the zip archive.

Export a setup msi directory from your SEPM, do not create a single exe file.
Once you have done this, zip up the output into a regular zip file call input.zip, this will be your $setup_src

Running the Script:
1) put all of your sylink files into a directory structure like this:

Sylink/
  domain1/
    group1_sylink.xml
    group2_sylink.xml
  domain2/
    group3_sylink.xml
    group4_sylink.xml

2) create a domains.txt file in the Sylink/ directory:

domain1
domain2

3) create a groups.txt (or use your previous groups.txt from the sylink creation) and put one in each domain directory (ie: Sylink/domain1/groups.txt). The groups.txt has a list of each group:

group1
group2

4) find the makesfx.exe: it is on the SEPM, in your SEPM install path: /Symantec Endpoint Protection Manager/tomcat/bin, and copy it to a convenient location. You will point the script variable $MakeSFX to it.

5) edit the script variables, make sure the paths point to the right places. Note for $bits and $type, I manually update these depending if im exporting 32 or 64 bit packages and Server or Desktop packages (depending on the SEP features in the package)

$update = @"
C:\"Program Files"\7-Zip\7z.exe u
"@
$delete = @"
C:\"Program Files"\7-Zip\7z.exe d
"@
$MakeSFX = "D:\temp\MakeSFX.exe"
$setup_src = "D:\temp\input.zip"
$setup_dst = "D:\Program Files\Symantec\SEP Agents\bulk\"
$sylink_dir = "D:\Program Files\Symantec\SEP Agents\Sylink\"
$domains_txt = $sylink_dir + "domains.txt"
$bits = "_x32"
$type = "_Desktop"

6) run the script and marvel at how much faster you can extrude out (think sausage factory 🙂 ) setup files!

You can pull the scripts from Asterisk Labs Github repository

Im pretty sure I have hit the Win inflection on this chart:
Geeks and repetitive tasks

Actually, this script generated about 40 setup exe’s for me in 20 minutes. If it takes about 5 minutes to export a setup.exe from the SEP console, Im certain I’m in front, even with script setup time, and definately with reduction in Repetitive Click Boredom.

Symantec Endpoint Protection: Sylink.xml hacking to automate SEPM migration

I have completed a couple of projects recently migrating customers from Symantec Endpoint Protection v11.0 to v12.1, including moving to a new SEP Manager. In these projects, the decision was made to do a fresh install of the SEPM, and move the clients into the new manager, without using replication between the old and new SEPM.

The file on the SEP v11 client called Sylink.xml tells the client which server to connect to, what the server certificate is and which group the client should join on the SEPM (among other things).

There is a tool on the SEP media part 2 in Tools\SylinkDrop.exe which can be used to swap the Sylink.xml file on the SEP client.

During these projects I was looking for a way to simplify the creation of the sylink.xml file, the projects both involved a large number of client groups – I didnt really want to manually export the communication settings for over 30 groups!

This lead me on a powershell path of discovery, and the realisation that powershell could load an xml file as a data object, manipulate it, and then write it out! This was exactly what I needed.

The process I used to generate the sylink files was:
– Create the group structure in the SEPM
– Create a groups.txt file: this file had a list of SEP client groups per line
– export a sylink.xml file from the destination SEPM: for example, download the communication settings file from the “My Company” top
level group.
– run the update_sylink.ps1 powershell script
– deploy the sylink files to the SEP agents with SylinkDrop.exe

The groups.txt file contained lines like:

My Company\Desktops
My Company\Desktops\WA
My Company\Desktops\NSW
My Company\Desktops\NT
My Company\Desktops\QLD
My Company\Desktops\SA
My Company\Desktops\TAS
My Company\Desktops\VIC

Note that SEP is case sensitive – the groups.txt file must match the group names in the SEPM.

When you export the sylink.xml, you will end up with a file that looks like:

<?xml version="1.0" encoding="UTF-8"?><ServerSettings DomainId="BC7791940DEADBEEF3A86829"><CommConf><AgentCommunicationSetting AlwaysConnect="1" CommunicationMode="PULL" DisableDownloadProfile="0" Kcs="18F84DEADBEEF2CF46D" PullHeartbeatSeconds="1800" PushHeartbeatSeconds="300" UploadCmdStateHeartbeatSeconds="300" UploadLearnedApp="0" UploadLogHeartbeatSeconds="300" UploadOpStateHeartbeatSeconds="300"/> <LogSetting MaxLogRecords="100" SendingLogAllowed="1" UploadProcessLog="1" UploadRawLog="1" UploadSecurityLog="1" UploadSystemLog="1" UploadTrafficLog="1"/>
<RegisterClient PreferredGroup="My Company\Workstations (location based)" PreferredMode="1"/> <ServerList FreezeSmsList="0" Name="Default Management Server List"> <ServerPriorityBlock Name="List0"> <Server Address="10.10.10.10" HttpPort="8014" VerifySignatures="1"/> <Server Address="SEPM"
HttpPort="8014" VerifySignatures="1"/> <Server Address="SEPM" HttpPort="8014" VerifySignatures="1"/> </ServerPriorityBlock> </ServerList> <ServerCertList>

<Certificate Name="SEPM">MIICujCCAiOgAwIBAgIQhjuQQqXvBWWzipD7elI3oTANBgkqhkiG9w0BAQUFADB3MXUwCQYDVQQI&#xd;

A4GBAI6RsCE0zyFwDY6rsKeOaGVtEtZNvz5Lbas2b0OYOX53GA7JbeJMWB5OqMZ5EM76PZx/toMZ&#xd;

vUN+ypsPydoiLKd7uMsNWaFGzP4JKJjiJsrhGi3l1pLlR553GxZz2UZ1zbX7knjjiReVLrniIyYd&#xd; CPFkI/DEADBEEF+fnUbxr259h</Certificate>

</ServerCertList>

</CommConf></ServerSettings>

The powershell script can actually update any token in the xml file, we are just using it to update the PreferredGroup item:

$xml_orig = New-Object XML
$xml_orig.Load("Sylink.xml")

$grps = get-content groups.txt
ForEach ($i in $grps) {
$i
$PreferredGroup = $i.toString()
$xml_new = New-Object XML
$xml_new = $xml_orig

$xml_new.ServerSettings.CommConf.RegisterClient.PreferredGroup = $PreferredGroup

$j = $i.Replace("\", "_")
$filename = $j.Replace(" ", "_")
$xml_new.Save($filename + "_Sylink.xml")
remove-variable xml_new
}

The script needs the groups.txt and sylink.xml to be in its currect directory.
The sylink files will be output to the currect directory, with the group name preceding, eg: My_Company_Desktops_WA_Sylink.xml.
All that is left is to run SylinkDrop -s “target sylink.xml” on the agents to repoint them to the new SEPM. I have used both Symantec Management Platform (Altiris) to do this, and AD group policy.

You can pull the scripts from Asterisk Labs Github repository

I have used this script to save a lot of time generating sylink files for migrations. This also gave me an idea for automating the creation of a large number of setup.exe files for SEP deployments: Stay tuned for more on that!