Danger Sampei Nihira Security Config WinXP (POS Ready2009) 2020

[Andy Ful]

Yes, but I would like to broaden the discussion since Umbra mentioned it.

OK.

Final conclusion.
In my PC, even in case of compromise of the OS (absurd hypothesis) Mimikatz could not act.

Your final conclusion is wrong, because it is based on unsupported assumptions.

1. MBAE + OSA can be a good replacement for Windows Updates.
2. OSA can stop obfuscated command lines and all LOLBins.
3. OSA can stop all implementations of Mimikatz (it cannot).

Nothing that was posted in this thread and also in the threads mentioned by you (like from Wilderssecurity forum) does not support that the above assumptions should be true.

But, you are right that the Mimikatz attack via scripting methods would be hardly probable in the wild in the home environment, when .NET Framework is not installed and Windows Script Host scripting is blocked. Of course if the system is compromised, then the legal Python interpreter can be downloaded and Pypykatz can be run to do the same as Mimikatz.

 

[Sampei Nihira]

OK.

Your final conclusion is wrong, because it is based on unsupported assumptions.

1. MBAE + OSA can be a good replacement for Windows Updates.
2. OSA can stop obfuscated command lines and all LOLBins.
3. OSA can stop all implementations of Mimikatz (it cannot).

Nothing that was posted in this thread and also in the threads mentioned by you (like from Wilderssecurity forum) does not support that the above assumptions should be true.

But, you are right that the Mimikatz attack via scripting methods would be hardly probable in the wild in the home environment, when .NET Framework is not installed and Windows Script Host scripting is blocked. Of course if the system is compromised, then the legal Python interpreter can be downloaded and Pypykatz can be run to do the same as Mimikatz.

Absurd.
Pypykatz does not work on Windows XP.
For you assumptions..........................
At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine, no exploit-loaded web page was able to pass the browser.

But I don't want to mention this episode since it was a private test.

Rather I would be interested to know how the attacker through Mimikatz manages to know if the compromised PC is 32 bit or 64 bit.

Read this article written by Mrkvonic(Igor Ljubuncic)

About

About the site page, including Dedoimedo history, author's biography and credentials

www.dedoimedo.com

that I remember is an Linux Systems Expert and regularly writes on W.:

Windows 7 end of support - What to do next guide

Guide discussing the end of support for Windows 7 and considerations for continued use, including security, hardware, performance, and functionality, alternatives like Windows 10 and Linux, and more

www.dedoimedo.com

....For home users, who often happen to be the only user on their own machine, where user-to-admin exploits and local-access exploits are not important, system updates will rarely matter if the users have good network-facing security (router and browsers).....

although the article does not consider that even a Windows 7 OS can be updated the same after the end of extended support:

Bypass Windows 7 Extended Security Updates Eligibility

About that registry entry I mentioned above, I've modified it slightly so that it comes as two lines but when about to import it, I still get the same...

forums.mydigitallife.net

Happy New Year.

 

[Andy Ful]

Absurd.
Pypykatz does not work on Windows XP.

The new beta can parse XP(32/64) lsass dumps.

#pypykatz hashtag on Twitter

On 28 Feb 2019 @gentilkiwi tweeted: "@Narse007 en l’occurrence je ne suis pas.." - read what others are saying and join the conversation.

twitter.com

Anyway, that was only an example of using Python to bypass AV and OSA protection.

For you assumptions..........................
At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine, no exploit-loaded web page was able to pass the browser.

But I don't want to mention this episode since it was a private test.

You know that such a test means nothing.

Rather I would be interested to know how the attacker through Mimikatz manages to know if the compromised PC is 32 bit or 64 bit.

Why the attacker should do it via Mimikatz? It is not Mimikatz that compromised your system.

Read this article written by Mrkvonic that I remember is an Linux Systems Expert and regularly writes about W:

https://www.dedoimedo.com/computers/windows-7-end-of-support-guide.html
...
Happy New Year.

It is similar to what I posted already:
https://malwaretips.com/threads/sam...ig-winxp-pos-ready2009-2019.97166/post-850607

You should also decide which experts you want to listen to - MBAE experts or Mrkvonic, both have very different meaning about Windows Updates and level of security.

By the way, you should apply the SUA (limited user account) in your setup as it was suggested in my post and in the article (the red color was used by the author):
"I've talked about this endlessly over the past decade and a half. You can use a standard user account to reduce the risk of accidental damage."

Happy New Year.

 

[ForgottenSeer 823865]

Absurd.
Pypykatz does not work on Windows XP.
For you assumptions..........................

Wrong again.

At the university we did a specific test with an out-of-date PC (apart from the browser) for 4 months with a security configuration similar to mine, no exploit-loaded web page was able to pass the browser.

Yeah means nothing, they don't have access to the latest exploits nor create any. And If university were good in security, they won't got hacked all the time by their students. Lol.

Rather I would be interested to know how the attacker through Mimikatz manages to know if the compromised PC is 32 bit or 64 bit.

You need to do more research about attacking a system. the first thing attackers checks, once your system is compromised is your computer environment, then they adapt their tools to it. They don't use Mimikatz for it, the stager/dropper do the job, usually by placing a remote shell (or via port scanning).
Serious hacking is all about using attack chain/stages (or not depending the target/situation). If your computer is already compromised, they got all the info they need to deploy Mimikatz and other tools properly ( via obfuscated Download Cradle, etc..).

Also I will point that attacker don't need to install powershell or python in the victim system. The stager embark them and run them in-memory using various methods (but often via reflective dll injection).

I want to reiterate the fact that once an attacker manage to get a kernel exploit active on your system it is game over.

We are here to discuss the absolute, so spare me the "I'm home user, I won't get targeted" or "exploit are rare" argument, those are nothing to do in a security forum. If this is your main point to refute that your system is more vulnerable than a modern OS, so there is nothing to discuss anymore and so you can keep live happily in denial.

Read this article written by Mrkvonic(Igor Ljubuncic)

Please, dont point us to him, with all respect to him (because of his informative blog posts, I like to read) he is no expert. It is not because I do monthly reviews of an OS than suddenly i am a Windows and security expert lol.
I know lot a lot of stuff about security and Windows, I don't consider myself as an expert, far from it...

 

[Sampei Nihira]

I already knew that article:

Extraction des secrets de lsass à distance

Cet article présente la modification d’un outil pour extraire à distance les mots de passe présents dans un dump de lsass, évitant ainsi d’utiliser Mimikatz et d’être détecté par les Antivirus

beta.hackndo.com

And how would this hypothetical remote attacker install ProcDump on a my Windows XP OS?

Again by hypothesis, since in a protected OS like mine it would not be possible to start the attack sequence.

P.S.

@Andy Ful

Still always SUA?
I told you abundantly that in my pc it is sufficient on limited-user privileges applied to browsers and email clients.
Please try NOT to be repetitive.
TH.

 

[Andy Ful]

Sampei Nihira,

It seems that you do not follow the bits of advice included in the articles you read. You treat them selectively without proper understanding. I can see the difference between limiting privileges on an Administrator account and using "limited user account". It seems that our understanding of Windows vulnerabilities, exploits and infection chains are on very different levels. I can also see that these levels will not get close to each other.
I wish you:

1. Let MS does update all Windows XP vulnerabilities until all XP machines will die.
2. Let your faith about MBAE, NEW Moon, OSA (and any 3rd party security you choose) will become reality.
3. Let people who use your setup have safe habits and do not perform risky activities.

Generally, I wish you good luck. Do not mind if some of my posts were waspish.
By the way, I also use Windows XP machine as a media player (CF + Snadboxie + disconnected from the Internet).

 

[Sampei Nihira]

Sampei Nihira,

It seems that you do not follow the bits of advice included in the articles you read. You treat them selectively without proper understanding. I can see the difference between limiting privileges on an Administrator account and using "limited user account". It seems that our understanding of Windows vulnerabilities, exploits and infection chains are on very different levels. I can also see that these levels will not get close to each other.
I wish you:

1. Let MS does update all Windows XP vulnerabilities until all XP machines will die.
2. Let your faith about MBAE, NEW Moon, OSA (and any 3rd party security you choose) will become reality.
3. Let people who use your setup have safe habits and do not perform risky activities.

Generally, I wish you good luck. Do not mind if some of my posts were waspish.
By the way, I also use Windows XP machine as a media player (CF + Snadboxie + disconnected from the Internet).

@Andy Ful

I am not a native English speaker.
I can write answers that you misinterpret.
I'm interested in building a speech.

Right now the thread of the discussion is Pypykatz.
If you want to change the subject, just say it.
That's fine with me.
Do not always go back to what you have already written on the previous pages in this 3D.

I think it would also be interesting for other forum members to block utilities that are potentially harmful to our OS:

 

[Andy Ful]

Sampei Nihira,

You know that I wish you well. I am tired a little with this discussion because it seems useless to you. The readers can get enough information from this thread to make a proper decision. I am also busy now, because I have to investigate/test the security consequences of the modified Recommended Settings in the new version of H_C.
Be safe.

 

[Sampei Nihira]

I have updated the version of UBO Legacy.
UBO Legacy v.1.16.4.13 available today

gorhill/uBlock

uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean. - gorhill/uBlock

github.com

I also did my usual weekly anti-phishing test, with today's phishing links, to the browser and DNS.
As usual, the custom list I use with UBO exceeds DNS.

 

[oldschool]

As usual, the custom list I use with UBO exceeds DNS.

Care to post it?

 

[Sampei Nihira]

Care to post it?

But keep in mind that it is suitable for my needs.
My browser doesn't have anti-phishing features like your browsers (unless you've disabled the feature).

In my opinion you should do anti-phishing tests and check if everything is OK for you or you need some integration.

I'll insert the link I use:

PhishTank > Phish Search

Use finished URLs, those without ...
If you need, I will gladly insert my personalized UBO lists.

Let me know, OK?

 

[Sampei Nihira]

Weekly browser update:



and Client email:

 

[Lenny_Fox]

In an advisory, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency said one or more exploits were "detected in the wild" and warned that attacks could be exploited to "take control of an affected system." The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw.

You are still good to go with XP?

 

[Sampei Nihira]

You are still good to go with XP?

1° - The vulnerabilities concern versions of Firefox that cannot be installed in Windows XP.
2° - If the vulnerabilities should also affect Pale Moon (this is not always the case because the Firefox ESR 52 version is often not subject to the same vulnerabilities):

....They are handled primarily by me (Moonchild) personally being in touch with the Mozilla Security team which provides me with access to relevant bugs on bugzilla, but only after Mozilla has deemed it safe to release to non-team members (which is usually a few days to a week after a Firefox release......

How are security vulnerabilities handled? - Pale Moon forum

3° - Roytam1 applies, if available, almost immediately, patches to versions of browsers developed for Windows XP, in my case New Moon.
This is possible because the version of New Moon we use comes from their alpha build.

4° - Roytam1 usually makes personal changes to the Pale Moon code every week.
This fact also statistically lowers the chances that a browser with different code is as exploitable as the original Pale Moon - Firefox

________________________________________________________________________________________________________________________________________________

Several years ago we analyzed, with the help of Giorgio Maone, the Firefox bugs that would have been rendered "harmless" by the use of Noscript.

This estimate resulted in nearly 80%.
The result was obtained with Noscript with the default settings.

P.S. And my Noscript setting is not default.

 

[oldschool]

Your setup is similar to a 1920's Alpha Romero, scrupulously maintained in mostly original condition! I love following your thread!

 

[Sampei Nihira]

@Lenny_Linux

Pale Moon was also vulnerable to CVE-2019-17026.
Roytam1 ported the patch to XP yesterday:

ported mozilla upstream bug: Bug 1607443 - Fix some alias sets. r=tca… · roytam1/UXP@b8ab527

…mpbell, a=lizzard

github.com

These changes compared to the previous week in the browser:

Official UXP changes since my last build:
- Issue #1338 - Part 1: Update NSPR to 4.24 (f7d301332)
- Issue #1338 - Part 2: Update NSS to 3.48-RTM (f4a12fc67)
- Issue #1338 - Part 3: Update NSS symbols (c097dcf7f)
- Issue #1338 - Part 4: Initialize NSS with desired run-time values. (24f97a168)
- Issue #1338 - Part 5: Clobber for NSS update (b1694ef0a)
- Merge pull request #1341 from MoonchildProductions/nss-work (e30d68b69)
- Issue #1345 - Implement non-standard legacy CSSStyleSheet rules (b4d686d62)
- Merge pull request #1346 from JustOff/PR_CSSStyleSheet_legacy (c66b70c4d)
- Reject sample rates that are out-of-range for libsoundtouch. (c03265177)
- Bug 1322938 - Basic implementation of HTMLDialogElement. (2e3b937f4)
- Bug 1322938 - Emit close event when HTMLDialogElement.prototype.close() is called. (ef2cd8749)
- Bug 1322938 - Update <dialog> element Web Platform Tests expected results. (a4011e724)
- Bug 1322938 - Put <dialog> element behind preference. (b91b0c37e)
- Bug 1322938 - Make the HTML tree builder aware of <dialog>. (25e85f99c)
- Bug 1379728 part 1. Remove the double-definition of the 'close' event from EventNameList.h. (52bda2a82)
- Issue #1348 - Part 1: Clean up input scope support for IMM32. (1672355a7)
- Issue #1348 - Part 2: Teach IMEState about Private Browsing mode. (8ae047bbb)
- Issue #1348 - Part 3: Set IS_PRIVATE input scope in private browsing. (d79cc5fb4)
- Merge pull request #1347 from g4jc/html5_dialog (29bf28ca3)
- Simplify value setting. (d429ac8a6)
- Be more consistent about decoding IP addresses in PSM. (8198126c3)
- Make copy of list before iterating over it. (51b1cd97a)
- Handle missing base64 challenge in NegotiateAuth and NTLMAuth. (0186023f4)
- Issue #1338 - Un-bust building of NSS after update to 3.48 on Linux. (936577621)
- Update GTK clipboard handling (095a02f25)
- Issue #1338 - Followup: certdb: propagate trust information if trust module is loaded afterwards, (f64e760ab)


Official Pale-Moon changes since my last build:
- Issue #1703 - Update UA overrides for Google and YouTube (832effab3)
- Block Noveau NV96 mesa driver layers acceleration. (b7841e5cf)


There are no new Official Basilisk changes since my last build.


My changes since my last build:
- ported mozilla upstream bug: Bug 1607443 - Fix some alias sets. r=tcampbell, a=lizzard (b8ab52794)

Thank you very much for asking your question yesterday.
So the MT community can verify how it is possible to use XP still today safely.

Thanks again.

 

[Nagisa]

@Sampei Nihira May I ask an off-topic question? Where do you find the security updates for XP? Is there a complete list of must-installed patches?

 

[Sampei Nihira]

@Sampei Nihira May I ask an off-topic question? Where do you find the security updates for XP? Is there a complete list of must-installed patches?

After the end of extended support (2014) you need to make a change to the registry to use POSREADY updates.
I insert you 2 3D to get some info on the topic you asked for:

POSReady 2009 updates ported to Windows XP SP3 ENU

msfn.org

On decommissioning of update servers for 2000, XP, (and Vista?) as of July 2019

msfn.org

 

[Sampei Nihira]

There is an update to 2020 that I had not read in the article, in the final part.
I put it to your attention:

Extraction des secrets de lsass à distance

Cet article présente la modification d’un outil pour extraire à distance les mots de passe présents dans un dump de lsass, évitant ainsi d’utiliser Mimikatz et d’être détecté par les Antivirus

beta.hackndo.com

Procdump is no longer needed.
Be careful of rundll32.exe.
My rule in OSA was already selected:



Take your precautions .

 

[ForgottenSeer 823865]

Interestimg approach, anyway rundll32.exe as abused process is old news.

Off topic: are you French (coz I am)? Because most of your links are French stuff.