Command Injection, Cryptography, Downloads, Embedded, Hacking Tools, Microsoft, NTFS, Python, QEMU, RDP, Vulnerability, Vulnerable, Windows

Qvm-Create-Windows-Qube – Spin Up New Windows Qubes Quickly, Effortlessly And Securely

May 27, 2021, 10:51 AMMay 27, 2021 681

qvm-create-windows-qube is a tool for quickly and conveniently installing fresh new Windows qubes with Qubes Windows Tools (QWT) drivers automatically. It officially supports Windows 7, 8.1 and 10 as well as Windows Server 2008 R2, 2012 R2, 2016 and 2019.

The project emphasizes correctness, security and treating Windows as an untrusted guest operating system throughout the entire process. It also features other goodies such as automatic installation of packages including Firefox, Office 365, Notepad++, Visual Studio and more using Chocolatey.

Installation

Download the installation script by opening the link, right-clicking and then selecting “Save [Page] as…”
Copy install.sh into Dom0 by running the following command in Dom0:
- qvm-run -p --filter-escape-chars --no-color-output <qube_script_is_located_on> "cat '/home/user/Downloads/install.sh'" > install.sh
Review the code of install.sh to ensure its integrity
- Safer with escape character filtering enabled above; qvm-run disables it by default when output is a file
Run chmod +x install.sh && ./install.sh
- Note that this will install packages in the global default TemplateVM, which is fedora-XX by default
Review the code of the resulting qvm-create-windows-qube.sh

A more streamlined and secure installation process with packaging will be shipping with Qubes R4.1.

Usage
<div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="Usage: ./qvm-create-windows-qube.sh [options] -i -a -h, –help -c, –count Number of Windows qubes with given basename desired -t, –template Make this qube a TemplateVM instead of a StandaloneVM -n, –netvm <qube> NetVM for Windows to use -s, –seamless Enable seamless mode persistently across reboots -o, –optimize Optimize Windows by disabling unnecessary functionality for a qube -y, –spyless Configure Windows telemetry settings to respect privacy -w, –whonix Apply Whonix recommended settings for a Windows-Whonix-Workstation -p, –packages <packages> Comma-separated list of packages to pre-install (see available packages at: https://chocolatey.org/packages) -i, –iso <file> Windows media to automatically install and setup -a, –answer-file <xml file> Settings for Windows installation “>

Usage: ./qvm-create-windows-qube.sh [options] -i <iso> -a <answer file> <name>
-h, --help
-c, --count <number> Number of Windows qubes with given basename desired
-t, --template Make this qube a TemplateVM instead of a StandaloneVM
-n, --netvm <qube> NetVM for Windows to use
-s, --seamless Enable seamless mode persistently across reboots
-o, --optimize Optimize Windows by disabling unnecessary functionality for a qube
-y, --spyless Configure Windows telemetry settings to respect privacy
-w, --whonix Apply Whonix recommended settings for a Windows-Whonix-Workstation
-p, --packages <packages> Comma-separated list of packages to pre-install (see available packages at: https://chocolatey.org/packages)
-i, --iso <file> Windows media to automatically install and setup
-a, --answer-file <xml file> Settings for Windows installation

Downloading Windows ISO

The windows-media/isos/download-windows.sh script (in windows-mgmt) securely downloads the official Windows ISO to be used by qvm-create-windows-qube.

Creating Windows VM

Windows 10

./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64.iso -a win10x64-pro.xml work-win10

./qvm-create-windows-qube.sh -n sys-firewall -oyp steam -i win10x64.iso -a win10x64-pro.xml game-console

Windows Server 2019

./qvm-create-windows-qube.sh -n sys-firewall -oy -i win2019-eval.iso -a win2019-datacenter-eval.xml fs-win2019

Windows 10 LTSC

A more stable, minified, secure and private version of Windows 10 officially provided by Microsoft

./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml work-win10

./qvm-create-windows-qube.sh -n sys-whonix -oyw -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml anon-win10

Windows 7

Not recommended because Windows 7 is no longer supported by Microsoft, however, it’s the only desktop OS the Qubes GUI driver (in Qubes Windows Tools) supports if seamless window integration or dynamic resizing is required
See the Security > Windows > Advisories section below for more info

./qvm-create-windows-qube.sh -n sys-firewall -soyp firefox,notepadplusplus,office365proplus -i win7x64-ultimate.iso -a win7x64-ultimate.xml work-win7

Security

qvm-create-windows-qube is “reasonably secure” as Qubes would have it.

windows-mgmt is air gapped
The entirety of the Windows qube setup process happens is done air gapped
- There is an exception for installing packages at the very end of the Windows qube installation
Entire class of command injection vulnerabilities eliminated in the Dom0 shell script by not letting it parse any output from the untrusted windows-mgmt qube
- Only exit codes are passed by qvm-run; no variables
- This also mitigates the fallout of another Shellshock Bash vulnerability
Downloading of the Windows ISOs is made secure by enforcing:
- ISOs are downloaded straight from Microsoft controlled subdomains of microsoft.com
- HTTPS TLS 1.2/1.3
- HTTP public key pinning (HPKP) to whitelist the website’s certificate instead of relying on certificate authorities (CAs)
  - Qubes aims to “distrust the infrastructure”
  - Remember, transport security = encryption * authentication (This allows for the utmost authentication)
- SHA-256 verification of the files after download
Windows is treated as an untrusted guest operating system the entire way through
All commits by the maintainers are always signed with their respective PGP keys
- Should signing ever cease, assume compromise
- Current maintainer 1: Elliot Killick
  - PGP key: 018F B9DE 6DFA 13FB 18FB 5552 F9B9 0D44 F83D D5F2
- Current maintainer 2: Frédéric Pierret (No Keybase account)
  - PGP key: 9FA6 4B92 F95E 706B F28E 2CA6 4840 10B5 CDC5 76E2
  - Mostly concerned with Qubes R4.1 support
The impact of any theoretical vulnerabilities in handling of the Windows ISO (e.g. vulnerability in filesystem parsing) or answer file is limited to windows-mgmt

Windows

Maintenance

Don’t forget to apply any applicable updates upon creation of your Windows qube. Microsoft frequently builds up-to-date ISOs for current versions of Windows, such as Windows 10. For these Windows versions, it’s recommended to periodically visit the official Microsoft site download-windows.sh provides to get a fresh Windows image out of the box.

Advisories

Windows 7 and Windows Server 2008 R2 reached end of life (EOL) on January 14, 2020. Updates for these OSs are still available with Extended Security Updates (ESUs) if paid for. Office 365 for these OSs will continue getting security updates at no additional cost until January 2023.

If RDP is to be enabled on a Windows 7 qube (not default) then make sure it is fully up-to-date because the latest Windows 7 ISO Microsoft offers is unfortunately still vulnerable to BlueKeep and related DejaBlue vulnerabilities.

A critical vulnerability in Windows 10 and Windows Server 2016/2019 cryptography was recently disclosed. This allows any and all cryptography in these OSs (including HTTPS; the little padlock in your browser) to be easily intercepted. When Microsoft releases an updated ISO, the direct links in download-windows.sh will be updated but until then please update your qubes if they run the aforementioned OSs.

Privacy

qvm-create-windows-qube aims to be the most private way to use Windows. Many Qubes users switched from Windows (or another proprietary OS) in part to get away from Microsoft (or Big Tech in general) and so being able to use Windows from a safe distance is of utmost importance to this project. Or at least, as safe a distance as possible for what is a huge, proprietary binary blob.

Windows Telemetry

Configures Windows telemetry settings to respect privacy.

Opt-out of Customer Experience Improvement Program (CEIP)
Disable Windows Error Reporting (WER)
Disable DiagTrack service
Switch off all telemetry in Windows 10 “Settings” application
Enable “Security” level of telemetry on compatible editions of Windows 10
See spyless.bat for more info

Whonix Recommendations for Windows-Whonix-Workstation

Everything mentioned here up to “Even more security” is implemented. “Most security” is to use an official Whonix-Workstation built yourself from source. This feature is not official or endorsed by Whonix.

It’s recommended to read this Whonix documentation to understand the implications of using Windows in this way.

Easy to Reset Fingerprint

There are countless unique identifiers present in every Windows installation such as the MachineGUID, installation ID, NTFS drive Volume Serial Numbers (VSNs) and more. With qvm-create-windows-qube, these unique identifiers can easily be reset by automatically reinstalling Windows.

Limitations

Fingerprinting is possible through the hypervisor in the event of VM compromise, here are some practical examples (not specific to Windows):

Xen clocksource as wallclock
- Timezone leak can at least be mitigated by configuring UTC time in the BIOS/UEFI, the local timezone can still be configured for XFCE Dom0 clock
- However, correlation between other VMs remains trivial
CPUID
Generally some of the VM interfaces documented here (e.g. screen dimensions)

Contributing

You can start by giving this project a star! High quality PRs are also welcome! Take a look at the todo list below if you’re looking for things that need improvement. Other improvements such as more elegant ways of completing a task, code cleanup and other fixes are also welcome.

Lots of Windows-related GSoCs for those interested.

The logo of this project is by Max Andersen, used with written permission.

This project is the product of an independent effort that is not officially endorsed by Qubes OS.

Qubes Windows Tools Known Issues

Please send patches for these if you are able to. Although, be aware that Qubes Windows Tools is currently unmaintained.

All OSs

All OSs except Windows 7/Windows Server 2008 R2

Prompt to install earlier version of .NET
- This only appears to be a cosmetic issue because qrexec services still work
- Has been merged but QWT needs to be rebuilt to include it and there’s currently no maintainer

Windows 10/Windows Server 2019

Private disk creation fails
- Temporary fix: Close prepare-volume.exe window causing there to be no private disk (can’t make a TemplateVM) but besides that Windows qube creation will continue as normal
- Has been merged but QWT needs to be rebuilt to include it and there’s currently no maintainer

Mailing list threads

Windows tagged Qubes OS GitHub issues

Todo

End Goal

Have a feature similar (or superior) to VMWare’s Windows “Easy Install” feature on Qubes. VMWare’s solution is proprietary and only available in their paid products.

VirtualBox also has something similar but it’s not as feature-rich.

Source : KitPloit – PenTest Tools!

Huge security flaw in macOS lets hackers steal your passwords

Motorola Moto G (2nd Gen) gets Android Marshmallow update

WhatsApp down on New Year’s Eve: Users worldwide unable to connect as messaging app crashes repeatedly

WhatsApp for Windows Phone update brings starred messages, new camera interface

Microsoft Lumia 950 Dual SIM, Lumia 950 XL Dual SIM Launched in India

Nokia C1 Leak Tips Launch With Android and Windows 10 Mobile

A solar-powered “Lunar” smartwatch seems like a good idea — if it works

TV Service is being killed by Google Fiber; The Company wants to concentrate on High Speed Internet

Google Home now lets you set and manage your reminders

Hacker Steve Lord says Windows Phone is the”hardest nut to crack”

Google Makes Full-Disk Encryption Mandatory for New Android 6.0 Devices

Hike users can now send messages without internet

Social-Analyzer – API And Web App For Analyzing And Finding A Person Profile Across +300 Social Media Websites (Detections Are Updated Regularly)

Six Methods to Create a Secure Password You’ll Actually Remember [INFOGRAPHIC]

Here’s how to kick nazis off your Twitter right now

Twitter CEO promises to crack down on hate, violence and harassment with “more aggressive” rules

Twitter users join 24hr boycott to protest online harassment

Twitter says it may “refine” its policies after reversing position on Blackburn campaign ad

WhatsApp video calling feature, new design leaked

Microsoft Lumia 950 Dual SIM, Lumia 950 XL Dual SIM Launched in India

Flipkart Partners With Google to Launch App-Like Mobile Website

Google Makes Full-Disk Encryption Mandatory for New Android 6.0 Devices

Indian govt to launch its own operating system for official use

Google Makes Website Making Easy With “Material Design Lite” and Free Website Builder

CakeFuzzer – Automatically And Continuously Discover Vulnerabilities In Web Applications Created Based On Specific Frameworks

Mantra – A Tool Used To Hunt Down API Key Leaks In JS Files And Pages

ScrapPY – A Python Utility For Scraping Manuals, Documents, And Other Sensitive PDFs To Generate Wordlists That Can Be Utilized By Offensive Security Tools

Parrot 5.1 – Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

Psudohash – Password List Generator That Focuses On Keywords Mutated By Commonly Used Password Creation Patterns

Hoaxshell – An Unconventional Windows Reverse Shell, Currently Undetected By Microsoft Defender And Various Other AV Solutions, Solely Based On Http(S) Traffic

Callisto – An Intelligent Binary Vulnerability Analysis Tool

Surf – Escalate Your SSRF Vulnerabilities On Modern Cloud Environments

LFI-FINDER – Tool Focuses On Detecting Local File Inclusion (LFI) Vulnerabilities

Artemis – APK Infrastructure Investigator

Artemis – A Modular Web Reconnaissance Tool And Vulnerability Scanner

FirebaseExploiter – Vulnerability Discovery Tool That Discovers Firebase Database Which Are Open And Can Be Exploitable

Sri Lanka arrests 2 men over Taiwan bank hacking

Here’s the Facebook Hacking Tool that Can Really Hack Accounts, But…

3 Wipro employees arrested for hacking UK firm TalkTalk

Samsung agrees to pay Apple $548 million for copying its iPhone designs

Indian hackers ‘pay back’ Pakistan for 26/11

Boy, 15, arrested in Northern Ireland in connection with TalkTalk hack

Sri Lanka arrests 2 men over Taiwan bank hacking

324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway

Over 800,000 Brazzers User Accounts Hacked

Aryabhatta college of Delhi University (DU) website hacked by Pakistani Hackers

Indian Railways page hacked by Al Qaeda. And this is the message they left for Indian Muslims

JNU’s Website Defaced by Indian Hackers

‘Pokémon Snap’ lives on through ‘Pokémon Go’ photography contest

Desk lamp transforms from notepad into a modern, stylish lamp

Nissan drove a GT-R around a racetrack using a PS4 controller

Razer’s first ever smartphone could be coming next month

Oculus Go solves VR’s two biggest problems

Truly driverless cars could soon be allowed on California’s roads

Electron_Shell – Developing A More Covert Remote Access Trojan (RAT) Tool By Leveraging Electron’s Features For Command Injection And Combining It With Remote Control Methods

Skyhook – A Round-Trip Obfuscated HTTP File Transfer Setup Built To Bypass IDS Detections

Pinkerton – An JavaScript File Crawler And Secret Finder Developed In Python

WMIExec – Set Of Python Scripts Which Perform Different Ways Of Command Execution Via WMI Protocol

AtlasReaper – A Command-Line Tool For Reconnaissance And Targeted Write Operations On Confluence And Jira Instances

NucleiFuzzer – Powerful Automation Tool For Detecting XSS, SQLi, SSRF, Open-Redirect, Etc.. Vulnerabilities In Web Applications

Your iPhone will Alert You if You are Being Monitored At Work

Warning! — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

WhatsApp down on New Year’s Eve: Users worldwide unable to connect as messaging app crashes repeatedly

WhatsApp video calling feature, new design leaked

Bad Santa! Microsoft Offers — ‘Upgrade now’ or ‘Upgrade tonight’ to Push Windows 10

Samsung agrees to pay Apple $548 million for copying its iPhone designs

Androidqf – (Android Quick Forensics) Helps Quickly Gathering Forensic Evidence From Android Devices, In Order To Identify Potential Traces Of Compromise

FireStorePwn – Firestore Database Vulnerability Scanner Using APKs

LibAFL – Advanced Fuzzing Library – Slot Your Fuzzer Together In Rust! Scales Across Cores And Machines. For Windows, Android, MacOS, Linux, No_Std, …

Cpufetch – Simplistic Yet Fancy CPU Architecture Fetching Tool

Umbrella_android – Digital And Physical Security Advice App

Ghost Framework – An Android Post-Exploitation Framework That Exploits The Android Debug Bridge To R emotely Access An Android Device