Dec 31, 2020

What is IoC?

IoC stands for Indicator of compromise.

Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

Links:

  • https://en.wikipedia.org/wiki/Indicator_of_compromise
  • https://azeria-labs.com/iocs-vs-ttps/

 

What is TTP?

TTP stands for Tactics, Techniques and Procedures.

Tactics, Techniques, and Procedures (TTPs) is a concept borrowed from terrorism analysis, where it is used to identify the individual patterns of behavior of a particular terrorist activity or organization, and to examine and categorize the more general tactics and weapons used by that activity or organization. In cybersecurity the same idea describes how an adversary operates: the tactic is the goal of an action (for example, credential access), the technique is how that goal is reached (for example, dumping LSASS memory), and the procedure is the specific implementation a given actor uses. Unlike an IoC (a hash, IP address or domain that an attacker can change cheaply), a TTP reflects behavior and is much harder for the attacker to abandon, which is why detection built on TTPs tends to outlast detection built on IoCs.

Links:

  • https://en.wikipedia.org/wiki/Terrorist_Tactics,_Techniques,_and_Procedures
  • https://azeria-labs.com/iocs-vs-ttps/

Internet Exposure of DNS-over-TLS

DNS-over-TLS (DoT) (TCP/853)

Encrypting DNS is great! Unless it's baddies doing the encrypting.


TLDR

  • WHAT IT IS: DNS over TLS is just what it says on the tin: the DNS protocol embedded in a TLS connection, ostensibly to make your DNS request more confidential.
  • HOW MANY: 3,237 discovered nodes. A hodgepodge mix of vendor/version information was discernible, but you’ll need to read the details to find out more.
  • VULNERABILITIES: Whatever is in the DNS that backs the service or in the code that presents TLS (more often than not, a plain, ol’ web server).
  • ADVICE: It’s complicated (read on to find out why!)
  • ALTERNATIVES: Plain, simple, uncomplicated, and woefully unconfidential UDP DNS; DNS over HTTPS (DoH); DNS over QUIC (DoQ); DNS over avian carriers (DoAC).
  • GETTING: Drunk with power. There are nearly two times as many as April 2019.
At face value, DNS over TLS (henceforth referred to as DoT) aims to be the confidentiality solution for a legacy cleartext protocol that has managed to resist numerous other confidentiality (and integrity) fixup attempts. It is one of a handful of modern efforts to help make DNS less susceptible to eavesdropping and person-in-the-middle attacks.

Discovery details

We chose to examine DoT because web browsers have become the new operating system of the internet, and DoT and cousins all allow browsers (or any app, really) to bypass your home, ISP, or organization’s choices of DNS resolution method and resolution provider. Since it’s presented over TLS, it can also be a great way for attackers to continue to use DNS as a command-and-control channel as well as an exfiltration channel.

We chose to examine DoT versus DoH because, well, it is far easier to enumerate DoT endpoints than it is DoH endpoints. It’s getting easier to enumerate DoH since there seems to be some agreement on the standard way to query it, so that will likely make it to a future report.

In case you have been left unaware, Google is a big player in the DoT space, but it tends to concentrate DNS exposure on a tiny handful of IP addresses (i.e., that bar is not Google-proper). When we filter out CleanBrowsing (yep, they’re everywhere), we’re left with the major exposure in Google being … a couple dozen servers running an instance of Pi-hole (dnsmasq-pi-hole-2.80, to be precise). Cut/paste that finding for OVH and DigitalOcean and yep, that same Pi-hole setup is tops in those two clouds as well.

You don’t need to get all fancy and run a Pi-hole setup to host your own DoT server. Just fire up an nginx instance, create a basic configuration (nginx’s stream module can terminate TLS on TCP/853 and proxy the decrypted DNS to a resolver), set up your own DNS behind it, and now, you too can stop your ISP from snooping on your DNS queries.

Exposure information

Here is where we’d normally talk about versions and CVEs, etc., but the DoT situation is complicated by a few things. First, we have big players in this space using proprietary solutions, so version fingerprints such as “CleanBrowsing v1.6a” are not very useful information. Second, should we focus on the version of the web server or of the back-end DNS server (or both)? The latter might not be useful, since you can configure an nginx DoT setup to proxy to a third party, and that third party is what will get picked up in the response.

Attacker’s view

There are no DoT honeypots in Project Heisenberg, but DoT is just a TLS wrapper over a traditional DNS binary-format query: the same two-byte length-prefixed framing that DNS over TCP uses, sent inside a TLS session on TCP/853. When we looked for that in the TCP/853 full packet captures, we saw us (!) and a couple of other researchers. Not very exciting, but with the goal of DoT being privacy, we really shouldn’t see random DoT requests.
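To make that framing concrete, here is an added example (my code, not Rapid7's and not from the original post) that builds a DNS query in RFC 1035 wire format, applies the two-byte length prefix that DoT shares with DNS over TCP, and parses the answer back. `dot_query` opens a real TLS session on TCP/853 and needs network access; the reply produced by `build_sample_response` is constructed, not captured from any resolver, so the parser can be exercised offline.

```python
import os
import socket
import ssl
import struct

# Added example: minimal DNS-over-TLS client pieces (RFC 7858 = RFC 1035 TCP framing inside TLS).
# Not from the original post; the sample response below is constructed, not captured.

DOT_PORT = 853


def build_query(name, qtype=1, txid=None):
    """Build a DNS query message in RFC 1035 wire format (qtype 1 = A, class IN)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(message):
    """DoT/TCP framing: a two-byte big-endian length prefix before each DNS message."""
    return struct.pack("!H", len(message)) + message


def unframe(buf):
    """Split one length-prefixed message off a byte stream; returns (message or None, remainder)."""
    if len(buf) < 2:
        return None, buf
    length = struct.unpack("!H", buf[:2])[0]
    if len(buf) < 2 + length:
        return None, buf
    return buf[2:2 + length], buf[2 + length:]


def _parse_name(msg, off):
    """Decode a (possibly compressed) domain name; returns (name, offset after the name)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bound the walk so a malicious pointer loop cannot spin forever
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Parse the header, skip the question section, and return the answer records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _parse_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render A records as dotted quads
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def build_sample_response(query):
    """Constructed reply to an A query: same question, one answer whose name is a
    compression pointer (0xC00C) back to the question name. Not a real server's output."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = query[12:]
    answer = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def dot_query(server, name, qtype=1, port=DOT_PORT, timeout=5):
    """Send one query over DoT and return the parsed answer (needs network access)."""
    query = build_query(name, qtype)
    ctx = ssl.create_default_context()  # verifies the resolver's certificate chain and name
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(query))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection")
                buf += chunk
                message, buf = unframe(buf)
                if message is not None:
                    break
    response = parse_response(message)
    if response["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return response
```

The only things that distinguish this from plain DNS over TCP are the port and the TLS wrapper, which is exactly why a server on TCP/853 can be stood up from an ordinary web server and why an egress filter that knows nothing about DNS can still block it by port.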

Attackers are more likely to stand up their own DoT servers, or reconfigure other DoT servers to use their DNS back ends, and then use those as covert channels once they gain a foothold after a successful phishing attack. This is a big reason we enumerate/catalog DoT, and we’re starting to see more DoT in residential ISP space and traditional hosting provider IP space. It looks like more folks are experimenting with DoT with each monthly study.

Our advice

IT and IT security teams should block TCP/853, lock down DoT and DoH browser settings as much as possible so there is no way to bypass organizational IT policies, and monitor for all attempts to use DoT or DoH services internally (or externally). In other words, unless you’re the ones setting them up, disallowing rogue, internal DoT is the safest course.

Cloud providers should consider offering managed DoT solutions and provide patched, secure disk images for folks who want to stand up their own. (This is one of the few cases where organizational advice and cloud advice are quite nearly opposite.)

Government cybersecurity agencies should monitor for malicious use of DoT and provide timely updates to the public. These centers should also be a source of unbiased, expert information on DoT, DoH, DoQ (et al).

Links:

  • https://www.rapid7.com/blog/post/2021/01/15/nicer-protocol-deep-dive-internet-exposure-of-dns-over-tls/

Dec 30, 2020

Internet Exposure of memcached

memcached (UDP/11211)

It's an easy-to-use DDoS Howitzer AND a NoSQL database!


TLDR

  • WHAT IT IS: An in-memory key-value store, usually used to cache website assets for geographically distributed websites.
  • HOW MANY: 68,337 discovered nodes. 68,337 (100%) have version fingerprints
  • VULNERABILITIES: 13 CVEs since 2011, but it has a wicked amplification DDoS issue we cover in the Exposure Information section.
  • ADVICE: Use it! Just don’t expose it to the internet.
  • ALTERNATIVES: Redis and etcd are two similar, alternative in-memory key-value stores with characteristics similar to memcached.

Memcached is an in-memory key-value store for small chunks of arbitrary data (i.e., strings, binary objects) from results of database calls, API calls, or web page rendering. Its simple design has made it wildly popular, as it promotes quick deployment and ease of development.

Discovery details

Project Sonar found 68,337 exposed memcached hosts, and we did a double-take when we saw that South Africa is in third place, since we don’t often find it in any other top 10 lists of exposure. Most (97%) of these SA nodes are in two autonomous systems: Icidc Network (87%) and Internet Keeper Global (10%), and a majority of hosts in each autonomous system appear to have similar exposure counts in both nginx and SSH.

As noted in our section on Redis, Amazon has a cloud “cache” service offering that can be configured to use memcached directly or emulate the exquisitely diminutive memcached protocol, and Alibaba has a managed memcached service offering, so it is no surprise to find some in those environments, but it is somewhat disconcerting that these instances are exposed to the internet. What’s more surprising is that OVH goes out of its way to help you secure memcached and, yet, ~1,500 folks apparently did not get that rather crucial memo.

Exposure information

Why all the fuss about memcached? Well, back in 2018, an “Insufficient Control of Network Message Volume” (network amplification) weakness in the UDP portion of memcached was used to launch the largest distributed denial-of-service amplification attack seen to that point, disrupting many major internet services. The attack works because memcached answered UDP requests from any source with no handshake, so an attacker can spoof the victim's address as the source, and a tiny request (the stats command, or a get for a large value the attacker stored beforehand) returns a response thousands of times larger than the request. Cloudflare summed up the flaw quite well in its blog at that time:


"There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB)."

Attacker’s view

While we do not have a memcached honeypot, we can see connection attempts on UDP/11211 and peek at the packet captures to see whether they carry memcached commands (most often the stats command that we use ourselves, though we occasionally see what look like misconfigured clients connecting to what they think are their memcached servers). The daily memcached command connections we see are mostly from Shadowserver, which (correctly) describes itself as a “nonprofit security organization working altruistically behind the scenes to make the internet more secure for everyone,” despite its scary name. They also scan the internet every day to get a handle on exposure and help organizations (for free) get a picture of their attack surface. We heart Shadowserver.

During the first third of 2020, we saw spikes of near 80,000 data-less UDP connections on 11211 across a handful of days, but none of this appears truly malicious in nature.
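The packet-capture triage described above comes down to parsing memcached's small UDP frame header and looking for an ASCII command behind it. The following added example (my code, not Rapid7's and not from the original post) does that for a handful of constructed datagrams, reassembles a constructed multi-datagram stats reply, and computes the amplification factor that makes the protocol a DDoS howitzer. None of the packets are real captures.

```python
import struct

# Added example: parse memcached's UDP framing and spot command probes on UDP/11211.
# Not Rapid7's or the page author's code; every packet below is constructed, not captured.

MEMCACHED_UDP_PORT = 11211
FRAME = struct.Struct("!HHHH")  # request id, sequence number, total datagrams, reserved (0)


def build_udp_request(command, request_id=0):
    """Wrap one ASCII memcached command in the 8-byte UDP frame header."""
    return FRAME.pack(request_id, 0, 1, 0) + command.encode("ascii") + b"\r\n"


def parse_udp_frame(payload):
    """Split a UDP datagram into its frame header and body; raises ValueError if malformed."""
    if len(payload) < FRAME.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, reserved = FRAME.unpack(payload[:FRAME.size])
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("inconsistent memcached UDP header")
    return {"request_id": request_id, "seq": seq, "total": total, "body": payload[FRAME.size:]}


def classify_probe(payload):
    """Return the memcached command name if the datagram carries one, else None."""
    try:
        body = parse_udp_frame(payload)["body"]
    except ValueError:
        return None
    first_line = body.split(b"\r\n", 1)[0]
    command = first_line.split(b" ", 1)[0]
    return command.decode("ascii") if command.isalpha() else None


def reassemble(datagrams):
    """Reassemble a multi-datagram response in sequence order, checking the headers agree."""
    frames = [parse_udp_frame(d) for d in datagrams]
    ids = {(f["request_id"], f["total"]) for f in frames}
    if len(ids) != 1 or len(frames) != frames[0]["total"]:
        raise ValueError("datagrams do not belong to one complete response")
    return b"".join(f["body"] for f in sorted(frames, key=lambda f: f["seq"]))


def amplification_factor(request, response_datagrams):
    """Bytes the reflector sends per byte the attacker sends (the DDoS 'howitzer' number)."""
    return sum(len(d) for d in response_datagrams) / len(request)


def flag_udp_probes(packets):
    """Detection pass over (src_ip, dst_port, payload) tuples: which sources sent commands to 11211?"""
    hits = {}
    for src, dst_port, payload in packets:
        if dst_port != MEMCACHED_UDP_PORT:
            continue
        command = classify_probe(payload)
        if command:
            hits.setdefault(src, []).append(command)
    return hits


# Constructed traffic: a Shadowserver-style 'stats' probe, an empty data-less datagram
# (the spikes described above), a 'get' for a large key, and unrelated noise.
STATS_PROBE = build_udp_request("stats")
SAMPLE_PACKETS = [
    ("198.51.100.10", 11211, STATS_PROBE),
    ("198.51.100.11", 11211, b""),
    ("203.0.113.5", 11211, build_udp_request("get bigvalue", request_id=7)),
    ("203.0.113.5", 11211, b"\x00\x07\x00\x00\x00\x01\x00\x00\xff\xfe junk"),
    ("198.51.100.12", 53, b"\x12\x34\x01\x00"),
]

# Constructed two-datagram 'stats' reply from an exposed server (not a real response).
SAMPLE_STATS_RESPONSE = [
    FRAME.pack(0, 0, 2, 0) + b"STAT pid 1234\r\nSTAT uptime 86400\r\nSTAT version 1.5.6\r\n"
    + b"STAT curr_connections 10\r\n" * 20,
    FRAME.pack(0, 1, 2, 0) + b"STAT bytes 104857600\r\n" * 20 + b"END\r\n",
]
```

A 15-byte stats probe already buys a reply of a kilobyte or so from a lightly loaded server; a get for a value the attacker stored earlier is how the 2018 attacks reached responses near the 1 MB ceiling quoted above. Either way the math only works because the request was accepted from a spoofed source, which is why the fix is to stop listening on UDP rather than to limit the command set.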

Our advice

IT and IT security teams should never expose memcached to the internet, and should ensure via playbooks and automation that development, test, and production memcached environments are rigidly controlled. Disable the UDP listener unless you need it (memcached 1.5.6 and later do so by default; older builds can be started with -U 0) and bind the service to localhost or a private interface with -l.

Cloud providers should continue to offer secure service alternatives to self-hosted memcached, ensure their provider-maintained machine images are kept patched with a default configuration of memcached only available on non-internet-exposed interfaces, and, frankly, not allow memcached to be exposed to the internet on hosts in their sphere of network control.

Government cybersecurity agencies should provide regular reminders about the dangers of memcached, offer guidance on how to run memcached safely, monitor for malicious use of memcached, and strongly encourage ISPs and cloud providers to block connections to memcached’s default port.

Links:

  • https://www.rapid7.com/blog/post/2020/12/07/nicer-protocol-deep-dive-internet-exposure-of-memcached/

Dec 29, 2020

Internet Exposure of etcd

etcd (TCP/2379)

Gleaming the Kube(rnetes)

TLDR

  • WHAT IT IS: Another distributed key-value store that provides a reliable way to store data that needs to be accessed by a distributed system or cluster of machines.
  • HOW MANY: 2,560 discovered nodes. 2,560 (100%) have version fingerprints
  • VULNERABILITIES: Two low-to-moderate CVEs since 2018.
  • ADVICE: Use it! Just don’t expose it to the internet.
  • ALTERNATIVES: Redis and memcached are two alternative key-value stores with characteristics similar to etcd, although they are in-memory caches rather than a consistent configuration store.

The etcd key-value service is part of the Kubernetes ecosystem and is designed to hold system/service configuration and state information. The Kubernetes API Server uses etcd's watch API to monitor the cluster and roll out critical configuration changes or simply restore any divergences of the state of the cluster back to what was declared by the deployer. It exposes a JSON API over the HTTP protocol.

We’re including etcd for completeness (since we’ve mentioned it in the previous blogs on Redis and memcached), but the sample size is far too small to dig into, since we have no data on which ones are honeypots and which ones are real.

Just like the other two key-value databases, etcd should never be exposed to the internet. Unlike the previous two services, etcd tends to be purpose-built for Kubernetes orchestration environments, holding the cluster's configuration and Secrets, which is another great reason not to expose it to the internet directly.

Links:

  • https://www.rapid7.com/blog/post/2020/12/10/nicer-protocol-deep-dive-internet-exposure-of-etcd/

Dec 19, 2020

Incident Mgmt Vs Vulnerability Mgmt

Everyone agrees that Incident Management is different from Vulnerability Management. But still, people mix them up when things happen.

Recently, the SolarWinds supply chain attack has become the hottest topic of December 2020 in the cybersecurity world. With the SUNBURST or SUPERNOVA backdoors found, it obviously becomes an incident (rather than a vulnerability) if your company is using the affected products. With the investigation still ongoing, more affected products might be added to the list.

But why do people try to manage the SolarWinds case with vulnerability management? Is it because everyone is more familiar with the vulnerability remediation process?

Yes, both incident management and vulnerability management have a remediation process. However, it is performed by different teams. The remediation process for an incident is performed by the cybersecurity team, while the remediation process for a vulnerability is performed by the IT team.

I guess people just thought that all remediation processes are the same.

Why do people mix them up so easily?

I think it is due to a sophisticated cybersecurity team structure. And there is a monthly remediation reminder that continuously reminds us of the remediation process. People just like to engage with what they are familiar with.

If your company is using a vulnerability management process to handle the SolarWinds attack or incident, then you should start thinking about simplifying your cybersecurity teams.

Dec 5, 2020

Retirement of Enhanced Security Admin Environment ESAE

Today, I just found that Microsoft has retired their ESAE strategic architecture. Microsoft has recommended a new strategy that complements any existing ESAE implementation.

The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrators.

I first learned about ESAE in early 2018. After a deep-dive evaluation, my conclusion was that it is too costly to implement such a solution, in terms of operating cost, for most companies (even though it is a secure strategy). This is simply because the strategy never considered the essential security concept. #EssentialSecurity

And after 3 years, Microsoft has admitted that the ESAE architectural pattern is only valid or applicable in a limited set of scenarios. Any organization that implements the ESAE architecture must accept the increased technical complexity and operational costs of the solution.

The ESAE retirement post can be found at https://docs.microsoft.com/en-us/security/compass/esae-retirement


Dec 1, 2020

GUI bug in KennaSecurity

There is a minor bug in Kenna's user interface that I encountered today.

To reproduce the bug, from the Dashboard, look for any Kenna meter that has a zero asset count (or create one), click on it to explore the asset/vuln list, and you will find that most of the filters are missing on the Explore page, such as:

  • (Asset Filters) Active/inactive
  • (Asset Filters) Tag
  • (Asset Filters) Sort by (everything)
  • (Vulnerability Filters) Status
  • (Vulnerability Filters) Classification
  • (Vulnerability Filters) Connector names .....
  • (Vulnerability Filters) custom fields.....

 😞😞

Nov 28, 2020

New Tools for your Threat Hunting Toolbox

Just finished watching the YouTube video of Mark Baggett's presentation. He introduced two tools he created for threat hunting.


First, he introduced APIify, which makes anything queryable by a SIEM and is used to automate the first few steps of every investigation. Second is Domain Stats 2.0, which caches WHOIS lookups for the SIEM.

Links:

  • https://github.com/MarkBaggett/apiify



Nov 18, 2020

[Vuln] More About Zerologon Vulnerability (cve-2020-1472)

The CVE-2020-1472 vulnerability has been public since August. It is an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

This vulnerability is better known as Zerologon and received a CVSS score of 10.0. Here is a summary of the vulnerability:

  • Proof of concept available [ yes ]
  • Unauthenticated attack [ yes ]
  • Admin privileged access [ yes ]
  • Easy to weaponize [ yes ]
  • Remote attack [ same LAN only YES ] **

At least the last point seems like good news: the attacker needs network reachability to the DC's Netlogon RPC endpoints, so a vulnerable DC that does not expose RPC to the internet is not exploitable from outside by itself (whew). A DC that does expose those ports to the internet remains directly at risk.

There are 2 things I would like to emphasis in this post. 

First, the patch released in August is not the complete fix. It is the first of two phases: it enforces secure RPC (the Netlogon secure channel) for Windows domain-joined machines and logs connections from devices that still use the vulnerable mode, but by default it still accepts those vulnerable connections from non-Windows devices so that nothing breaks. Protecting the domain controllers from the known exploit is not the same as removing the weakness everywhere it can be reached.

The root of the problem is in the RPC Netlogon protocol (MS-NRPC), and Microsoft's second, enforcement-phase patch, slated for Q1 2021, will reject the insecure connections from all devices.

Netlogon is the component that authenticates users and machines within a domain. It is also used for replicating the account database to backup domain controllers and for maintaining the trust relationships between domain members and their DCs (and between DCs across domains). The worst case for this attack is that an unauthenticated attacker takes over the DC.

Second, this vulnerability affects domain controllers (DCs), including Samba servers acting as DCs. A default Samba installation running as a file server is not directly affected.

For Samba, this vulnerability is more of a misconfiguration than a bug. Samba has insisted on a secure Netlogon channel by default since version 4.8 (March 2018), which is a sufficient fix against the Zerologon attack. Unless they have the smb.conf line 'server schannel = no' or 'server schannel = auto', Samba servers running 4.8 or later are not vulnerable.

Samba versions 4.7 and below are impacted by the vulnerability unless they have ‘server schannel = yes’ in smb.conf. As the Samba team puts it: “The ‘server schannel = yes’ smb.conf line is equivalent to ‘FullSecureChannelProtection=1’ registry key in Microsoft OS, the introduction of which we understand forms the core of Microsoft’s fix.”
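The two Samba rules above (4.8+ is safe unless 'server schannel' is explicitly set to no or auto; 4.7 and below need an explicit yes) are easy to turn into a check. The added example below (my code, not from the Samba project or the original post) parses the [global] section of an smb.conf, decides whether the host is acting as a DC at all, and reports its Zerologon status. The 'server role' values and the 'domain logons' shortcut for a classic PDC are taken from smb.conf(5); the sample configurations in the test are constructed.

```python
import re

# Added example (not from the original post or the Samba project): check a Samba
# server's smb.conf against the CVE-2020-1472 rules stated above.

# 'server role' values that make Samba act as a domain controller (from smb.conf(5)).
DC_ROLES = {
    "active directory domain controller",
    "classic primary domain controller",
    "netbios backup domain controller",
}


def parse_smb_conf(text):
    """Return the [global] section as a dict of normalised 'parameter' -> 'value'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop both comment styles
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().lower()
    return params


def parse_version(version):
    """'4.12.5' -> (4, 12, 5); tolerates distro suffixes such as '4.7.6-Ubuntu'."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"cannot parse Samba version: {version}")
    return tuple(int(p) for p in m.groups(default="0"))


def zerologon_status(version, smb_conf_text):
    """Classify a Samba host as 'not a DC', 'protected' or 'vulnerable', with the reason."""
    conf = parse_smb_conf(smb_conf_text)
    role = conf.get("server role", "auto")
    # 'domain logons = yes' with the default role makes Samba a classic PDC (simplification).
    if role not in DC_ROLES and conf.get("domain logons") != "yes":
        return "not a DC", f"server role is '{role}'; a file/member server is not directly affected"
    schannel = conf.get("server schannel")
    if parse_version(version) >= (4, 8):
        if schannel in ("no", "auto"):
            return "vulnerable", f"Samba {version} with 'server schannel = {schannel}' overrides the secure default"
        return "protected", f"Samba {version} requires a secure Netlogon channel by default"
    if schannel == "yes":
        return "protected", f"Samba {version} with explicit 'server schannel = yes'"
    return "vulnerable", f"Samba {version} needs 'server schannel = yes' in [global]"
```

Feed it `smbd --version` and the contents of /etc/samba/smb.conf; a "vulnerable" verdict on a 4.8+ host means someone weakened the default, which is the misconfiguration case the Samba team describes.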

Link:

Nov 6, 2020

Where are the DoH clients?

The development of encrypted DNS, specifically DNS-over-HTTPS (DoH), has attracted a relatively large amount of interest to a previously quiet corner of the Internet protocol world.

Here is a list of DoH clients of choice:

  • Mozilla Firefox
  • Google Chrome
  • Google Android
  • Microsoft Edge
  • Apple iOS

Links:

  • https://blog.apnic.net/2020/10/30/an-update-on-developments-with-dns-over-https/

Nov 1, 2020

Quick CVE Checking at Kenna

Earlier, I created a python script that allows me to check the number of vulnerable hosts based on a CVE.

Today I released the second version of the script, which shows both the vulnerable hosts and the vulnerabilities from Kenna, based on a CVE.

If you specify the verbose output option, it shows both the active and inactive counts for the Closed, Open, Risk_Accepted and False_Positive categories.

kenna-cve
kenna-cve-win.exe -h

I also released a Win32 version that allows me to run it on my Windows platform (uploaded to GitHub).

Try this and see:

c:\> kenna-cve-win.exe -v -c 2020-1337

Oct 31, 2020

JSON/CSV in Python

Two simple tutorials to convert between JSON and CSV data.

How to convert JSON to CSV


How to convert CSV to JSON
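Rather than restate the two tutorials, here is an added example (my code, not from the linked videos) that does the conversion in both directions while handling the cases a vulnerability export actually throws at you: nested objects (flattened to dotted headers and rebuilt on the way back), records that do not all have the same keys, lists, and cells that begin with a formula character, which spreadsheets would otherwise execute. The sample export is constructed, not real data.

```python
import csv
import io
import json

# Added example (mine, not from the linked tutorials): JSON <-> CSV conversion that copes with
# nested objects, ragged records and spreadsheet formula injection. Sample data is constructed.


def flatten(record, prefix=""):
    """Turn nested dicts into dotted keys ('host.ip') so each record fits one CSV row;
    lists are stored as JSON text in a single cell."""
    flat = {}
    for key, value in record.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        elif isinstance(value, list):
            flat[name] = json.dumps(value)
        else:
            flat[name] = value
    return flat


def neutralise_formula(value):
    """Spreadsheets evaluate cells starting with = + - @ as formulas (CSV injection);
    prefix such cells with a quote so they stay text."""
    if isinstance(value, str) and value[:1] in ("=", "+", "-", "@"):
        return "'" + value
    return value


def json_to_csv(json_text, protect_formulas=True):
    """Convert a JSON array of objects (or one object) to CSV with a union-of-keys header."""
    records = json.loads(json_text)
    if isinstance(records, dict):
        records = [records]
    rows = [flatten(r) for r in records]
    fieldnames = []
    for row in rows:  # keep first-seen order; include keys that only some records have
        fieldnames.extend(k for k in row if k not in fieldnames)
    if protect_formulas:
        rows = [{k: neutralise_formula(v) for k, v in row.items()} for row in rows]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)  # missing keys become empty cells
    return out.getvalue()


def coerce(text):
    """Recover JSON-ish types from CSV strings: '' -> None, numbers, booleans, JSON lists/objects."""
    if text == "":
        return None
    if text[:1] in ("[", "{"):
        try:
            return json.loads(text)
        except ValueError:
            pass
    for convert in (int, float):
        try:
            return convert(text)
        except ValueError:
            pass
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    return text


def csv_to_records(csv_text, unflatten=True):
    """Parse CSV into a list of dicts, rebuilding nested objects from dotted headers."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        record = {}
        for key, raw in row.items():
            parts = key.split(".") if unflatten else [key]
            target = record
            for part in parts[:-1]:
                target = target.setdefault(part, {})
            target[parts[-1]] = coerce(raw)
        records.append(record)
    return records


def csv_to_json(csv_text, unflatten=True, indent=2):
    """Convert CSV text to a JSON array string."""
    return json.dumps(csv_to_records(csv_text, unflatten), indent=indent)


# Constructed vulnerability export (not real data) used to exercise the round trip.
SAMPLE_JSON = json.dumps([
    {"id": 1, "cve": "CVE-2020-1472", "host": {"ip": "10.0.0.5", "active": True}, "tags": ["dc", "win"]},
    {"id": 2, "cve": "CVE-2020-1337", "host": {"ip": "10.0.0.9", "active": False}, "score": 8.5,
     "note": "=HYPERLINK(\"http://evil.example\",\"click\")"},
])
```

The type coercion on the way back is a heuristic (a string of digits becomes an integer, so IDs with leading zeros lose them); if the CSV came from your own export, keep a schema instead of guessing. The formula guard matters whenever the CSV will be opened in Excel or LibreOffice by someone other than you.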

Links:

  • https://www.youtube.com/watch?v=YLCSVv46ERo
  • https://www.youtube.com/watch?v=LeFDBRAhRls

Oct 9, 2020

Automating Information Security with Python

Just completed my SEC573 training (started in Aug 2020) and passed the GIAC Python Coder (GPYC) certification.

Syllabus:

  1. SEC573.1: Essentials Workshop with pyWars
  2. SEC573.2: Essentials Workshop with MORE pyWars
  3. SEC573.3: Defensive Python
  4. SEC573.4: Forensics Python
  5. SEC573.5: Offensive Python

Link: Automating Information Security with Python | SANS SEC573

Oct 1, 2020

Kenna CVE Check

Today I created a small python script that allows me to check the number of vulnerable hosts in Kenna based on a CVE ID.

It helps me check how many hosts contain a particular CVE vulnerability, whether it is Closed, Open, Risk_Accepted or False_Positive.

But I'm thinking of improving the script later by including the vulnerability count for both active and inactive hosts.

Sep 27, 2020

Estimation, Prediction and Forecasting

What's the quick distinction among estimation, prediction and forecasting?

First, Estimation Vs Prediction.

Estimation is done after the occurrence of the event, i.e. a posterior probability; prediction is a kind of estimation made before the occurrence of the event, i.e. an a priori probability.

Estimation implies finding the optimal parameter using historical data whereas prediction uses the data to compute the random value of the unseen data.

Second, what is Forecasting.

Forecasting is a subset of prediction: both use historical data to make statements about future events. The difference between forecasting and prediction is the explicit addition of a temporal dimension in forecasting.

Forecasting is time-based prediction, i.e. it is the appropriate term when dealing with time series data. Prediction, on the other hand, need not be time-based; it can be based on multiple causal factors that influence the target variable.

Sep 3, 2020

What is Information Security?

 Security without intelligence is just information. Information without innovation is just data.


Aug 31, 2020

Top 25 Most Dangerous CWE

The Top 25 Most Dangerous Software Weaknesses, or CWE Top 25, is a list of the most common and impactful issues experienced over the past two years. These weaknesses are dangerous because they are often easy to find and exploit, and may allow an attacker to completely take over a system, steal data, or prevent an application from working.

The CWE Top 25 is a valuable community resource that can help developers, testers, and users, as well as project managers, security researchers, and educators, by providing insight into the most severe and current security weaknesses.

The following table shows the CWE Top 25 (2020 list), including the number of NVD (CVE) entries mapped to each CWE over the two-year window, the average CVSS score of those entries, and the overall score that combines frequency with average severity.


Rank  CWE      NVD Count  Avg CVSS  Overall Score
  1   CWE-79      3788      5.80      46.82
  2   CWE-787     2225      8.31      46.17
  3   CWE-20      1910      7.35      33.47
  4   CWE-125     1578      7.13      26.50
  5   CWE-119     1189      8.08      23.73
  6   CWE-89       901      8.98      20.69
  7   CWE-200     1467      6.01      19.16
  8   CWE-416      918      8.26      18.87
  9   CWE-352      866      8.08      17.29
 10   CWE-78       767      8.52      16.44
 11   CWE-190      846      7.70      15.81
 12   CWE-22       792      7.27      13.67
 13   CWE-476      529      6.83       8.35
 14   CWE-287      412      8.05       8.17
 15   CWE-434      346      8.50       7.38
 16   CWE-732      426      6.99       6.95
 17   CWE-94       295      8.74       6.53
 18   CWE-522      283      7.92       5.49
 19   CWE-611      277      7.88       5.33
 20   CWE-798      234      8.76       5.19
 21   CWE-502      217      8.93       4.93
 22   CWE-269      278      7.36       4.87
 23   CWE-400      249      7.09       4.14
 24   CWE-306      193      8.10       3.85
 25   CWE-862      236      6.90       3.77

Links:

Aug 27, 2020

Kenna Connector Sync History

In February, I created a script to show the Kenna connector status.

Lately, I found that I need to check the history of the offline connectors as well, so I improved the script to let me check/show all connectors' history.

The new script also lets me choose how many of the last N history entries to show.

kenna-connectors
kenna-connectors.py -h

Aug 20, 2020

Kenna Security Searching Tips

I just posted some notes about KennaSecurity search on GitHub.

Some of them are for fun, like unmappable vulnerabilities; and some of them are useful for proactive vulnerability management (Pre-NVD-Chatter).

Anyway, the Kenna search syntax is powerful and flexible (based on Apache Lucene, if I'm not mistaken), while all the indexing and search optimizations are based on Elasticsearch.

Jul 31, 2020

My Notes on Journalctl in Systemd

Systemd is a system and service manager for modern Linux that replaces SysVinit. It:

  • runs as a daemon with PID 1
  • provides aggressive parallelization capabilities
  • uses socket and D-Bus activation for starting services
  • offers on-demand starting of daemons
  • implements transactional dependency-based service control logic
  • tracks processes using Linux cgroups
  • supports snapshotting and restoring (a feature removed in newer systemd releases)
  • maintains mount and automount points

In traditional SysVinit, syslog stores the logs as text files, which we read and analyze with 'find', 'grep' and 'less'. systemd, however, collects logs from more sources than syslog (the kernel, early boot, and the stdout/stderr of every service) and keeps the journal in a binary format, so we need 'journalctl' to analyze those logs.

journald is the systemd daemon that collects logs from the various sources, such as syslog, the kernel ring buffer and service output.

journalctl is the command line tool that lets you interact with the journal logs.

With journalctl, you can read logs, monitor the logs in real time, filter the logs based on time, service, severity and other parameters.

The default location of persistent journald logs is the /var/log/journal directory; if that directory does not exist (or Storage is set to volatile), the journal lives in /run/log/journal and is lost at reboot. To keep logs across reboots, make sure the Storage value in /etc/systemd/journald.conf is set to either auto (persistent only if /var/log/journal already exists) or persistent (the directory is created if needed), then restart systemd-journald.

Keys used in the 'journalctl' pager (output is piped through 'less', so these are less keys):
Arrow - move by one line
Space - move to next page
b     - move back one page
g/G   - first/last line
100g  - the 100th line
/term - search string
n/N   - next/previous search term
q     - quit

Command line options:
$ journalctl -r      [reverse chronological order, newest first]
$ journalctl -n N    [display the last N lines]
$ journalctl -f      [follow new entries, like tail -f]
$ journalctl --utc   [display timestamps in UTC]
$ journalctl -k      [show only kernel messages]
$ journalctl -u ssh  [show messages from the 'ssh' unit only]

To filter logs based on time interval:
$ journalctl --since=yesterday --until=now
$ journalctl --since "2020-01-01"


To filter logs based on pid (journal fields can be used directly as match terms; _UID= and _GID= work the same way):
$ journalctl _PID=1234

Other useful options:
$ journalctl --disk-usage [ disk space used by the journal ]
$ journalctl -xe     [jump to the end of the journal, with explanatory help text]
$ journalctl -p 3 -xb

-p 3 : filter logs by priority 3 (err) and anything more severe
-x   : add explanatory help text to log entries where available
-b   : only entries since the current boot
-e   : jump to the end of the output in the pager

$ journalctl -p 4..6 -b0 [ warning .. info, current boot only ]

Priorities: [ 0/emerg, 1/alert, 2/crit, 3/err, 4/warning, 5/notice, 6/info, 7/debug ]
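journalctl can also emit one JSON object per entry with -o json, which is the easiest way to get the journal into a script or a SIEM. The added example below (my code, not from the linked article) parses that format, reproduces the -p / -u / --since filters on the parsed entries, and runs one small hunt over them: failed SSH logins grouped by source address. The journal lines it ships with are constructed, not captured from a real host; pipe real output in on stdin to run it against a live system.

```python
import json
import re
import sys
from datetime import datetime, timezone

# Added example (not from the linked article): filter and hunt over `journalctl -o json`
# output offline. The journal lines below are constructed, not captured from a real host.

PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_journal_json(text):
    """Parse newline-delimited JSON as produced by `journalctl -o json`."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        message = raw.get("MESSAGE", "")
        if isinstance(message, list):  # journald emits non-UTF-8 payloads as a byte array
            message = bytes(message).decode("utf-8", "replace")
        entries.append({
            "time": datetime.fromtimestamp(int(raw["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc),
            "priority": int(raw.get("PRIORITY", 6)),
            "unit": raw.get("_SYSTEMD_UNIT", raw.get("_TRANSPORT", "")),
            "pid": int(raw["_PID"]) if "_PID" in raw else None,
            "host": raw.get("_HOSTNAME", ""),
            "message": message,
        })
    return entries


def filter_entries(entries, max_priority=7, unit=None, since=None):
    """Equivalent of `journalctl -p <max_priority> -u <unit> --since <since>` on parsed entries."""
    return [e for e in entries
            if e["priority"] <= max_priority
            and (unit is None or e["unit"] == unit)
            and (since is None or e["time"] >= since)]


FAILED_LOGIN = re.compile(r"Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_ssh_logins(entries, threshold=3):
    """Count failed SSH logins per source address and return those at or above the threshold."""
    counts = {}
    for e in entries:
        m = FAILED_LOGIN.search(e["message"])
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def describe(entry):
    """One-line rendering similar to the default journalctl output."""
    return (f"{entry['time']:%Y-%m-%d %H:%M:%S} {entry['host']} {entry['unit']}[{entry['pid']}] "
            f"<{PRIORITY_NAMES[entry['priority']]}> {entry['message']}")


# Constructed journal export: one SSH brute-force burst, a kernel error and a cron line.
SAMPLE_JOURNAL = "\n".join([
    '{"__REALTIME_TIMESTAMP":"1601510400000000","PRIORITY":"6","_SYSTEMD_UNIT":"ssh.service","_PID":"812","_HOSTNAME":"web01","MESSAGE":"Accepted publickey for deploy from 10.0.0.5 port 50211 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1601510460000000","PRIORITY":"6","_SYSTEMD_UNIT":"ssh.service","_PID":"815","_HOSTNAME":"web01","MESSAGE":"Failed password for root from 203.0.113.7 port 41122 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1601510461000000","PRIORITY":"6","_SYSTEMD_UNIT":"ssh.service","_PID":"816","_HOSTNAME":"web01","MESSAGE":"Failed password for invalid user admin from 203.0.113.7 port 41130 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1601510462000000","PRIORITY":"6","_SYSTEMD_UNIT":"ssh.service","_PID":"817","_HOSTNAME":"web01","MESSAGE":"Failed password for root from 203.0.113.7 port 41140 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1601510470000000","PRIORITY":"6","_SYSTEMD_UNIT":"ssh.service","_PID":"818","_HOSTNAME":"web01","MESSAGE":"Failed password for root from 198.51.100.9 port 3022 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1601510500000000","PRIORITY":"3","_TRANSPORT":"kernel","_HOSTNAME":"web01","MESSAGE":[69,88,84,52,45,102,115,32,101,114,114,111,114]}',
    '{"__REALTIME_TIMESTAMP":"1601510520000000","PRIORITY":"6","_SYSTEMD_UNIT":"cron.service","_PID":"900","_HOSTNAME":"web01","MESSAGE":"(root) CMD (run-parts /etc/cron.hourly)"}',
])

if __name__ == "__main__":
    # Pipe real data in: journalctl -u ssh -o json --since yesterday | python3 journal_hunt.py
    entries = parse_journal_json(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL)
    for entry in filter_entries(entries, max_priority=3):
        print(describe(entry))
    print("ssh brute force sources:", failed_ssh_logins(entries))
```

Note the byte-array form of MESSAGE: journald uses it for any entry that is not valid UTF-8, and a parser that assumes a string will crash on exactly the odd entries (binary junk in a login name, for instance) that a hunt most wants to see.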

Link: How to Use journalctl Command to Analyze Logs in Linux (linuxhandbook.com)

Jul 2, 2020

List Kenna Meters

After working with Kenna for some time, I just noticed that too many Kenna meters (asset groups) have been created. Plus, I need a way to back up all my Kenna meters' parameters.

Thus, I just started working on a python script that helps me list all the Kenna meters, including the asset count, vulnerability count, CVEs, fixes and the meters' other parameters.

I created the first version of the script in February, and I just noticed that I need to improve it by allowing me to back up all the parameters.

kenna-meters
kenna-meters.py -h


Jun 7, 2020

My First Drone Flight

Today, here come my first drone flight, DJI Mavic Mini quadcopter.

It is such a wonderful experience ;)

Jun 1, 2020

CVSS v3.1 Calculator

Common Vulnerability Scoring System (CVSS) version 3.0 was released in June 2015 and was superseded in June 2019 by CVSS version 3.1. 

The CVSS calculator shows the components of the CVSS score and allows you to refine the CVSS base score. Please read the CVSS standards guide to fully understand how to score CVSS vulnerabilities and how to interpret CVSS scores. The scores are computed in sequence: the Base Score is used to calculate the Temporal Score, and the Temporal Score is used to calculate the Environmental Score.

The CVSS score is commonly used for vulnerability metrics.


Links:

May 4, 2020

GRUB2 Protection

Single user mode, or maintenance mode, is a mode in which a multi-user computer OS boots into a single superuser account. This mode is commonly known as runlevel 1 or rescue.target (rescue mode) in systems that implement Sys-V or systemd style initialization respectively.

Single user mode allows administrators direct access to the root filesystem without a password in order to carry out system maintenance, such as:

  • Resetting root password ( with rescue mode)
  • Repairing file system corruption error ( with emergency mode) 

Here, I'm using Ubuntu as sample configuration.

Set GRUB Password

In order to secure your system’s single user mode, you need to set a GRUB password. First generate a PBKDF2 hash of the password with the command below (on Ubuntu/Debian the tool is grub-mkpasswd-pbkdf2; RHEL/CentOS ship it as grub2-mkpasswd-pbkdf2):

# grub-mkpasswd-pbkdf2
Enter password: <STRONG_PASSWORD>
Reenter password: <STRONG_PASSWORD>
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.2E76F....5334


Now your GRUB hashed password has been generated, a single string about 283 bytes long:
grub.pbkdf2.sha512.10000.2E76F....5334
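That string is nothing exotic: PBKDF2-HMAC-SHA512 over a random 64-byte salt with 10,000 iterations, written out as upper-case hex. The added example below (my code, not part of GRUB or the original post) regenerates it with Python's hashlib, and also verifies a password against an existing string, which is a handy way to confirm the hash you pasted into /etc/grub.d/ matches the password you think it does before you reboot. The fixed salt in the test is only there to make the result reproducible; the default os.urandom salt is what you want for a real hash.

```python
import hashlib
import hmac
import os

# Added example: generate and verify GRUB 2 'grub.pbkdf2.sha512.*' password strings.
# Not GRUB's code nor the original post's; it reproduces the format grub-mkpasswd-pbkdf2 emits.

DEFAULT_ITERATIONS = 10000   # grub-mkpasswd-pbkdf2 default (-c)
DEFAULT_SALT_LEN = 64        # bytes (-s)
DEFAULT_KEY_LEN = 64         # bytes (-l)


def grub_pbkdf2_hash(password, salt=None, iterations=DEFAULT_ITERATIONS, key_len=DEFAULT_KEY_LEN):
    """Return a string in grub.pbkdf2.sha512.<iterations>.<salt hex>.<key hex> form."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=key_len)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{key.hex().upper()}"


def parse_grub_hash(hash_string):
    """Split a GRUB PBKDF2 string into (iterations, salt, key); raises ValueError if malformed."""
    parts = hash_string.strip().split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("expected grub.pbkdf2.sha512.<iterations>.<salt>.<key>")
    iterations = int(parts[3])
    salt, key = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    if iterations < 1 or not salt or not key:
        raise ValueError("empty salt/key or bad iteration count")
    return iterations, salt, key


def verify_grub_password(password, hash_string):
    """Recompute PBKDF2 with the stored salt and parameters and compare in constant time."""
    iterations, salt, expected = parse_grub_hash(hash_string)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def grub_password_stanza(user, hash_string):
    """The two lines to add under /etc/grub.d/ (inside the cat << EOF block) for one superuser."""
    parse_grub_hash(hash_string)  # fail early rather than write a broken grub.cfg
    return f'set superusers="{user}"\npassword_pbkdf2 {user} {hash_string}\n'


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Enter password: ")
    if pw != getpass.getpass("Reenter password: "):
        raise SystemExit("passwords do not match")
    print(grub_password_stanza("sysadm", grub_pbkdf2_hash(pw)), end="")
```

With 10,000 iterations of SHA-512 a guess costs a few milliseconds, which is fine for the one interactive attempt GRUB makes at boot but is not much of an obstacle to offline cracking if someone reads grub.cfg from an unencrypted disk; raise -c if that worries you, and remember the password strength matters far more than the iteration count.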

Enable GRUB Password Protection

To enable GRUB password protection, you have to identify the GRUB menu items to protect, the users authorized to access GRUB, and their passwords. The users and their password hashes are added manually to the /etc/grub.d/00_header file (any script under /etc/grub.d/ that update-grub executes will do; 40_custom is the conventional place for local additions).

To edit the /etc/grub.d/00_header, run the command below;
# vim /etc/grub.d/00_header

 

Define Superuser and Password

Once you have opened the above file for editing, append the superuser and its password hash at the end of the file in the following format (the file is a shell script whose output becomes grub.cfg, hence the cat << EOF):

cat << EOF
set superusers="superuser"
password_pbkdf2 superuser <STRONG_PASSWORD>
EOF


This should finally look like this (the hash is the full ~283-byte string from the previous step, on one line):

cat << EOF
set superusers="sysadm"
password_pbkdf2 sysadm grub.pbkdf2.sha512.10000.2E76F....5334
EOF


Once you are done editing, save the file and update grub by running the following command.

# update-grub2
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.15.0-36-generic
Found initrd image: /boot/initrd.img-4.15.0-36-generic
done


When GRUB is updated, the user/password information is automatically added to the GRUB 2 menu configuration file, grub.cfg.

Now your grub is password protected. To verify this, reboot your system and try to boot to rescue mode or emergency mode.

Note that if you lose both your GRUB password and the root password, the only way to get to a shell is to boot the system from a LiveCD, mount the root partition read-write and remove the password lines from the GRUB configuration. The flip side is that this is exactly what an attacker with physical access can do too: a GRUB password protects the boot menu, not the data on disk. Only full-disk encryption (together with firmware settings that restrict the boot devices and require a password) protects against booting other media.

 

Enable Password Protection for all but Default Menu Entries

Before rebooting the system, I usually make an additional configuration change here. I don't want to enter an additional password every time my system reboots or is turned on. I can protect GRUB with a password for any action except booting the existing menu entries without changing them.

Now, let's define the default menu entries as --unrestricted, allowing them to be used without a password. Linux menu entries are defined in the file /etc/grub.d/10_linux. The simplest way to change all entries is to modify the CLASS variable at the beginning of the file:

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Now to update the actual /boot/grub/grub.cfg you should run update-grub2 (for Debian-based OS, like Ubuntu) or grub-mkconfig -o <path to grub.cfg> for others. With --unrestricted entries, booting an entry as-is still needs no password, but pressing 'e' to edit an entry or 'c' for the GRUB command line prompts for the superuser credentials, which is exactly what stops the rescue/emergency tricks below from being used by anyone who walks up to the console.

Boot into Rescue Mode

  1. Reboot the system and go to the GRUB bootloader screen.
  2. Press the 'ESC' key (or hold Shift on BIOS systems) during the boot process to show the bootloader menu.
  3. Choose the first option "Ubuntu" and press the 'e' key to edit it.
  4. Append the string “systemd.unit=rescue.target” to the line which starts with the word ‘linux’.
  5. Press ‘CTRL-x’ or F10 to boot the system in rescue (single user) mode.
  6. Start your troubleshooting steps, such as recovering the root password (passwd root).
  7. Once you are done with the troubleshooting steps, use the ‘systemctl reboot’ command to restart the system.


Boot into Emergency Mode

In emergency mode, only the root file system is mounted, and it is mounted read-only, so that it can be checked and repaired. This mode is generally used in situations where we can’t boot the system in rescue mode, perhaps due to file system corruption. Refer to the steps below to boot Ubuntu 20.04 in emergency mode:

  1. Reboot your system and go to the GRUB bootloader screen.
  2. Press the 'ESC' key during the boot process to reach the bootloader screen.
  3. Choose the first option "Ubuntu" and press the 'e' key to edit it.
  4. Append the string "systemd.unit=emergency.target" to the line that starts with the word 'linux'.
  5. Press 'Ctrl-x' or F10 to enter emergency mode.
  6. Start your troubleshooting steps, such as repairing the file system.
  7. If you want to mount / (the root file system) read-write, issue the following command: # mount -o remount,rw /
  8. Once you are done with the troubleshooting steps, run 'systemctl reboot' to restart the system.

Links:

  • https://www.linuxtechi.com/boot-ubuntu-20-04-rescue-emergency-mode/
  • https://selivan.github.io/2017/12/21/grub2-password-for-all-but-default-menu-entries.html
  • https://kifarunix.com/how-to-protect-single-user-mode-with-password-in-ubuntu-18-04/


Apr 27, 2020

Personal Diary with Notepad

This is a simple yet useful (hidden) feature in Notepad that I learned recently.

  1. Create a new text file with any name.
  2. Type ".LOG" (all uppercase) on the first line.
  3. Save (and close) it as a regular text file.
  4. Every time we double-click to open the file, it appends the current date and time, and we can write any text below it (good for keeping a forensic logbook).

Apr 2, 2020

TLS/SSL Server Supports The Use of Static Key Ciphers

Today a colleague asked me about a vulnerability called "TLS/SSL Server Supports The Use of Static Key Ciphers" (ssl-static-key-ciphers).

This vulnerability has a CVSS score of 2.6 (as rated by Rapid7). According to Rapid7:

The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy". In the new specification for HTTP/2, these ciphers have been blacklisted.

Here are the questions put to me:

  • What kind of vulnerability is this?
  • Since this vulnerability has a low (<4) CVSS rating, can we skip the remediation?
  • Why does the vulnerability still exist even though I have followed PCI compliance by only allowing TLS 1.1 and TLS 1.2?

My answers:

  • To me, this is a kind of misconfiguration rather than a (missing) patch issue.
  • To me, this is not urgent, but it is an important vulnerability. With advanced cracking using GPUs, we are not sure whether anyone will finally be able to crack a session key, leading to full compromise of the encrypted channel given some amount of time.
  • Yes, even if you have only TLS 1.2 enabled, your system may still be vulnerable to a static key cipher attack. Referring to the post on Static Key Cipher Vs Perfect Forward Secrecy, disabling all the weak cipher suites (SSLv2/SSLv3/TLS1.0) and only allowing the recommended ones (TLS1.1/TLS1.2) does not guarantee that forward secrecy is always used.
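As an added example (not from the original post), the script below tells static-key suites apart from forward-secrecy suites using the key-exchange column that openssl ciphers -v prints: Kx=RSA means the session secret is encrypted to the server's long-lived RSA key, so anyone who later obtains that key can decrypt recorded sessions, while Kx=ECDH, Kx=DH and the TLS 1.3 suites (Kx=any) use ephemeral keys. The sample output inside it is constructed to mirror OpenSSL's format; the same distinction is what the openssl s_client -cipher EDH,EECDH check in the OpenSSL notes below probes from the client side.

```shell
#!/bin/sh
# Added example, not from the original post: classify cipher suites by key
# exchange from the output format of `openssl ciphers -v`.

# Constructed sample of `openssl ciphers -v` output (columns as OpenSSL prints them).
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD'

# Prints the names of suites without forward secrecy (Kx=RSA), one per line.
# Note that protocol version alone says nothing: AES256-GCM-SHA384 is a
# TLS 1.2 suite and still uses static RSA key exchange.
static_key_suites() {
    awk '$3 == "Kx=RSA" { print $1 }'
}

# Prints the names of suites that use ephemeral key exchange (forward secrecy);
# TLS 1.3 suites always do, which OpenSSL shows as Kx=any.
forward_secrecy_suites() {
    awk '$3 == "Kx=ECDH" || $3 == "Kx=DH" || $3 == "Kx=any" { print $1 }'
}

# Exit 0 when the list on stdin offers at least one static-key suite, i.e.
# when the scanner finding quoted above would fire for that configuration.
has_static_key_suites() {
    static_key_suites | grep -q .
}

# Live check of the suites a local OpenSSL build would offer (uncomment):
#   openssl ciphers -v 'ALL:!aNULL' | static_key_suites
# The cipher-string alias !kRSA removes them, e.g. 'HIGH:!aNULL:!kRSA'.
printf '%s\n' "$SAMPLE_CIPHERS" | static_key_suites
```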

Mar 5, 2020

List Users and Roles in Kenna

Last month, I created a Ruby script to list all users in Kenna. Then I found that I also need to list all the roles besides the user list.

Then I noticed I'm not a good Ruby developer.

So I rewrote the script in Python to list all users (including myself) and all roles in Kenna.

kenna-users
kenna-users.py -h

Feb 29, 2020

My Notes on VMware Products

Short/quick notes about VMware products: ESX, ESXi, vCenter, vSphere/client.

ESX/ESXi

  • Both are hypervisors that allow us to manage VMs on a physical host.
  • ESXi operates independently of a general-purpose OS, which simplifies management (Linux-based consoles), improves security and gives a smaller footprint (32MB).
  • ESX must be installed on top of a general-purpose OS (Windows or Linux).
  • A virtual representation of the processing and memory resources of a physical machine running ESXi is known as a host.
  • Two or more ESXi hosts can be grouped into a cluster for resource pool management.

VMware vCenter Server

  • Can be installed as a virtual machine on top of an ESXi server.
  • Allows centralized management of the whole virtual infrastructure: hosts and VMs.
  • Allows routine operations on large-scale infrastructure to be optimized.
  • Runs on Photon OS, Windows (discontinued) or a Linux-based appliance.
  • Provides single sign-on, inventory search (VMs, hosts, datastores, networks), notifications, and host profile configuration.
  • Scalability: up to 2000 hosts and 35000 VMs.
  • Enterprise features: vMotion, VMware High Availability, VMware Update Manager, VMware Distributed Resource Scheduler (DRS).
  • RBAC, performance monitoring and

vSphere and vSphere client/HTML5

  • vSphere is a suite that contains ESX, ESXi, vCenter and the vSphere client, and is used as a modern software-defined data center (SDDC).
  • The vSphere client/HTML5 client is used to access ESXi (small environments) and vCenter (large environments) for management.
  • The vSphere client is replaced by the HTML5-based vSphere client in vSphere 6.7.

Links:

  • https://www.mustbegeek.com/difference-between-vsphere-esxi-and-vcenter/
  • https://www.nakivo.com/blog/vmware-esxi-vs-vsphere-vs-vcenter-key-differences/

Feb 28, 2020

Show Kenna Connector Status

When working on the Kenna data set, it depends largely on the input from the vulnerability scanning system. Sometimes the data upload is delayed because the Kenna connector takes too long to upload the data.

Thus, I created a Python script that allows me to check the Kenna connector sync status.

Feb 20, 2020

List Users in Kenna

I've been using KennaSecurity for one year. Then I found something strange with the KennaSecurity GUI.

When you try to list users in Kenna, you can't find yourself in the list even if you are an administrator.

Thus, I created a simple Ruby script that helps me list all the users, including myself. ;)


Jan 18, 2020

Essential OpenSSL Commands

Here, I have collected some essential OpenSSL commands.


Check the Connection:

$ openssl s_client -showcerts -connect www.microsoft.com:443


Decoding BASE64 (PEM) Certificate

Capture the output between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags, and save it as a text file (e.g. cert_microsoft.com).

Run the command below to read the file, and display it in a textual format.

$ openssl x509 -noout -text -in cert_microsoft.com


Decoding Binary Certificate (DER) Certificate

DER is a binary certificate format; the content is the same as PEM (Base64), only the encoding differs.

$ openssl x509 -noout -text -inform der -in cert_microsoft.der


Convert Certificate between DER and PEM format

By the way, -inform is short for "input format" (and -outform for "output format"; pem is the default for both).

$ openssl x509 -inform der -in cert_microsoft.der -out cert_microsoft.pem

$ openssl x509 -inform der -in cert_microsoft.der -outform pem -out cert_microsoft.pem

$ openssl x509 -in cert_microsoft.pem -outform der -out cert_microsoft.der

$ openssl x509 -inform pem -in cert_microsoft.pem -outform der -out cert_microsoft.der

 

Checking the Chain of Trust

$ openssl verify -verbose cert_microsoft.pem

If you see "error 20 at 0 depth lookup", it means that the intermediate certificate (the certificate of the issuer of the server certificate) is missing.

$ openssl verify -untrusted cert_symantec cert_microsoft.pem

If you see "error 20 at 1 depth lookup", the error is no longer on the server certificate (depth 0): now the issuer certificate for the Symantec (intermediate) certificate can't be found.

$ openssl verify -untrusted cert_symantec -CAfile ./RootCerts.pem cert_microsoft.pem

You should see "OK" now.

If you have more than one intermediate certificate, just concatenate them into one file:

$ cat inter1.pem inter2.pem > inter_both.pem
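To automate the steps above (capturing each certificate from the s_client output into its own file, then running verify with -untrusted), here is an added example that is not part of the original notes. The chain inside it is a constructed placeholder rather than real certificates, and the output directory name is arbitrary.

```shell
#!/bin/sh
# Added example, not from the original notes: split `openssl s_client -showcerts`
# output into cert-0.pem (server certificate), cert-1.pem.. (intermediates) and
# verify the chain the same way as the manual -untrusted steps.

# Constructed stand-in for s_client output: placeholder PEM blocks, not real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 C = US, O = Example CA
-----BEGIN CERTIFICATE-----
MIIBserverPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
---
No client certificate CA names sent'

# Reads s_client output on stdin, writes cert-N.pem files into directory $1
# (in the order the server sent them) and prints how many were written.
split_pem_chain() {
    outdir="$1"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f); n++ }
        END { print n }'
}

# Verifies the leaf against the sent intermediates plus the system trust store.
# Several intermediates are concatenated into one -untrusted file, exactly as
# in the cat inter1.pem inter2.pem step above.
verify_chain() {
    dir="$1"
    if [ -f "$dir/cert-1.pem" ]; then
        cat "$dir"/cert-[1-9]*.pem > "$dir/intermediates.pem"
        openssl verify -untrusted "$dir/intermediates.pem" "$dir/cert-0.pem"
    else
        openssl verify "$dir/cert-0.pem"   # "error 20" here means the intermediate was not sent
    fi
}

# On a live host (network access and openssl required):
#   openssl s_client -showcerts -connect www.microsoft.com:443 </dev/null \
#       | split_pem_chain ./chain && verify_chain ./chain
printf '%s\n' "$SAMPLE_CHAIN" | split_pem_chain "$(mktemp -d)"
```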


Testing SSLv2/SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3

$ openssl s_client -ssl2 -connect microsoft.com:443

$ openssl s_client -ssl3 -connect microsoft.com:443

$ openssl s_client -tls1 -connect microsoft.com:443

$ openssl s_client -tls1_1 -connect microsoft.com:443

$ openssl s_client -tls1_2 -connect microsoft.com:443

$ openssl s_client -tls1_3 -connect microsoft.com:443    

$ openssl s_client [-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3] -connect microsoft.com:443

 

Get the Common Name (cn) or Subject

$ openssl x509 -noout -subject -in cert_microsoft.pem


Renegotiation (by client)

After connecting, type the lines below; a line containing only R makes s_client request a renegotiation, so a server that refuses client-initiated renegotiation will drop the connection at that point:

$ openssl s_client -connect www.microsoft.com:443

HEAD / HTTP/1.0

R

<CRLF>

 

Testing Weak Ciphers

$ openssl s_client -cipher NULL,EXPORT,LOW,3DES -connect <site:port>


Testing Anonymous (aNULL) Cipher Suites

Note that aNULL selects suites with no authentication (anonymous DH/ECDH), whereas NULL in the previous command selects suites with no encryption.

$ openssl s_client -cipher aNULL -connect <site:port>


Forward Secrecy

$ openssl s_client -cipher EDH,EECDH -connect <site:port>


Testing RC4 ciphers

$ openssl s_client -cipher RC4 -connect <site:port>


Testing Compression (CRIME/TLS or BREACH/HTTP)

A line reading "Compression: zlib compression" or "Compression: 1 (zlib compression)" in the s_client output indicates that the remote server is vulnerable to the CRIME attack; "Compression: NONE" means it is not vulnerable to TLS compression.

$ openssl s_client -connect <site:port>

GET / HTTP/1.1
Host: example.com
Accept-Encoding: compress, gzip
<CRLF><CRLF> 

If the response contains encoded data (a Content-Encoding header), HTTP compression is supported; therefore the remote host is vulnerable (to BREACH).


Links: