Dec 30, 2021

Multi-Layered Approach

An excellent webcast from Eran Livne (Qualys) about a multi-layered approach to addressing Log4Shell vulnerabilities. Watch the on-demand webcast if you want.

There is also a great demo on how to use a multi-layered approach with Qualys to perform a Log4Shell assessment (remote scan, auth scan, agent, inventory scan, prioritize, externally exposed/Shodan, container, images, patch management, mitigation action, EDR).

My quick notes:

  1. See what your attackers see
  2. Find where you are vulnerable
    • Vulnerability scan
    • In-depth vulnerability scan
    • Inventory scan
    • Protect your container/image
  3. Remediation based on priorities
  4. Monitor for attack in progress


Dec 27, 2021

Lab21 Architecture Design

I have been deciding on the virtualization tools for my Lab21 between VMware Player and VirtualBox. Both have their own advantages.

There are 3 types of networking in virtualization tools: NAT, host-only, and bridged.

  1. NAT - Most commonly used. 
  2. Host-only - Mostly for private use.
  3. Bridged - For advanced users only.

While doing my research on which tools to use, I came across an interesting video on running an OpenWrt router image on VirtualBox in a "host-only + bridged" environment.

Watching the video gave me more ideas about how to design the Lab21 architecture.



Dec 23, 2021

Weaponise Exploits for samAccountName Spoofing (CVE-2021-42278) & Domain Controller Impersonation (CVE-2021-42287)

Exploit to impersonate from regular domain user released!

Microsoft released patches to address two (2) vulnerabilities that affect Windows Active Directory domain controllers: samAccountName Spoofing and Domain Controller Impersonation in November 2021. 

Both vulnerabilities, samAccountName Spoofing (CVE-2021-42278) & Domain Controller Impersonation (CVE-2021-42287), allow an adversary with access to low-privileged domain user credentials to obtain a Kerberos Service Ticket for a Domain Controller computer account. This effectively allows a regular domain user to take control of a domain controller.

Mitigation / Detection

It is recommended to install the Microsoft patch (KB5008602) to mitigate against this attack. This patch fixes the issue with PAC confusion and S4U2self created earlier.

Another quick fix is setting the Machine Account Quota to 0, which stops low-privileged users from being able to create machine accounts. Other than that, remove Authenticated Users from SeMachineAccountPrivilege and add Domain Admins or another group of allowed accounts.
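
The settings above can be checked from any machine with the RSAT ActiveDirectory module. The following PowerShell is an added example, not part of the original post: it reads the quota (stored in the ms-DS-MachineAccountQuota attribute of the domain object), looks for KB5008602 on each domain controller, lists computer accounts that were created through the quota, and sets the quota to 0 in -WhatIf mode.

```powershell
# Added example (not from the original post). Read-only audit, then the quota change.
# Requires the RSAT ActiveDirectory module and rights to read/modify the domain object.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Machine Account Quota lives in ms-DS-MachineAccountQuota on the domain object
#    (the Active Directory default is 10).
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $dn = $quota"

# 2. Is the KB named in the post installed on each domain controller?
#    A later cumulative update can supersede it, so False means "check further",
#    not "vulnerable".
Get-ADDomainController -Filter * | ForEach-Object {
    $hit = Get-HotFix -Id 'KB5008602' -ComputerName $_.HostName -ErrorAction SilentlyContinue
    [pscustomobject]@{ DomainController = $_.HostName; KB5008602 = [bool]$hit }
}

# 3. Computer accounts created by non-admin users through the quota record the
#    creator's SID in mS-DS-CreatorSID. Review any you do not recognise.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    Select-Object Name, whenCreated,
        @{ n = 'CreatorSid'; e = { $_.'mS-DS-CreatorSID'.Value } }

# 4. Quick fix from the post: set the quota to 0. Remove -WhatIf to apply.
if ($quota -ne 0) {
    Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
}
```

SeMachineAccountPrivilege is the "Add workstations to domain" user right; it is changed through Group Policy rather than by this script.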



Dec 22, 2021

Log4j Scanner

By now, everyone should have heard of the Log4j RCE vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105).

There is an open-source scanner released by CISA, in collaboration with the broader cybersecurity community, called "Log4j Scanner".

Other than CISA, Metasploit has added a module called Log4Shell HTTP Scanner, which is capable of identifying vulnerable instances via pre-determined HTTP request injection points.

Known impacted software includes Apache Struts 2, VMware vCenter, Apache James, Apache Solr, Apache Druid, Apache JSPWiki, Apache OFBiz.


 

Dec 20, 2021

Log4Shell: RCE 0-day exploit found in log4j (a Java logging package)

On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string.

Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. This exploit is also known as "Log4Shell".

The 0-day was tweeted along with a POC posted on GitHub. It has now been published as CVE-2021-44228.

More resources are available at https://log4shell.com/

Impact

Many services are vulnerable to this exploit, including cloud services (Steam, Apple iCloud); apps like Minecraft and Apache Struts; and any software that embeds Log4j as its logging package.

Affected Apache Log4j Versions

From the initial investigation, almost all versions of log4j from v2.0 to v2.14.1 are vulnerable. Version 1 of log4j is vulnerable too.

How the exploit works

  • A server with a vulnerable log4j version installed/embedded.
  • An endpoint with any protocol (HTTP, TCP) that allows an attacker to send the exploit string.
  • A log statement that logs out the string from the requester.
  • Outgoing connection to a malicious LDAP and RMI server.

This means that by limiting outgoing connections, we can prevent the exploit from loading and mitigate the vulnerability. However, blocking only specific ports, LDAP (389/tcp) and RMI (1099/tcp/udp), is not enough: the attacker can host the exploit payload on any arbitrary port.

It might be possible with application-layer firewall inspection to restrict the outgoing protocols, i.e. LDAP and RMI should be blocked.

Alternatively, one might deploy an HTTP proxy and restrict outgoing traffic to go through the proxy only, since LDAP and RMI do not work over an HTTP proxy.
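
One way to verify this mitigation from the application server, as an added example that is not part of the original post: attempt direct TCP connections on the default LDAP/RMI ports and on a few other ports, and confirm that only the proxy is reachable. The canary host, proxy name and port list are hypothetical placeholders, and the script assumes a Windows host where Test-NetConnection is available.

```powershell
# Added example (not from the original post). Run on the server hosting the Java app.
# Hypothetical values: $Canary is an Internet host you control that accepts TCP on
# the listed ports; $ProxyHost/$ProxyPort is the only sanctioned egress path.
$Canary    = 'egress-canary.example.net'
$ProxyHost = 'proxy.corp.example'
$ProxyPort = 3128

# 389 and 1099 are the default LDAP/RMI ports; the rest stand in for
# "any arbitrary port", which is why a port-based block alone is not enough.
$Ports = 389, 1099, 443, 8080, 8443, 9999

$results = foreach ($p in $Ports) {
    $t = Test-NetConnection -ComputerName $Canary -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = "${Canary}:$p"; DirectEgress = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# Any successful direct connection is an egress path the proxy does not control.
$leaks   = @($results | Where-Object DirectEgress)
$proxyOk = (Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort `
                -WarningAction SilentlyContinue).TcpTestSucceeded

if ($leaks.Count -gt 0) {
    Write-Warning "Direct outbound TCP succeeded on $($leaks.Count) port(s): $($leaks.Target -join ', ')"
} elseif (-not $proxyOk) {
    Write-Warning 'Direct egress is blocked, but the proxy is unreachable as well.'
} else {
    'Egress is restricted to the proxy.'
}
```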

Dec 17, 2021

What Is Zero Trust Security Architecture

Zero Trust is a shift of network defenses toward a more comprehensive IT security model that allows organizations to restrict access controls to networks, applications, and environment without sacrificing performance and user experience.

~ McAfee


Nowadays, many organizations are adopting Zero Trust (ZT) as an element of their trust network architecture and enterprise security.

ZT is a model which can be simply applied to:

  • network architecture
  • authentication and authorization architecture
  • cloud and container architecture 

 

Three (3) Approaches to Zero Trust Architecture:

  • Enhanced Identity Governance (with MFA)
  • Micro-segmentation
  • Network infrastructure and software-defined perimeters

 

Zero Trust Access (ZTA) Vs. Zero Trust Network Architecture (ZTNA)

ZTA relies on the organization’s Identity and Access Management (IAM) policies, often requiring MFA as a way to verify that they are who they say they are. Additionally, ZTA usually includes maintaining a continuous inventory of devices and users connecting to the network while continuously scanning for new access.

While ZTA focuses on who and what connects to a network, ZTNA focuses on who and what can connect to applications located on the network. ZTNA places the applications behind a gate called a “proxy point,” creating a secure, encrypted tunnel that data travels across. This makes it easier to secure remote users and entities without having to use a VPN.


Five use cases for zero trust:

  1. Enterprise satellites
  2. Multi-cloud architecture
  3. Managing third-party, non-employee access
  4. Across enterprise boundaries
  5. Customer-facing services


(Residual) Risks to Zero Trust:

  • Component Configuration
  • Denial of Service (DoS) Attack
  • Stolen Credential

 


Dec 15, 2021

NEW Native Azure AD KERBEROS!!!

This is a short demo showing that Azure AD now supports native Kerberos.


Command lines:

  1. dsregcmd /status
  2. klist 
  3. klist purge
  4. klist get krbtgt

 

Dec 14, 2021

Picking which Azure AD Synchronization Technology!

This is a short video to show you the difference between the 2 Azure AD sync technologies: AAD Connect vs Cloud Sync.


Notes - 3 rules:

  1. An AAD Connect instance syncs to a single AAD instance
  2. An AAD instance only syncs with a single AAD Connect instance
  3. An object can only be replicated by one sync instance

 


Dec 10, 2021

Mouse Jiggler

With the idea from HakByte, we wrote a similar small Python utility and converted it to a Windows EXE.

This is a mouse jiggler tool which prevents the computer from falling asleep by moving the mouse to simulate human input (bypass screensaver locking).

Then I just converted it to a Windows executable with pyinstaller.

pyinstaller --onefile --noconsole mouse_jiggler.py

pyinstaller -F -w mouse_jiggler.py


Dec 6, 2021

Linux OS for Lab21

I have shortlisted a few Linux distributions for the Lab21 project, namely:

  • Ubuntu Desktop 20.04
  • Ubuntu Server 20.04
  • AlmaLinux 8.5
  • Rocky Linux 8.5


Other Linux distributions that are still under consideration:

  • Kali Linux
  • Fedora Linux
  • CentOS Linux


Virtualization options:

  • VMware Workstation for Player
  • VirtualBox

Dec 5, 2021

OpenShift and Kubernetes

 



These are the 2 videos that quickly explain what Kubernetes and OpenShift are.

Dec 3, 2021

Start of Lab21 Project

Today, I start my "Lab-21" project.

All the information will be documented in the GitHub repository "Lab21".


Links:

  • https://github.com/myseq/Lab21

Network Forensic Analysis Tool (NFAT)

BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). 

It includes: extracting passwords, building a network map, reconstructing TCP sessions, and extracting hashes of encrypted passwords for offline brute-force attacks.

Two (2) BruteShark versions are available: a GUI-based application (Windows) and a command-line interface tool (Windows and Linux).
