Jul 31, 2022

SOC 2 Compliance

SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.


Notes about SOC 2:

  • Developed by the American Institute of CPAs (AICPA).
  • Defines criteria for managing customer data based on 5 "trust service principles" - security, availability, processing integrity, confidentiality and privacy.
  • SOC 2 reports are unique to each organization (vs. PCI DSS, which has rigid requirements).
  • Type I describes whether a vendor's system design is suitable to meet the relevant trust principles.
  • Type II describes the operational effectiveness of the vendor's systems.


Links:

Jul 30, 2022

2022-1H State of Vulnerability Intelligence

Half of 10.0 CVSS vulnerabilities reported so far in 2022 scored incorrectly.


Notes:

  • NVD failed to report 27.3% of CVEs (11,860 vulns).
  • 52% of all 10.0 CVSS (v2) vulns reported in 2022 are scored incorrectly.
  • CVSS v3.1 is better refined for IoT vulns.
  • Large gap between what the CVSS model identifies as critical and the vulnerabilities that actually require immediate attention.
  • EPSS aims to address the CVSS model's inaccuracy and save time in patch management.
  • The EPSS model can increase the efficiency of patch management from 5% to 42.5%.


Links:

  • https://flashpoint.io/resources/report/state-of-vulnerability-intelligence-2022-midyear/

Jul 29, 2022

Happy System Administrator Appreciation Day

Try playing the bofhle game. Each guess must be a valid 5-letter Unix or Linux command. Hit the enter button to submit.

⬜⬜🟨⬜🟨
🟨⬜⬜🟨⬜
🟨⬜🟩🟩🟩
🟩🟩🟩🟩🟩
 
Happy Sysadm Day! https://sysarmy.com/bofhle/

Jul 27, 2022

SMS 2 Factor authentication

Why is SMS 2 Factor authentication not secure?

Firstly, I would say that there is nothing wrong with 2FA; what is wrong is using 2FA with SMS, and this is a typical kind of "mis-configuration".

Second, 2FA via SMS is easy to set up and requires no download of any app or reader, only a mobile phone with a SIM card.

Anyway, NIST (USA) has recommended against one-time SMS codes, as they are no longer considered secure.

SMS Vulnerabilities

  • Intercepting SMS codes
  • Spoof SMS verification
  • Phone account hijacking


Alternative secure authentication options

  1. OTP method - one-time password
  2. FIDO U2F (leading option for 2FA) - similar to a smart card with PKI.
  3. Push Authentication - faster than typing a password
  4. Multi-Factor Authentication (MFA) - best solution


Links:

Jul 26, 2022

Microsoft Defender Vulnerability Management

 

Microsoft Defender Vulnerability Management Dashboard:

  • Exposure score and trends
    • weakness, likelihood, device value, alerts.
  • Recommendations
    • top security recommendations, high exposure score, software update and upgrade, or uninstalls, impact, or configuration change.
  • Alerts and threat insight.
  • Ticketing with Service Now or Microsoft Endpoint Manager.
  • Exception scoping, justification, and expiry.
  • Track the progress of the remediation requests and review exceptions.
  • Show Top Vulnerable Software.
  • Supports add-ons such as asset inventory, block vulnerable versions of apps, monitor for compliance (security baseline assessment).  

Links:

Jul 25, 2022

Kubernetes Attack and Defense: Break Out and Escalate!



My notes:

  • Pod vs container.
  • A pod has an IP address.
  • Nodes run kubelet, container runtime, kube-proxy
  • Attack K8s from a compromised node
    • break out of a container (5 CVEs)
    • over-privilege pod - mount /dev, access to node filesystem, use of node's network namespace, load module, root access, hostPID, hostNetwork Pods
    • phish login access to node
  • steal kubelet and kube-proxy auth cred, /var/lib/kubelet, service account token
  • steal secrets from other pods with env
  • run programs on the node
  • create "mirror pods"
  • steal cred to the vault
  • pull creds for the node's cloud IAM account, http://169.254.169.254/latest/meta-data/iam/security-credentials/<name>/
  • access to bucket storage/S3
  • Defenses:
    • Admission control, SeccompDefault, Security Profiles Operator, Steering Workloads to Nodes, Upgrade the Cluster.
    • Pod Security Policy, Pod Security Standards.
    • Open Policy Agent (OPA) Gatekeeper
    • Kyverno
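As an added example (not from the talk), the audit below flags the over-privilege indicators listed above (hostPID/hostNetwork, hostPath mounts of node paths, privileged containers, root, module-loading capabilities) in Pod objects such as the output of `kubectl get pods -A -o json`; the pod list is constructed inline.

```python
import json

# Added example (not from the talk): find over-privileged pods before an attacker does.
# Input shape is the kubectl List object; the SAMPLE below is constructed.

NODE_PATHS = {"/", "/dev", "/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN"}

def audit_pod(pod: dict) -> list:
    """Return human-readable findings for one Pod object (empty list = nothing flagged)."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    out = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            out.append(f"{name}: {flag} shares the node's namespace")
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path is not None:
            norm = path if path == "/" else path.rstrip("/")
            tag = "sensitive node path" if norm in NODE_PATHS else "hostPath"
            out.append(f"{name}: volume {vol.get('name')} mounts {tag} {path}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        cname = f"{name}/{c.get('name')}"
        if sc.get("privileged"):
            out.append(f"{cname}: privileged (full device and kernel access)")
        if sc.get("runAsUser") == 0:
            out.append(f"{cname}: runs as root")
        for cap in sorted(set((sc.get("capabilities") or {}).get("add", [])) & DANGEROUS_CAPS):
            out.append(f"{cname}: adds capability {cap}")
    return out

def audit_pod_list(pod_list: dict) -> list:
    """Audit every item of a kubectl List object and return all findings."""
    return [f for pod in pod_list.get("items", []) for f in audit_pod(pod)]

SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
 {"metadata": {"name": "node-agent"}, "spec": {"hostPID": true, "hostNetwork": true,
  "volumes": [{"name": "dev", "hostPath": {"path": "/dev"}}],
  "containers": [{"name": "agent", "image": "agent:1", "securityContext":
   {"privileged": true, "runAsUser": 0, "capabilities": {"add": ["SYS_MODULE", "CHOWN"]}}}]}}
]}""")  # constructed sample: one clean pod, one pod that matches most indicators above

if __name__ == "__main__":
    for finding in audit_pod_list(SAMPLE):
        print(finding)
```

Pod Security Standards (the "restricted" profile) or an OPA Gatekeeper/Kyverno policy would reject the second pod at admission; this script is for finding what is already running.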


Links:

Jul 21, 2022

Utils: rh_access.py

Just released a small util to query CVEs released by Red Hat.


$ ./rh_access.py -e cve-2022-34484 cve-2022-29226 cve-2022-26354 -v


Links:


Jul 18, 2022

AD and Kerberos PenTest

Here I keep notes on the commands and tools/scripts used for pentesting AD and Kerberos.

 

Reconnaissance Commands:

c:\> net user

c:\> whoami

c:\> whoami /groups

c:\> net user /domain

c:\> net user [username] /domain

Brute Force Active Directory:

msf > use auxiliary/scanner/smb/smb_login

mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv

 

Kerberos brute-force:

  1. kerbrute - Linux tool
  2. Rubeus - Windows module

ASREPRoast and Kerberoasting

  1. GetNPUsers.py
  2. Rubeus

Cracking the AS_REP and TGS

  1. Hashcat
  2. John

Overpass The Hash/Pass The Key (PTK)

  1. getTGT.py
  2. Rubeus and PsExec

Pass The Ticket (PTT)

  1. tickey
  2. Mimikatz or Rubeus

Silver ticket and Golden ticket:

  1. ticketer.py
  2. Mimikatz, Rubeus and PsExec
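From the defender's side, an added example (not from these notes): a detection heuristic for the Kerberoasting step above, run over constructed Windows Security event 4769 records. Field names follow the 4769 schema; in practice the records would come from a SIEM or Get-WinEvent, and the threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original notes). Kerberoasting shows up as one account
# requesting RC4-HMAC (0x17) service tickets for many SPNs in a short burst.

SAMPLE_4769 = [  # constructed records
    {"time": "2022-07-18T09:00:01", "TargetUserName": "alice@PENTESTLAB.LOCAL",
     "ServiceName": "MSSQLSvc/db01:1433", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"time": "2022-07-18T09:00:05", "TargetUserName": "carol@PENTESTLAB.LOCAL",
     "ServiceName": "HTTP/web01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.33"},
]
SAMPLE_4769 += [  # six RC4 service tickets for distinct SPNs inside one minute
    {"time": f"2022-07-18T09:10:{i * 7:02d}", "TargetUserName": "bob@PENTESTLAB.LOCAL",
     "ServiceName": spn, "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"}
    for i, spn in enumerate(["MSSQLSvc/db01:1433", "HTTP/web01", "CIFS/fs02",
                             "MSSQLSvc/db02:1433", "HTTP/intranet", "ldap/dc01"])
]

def detect_kerberoast(events, window=timedelta(minutes=5), min_services=5):
    """Flag (account, source IP) pairs that obtained RC4 (0x17) service tickets for at least
    `min_services` distinct SPNs within `window`. AES tickets (0x11/0x12) are ignored, since
    roasting tools ask for RC4 because it cracks faster; machine accounts and krbtgt are skipped."""
    by_requester = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if e["TicketEncryptionType"].lower() != "0x17" or svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        by_requester[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["time"]), svc))
    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - start <= window}
            if len(spns) >= min_services:
                alerts.append({"user": user, "ip": ip, "start": start.isoformat(),
                               "services": sorted(spns)})
                break  # one alert per requester
    return alerts

if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_4769):
        print(f"possible Kerberoasting by {a['user']} from {a['ip']} at {a['start']}: {a['services']}")
```

Pairing this with AES-only service accounts and long random SPN passwords removes most of the value of a captured TGS-REP.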

 

Links:

Jul 16, 2022

Cloud IMDS

Ryan posted an excellent blog post about Cloud Instance Metadata Services (IMDS). This is a misunderstood but deeply important feature to lock down when deploying workloads in the cloud. It could be a major blind spot for many security teams.

Every cloud instance (VM) can query its IMDS when it requires access to the cloud environment.

IMDS is a REST API that is available at a well-known, non-routable IP address (169.254.169.254 or fd00:ec2::254).


AWS's default IMDS deployment is vulnerable: the endpoint answers unauthenticated requests from anything running on the instance.

$ curl 169.254.169.254/latest/meta-data/security-groups
$ curl 169.254.169.254/latest/meta-data/iam/security-credentials
$ curl 169.254.169.254/latest/meta-data/iam/security-credentials/EC2S3FullAccess
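As an added example (not from Ryan's post), this check reads the MetadataOptions block that `aws ec2 describe-instances` returns and reports instances still on the vulnerable default (IMDSv1 allowed) or with a response hop limit that lets the metadata reply be forwarded off the host. The describe output is constructed inline; real input would come from the CLI or boto3.

```python
import json

# Added example (not from the original post). Fields are the real MetadataOptions keys
# from `aws ec2 describe-instances`; the instance IDs and values below are constructed.

SAMPLE_DESCRIBE = json.loads("""{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-0ddd444", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}}
]}]}""")

def imds_findings(describe_output: dict) -> dict:
    """Map InstanceId -> list of findings (empty list = acceptable).
    HttpTokens=optional means IMDSv1 still works: a plain GET with no session token, so an
    SSRF or any local process can read the role credentials shown in the curl commands above.
    A hop limit above 1 lets the IMDSv2 response travel one more network hop (e.g. into a
    container's own network namespace)."""
    findings = {}
    for res in describe_output.get("Reservations", []):
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            issues = []
            if opts.get("HttpEndpoint") != "disabled":
                if opts.get("HttpTokens") != "required":
                    issues.append("IMDSv1 allowed (HttpTokens=optional); set HttpTokens=required")
                hops = opts.get("HttpPutResponseHopLimit", 1)
                if hops > 1:
                    issues.append(f"HttpPutResponseHopLimit={hops}; lower to 1 unless containers need IMDS")
            findings[inst["InstanceId"]] = issues
    return findings

# Remediation for a flagged instance (AWS CLI):
#   aws ec2 modify-instance-metadata-options --instance-id i-0aaa111 \
#       --http-tokens required --http-put-response-hop-limit 1

if __name__ == "__main__":
    for iid, issues in imds_findings(SAMPLE_DESCRIBE).items():
        print(iid, issues or ["ok"])
```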

Jul 12, 2022

Risk vs. threat vs. vulnerability

Here's a short article that explains very well the difference between risk, threat, and vulnerability.


Risk is the potential for loss, damage or destruction of assets or data caused by a cyber threat.

Threat is a process that magnifies the likelihood of a negative event, such as the exploit of a vulnerability.

Vulnerability is a weakness in your infrastructure, networks or applications that potentially exposes you to threats.


Links:

Jul 7, 2022

SSL Configuration Generator

There is a Mozilla website that maintains a reference guide for navigating the TLS landscape, as well as a configuration generator to assist system administrators.

Mozilla maintains three (3) recommended configurations for servers using TLS.

  • Modern - modern clients that support TLS 1.3, with no need for backwards compatibility
  • Intermediate - recommended configuration for a general-purpose server
  • Old - services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8


Mozilla SSL Configuration Generator

Links:


Jul 6, 2022

SSLyze – Fast and powerful SSL/TLS scanning tool

SSLyze is an automated security tool used to scan a target domain for SSL/TLS vulnerabilities such as Heartbleed and other OpenSSL issues, and many more. The tool is developed in Python and is also available on GitHub.


Installation:

$ cd repo

$ git clone https://github.com/nabla-c0d3/sslyze.git

$ cd sslyze

$ sudo python3 setup.py install

$ sslyze -h

$ sslyze www.geeksforgeeks.org

 

Links:

Jul 5, 2022

Currently 0-day Is Not Hard

Google Project Zero researcher Maddie Stone presented a talk at the FIRST conference titled "0-day In-the-Wild Exploitation in 2022…so far".

It revealed that nine out of 18 zero-day flaws detected and disclosed as exploited in-the-wild in 2022 are variants of previously patched vulnerabilities.

  • Found 18 detected zero-days as exploited in-the-wild.
  • At least 9 of them are variants of previously patched vulnerabilities.

This means that many of the attacks were not so sophisticated; instead, the threat actors who exploited the issue were able to come back and trigger the known vulnerability through a different path.

For example:

  • CVE-2022-30190 (Follina Windows vulnerability) ~  CVE-2021-40444 MSHTML zero-day
  • CVE-2022-21882 (Windows win32k) ~ CVE-2021-1732
  • CVE-2022-22587 (iOS) ~ CVE-2021-30983
  • CVE-2022-1096 (Chromium) ~ CVE-2016-5128, CVE-2021-30551, CVE-2022-1232
  • CVE-2022-1364 (Chromium v8) ~ CVE-2021-21195
  • CVE-2022-26134 (Atlassian Confluence) ~ CVE-2021-26084
  • CVE-2022-26925 (PetitPotam) ~ CVE-2021-36942 (patch regressed)

“When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.”

To properly address zero-day vulnerabilities, Google researchers recommend that platform security teams and other independent security researchers invest in root cause analysis, variant analysis, patch analysis, and exploit technique analysis.

Learn from 0-days exploited in the wild to make 0-day hard.

Make 0-day hard by:

  • Increase the cost (mean time, expertise) per exploit.
  • Increase the number of exploits required.

 

Links:

Jul 4, 2022

GitHub Actions + Nuclei

This is a demo on using GitHub Actions and Nuclei to protect your CI. It also shows how an attacker can leverage GHA to mine cryptocurrencies, pivot to other targets, and distribute backdoors into different repositories.


Links:

Jul 3, 2022

SSHScan

SSHScan is a testing tool that enumerates SSH Ciphers. Using SSHScan, weak ciphers can be easily detected.


Links:

Jul 2, 2022

SSL/TLS Recon

sslscan2

  • supports legacy protocols, SSLv2 and SSLv3, as well as TLSv1.3
  • no longer reliant on OpenSSL.
  • enumerates server key exchange groups.
  • enumerates server signature algorithms.
  • can run in Docker.

tlsscan

  • TLS/SSL protocol scanner
  • supports scanning newer protocols and ciphers via the upstream OpenSSL project.

tls-scan

  • single threaded asynchronous/event-based program.
  • track/test/debug certificate and TLS configuration.
  • Scan for TLS-based server, collect X.509 certs and ciphers.
  • Support TLS and StartTLS protocols.
  • produces output in JSON.


Links:


Jul 1, 2022

Patch_Tuesday Utils

A step-by-step guide to how I generate patch_tuesday.exe from the Python script. You can download the Python script or the executable directly (on GitHub).


c:\home> pip install colorama

c:\home> pip install pyfiglet

c:\home> pip install pyinstaller

 

Method 1:

c:\home> pyinstaller --onefile --add-data "C:\Python3\Lib\site-packages\pyfiglet";./pyfiglet   patch_tuesday.py

Method 2:

c:\home> pyinstaller --onefile --collect-all pyfiglet patch_tuesday.py


c:\home> cd dist

c:\home\dist> patch_tuesday.exe -h


c:\home\dist> patch_tuesday.exe -k 2022-jun -v


Tips: Try "patch_tuesday.exe -k 2022-jun -vc" for chart output.


Links: