Aug 31, 2022

3 advanced and comprehensive vulnerability scanners


This is an introduction video on three advanced and comprehensive vulnerability scanners: Nuclei, Trivy and Vuls.

Nuclei is a template-based scanner for websites, networks and known CVEs. Trivy is a scanner specialized in container images, filesystems, git repositories and Kubernetes. Vuls scans servers over SSH for a wide range of vulnerabilities.


Links:

Aug 30, 2022

Vulnerabilities with a High CVSS score in Kenna

A long-awaited feature was released in Kenna VM (Aug 18): eight new query search terms that allow searching by CVSS v2 or CVSS v3 scores.

  • cvss_v2_score
  • cvss_v2_exploit_subscore
  • cvss_v2_impact_subscore
  • cvss_v2_temporal_score    
  • cvss_v3_score
  • cvss_v3_exploit_subscore
  • cvss_v3_impact_subscore
  • cvss_v3_temporal_score
According to Kenna's article, the syntax below finds vulnerabilities with a high CVSS score.

cvss_v2_score:>=7 AND cvss_v3_score:>=7

However, this query has a blind spot. A CVE released before 2015 or after 2022-08 may carry only a CVSS v2 score or only a CVSS v3 score, and a comparison against a missing score never matches, so such a CVE fails the AND. For example, CVE-2013-3900, which has only a CVSS v2 score of 7.6 (no CVSS v3), is not returned by the syntax above.

Vulnerabilities in Kenna fall into four groups, depending on which CVSS versions they carry:

CVSS v2   CVSS v3   Kenna syntax
No        No        -cvss_v2_score:"*" AND -cvss_v3_score:"*"
Yes       No        cvss_v2_score:"*" AND -cvss_v3_score:"*"
No        Yes       -cvss_v2_score:"*" AND cvss_v3_score:"*"
Yes       Yes       cvss_v2_score:"*" AND cvss_v3_score:"*"


Ideally the query would be [ cvss_v2_score:>=7 OR cvss_v3_score:>=7 ], but Kenna's query syntax does not accept this form.

One possible query to catch CVEs with a high CVSS score in either version is:

cvss_v2_score:>=7 AND -cvss_v3_score:<7

This keeps CVSS v2-only CVEs such as CVE-2013-3900, because a missing v3 score no longer excludes them. It still requires a v2 score, though, so CVEs published after NVD stopped issuing CVSS v2 scores, which carry only a v3 score, remain a blind spot and need a separate query restricted to v3-only vulnerabilities. CVEs whose v3 score is high while the v2 score is below 7 are missed as well.
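To make the coverage of the three queries concrete, here is an added example (not from Kenna or from the original post) that evaluates them against a handful of constructed records. It assumes Lucene-style semantics for Kenna's search: a range comparison against a missing score does not match, and a negated clause such as -cvss_v3_score:<7 matches whenever the positive clause does not, including when the field is absent. CVE-2013-3900's v2 score of 7.6 is the one the post cites; every other record is invented.

```python
# Added example: coverage of three Kenna-style CVSS queries over constructed records.
# Assumption (Lucene-style semantics): a comparison against a missing score is false,
# and a negated clause (-field:<7) is true whenever the positive clause is not.

# (id, cvss_v2_score, cvss_v3_score); None means Kenna holds no score of that version.
SAMPLE_VULNS = [
    ("CVE-2013-3900", 7.6, None),   # v2 only; the example cited in the post
    ("OLD-LOW",       4.3, None),   # constructed: pre-2015 style, low v2 only
    ("NEW-HIGH",      None, 9.8),   # constructed: post-2022 style, v3 only
    ("BOTH-HIGH",     7.5, 9.8),    # constructed: scored under both versions
    ("V3-HIGHER",     5.0, 8.1),    # constructed: medium in v2, high in v3
    ("UNSCORED",      None, None),  # constructed: no CVSS score at all
]


def ge(score, threshold):
    """field:>=threshold -- never matches when the score is absent."""
    return score is not None and score >= threshold


def lt(score, threshold):
    """field:<threshold -- never matches when the score is absent."""
    return score is not None and score < threshold


# Query from Kenna's article: cvss_v2_score:>=7 AND cvss_v3_score:>=7
def kenna_article(v2, v3):
    return ge(v2, 7) and ge(v3, 7)


# The query we actually want: cvss_v2_score:>=7 OR cvss_v3_score:>=7 (not accepted by Kenna)
def intended(v2, v3):
    return ge(v2, 7) or ge(v3, 7)


# Workaround from the post: cvss_v2_score:>=7 AND -cvss_v3_score:<7
def workaround(v2, v3):
    return ge(v2, 7) and not lt(v3, 7)


def matches(query):
    """IDs of the sample vulnerabilities the query would return."""
    return [vid for vid, v2, v3 in SAMPLE_VULNS if query(v2, v3)]


def coverage_report():
    """Which sample IDs each query returns, keyed by query name."""
    return {name: matches(q) for name, q in
            (("article", kenna_article), ("intended", intended), ("workaround", workaround))}


if __name__ == "__main__":
    for name, ids in coverage_report().items():
        print(f"{name:>10}: {ids}")
```

The article's query returns only BOTH-HIGH. The workaround recovers CVE-2013-3900 but still misses NEW-HIGH and V3-HIGHER, which is why a second, v3-only query is needed until Kenna accepts a top-level OR.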


Links:

Aug 27, 2022

VulnScanner: Vuls

Vuls is an open-source, agentless vulnerability scanner for Linux and FreeBSD that draws on NVD, OVAL and other sources.

Vuls supports local and remote scans (with or without root). It uses multiple vulnerability databases and data sources, including:

  • Vulnerability Database - NVD, JVN
  • OVAL - Red Hat, Debian, Ubuntu, SUSE, Oracle Linux
  • Security Advisory - Alpine-secdb, Red Hat Security Advisories, Debian Security Bug Tracker
  • Commands
  • PoC, Exploit - ExploitDB, Metasploit, etc
  • CERT - US-CERT, JPCERT
  • Libraries
  • WordPress

Links:

Aug 26, 2022

VulnScanner: Trivy

Trivy is a comprehensive security scanner from Aqua Security. It is reliable, fast and very easy to use.

Trivy has several scanners that look for different classes of security issue, and several target types in which it can find them.

Targets:

  •     Container Image
  •     Filesystem
  •     Git repository (remote)
  •     Kubernetes cluster or resource


Scanners:

  •     OS packages and software dependencies in use (SBOM)
  •     Known vulnerabilities (CVEs)
  •     IaC misconfigurations
  •     Sensitive information and secrets


Installing Trivy (Ubuntu):

$ sudo apt install wget apt-transport-https gnupg lsb-release

$ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null

$ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list

$ sudo apt update

$ sudo apt install trivy


First use:

$ trivy image python:3.4-alpine



Links:

Aug 25, 2022

Windows 10/11 Installation Bypass

In the past, during installation we could choose between signing in with a Microsoft account (Hotmail/Outlook) and creating an offline (local) account, as was done traditionally.

Recently, the "offline account" option is no longer offered when an Internet connection is available during installation.

There are some advantages to an online account, but if you still prefer an offline account, there are two ways.

First, disconnect from the Internet during the Windows 10/11 installation.

Second, keep the Internet connection and trick the setup wizard.

Setup keeps asking for a valid Microsoft account as long as you provide an invalid Hotmail/Outlook account. So simply enter "sample@hotmail.com" with any random password until the wizard gives up.

Then the offline account option will be available.

Aug 24, 2022

Compare AD to AAD

Azure Active Directory (AAD) is the next evolution of identity and access management (IAM) solutions for the cloud. Microsoft introduced Active Directory (AD) Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems.

Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises.

Most IT administrators are familiar with Active Directory Domain Services concepts. The following table outlines the differences and similarities between Active Directory concepts and Azure Active Directory.

 

Links:


Aug 23, 2022

Browser Audit

Comparing three browsers, Firefox, MS Edge and MS Internet Explorer; here are the results.

Results (screenshots): Firefox 103.0, MS Internet Explorer 11.0, MS Edge 105.0

Links:

Aug 22, 2022

HTML5 Test

How well does your browser support HTML5?

Results (screenshots): MS Edge 105.0, Firefox 103.0, MS Internet Explorer 11.0

Links:

Aug 21, 2022

Qualys BrowserCheck Summary

Visit Qualys® BrowserCheck to perform a security analysis of your browsers and plugins. It also runs several system checks, including the Top 4 Security Controls.

 

Method 1 - Install plugin

  • Click the "Install Plugin" button.
  • Scan and view all the security issues.
  • Follow recommended steps to resolve each vulnerability found.  


Method 2 - Scan without installing plugin


Link:

Aug 20, 2022

Caret Browsing

This is a useful feature whenever you need to select text on a web page using your keyboard in Firefox.

This mode is known as Caret Browsing, and you can toggle it by pressing F7.

When this setting is enabled, Firefox displays a movable cursor in web pages, allowing you to select text with the keyboard.

Alternatively, toggle the mode in the Settings page under Accessibility, "Always use the cursor keys to navigate within pages".


Links:

Aug 19, 2022

Redirect IP Address to Domain Name in NGINX

Here are the instructions from Günter Scholtz on how to redirect requests made to the server's IP address to its domain name in Nginx and Apache.

Setting up a Default Route in Nginx

Method 1. Return a 301 redirect for requests whose Host header is the IP address.

server {
  listen 80;
  listen [::]:80;
  server_name 192.168.1.80;
 
  add_header X-Frame-Options "SAMEORIGIN";

  return 301 https://www.example.com$request_uri;
}

Method 2. Return a 301 redirect only when no other server block matches. ('server_name _' is a placeholder name that never matches a real host, and default_server makes this block the catch-all for the port.)

 server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;

  return 301 https://www.example.com$request_uri;
}

Both Nginx blocks listen on port 80 only. A request for https://192.168.1.80/ is still answered by whichever TLS server block Nginx treats as the default for port 443 (the first one defined, unless one carries default_server), so the same catch-all is needed there: a block with listen 443 ssl default_server and server_name _ that presents a certificate and either returns the redirect or uses return 444 to drop the connection without a response. Clients that request the bare IP are mostly scanners, and handing them a real virtual host is exactly what the catch-all is meant to avoid.

Setting up a Default Route in Apache

Method 1. Redirect IP requests to domain name by adding a rewrite rule that matches the IP.

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^192\.168\.1\.80$
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]

Method 2. Redirect every request whose server name is not exactly www.example.com (this also catches the bare IP and any other hostname pointed at the server).

RewriteEngine on
RewriteCond %{SERVER_NAME} !=www.example.com
RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,NE,R=301]


Links:

Aug 18, 2022

Retirement of CVSS v2 and XML Feed

As of July 13th, 2022, NVD no longer generates CVSS v2 vector strings or severity scores. Existing CVSS v2 information stays in the database, but NVD no longer populates CVSS v2 for new CVEs.

This change comes as the CISA policies that rely on NVD data fully transition away from CVSS v2.

Here is the history of the CVSS versions and their timeline.

Timeline      CVSS v2   CVSS v3   CVSS v4
2007 - 2014   Yes       No        -
2015 - 2022   Yes       Yes       -
2022 - now    No        Yes       -
2024          No        Yes       Yes (tentatively)

 

As of July 22nd, 2022, the XML URLs have been removed from the data feeds page (phase 2 of the XML retirement plan).

However, NVD continues to update the feeds and host the URLs for now, so automated processes that download the XML feeds should not be impacted yet.

Aug 17, 2022

Limitation in EPSS

The EPSS model was initiated in 2019, in parallel with the criticism of the Common Vulnerability Scoring System (CVSS) that surfaced in 2018.

EPSS estimates the probability that a CVE will be exploited in the wild within the next 30 days. It is most useful when there is no other evidence of active exploitation.

EPSS should not be treated as a complete picture of risk, but it can be used as one of the inputs into a risk analysis.

EPSS version 2 was released in February 2022. This release has created a lot of excitement around EPSS, especially since the improvements planned for CVSS version 4 are still under development.

This blog post at Carnegie Mellon University evaluates the pros and cons of the Exploit Prediction Scoring System (EPSS), a data-driven model designed to estimate the probability that software vulnerabilities will be exploited in practice.

The author raises two general spheres of concern: problems due to model opacity and problems stemming from the details of data provenance. The conclusion is that no vulnerability analysis or risk-management process can rely on EPSS alone, that EPSS cannot by itself replace an existing threat-intelligence process, and that EPSS v2 is currently useful only in restricted scenarios.

EPSS Opacity

The EPSS target audience, development process, and future governance are opaque.

EPSS uses machine learning to predict an exploitation probability for each CVE ID. This dependence on a pre-existing CVE ID is one reason EPSS is of limited use to software suppliers, CSIRTs and many bug bounty programs.

Most of those stakeholders need to prioritize vulnerabilities that either have no public CVE ID yet or are of a kind that never receives one, such as misconfigurations.


See the full post of the article with the link below.


Links:

Aug 14, 2022

Learning about Temporal CVSS Score

The CVSS score is commonly used in vulnerability management as the metric by which the severity of vulnerabilities is computed and compared.

CVSS scores range from 0 to 10. The rating is composed of three metric groups (Base, Temporal, Environmental), each with several sub-metrics.

CVSS score metrics

Base metrics are the primary metric group reported in NIST's NVD, the public database of CVSS scores for known vulnerabilities. Base metrics do not change over time and remain the same throughout the lifetime of a CVE.

Temporal metrics change over time as a result of activities by both software vendors and attackers, and may or may not be available in NVD. If the vendor has released a public patch, the Temporal score for the CVE goes down; if a working exploit is known, it goes up. As the availability of patches and exploit code changes, the temporal metric values change, and with them the overall CVSS score.

Environmental metrics apply to the specific environment in which a vulnerability exists and are therefore specific to each enterprise. They cover the business criticality of the affected asset and the compensating controls (or their absence) that change how exposed the organization is to the vulnerability.

CVSS Temporal Metrics

According to FIRST, “Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.” There are three metrics within this metric group – Exploit Code Maturity, Remediation Level, and Report Confidence.

Temporal Metric: Exploit Code Maturity (5 values)

Exploit Code Maturity asks how far exploitation has progressed: does working exploit code exist, and is it being used in the wild? Many vulnerabilities are only theoretical in nature and never get exploited by adversaries. Others are exploited, but the code to operationalize the exploit never gets widely distributed, which keeps it out of reach of unskilled attackers, who make up the majority.

Exploit Code Maturity is rated at one of five levels: not defined (X), high (H), functional (F), proof-of-concept (P), unproven (U).

Temporal Metric: Remediation Level (5 values)

Remediation Level refers to the availability and maturity of a fix or patch for the vulnerability. As the fix matures, the Temporal score decreases.

Remediation Level is rated at one of five levels: not defined (X), unavailable (U), workaround (W), temporary fix (T), official fix (O).

Temporal Metric: Report Confidence (4 values)

This metric measures the confidence that the vulnerability actually exists and that its published details are accurate. For example, if the vendor publicly acknowledges the vulnerability, there is very high confidence that it is real.

Report Confidence is rated at one of four levels: not defined (X), confirmed (C), reasonable (R), unknown (U).

 

To calculate the overall CVSS score, the Temporal score must therefore be taken into account alongside the Base score when determining the severity and priority of open vulnerabilities. In CVSS v3.1 the Temporal score is simply the Base score multiplied by the three temporal factors and rounded up to one decimal, so a vulnerability with a functional exploit and no fix scores higher than the same one with an official fix.


Links:

Aug 12, 2022

Cyber Incident on iPay88

Another cyber incident.

Unlike the cyber attack on Cisco, not much information has been disclosed by iPay88. Since iPay88 is the largest online payment gateway and platform in Malaysia, financial data may have been leaked.


Links:

Aug 11, 2022

Cyber Attack on Cisco

The threat actors managed to gain access to Cisco's corporate network even though the VPN was protected with MFA, and 2.75 GB of data was reportedly stolen from Cisco.

IMO, push-notification MFA can be insecure if it is mis-configured. The same goes for any 2FA or MFA: a mis-configured security control is just a false sense of security.

Here is the initial access vector, as described by Cisco Talos.

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka "vishing") and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.  

Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms. 

We can all learn more about the TTPs (tactics, techniques and procedures) from the Cisco Talos write-up on this breach.
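The Talos text describes two observable steps: a burst of push prompts ending in an approval (MFA fatigue) and new MFA devices enrolled right afterwards. The following added detection sketch (mine, not Cisco's or any vendor's) flags both over a constructed, simplified log of the form "timestamp user event detail"; the field names, the 5-prompts-in-10-minutes threshold and the 30-minute enrollment window are assumptions to be tuned against a real IdP's logs.

```python
# Added example: flag MFA-fatigue patterns (a burst of push prompts ending in an
# approval) and a new MFA device enrolled shortly after such an approval.
# The log format is a constructed, simplified one, not any vendor's real schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <outcome-or-detail>"
SAMPLE_LOG = """\
2022-08-01T09:00:01Z alice push denied
2022-08-01T09:00:35Z alice push denied
2022-08-01T09:01:10Z alice push timeout
2022-08-01T09:01:50Z alice push timeout
2022-08-01T09:02:30Z alice push denied
2022-08-01T09:03:05Z alice push approved
2022-08-01T09:06:00Z alice device_enrolled phone-2
2022-08-01T09:00:05Z bob push approved
2022-08-01T10:30:00Z bob push approved
2022-08-01T11:00:00Z carol push denied
2022-08-01T11:00:40Z carol push denied
2022-08-01T11:20:00Z carol push approved
"""

PUSH_WINDOW = timedelta(minutes=10)    # how far back to count prompts (assumed)
PUSH_THRESHOLD = 5                     # prompts, including the approval, that make a burst (assumed)
ENROLL_WINDOW = timedelta(minutes=30)  # enrollment this soon after a flagged approval is suspect (assumed)


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, detail) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, detail))
    events.sort()  # the sample interleaves users; detection needs time order
    return events


def detect(text):
    """Return findings as (rule, user, timestamp, detail) tuples."""
    findings = []
    recent_pushes = defaultdict(list)  # user -> prompt timestamps inside PUSH_WINDOW
    flagged_approval = {}              # user -> time of the approval that was flagged
    for ts, user, event, detail in parse_log(text):
        if event == "push":
            window = [t for t in recent_pushes[user] if ts - t <= PUSH_WINDOW]
            window.append(ts)
            recent_pushes[user] = window
            # A single approval after many denied/timed-out prompts is the fatigue signature.
            if detail == "approved" and len(window) >= PUSH_THRESHOLD:
                findings.append(("mfa_fatigue", user, ts, f"{len(window)} prompts"))
                flagged_approval[user] = ts
        elif event == "device_enrolled":
            # Talos: the actor "enrolled a series of new devices for MFA" once inside.
            approved_at = flagged_approval.get(user)
            if approved_at is not None and ts - approved_at <= ENROLL_WINDOW:
                findings.append(("enrollment_after_fatigue", user, ts, detail))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Only alice is flagged: six prompts in three minutes ending in an approval, then a new device three minutes later. Carol's two denials twenty minutes before her approval fall outside the window, and bob's approvals are isolated. In a real deployment the second rule is the more valuable one, since a device enrollment from a new IP shortly after any approval is rare for legitimate users and is what turns one stolen session into durable access.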


Links:

Aug 10, 2022

Command Line Commands – CLI Tutorial

The Windows command line is always my favorite tool. It is one of the most powerful utilities, letting me interact with the OS directly.

Here are some of the commands, which I put under two groups.


Without Admin Privileges 

C:\> driverquery

C:\> systeminfo

C:\> prompt xx@localhost $$ 

C:\> dir | clip

C:\> assoc

C:\> fc 

C:\> title cmdline

C:\> cipher

C:\> netstat -an

C:\> color 0a

C:\> for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

C:\>  ipconfig /all

C:\> powercfg /energy 

C:\> attrib +h +s +r folder_name

C:\> start https://www.google.com

C:\> tree

C:\> ver 

C:\> tasklist /FI "IMAGENAME eq task.exe"

C:\> vol


Need Admin Privileges

C:\> powershell Start-Process cmd -Verb RunAs

C:\> dism

C:\> sfc   

C:\> taskkill /IM "chrome.exe" /F

C:\> shutdown


Link:

Aug 9, 2022

Leadership First

 Don't push your most loyal people to the point that they no longer care.

Because if you do, you run the risk of pushing away great talent while settling for mediocrity.

~ Leadership First

Aug 7, 2022

Start MSIE Browser Even Replaced by MS-Edge Browser

Internet Explorer 11 (on Windows 10)

Still miss MS Internet Explorer?

Here's a way to "start" IE even after it has been replaced by MS Edge.

  1. Press "win" key, and start typing "Internet Options".
  2. Click on "Internet Options", and you should see "Internet Properties" control panel.
  3. Click on "Programs" tab.
  4. Click on "Manage add-ons" button, and see the "Manage Add-ons" window.
  5. At the bottom, click on "Learn more about toolbars and extensions" link.
  6. MSIE browser is back!! 😜

 

Note that this method works on both Windows 10 and 11. Let's start 🏄 with MSIE again.

Aug 4, 2022

Encryption for SSH and TLS

The two most common cryptographic protocols, SSH and TLS/SSL, are commonly mis-configured in many ways.

 

SSH (22/tcp)

The SSH key exchange algorithm is fundamental to keeping the protocol secure. It is what allows two previously unknown parties to agree on a shared key in plain sight and still have that secret remain private to the client and server.

Nearly all encryption schemes require the parties to hold a shared secret. Key exchange algorithms allow two parties to create one while exchanging information in public. They do not actually exchange keys, but rather partial values from which both parties derive the same shared secret.

Over time, some of these algorithms have been identified as weak or vulnerable.

A weak key exchange algorithm uses components with fundamental security flaws. There are two primary reasons for regarding one as weak:

  1. The algorithm uses SHA-1.
  2. The algorithm uses a 1024-bit modulus: RSA 1024-bit keys, or the fixed 1024-bit Diffie-Hellman group behind diffie-hellman-group1-sha1 (the group size targeted by the Logjam attack).

When flaws were identified in SHA-1, it was believed this could potentially impact SSH security. An attack against the protocol would be extremely difficult and is nearly impossible to conduct in practice.

Despite the unlikeliness of such an attack, offering algorithms with known weaknesses such as SHA-1 will be raised as a Low Risk finding on a network penetration test.

A list of known weak key exchange algorithms:

  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1
  • gss-gex-sha1-*
  • gss-group1-sha1-*
  • rsa1024-sha1

Besides that, there is also the issue of weak SSH MAC algorithms. These are present in the majority of SSH configurations and are generally considered Low Risk.

As with most encryption schemes, SSH MAC algorithms are used to validate data integrity and authenticity. A 'MAC algorithm' should not be conflated with a MAC (Message Authentication Code): the algorithm takes the message and the session's secret key and produces the fixed-length MAC tag that is sent with each packet.

A MAC algorithm may be considered weak for the following reasons:

  1. A known weak hash function is used (MD5).
  2. The hash's digest length is too small (less than 128 bits).
  3. The tag is truncated (the -96 suffix means only 96 bits of the tag are sent, less than 128 bits).

The following are the most common known weak MAC algorithms encountered in SSH:    

  • hmac-md5
  • hmac-md5-96
  • hmac-sha1-96
  • hmac-sha2-256-96
  • hmac-sha2-512-96


TLS/SSL (443/tcp)

Three commonly mis-configured cipher settings on TLS/SSL servers:

  • Information disclosure with predicted IV in CBC
  • NULL ciphers supported
  • 'Export Ciphers' enabled  

SSLv3 and TLS 1.0 implementations using cipher block chaining (CBC) ciphers may be vulnerable to plaintext-recovery attacks. In those protocol versions the IV of each record is predictable (it is the last ciphertext block of the previous record), and an attacker can leverage this in more advanced attacks, as demonstrated by the BEAST attack.

There are two ways to remediate this: 1) disable SSLv3 and TLS 1.0 completely and enforce TLS 1.2 or later (TLS 1.1 is deprecated alongside TLS 1.0 by RFC 8996, so it is not worth keeping); 2) leave TLS 1.0 enabled but disable the CBC ciphers. The second option leaves TLS 1.0 with only RC4, which is itself prohibited by RFC 7465, so in practice only the first option is sound.

NULL ciphers offer no confidentiality at all. A NULL cipher suite applies no encryption to the record payload; the TLS record layer only adds a MAC, so the data crosses the wire in plaintext. NULL ciphers must not be used in production environments where confidentiality is required.

Examples of null ciphers:

  • TLS_NULL_WITH_NULL_NULL
  • TLS_RSA_WITH_NULL_MD5 / NULL-MD5
  • TLS_DHE_PSK_WITH_NULL_SHA / DHE-PSK-NULL-SHA

'Export ciphers' are low-grade cryptographic ciphers that were authorized for use outside the US during the 1990s. At that time encryption was heavily regulated by the US government as auxiliary military equipment, which gave intelligence agencies easier access to foreign communication channels of interest.

Export ciphers may once have been strong enough to keep data from the general public, but their 40-bit symmetric keys and 512-bit RSA moduli are within reach of anyone with modest computing resources today, not only state-sponsored actors. Supporting export ciphers poses an excessive risk to users who may be using older web clients.

Because most SSL/TLS services negotiate ciphers in order of preference, it is rare for clients such as web browsers to negotiate all the way down to export-grade encryption. Despite this, consideration must be given to downgrade attacks in which a MITM forces negotiation of export ciphers, as the FREAK (export RSA) and Logjam (export Diffie-Hellman) attacks demonstrated.

Examples of 'export ciphers':

  • SSL_RSA_EXPORT_WITH_RC4_40_MD5 / EXP-RC4-MD5
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA / EXP-DES-CBC-SHA

 

Links:


Aug 3, 2022

SSH and TLS Enumeration

SSH and TLS/SSL are the two most common encrypted protocols used daily by sysadmins. Here I list some command-line tools I commonly use in troubleshooting the two protocols, plus some links below.


SSH (22/tcp):

Enumerate SSHD configuration with SSHscan

$ python sshscan.py -t 192.168.31.1

Enumerate SSH algorithm with NMAP

$ nmap --script ssh2-enum-algos 192.168.1.1

Print the client's effective configuration for that host after evaluating Host and Match blocks.

$ ssh -G 192.168.31.1

Query ssh for the algorithms the local client build supports (not what a remote server offers): cipher, cipher-auth, mac, kex, kex-gss, key, key-cert, key-plain, key-sig, protocol-version.

$ ssh -Q query_option
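The nmap and ssh -Q commands above produce lists of algorithm names, and the Aug 4 post above lists which key-exchange and MAC algorithms a pentest will flag. The following added example (my code, not nmap's or OpenSSH's) joins the two: it parses an ssh2-enum-algos result, reports the weak entries, and emits explicit sshd_config allowlists containing only the non-weak algorithms the server already offers. The nmap output embedded below is constructed to mimic the script's layout and is not from a real host.

```python
# Added example: audit an SSH server's offered key-exchange and MAC algorithms
# against the weak lists from the Aug 4 post and emit an explicit sshd_config allowlist.
# SAMPLE_NMAP is constructed to mimic nmap's ssh2-enum-algos layout; it is not a real scan.

WEAK_KEX = {
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
    "rsa1024-sha1",
}
WEAK_KEX_PREFIXES = ("gss-gex-sha1-", "gss-group1-sha1-")  # the gss-*-sha1-* families
WEAK_MAC = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-sha2-256-96", "hmac-sha2-512-96"}

SAMPLE_NMAP = """\
| ssh2-enum-algos:
|   kex_algorithms: (5)
|       curve25519-sha256
|       ecdh-sha2-nistp256
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       rsa-sha2-512
|       ssh-ed25519
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|       aes128-ctr
|   mac_algorithms: (5)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512
|       hmac-sha1
|       hmac-sha1-96
|       hmac-md5
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""


def parse_enum_algos(text):
    """Map each '<section>: (n)' header to the algorithm names listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's '| ' / '|_ ' gutter
        if not line or line.startswith("ssh2-enum-algos"):
            continue
        if ": (" in line and line.endswith(")"):
            current = line.split(":", 1)[0]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def is_weak_kex(name):
    return name in WEAK_KEX or name.startswith(WEAK_KEX_PREFIXES)


def audit(kex_names, mac_names):
    """Weak entries in the given lists. Works both for nmap output (what the server
    offers) and for `ssh -Q kex` / `ssh -Q mac` output (what the local client supports)."""
    return {
        "weak_kex": [a for a in kex_names if is_weak_kex(a)],
        "weak_mac": [a for a in mac_names if a in WEAK_MAC],
    }


def audit_nmap(text):
    s = parse_enum_algos(text)
    return audit(s.get("kex_algorithms", []), s.get("mac_algorithms", []))


def hardened_sshd_lines(text):
    """Explicit sshd_config allowlists: only the non-weak algorithms the server
    already offers, kept in the server's own preference order."""
    s = parse_enum_algos(text)
    kex = [a for a in s.get("kex_algorithms", []) if not is_weak_kex(a)]
    mac = [a for a in s.get("mac_algorithms", []) if a not in WEAK_MAC]
    return ["KexAlgorithms " + ",".join(kex), "MACs " + ",".join(mac)]


if __name__ == "__main__":
    print(audit_nmap(SAMPLE_NMAP))
    print("\n".join(hardened_sshd_lines(SAMPLE_NMAP)))
```

To audit the local client instead, feed `ssh -Q kex` and `ssh -Q mac` output (one name per line) to audit() as split lists. Note that hmac-sha1 survives the allowlist because the Aug 4 post only flags the truncated -96 variants; whether to keep a full-tag SHA-1 MAC is a policy decision, not something the list above decides for you.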


TLS/SSL (443/tcp):

$ sslyze www.facebook.com

$ ./sslscan.exe 192.168.31.1

$ tlsscan 192.168.31.1

$ ./tls-scan -c www.facebook.com --cacert=./ca-bundle.crt --pretty


Links:


Aug 2, 2022

Edit HTML Page

You can easily edit the text of any web page with a bookmarklet.

Simply highlight the (bold) text below and drag it into your bookmarks/favorites bar.



javascript:document.body.contentEditable = 'true'; document.designMode='on'; void 0


Whenever you want to edit text on a page, click the bookmarklet and start editing. The change lives only in your browser's copy of the DOM; nothing is sent to the server and a reload discards it, which is also why a screenshot of an "edited" page proves nothing.

Aug 1, 2022

GitLeaks

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets such as passwords, API keys and tokens in git repos.

It is a fast, lightweight, portable, open-source secret scanner for git repositories, files and directories. With over 5 million Docker pulls, 10k GitHub stars and over 200k Homebrew installs, gitleaks is one of the most widely used secret scanners among security professionals, enterprises and developers.


Links: