Blog¶

9/7/24
4 min read

Regular Expressions (regex) are sequences of characters that form search patterns. They are used for matching, searching, and manipulating text, making them incredibly useful for analyzing data, detecting patterns, and automating tasks. In cybersecurity, regex can help identify sensitive information, extract useful data from logs, and detect anomalies.

Different Regex Formats

Regex patterns come in several different formats, each suited to specific use cases:

Basic Regular Expressions (BRE): Simple, portable expressions that match literal text or basic patterns. Use when you need simplicity without advanced matching requirements.
Extended Regular Expressions (ERE): Adds flexibility with operators like +, ?, and {}, useful for moderately complex patterns.
Perl-Compatible Regular Expressions (PCRE): Highly versatile, supporting lookaheads, lookbehinds, and more. Ideal for complex patterns and advanced searches.
POSIX Regular Expressions: Found in POSIX tools (like awk), with specific character classes like [[:alnum:]]. Choose for cross-platform consistency.

Basic Concepts of Regex

Literal Characters

Match exactly what you type (e.g., abc matches "abc").

Metacharacters

Special characters with unique functions:

.: Matches any character except a newline.
^: Anchors the match to the start of a line.
$: Anchors the match to the end of a line.
\: Escapes a metacharacter to treat it as a literal.

Character Classes

Define a set of characters:

[0-9] or \d: Matches any digit.
[a-zA-Z]: Matches any letter (uppercase or lowercase).

Quantifiers

Define how many times an element must appear:

*: Matches 0 or more times.
+: Matches 1 or more times.
?: Matches 0 or 1 time.
{n,m}: Matches between n (minimum) and m (maximum) times.

Grouping and Capturing

Parentheses () group patterns and capture matched text.

Why Use Regex in Cybersecurity?

Log Analysis: Quickly search and filter through logs to find specific events, IP addresses, error codes, or patterns.
Data Extraction: Extract sensitive information like credit card numbers, email addresses, or phone numbers.
Intrusion Detection: Identify patterns indicative of malicious activity, like SQL injection attempts, XSS payloads, or anomalous user behavior.
Data Sanitization: Validate and sanitize inputs to prevent injection attacks.

Choosing a Regex Format

Basic Regular Expressions (BRE)

When to Use:

Use BRE when working with simple patterns and in cases where compatibility with various systems is a factor.

Example:

grep -Bil '(secret|confidential|sensitive)' /path/to/file.txt

This command uses BRE to search for "secret," "confidential," or "sensitive" in the file.

9/7/24
6 min read

Examining RAM Dumps

ram-chacho

Volatility is an advanced memory forensics framework used for analyzing RAM dumps. It helps digital forensic investigators and cybersecurity professionals extract valuable information from volatile memory, including processes, registry hives, network connections, and more. This tool is often used in incident response, malware analysis, and CTF challenges due to its ability to dig deep into system states captured at the moment a memory dump is created.

Volatility Cheatsheet

Installation and Setup

Install Dependencies:

sudo apt update
sudo apt install python3 python3-pip git

Clone Volatility 3 Repository:

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3

Install Volatility Requirements:
```
pip3 install -r requirements.txt
```
Run Volatility 3:
```
python3 vol.py -h
```

Basic Commands

8/29/24
5 min read

ICS Incident Response Playbooks

watertreatment-chacho

Playbooks for responding to incidents involving Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and Remote Terminal Units (RTUs) provide a structured, repeatable response process. Each playbook should be tailored to the unique characteristics and operational context of these devices and systems while addressing the specific types of threats they face.

Here is an overview of what these playbooks might look like:

PLC Incident Response Playbook

Objective: Identify, contain, and remediate incidents affecting PLCs to prevent unauthorized control, data manipulation, or disruption of physical processes.

Key Components

Preparation
- Maintain an updated inventory of all PLCs, including their firmware versions, IP addresses, network segments, and connected devices.
- Regularly back up PLC configurations and firmware.
- Implement strict access controls and authentication mechanisms, such as role-based access control (RBAC).
- Ensure logging and monitoring of PLC traffic, including command and configuration changes.
- Conduct regular security training for staff on PLC threats and best practices.
Detection
- Monitor for unauthorized PLC connections or traffic patterns.
- Use Intrusion Detection Systems (IDS) and anomaly detection tools to identify unusual Modbus, Ethernet/IP, or other relevant protocol traffic.
- Look for unexpected PLC behavior, such as unscheduled reboots, changes in operating mode, or altered setpoints.
Initial Containment
- Isolate the affected PLC from the network if feasible without disrupting critical operations.
- Disable remote access to the PLC and review recent access logs to identify unauthorized actions.
- Verify the integrity of the PLC’s configuration and firmware by comparing it against a known good baseline.
  Continue reading

8/29/24
8 min read

ICS Protocols

railway-chacho

This is just a short primer on 12 common protocols used in various industrial control systems (ICS). The goal of this entry is just to get a quick at-a-glance understanding of what the protocol is used for and why/how indicators of compromise might be identified in a system that has been attacked.

1. Modbus

Introduction: Used in industrial control systems like manufacturing, water treatment, and energy for communication between devices such as PLCs and sensors/actuators.
Overview: A simple, open serial protocol operating over serial lines (Modbus RTU) or TCP/IP networks (Modbus TCP).
Indicators of Compromise:
- Unexpected traffic from unauthorized IP addresses.
- Unusual function codes in Modbus packets.
- High frequency of commands indicating reconnaissance or brute-force attempts.
Exploitation Methods:
- Man-in-the-Middle (MitM) Attacks: Intercepting and altering messages.
- Unauthorized Commands: Sending malicious commands to change configurations or disable processes.
- Replay Attacks: Capturing and replaying messages to disrupt operations.
Potential Attack Examples:
- MitM Attack: Altering commands to change a pump's setpoint.
- Unauthorized Commands: Sending Function Code 5 (Write Single Coil) or Function Code 6 (Write Single Register).
- Replay Attack: Replaying captured traffic to repeat commands.
Display Filter Suggestions:
- Detect Unauthorized Commands:
```
modbus.func_code == 5 || modbus.func_code == 6
```
  Useful to identify potentially malicious commands that could alter device configurations.
- High Frequency of Commands:
```
modbus && frame.time_delta < 0.1
```
  Useful for detecting a high volume of commands that could indicate a brute-force attack.
- Unexpected Source/Destination IPs:
```
ip.src != {expected_ip} && ip.dst == {modbus_device_ip}
```
  Useful to identify traffic from unauthorized IPs targeting Modbus devices.
  Continue reading

8/27/24
3 min read

Draft

Tshark

tshark-chacho

Why Use `tshark` Over Wireshark?

Tshark is a powerful command-line alternative to Wireshark, especially useful in scenarios where efficiency, automation, and resource constraints are factors. Unlike Wireshark’s GUI, tshark excels in processing large data sets, automating repetitive tasks, and operating in headless environments, making it ideal for large-scale or automated network analysis tasks.

Basic Capture Commands

Capture Traffic

On a Specific Interface.

tshark -i eth0

With a Filter.

tshark -i eth0 -f "port 80"

Write Capture to a File

tshark -i eth0 -w capture.pcap

Setting Up Captures on VMs

There are some considerations to be aware of when capturing from VMs; more on this can be found over here.

8/25/24
6 min read

Remote Access Using WireGuard & TigerVNC

In an era of rapidly evolving technology, many parents who didn’t grow up with modern devices often need help navigating new advancements. When parents live far away, offering this support becomes more challenging. A secure and efficient remote access system can bridge this gap, allowing for support and troubleshooting. This guide walks through how to set up such a system using WireGuard VPN and TigerVNC, ensuring remote connections are secure and effective without sacrificing performance. In this example, the user has a Unifi Dream Machine they are using as their gateway router so the Unifi OS interface is used for the local network configuration.

facetimeDad-chacho

Step 1: Set Up WireGuard VPN on the UDM

Wireguard is used as the preferred VPN protocol because of its lightweight and speed efficiency providing a more ideal solution than OpenVPN.

Access the UDM Interface

1. Open Your Web Browser:

Enter the IP address of your UDM in the address bar (e.g. https://192.168.1.1).
Log in with your credentials.

2. Navigate to the VPN Settings:

In the UDM interface, click on Settings from the left-hand menu.
Go to VPN under the Services section.

8/20/24
3 min read

Draft

Juice Shop Web App

juiceshop-chacho

OWASP Juice Shop is an intentionally vulnerable web application created by the Open Web Application Security Project (OWASP) for security training purposes. It simulates a real-world e-commerce site, allowing users to explore and exploit various security vulnerabilities in a safe environment.

Key Features

Wide Range of Vulnerabilities: Juice Shop covers the entire OWASP Top 10, as well as other common security flaws, offering a comprehensive learning experience.
User-Friendly Interface: Despite being intentionally vulnerable, the application has a realistic and user-friendly interface, making it accessible for beginners and useful for experienced testers.
Gamified Learning: It incorporates a gamification aspect where users can track their progress and achievements as they discover and exploit different vulnerabilities.
Extensive Documentation: Juice Shop comes with extensive documentation, tutorials, and guides to help users understand the vulnerabilities and learn how to mitigate them.
Open Source: As an open-source project, it encourages community contributions and is freely available for anyone to use and modify.

OWASP Top 10

Broken Access Control:
- Test: Attempt to access unauthorized pages or functionalities by manipulating URLs, using different user roles, or changing request parameters.
- Example: As a low-privileged user, try to access an admin page by directly entering the URL (/admin).
Cryptographic Failures:
- Test: Inspect the application's use of encryption and hashing algorithms. Look for the use of weak algorithms or improper implementation.
- Example: Check if sensitive data, such as passwords, are stored using weak hash functions like MD5 instead of stronger options like bcrypt.
Injection:
- Test: Insert malicious code into input fields to see if it's executed by the server, for example: SQL, NoSQL, OS, and LDAP injection.
- Example: Enter '; DROP TABLE users; -- into a form field to test for SQL injection.
Insecure Design:
- Test: Review the application architecture and design documents for security flaws. Perform threat modeling to identify design weaknesses.
- Example: Assess if sensitive data is adequately protected throughout its lifecycle (e.g., encryption in transit and at rest).
Security Misconfiguration:
- Test: Verify the configuration settings of servers, databases, and applications. Check for default accounts, open ports, and unnecessary services.
- Example: Use tools like Nmap to scan for open ports and identify if unnecessary services are exposed.
Vulnerable and Outdated Components:
- Test: Identify all third-party libraries and components used by the application. Check their versions against known vulnerabilities databases.
- Example: Use tools like OWASP Dependency-Check or Snyk to scan for vulnerable dependencies.
Identification and Authentication Failures:
- Test: Evaluate the authentication mechanisms. Attempt brute force attacks, session hijacking, and other techniques to bypass authentication.
- Example: Test password complexity requirements and rate limits on login attempts to prevent brute force attacks.
Software and Data Integrity Failures:
- Test: Check the integrity of software updates and data. Verify the use of digital signatures and other integrity mechanisms.
- Example: Analyze the update mechanism to ensure updates are signed and verified before installation.
Security Logging and Monitoring Failures:
- Test: Review the logging and monitoring configuration. Ensure that security events are logged and monitored properly.
- Example: Attempt actions that should trigger alerts (e.g., multiple failed login attempts) and check if they are logged and generate alerts.
Server-Side Request Forgery (SSRF):
- Test: Manipulate URLs in requests to see if the server can be tricked into fetching data from internal systems or unauthorized locations.
- Example: Modify a URL parameter to access internal services (e.g., changing http://external.com/resource to http://localhost/admin).

You can run it via node.js, a Docker container, or Vagrant. See more info on their website.

8/19/24
2 min read

Draft

Docker Cheatsheet

docker-chacho

Docker is a platform that allows developers to automate the deployment of applications inside lightweight, portable containers. This cheatsheet provides a quick reference to some of the most commonly used Docker commands, formatted for easy copy-pasting. Use this as a handy resource for managing your Docker containers, images, volumes, and more.

8/18/24
8 min read

Draft

Windows Awareness Checks

windowsAwareness-chacho

Introduction

When a penetration tester gains access to a Windows target, the primary goal is to gather as much information as possible about the environment. This includes performing various awareness checks to identify potential security risks, understand the current security posture, and gather intelligence for privilege escalation or further exploitation. This guide outlines a series of checks, grouped by categories, that should be performed immediately after gaining access to a Windows system.

System Information and Security Policies

Check System Information

Gather detailed information about the system, including the operating system version, architecture, and installed patches. This information is crucial for understanding the environment and identifying potential vulnerabilities.

8/12/24
12 min read

TCP: A Closer Look

TCP, as a fundamental protocol, offers options and mechanisms that enhance its functionality across diverse network environments. Understanding these options is crucial for network engineers, security professionals, and system administrators. This primer delves into the key TCP options, such as Maximum Segment Size (MSS), Window Scaling, and Selective Acknowledgments (SACK), as well as essential TCP features like retransmissions, congestion control, and TCP flags. Additionally, it explores the intricacies of TCP window size analysis, padding practices in TCP/UDP, and the implications of TCP options on network performance and security.

tcp-chacho

A small MSS (<1400 bytes) often indicates tunneling or VPNs due to encapsulation overhead.
A standard MSS (~1460 bytes) suggests a typical Ethernet network without additional encapsulation.
A larger MSS (>1460 bytes) points to networks using jumbo frames, commonly seen in high-performance environments.

Filter: MSS Size Variations

tcp.options.mss_val < 1400 or tcp.options.mss_val > 1460