Skip to content

Notes

  • 5 min read

Proxmox Images

Whether it's metasploitable2, SIFT, or some other prepackaged image you're wanting to run from your Proxmox hypervisor, it's easy to get lost in the configuration process. Generally speaking through, you want to get your image into a qcow2 format and then moved onto the Proxmox host in a location where you keep your images. The default location is /var/lib/vz/images. Here's a walkthrough of how to do it.

Converting to qcow2

The conversion process varies slightly depending on what you're given. If it's an .ova file, you'll need to first run: 

tar -vxf filename.ova
This extracts the files. From there, you've likely got a vmdk file and this is what you'd convert to qcow2 using: 
qemu-img convert -f vmdk -O qcow2 ~/Downloads/sift-disk1.vmdk ~/sift.qcow2

Transferring to Proxmox Host

Now that you have the image in a format that works for Proxmox, you can transfer it over to the Proxmox host using whatever method works for you. I'll show the commands for scp using the standard password login through scp or using creds.

scp with password 
scp ~/sift.qcow2 root@proxmox_ip:8006/var/lib/vz/images/
The command explained
  • scp: we want to transfer a file to/from the machine we're on to/from another machine
  • ~/sift.qcow2: this is the from location (in this case on our client computer)
  • root@proxmox_ip:8006/var/lib/vz/images: this is our to location (in this case, it's the proxmox IP address running on the native Proxmox port 8006 and going to the images directory)
    When you hit enter for this command, you'll be prompted for the Proxmox root password so long as you didn't change it to disallow password authentication.
scp with creds 
scp -i id_rsa ~/sift.qcow2 root@proxmox_ip:8006/var/lib/vz/images/
The command explained
  • scp: we want to transfer a file to/from the machine we're on to/from another machine
  • -i id_rsa: this assumes you have your computer's public ssh key in the authorized_keys file on the Proxmox host (this is a more secure way of logging in rather than using a password)
  • ~/sift.qcow2: this is the from location (in this case on our client computer)
  • root@proxmox_ip:8006/var/lib/vz/images: this is our to location (in this case, it's the proxmox IP address running on the native Proxmox port 8006 and going to the images directory)

Creating Skeleton VM

From the Proxmox web interface, follow these steps to create a new VM skeleton:

  1. Log in to the Proxmox portal: Open your Proxmox web interface in a browser.
  2. Click on the "Create VM" button: This option is typically at the top-right of the interface. createVM
  3. Enter the VM details: creatingVM
  4. Skip the ISO Image step: nomedia
    • Select the "Do not use any media" option since you will attach the disk image later.

  5. Configure the VM hardware:

    • System: Choose the firmware (BIOS or UEFI) appropriate for your image. If unsure, use the default.
    • Hard Disk: Skip adding a hard disk here since you will import the disk image later.
    • CPU: Allocate a reasonable number of cores (e.g., 2 cores for basic setups).
    • Memory: Assign sufficient RAM based on your VM requirements (e.g., 4096 MB for SIFT).
    • Network: Add a network device (e.g., VirtIO or E1000) as required.
    • Finalize: Review your settings and click "Finish" to create the skeleton VM.

Importing, Attaching Image

From the Proxmox host's shell, you'll now need to associate the image with the VM you created. 

qm importdisk 113 /var/lib/vz/images/sift.qcow2 local-lvm

Once this finishes successfully, you'll go back into the portal's view of the VM's settings. You'll notice in the Hardware tab there is now a hard disk that says Unused Disk 0 (or something similar). Double-click it, select the appropriate Bus/Device option and then click add.
unused add

How do I know which Bus/Device to select?
  1. Check the Documentation: Most prepackaged images specify their recommended Bus/Device type.
  2. Trial and Error: If documentation isn't clear, try adding the disk using a likely candidate (e.g., SCSI or VirtIO) and boot the VM. Adjust if the image fails to boot or the OS doesn't detect the disk.
  3. Inspect the OS: If you can mount the image or access the OS configuration, check what drivers are pre-installed (e.g., VirtIO drivers for Linux-based VMs).


    Known:
    • Metasploitable2: VirtIO
    • SIFT Workstation: SCSI
    • REMnux: SCSI
    • Kali Linux: VirtIO
    • Parrot Security OS: VirtIO

Setting the Boot Order

Ensure the VM knows to look for the hard disk when it boots:

  1. Go to the Options tab in the VM settings. bootorder
  2. Double-click Boot Order. chkboxprioritize

Start the VM

Fire up that puppy up.

  • 10 min read
Draft

Encrypted Client Hello

Background

When you want to visit a website, you might click a link or type in the domain name and boom, in an instant, the page loads on your screen. Behind the scenes, however, a complex exchange occurs between your browser (client) and the website’s server to establish a secure connection. This process, known as the TLS handshake, negotiates how information will be encrypted and transmitted between the two parties. While different versions of TLS (Transport Layer Security) implement this handshake slightly differently, the overall goal remains the same: agree on secure parameters for communication.

The TLS handshake begins when the client sends a Client Hello message to the server. This message contains critical information, such as supported versions of TLS, a list of preferred cryptographic algorithms (cipher suites), and any additional capabilities or settings required to establish a secure channel. These capabilities are communicated through a series of extensions, which serve as modular options that allow the client and server to enable or disable specific features based on what they support.

Client Hello and Extensions

The Client Hello message includes a set of extensions that help tailor the connection to the client’s needs and the server’s capabilities. Some commonly used extensions include:

  • Supported Versions: Indicates the versions of TLS the client can support, such as TLS 1.2 or TLS 1.3.
  • Server Name Indication (SNI): Allows the client to specify the exact hostname it wants to connect to, useful for servers that host multiple domains on a single IP address.
  • Key Share: Provides the client’s public key for Diffie-Hellman or elliptic curve key exchanges, which are used to securely agree on a shared secret.
  • Signature Algorithms: Lists the signature algorithms that the client supports, enabling the server to choose a compatible one for signing handshake messages.
  • Supported Groups: Specifies the elliptic curve groups that the client supports for key exchange.

These extensions offer flexibility and extensibility to the handshake process, enabling advanced features like session resumption, early data transmission, and post-quantum cryptography.

  • 10 min read
Draft

Cryptography 101

crypto-chacho

Cryptography is designed to support key security objectives in cybersecurity:

  • Confidentiality,
  • Integrity,
  • Authentication, and
  • Non-repudiation.

Understanding these principles is crucial for implementing secure systems and communications. This is a walkthrough of implementing these goals with a classic example that demonstrates the use of asymmetric key exchange, symmetric encryption, and digital signatures.

Alice and Bob have been demoing cryptography for decades. No reason to retire them now.

Confidentiality

Confidentiality ensures that information is only accessible to those authorized to see it. This is achieved through encryption techniques, which transform readable data (plaintext) into unreadable data (ciphertext). We’ll illustrate this concept through an example involving two parties: Alice and Bob.

Step 1: Generating Asymmetric Keys

Before Alice can securely send data to Bob, they need to establish a secure channel for sharing a symmetric key. Bob first needs to generate an RSA key pair:

# Generate Bob's RSA private key (4096 bits)
openssl genpkey -algorithm RSA -out bob_private.pem -pkeyopt rsa_keygen_bits:4096

# Extract Bob's public key from the private key
openssl rsa -in bob_private.pem -pubout -out bob_public.pem

Now, Bob shares his bob_public.pem file with Alice. This public key will be used to encrypt a symmetric key, ensuring that only Bob can decrypt it using his private key.

Why doesn't Alice encrypt it with her private key and let Bob decrypt with Alice's public key?

In this confidentiality portion of the scenario, Alice is wanting to ensure only Bob can decrypt. If Alice signed with her own private key, anyone could use her public key to decrypt the message. Using Bob's public key to encrypt ensures that only Bob, who keeps his private key on lockdown, can decrypt. That said, her private key will be used to address the integrity portion of the cryptogrpahy objectives.

  • 6 min read
Draft

John-the-Ripper & Hashcat

john-chacho

John-the-Ripper & Hashcat: Password-Cracking 101

Is your password policy truly as strong as you think? There's only one sure way to find out—by testing it! In the world of penetration testing, password cracking is an essential skill for uncovering weak credentials and assessing overall security. This walkthrough will guide you through the use of two powerful password-cracking tools, John the Ripper and Hashcat, and how to leverage them with wordlists generated by CeWL, a tool that scrapes websites for likely passwords. We'll explore how to gather targeted wordlists, feed them into cracking tools, and ultimately test the strength of your password policies.

John the Ripper

A versatile password cracking tool for identifying weak passwords in various encrypted formats.

Hashcat

A powerful, GPU-accelerated password cracker that supports a wide range of hashing algorithms. Where the rubber meets the road (but mostly if you have the GPU to harness the power).

CeWL

A web scraper tool that generates custom wordlists by crawling websites for potential password phrases.

Setting Up

Kali or Parrot

If you are running Kali Linux or Parrot Sec OS, you may not need to install much, but check to ensure you're running the latest versions.

  • 3 min read

Magic Bytes & File Forensics

magicbytes-chacho

Magic Bytes & File Forensics

Here's a walkthrough that includes basic checks for file integrity, metadata analysis, content inspection, and security intelligence gathering. Each step is fleshed out with context to guide the triage process:

1. Basic String Extraction

Use strings to extract readable text from the DOCX file. This helps identify hidden or encoded text, suspicious URLs, or any embedded messages without unzipping the file. 

strings suspiciousfile.docx

What to Look For

Scan the output for suspicious phrases, URLs, encoded strings (e.g., base64), or unusual content that doesn't fit the context of the document.

2. File Identification and Format Check

Use file to confirm that the file type is consistent with its extension and to get a basic idea of its format. If the DOCX file claims to be something else, this is a red flag. 

file suspiciousfile.docx

What to Look For

Verify that the output indicates the file is a valid ZIP archive, which is the expected format for DOCX files.

Note

When it is some other format type, (e.g. jpg, etc.), it may end up being helpful to do a google search on "jpg file structure." This will help find documentation as to what the specific magic bytes and other pertinent file structure components are specific to that file type.

  • 6 min read

VM Packet Capture Considerations

When running a virtual machine (VM) to capture network data, there's a potential problem that can arise due to network offloading. This is a specific issue related to capturing network data in a virtualized environment. Network offloading can be likened to missing pages in a notebook; when you capture packets without network offloading, it's like having a complete set of notes with all the necessary information. But when network offloading occurs, it's as if some crucial pages are missing or not present, making it harder to understand the original context and intent.

pcap-chacho

What Happens?

  1. Network Offloading: Many modern network cards and VM hosts support network offloading, allowing the NIC or host to handle certain aspects of the TCP protocol stack on behalf of the guest VM.

  2. MSS (Maximum Segment Size): The MSS is a parameter that specifies the largest amount of data that a device is willing to receive in a single TCP segment. While MSS itself is not altered by offloading, offloading can impact how TCP segments are handled, potentially obscuring details in captured traffic.

  3. VM Network Stack: The VM’s network stack, specifically the virtual NIC, handles TCP segments. Disabling offloading within the VM ensures that packet capture tools see traffic as it is truly handled by the VM without NIC-induced alterations.

  4. Impact on Captured Traffic: When offloading is enabled, the virtual NIC or the host might process packets differently, altering their structure in ways that are not reflected accurately in packet captures.

The Impact

  • Altered Packet Handling: Network offloading features like TSO and GRO can segment or reassemble packets in ways that make captured data appear differently than the actual traffic flow, which can complicate analysis and debugging.
  • Obscured TCP Details: Important TCP details, including segment boundaries, can be masked by offloading, making the captured data less representative of true network behavior.

This can lead to challenges when trying to analyze or debug network problems, as the captured data may not accurately represent the true network behavior.

Disabling Offloading

To disable offloading within a VM, use the following command:

  • 4 min read

RegEx Primer

greppinglogs-chacho

Finding Patterns in Logs (or Other Files)

What is Regex?

Regular Expressions (regex) are sequences of characters that form search patterns. They are used for matching, searching, and manipulating text, making them incredibly useful for analyzing data, detecting patterns, and automating tasks. In cybersecurity, regex can help identify sensitive information, extract useful data from logs, and detect anomalies.

Different Regex Formats

Regex patterns come in several different formats, each suited to specific use cases:

  • Basic Regular Expressions (BRE): Simple, portable expressions that match literal text or basic patterns. Use when you need simplicity without advanced matching requirements.
  • Extended Regular Expressions (ERE): Adds flexibility with operators like +, ?, and {}, useful for moderately complex patterns.
  • Perl-Compatible Regular Expressions (PCRE): Highly versatile, supporting lookaheads, lookbehinds, and more. Ideal for complex patterns and advanced searches.
  • POSIX Regular Expressions: Found in POSIX tools (like awk), with specific character classes like [[:alnum:]]. Choose for cross-platform consistency.

Basic Concepts of Regex

Literal Characters

Match exactly what you type (e.g., abc matches "abc").

Metacharacters

Special characters with unique functions:

  • .: Matches any character except a newline.
  • ^: Anchors the match to the start of a line.
  • $: Anchors the match to the end of a line.
  • \: Escapes a metacharacter to treat it as a literal.

Character Classes

Define a set of characters:

  • [0-9] or \d: Matches any digit.
  • [a-zA-Z]: Matches any letter (uppercase or lowercase).

Quantifiers

Define how many times an element must appear:

  • *: Matches 0 or more times.
  • +: Matches 1 or more times.
  • ?: Matches 0 or 1 time.
  • {n,m}: Matches between n (minimum) and m (maximum) times.

Grouping and Capturing

Parentheses () group patterns and capture matched text.

Why Use Regex in Cybersecurity?

  • Log Analysis: Quickly search and filter through logs to find specific events, IP addresses, error codes, or patterns.
  • Data Extraction: Extract sensitive information like credit card numbers, email addresses, or phone numbers.
  • Intrusion Detection: Identify patterns indicative of malicious activity, like SQL injection attempts, XSS payloads, or anomalous user behavior.
  • Data Sanitization: Validate and sanitize inputs to prevent injection attacks.

Choosing a Regex Format

Basic Regular Expressions (BRE)

When to Use:

Use BRE when working with simple patterns and in cases where compatibility with various systems is a factor.

Example:
grep -Bil '(secret|confidential|sensitive)' /path/to/file.txt

This command uses BRE to search for "secret," "confidential," or "sensitive" in the file.

  • 6 min read

Examining RAM Dumps

ram-chacho

Volatility is an advanced memory forensics framework used for analyzing RAM dumps. It helps digital forensic investigators and cybersecurity professionals extract valuable information from volatile memory, including processes, registry hives, network connections, and more. This tool is often used in incident response, malware analysis, and CTF challenges due to its ability to dig deep into system states captured at the moment a memory dump is created.

Volatility Cheatsheet

Installation and Setup

  1. Install Dependencies: 

    sudo apt update
sudo apt install python3 python3-pip git

  2. Clone Volatility 3 Repository: 

    git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3

  3. Install Volatility Requirements: 

    pip3 install -r requirements.txt

  4. Run Volatility 3: 

    python3 vol.py -h

Basic Commands

  • 5 min read

ICS Incident Response Playbooks

watertreatment-chacho

Playbooks for responding to incidents involving Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, and Remote Terminal Units (RTUs) provide a structured, repeatable response process. Each playbook should be tailored to the unique characteristics and operational context of these devices and systems while addressing the specific types of threats they face.

Here is an overview of what these playbooks might look like:

PLC Incident Response Playbook

Objective: Identify, contain, and remediate incidents affecting PLCs to prevent unauthorized control, data manipulation, or disruption of physical processes.

Key Components

  • Preparation

    • Maintain an updated inventory of all PLCs, including their firmware versions, IP addresses, network segments, and connected devices.
    • Regularly back up PLC configurations and firmware.
    • Implement strict access controls and authentication mechanisms, such as role-based access control (RBAC).
    • Ensure logging and monitoring of PLC traffic, including command and configuration changes.
    • Conduct regular security training for staff on PLC threats and best practices.

  • Detection

    • Monitor for unauthorized PLC connections or traffic patterns.
    • Use Intrusion Detection Systems (IDS) and anomaly detection tools to identify unusual Modbus, Ethernet/IP, or other relevant protocol traffic.
    • Look for unexpected PLC behavior, such as unscheduled reboots, changes in operating mode, or altered setpoints.

  • Initial Containment

    • Isolate the affected PLC from the network if feasible without disrupting critical operations.
    • Disable remote access to the PLC and review recent access logs to identify unauthorized actions.
    • Verify the integrity of the PLC’s configuration and firmware by comparing it against a known good baseline.
  • 8 min read

ICS Protocols

railway-chacho

This is just a short primer on 12 common protocols used in various industrial control systems (ICS). The goal of this entry is just to get a quick at-a-glance understanding of what the protocol is used for and why/how indicators of compromise might be identified in a system that has been attacked.

1. Modbus

  • Introduction: Used in industrial control systems like manufacturing, water treatment, and energy for communication between devices such as PLCs and sensors/actuators.
  • Overview: A simple, open serial protocol operating over serial lines (Modbus RTU) or TCP/IP networks (Modbus TCP).
  • Indicators of Compromise:
    • Unexpected traffic from unauthorized IP addresses.
    • Unusual function codes in Modbus packets.
    • High frequency of commands indicating reconnaissance or brute-force attempts.
  • Exploitation Methods:
    • Man-in-the-Middle (MitM) Attacks: Intercepting and altering messages.
    • Unauthorized Commands: Sending malicious commands to change configurations or disable processes.
    • Replay Attacks: Capturing and replaying messages to disrupt operations.
  • Potential Attack Examples:
    • MitM Attack: Altering commands to change a pump's setpoint.
    • Unauthorized Commands: Sending Function Code 5 (Write Single Coil) or Function Code 6 (Write Single Register).
    • Replay Attack: Replaying captured traffic to repeat commands.

  • Display Filter Suggestions:

    • Detect Unauthorized Commands: 

      modbus.func_code == 5 || modbus.func_code == 6
      Useful to identify potentially malicious commands that could alter device configurations.

    • High Frequency of Commands: 

      modbus && frame.time_delta < 0.1
      Useful for detecting a high volume of commands that could indicate a brute-force attack.

    • Unexpected Source/Destination IPs: 

      ip.src != {expected_ip} && ip.dst == {modbus_device_ip}
      Useful to identify traffic from unauthorized IPs targeting Modbus devices.