Chocobo Root
The Chocobo Root exploit (CVE-2016-8655) was discovered by Philip Pettersson in 2016. The bug itself was introduced to the Linux kernel in 2011 and patched in 2016, so it affected a wide range of kernel versions and distributions. Exploit-DB hosts C exploit code, and there is also a Metasploit module for the vulnerability. The bug is a race condition in the AF_PACKET code: changing a socket's packet version (PACKET_VERSION) while its ring buffer is being set up leads to a use-after-free. A local attacker with CAP_NET_RAW (which unprivileged users can obtain on systems that allow unprivileged user namespaces) can use it to run arbitrary code as root or to crash the kernel (denial of service).
Understanding the Threat Landscape
As a SOC analyst, you need to understand the essential concepts of the threat landscape: what a threat is and how to classify it.
Functions of the SOC
The essential activities a SOC analyst performs inside a Security Operations Center.
Kubernetes Management Techniques
There are several ways to manage resources in a Kubernetes cluster; the two main styles are imperative and declarative.
Intro to Wireshark
If you are a computer network or security enthusiast, you've probably heard of Wireshark. Wireshark is the world's most popular network protocol analyzer. It lets you dive into captured traffic and analyze what is going on within a network. You can use it to diagnose network issues and find network vulnerabilities.
Voidtools Everything
Ever wish you could search your computer like you search Google? Now you can! Voidtools "Everything" is a search engine for Windows files. With Everything, you can search for files and folders by filename, and optionally by content.
Escaping Docker Privileged Containers
Privileged containers are often used when a container needs direct hardware access to do its job. However, a privileged Docker container can let an attacker take over the host system. Today, let's look at how attackers escape privileged containers.
Kubernetes Services
Kubernetes services are an abstract way to expose a set of containers as a network service.
PowerShell Code Signing
If you are a system administrator, you might have had to run Task Scheduler jobs or delegate tasks to end users. But have you wondered how to run these tasks securely? How do you ensure the integrity and authenticity of the scripts on your system? This is where code signing helps!
Sysinternals Sysmon
Windows System Monitor (Sysmon) is a Windows system service and device driver that selectively captures and logs detailed system activity (process creation, network connections, file changes and more) to the Windows event log. Security teams use this data to hunt for suspicious activity, and developers can use it to debug issues.
How Overprivileged Processes Compromise Your System
Running processes with higher privileges than they need may lead to a significant system compromise.
Introduction to Tcpdump
Tcpdump is a command-line packet analysis tool. Much like Wireshark, you can use Tcpdump to capture and analyze packets, troubleshoot connection issues, and look for potential security issues on a network.
Tracking Process Injection
Process Monitor is a tool on Windows systems that helps you monitor for issues on your system. You can view process, registry, filesystem, and network activity in real time.
What is Process Monitor?
Process Monitor is a tool on Windows systems that helps you monitor for issues on your system. You can view process, registry, filesystem, and network activity in real time.
Kubernetes Introduction
Kubernetes Deployment objects describe how containerized applications are run on the cluster in production environments.
Installing and using the KeePassXC password manager
Do you have a single password that you use to access all of your accounts? Is your password short and easy to remember?
Wireshark's Command Line Tool: TShark
Today, let's talk about how you can use Wireshark's command-line interface, TShark, to capture and analyze network traffic.
Securing your Network Traffic with WireGuard VPN
Many VPN software packages have a bewildering array of configuration options, some of which leave subtle security holes. WireGuard was developed as a reaction to this, and aims to be simpler for users to configure.
OpenVPN Access Server
Privacy on untrusted networks is a real concern, with attackers eager to intercept traffic and steal identities. OpenVPN provides Virtual Private Network tunnels that protect data while you access the internet. This guide describes the installation of OpenVPN Access Server.
Kubernetes Overview
Kubernetes is an open-source orchestration system for automating application deployment, scaling, and management of containers.
Password Spraying Attacks
Have you heard of a password brute-force attack? A brute-force attack is when attackers try to break into a single account by guessing its password. Password spraying turns this around: a few common passwords are tried against many accounts, which keeps each account below its lockout threshold.
Intro to PHP Object Injection Vulnerabilities
PHP serialization is frequently used to store or transmit PHP objects. Unserializing attacker-controlled data, however, can lead to severe vulnerabilities for the web application, up to remote code execution.
Hacking The Web With Fiddler
It's no secret that hackers, developers, and IT professionals like us use a lot of tools. Today, let's talk about a powerful addition to your toolkit called Fiddler! Fiddler is a free web debugging proxy for any browser and platform.
Introduction to Metasploit
Metasploit is a penetration testing framework that helps you find and exploit vulnerabilities. The Metasploit Framework is one of the most useful testing tools available to security professionals. Using Metasploit, you can access disclosed exploits for a wide variety of applications and operating systems. You can automatically scan, test, and exploit systems using exploit modules contributed by other researchers.
PowerShell Basics - Part 1
This is the first part of the PowerShell Basics series, covering PowerShell objects, the two most widely used operator groups, and how to quote strings properly.
Backing Up With Borg
BorgBackup, or Borg for short, is a backup program that supports deduplication, compression, and encryption. Borg provides an efficient and secure way of backing up your data.
PowerShell Introduction
This module is for people looking to get started with their PowerShell journey.
Privilege Escalation Via Cron
Cron is a super useful job scheduler in Unix-based operating systems. It allows users to schedule jobs that run periodically. Today, let's dive into how to use Cron and the security risks of a misconfigured Cron system!
Log Management with the Systemd Journal
Systemd adds many features that help administer system and network services on Linux, and the journal is one of them. The systemd journal collects log messages from the kernel, services and applications into central, indexed, structured log files.
Apache For Beginners
Setting up a website might be simpler than you think. The Apache HTTP Server is web server software available for Linux and other systems, and it is one of the most popular web servers in use, for good reason: it is free, fully open source, feature-rich and simple to set up. Today, let's learn to set up a website using Apache!
Backing Up With Rsync
Rsync is a widely used utility for synchronizing files between local and remote systems, which makes it well suited for remote backups.
Patching Binaries With Ghidra
Last time, we talked about how to reverse engineer a binary using Ghidra. But what if you wanted to make modifications to the binary itself? The process of making changes to a binary and modifying its instruction flow is called "patching a binary". Hackers do this to bypass built-in protections, or to make the program behave differently so that exploit development goes more smoothly. Today, let's talk about how to do this directly in Ghidra!
Intro to reverse engineering with Ghidra
Reverse engineering is a process that hackers use to figure out a program's components and functionality in order to find vulnerabilities in it. You recover the original software design by analyzing the code or binary of the program, in order to attack it more effectively. Today, let's take a look at how to reverse engineer a single program using a piece of open-source software called Ghidra.
Visual Spoofing with Unicode
Unicode was developed to represent all of the world's writing systems on computers. Early in the history of computing, characters were encoded by assigning a number to each one within a small table. Those encodings were inadequate: they covered little beyond English, and most of the world's languages could not be typed at all. The flip side of Unicode's coverage is that many characters from different scripts look identical, which is exactly what visual spoofing exploits.
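As an added example (not part of the original article), the check below shows the two properties a practitioner looks at when deciding whether a hostname label is a lookalike: whether it mixes scripts, and what the resolver actually sees after IDNA (Punycode) encoding. The sample labels are constructed; the script name is derived from the character's Unicode name using only the standard library.

```python
import unicodedata

# Constructed sample labels: pure ASCII, Latin with a Cyrillic "а" (U+0430)
# swapped in, and Latin with a Greek omicron (U+03BF) swapped in.
SAMPLE_LABELS = ["apple", "\u0430pple", "micr\u03bfsoft"]


def script_of(ch: str) -> str:
    """Coarse script name for a letter, taken from its Unicode character name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scripts_in(label: str) -> set:
    return {script_of(ch) for ch in label if ch.isalpha()}


def confusable_report(label: str) -> dict:
    """Flag a label that mixes scripts, contains non-ASCII, or changes under
    NFKC normalisation (compatibility characters are a common spoofing trick).
    'ace' is the ASCII-compatible form a DNS resolver would look up."""
    scripts = scripts_in(label)
    nfkc = unicodedata.normalize("NFKC", label)
    try:
        ace = label.encode("idna").decode("ascii")
    except UnicodeError:
        ace = None
    return {
        "label": label,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "non_ascii": any(ord(c) > 127 for c in label),
        "nfkc_changes": nfkc != label,
        "ace": ace,
    }


if __name__ == "__main__":
    for lab in SAMPLE_LABELS:
        print(confusable_report(lab))
```

A label written entirely in one non-Latin script (for example a Cyrillic string that happens to look like a well-known brand) passes the mixed-script test; browsers handle that case by comparing labels against a confusables table and by showing the xn-- form when a label fails their policy, so treat the report above as one signal, not a verdict.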
Gathering System Information On An Ubuntu Server
Today, we'll investigate our operating system and find out what is going on with its software, hardware and network connections.
Introduction to SUDO KILLER
SUDO KILLER provides an easy and effective way to scan for sudo bugs and misconfigurations as an unprivileged user.
Discovering The Hidden Web Using GoBuster
Gobuster provides an easy and effective way to brute-force directories, files and virtual hosts on a remote web server that are not linked from its pages.
Stealing Port Knock Sequences for Server Access
A knock sequence can be leaked in a few ways. It could be published by accident. It could be exposed through compromised log files. Finally, it could be stolen by sniffing packets on the network.
Writing Custom Rules for Yara
YARA provides an easy and effective way to write custom rules based on strings or byte sequences found in samples, and lets you build your own detection tools.
Finding Secrets in Git Repos with TruffleHog
It's all too easy for developers using Git to commit information that shouldn't be visible to everyone who has access to the source. This could be configuration files containing database passwords, deploy scripts including server credentials, or even the private keys for SSH or TLS (HTTPS) certificates. Removing the secret from the current version doesn't help, because the previous version is stored in the history and is still accessible. TruffleHog is one tool that makes it easier to search through the history of a git repository to discover passwords and other secrets.
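The two detection strategies such tools combine are pattern matching for known credential formats and Shannon entropy for random-looking strings. The example below is added here and is not TruffleHog's code; the sample lines are constructed, the AWS key id is Amazon's documented placeholder format rather than a real credential, and the 4.5-bit entropy threshold is an assumption you would tune for your repositories.

```python
import math
import re
from collections import Counter

# Constructed sample lines, as they might appear in a diff or a config file.
SAMPLE_LINES = [
    "db_host = 'db.internal'",
    "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
    "secret = 'q1W2e3R4t5Y6u7I8o9P0aSdFgHjKlZxC'",
    "readme = 'The quick brown fox jumps over the lazy dog'",
]

# Known credential shapes (extend for your environment).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Candidate tokens for the entropy test: 20+ chars of base64/hex-like text.
WORD = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def high_entropy_strings(line: str, threshold: float = 4.5) -> list:
    """Tokens in the line whose per-character entropy exceeds the threshold."""
    return [w for w in WORD.findall(line) if shannon_entropy(w) > threshold]


def scan_line(line: str) -> list:
    """Names of the detectors that fired on this line."""
    findings = [name for name, pat in PATTERNS.items() if pat.search(line)]
    findings += ["high_entropy"] * len(high_entropy_strings(line))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scan_line(line), line)
```

To apply it to history rather than the working tree, feed it the output of `git log -p --all` line by line; the point of the article is that a secret removed in HEAD still shows up in an earlier diff.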
Using ProxyChains to Proxy Your Internet Traffic
ProxyChains is a common penetration testing tool for redirecting connections through SOCKS4, SOCKS5 or HTTP proxies.
Exploiting ReDoS
Today, let's explore how attackers exploit poorly written regular expressions to launch denial of service attacks (ReDoS)!
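As an added illustration (not code from the original article), the snippet below times the classic nested-quantifier pattern against an equivalent single-quantifier pattern on the same failing input. Both patterns accept exactly the same strings; only the backtracking behaviour differs. The payload is constructed and the timing ratio is what to look at, not the absolute numbers.

```python
import re
import time

# Nested quantifiers: on input that fails at the very end, the engine tries
# every way of splitting the run of a's between the inner and outer groups.
EVIL = re.compile(r"^(a+)+$")
# Same language, one quantifier, linear time.
SAFE = re.compile(r"^a+$")


def payload(n: int) -> str:
    """n valid characters followed by one that can never match."""
    return "a" * n + "!"


def timed_match(pattern, text: str) -> tuple:
    """(matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_blowup(n: int) -> float:
    """How many times slower the evil pattern is on a failing input of length n."""
    _, evil_t = timed_match(EVIL, payload(n))
    _, safe_t = timed_match(SAFE, payload(n))
    return evil_t / max(safe_t, 1e-9)


if __name__ == "__main__":
    for n in (10, 14, 18):
        print(n, round(timed_match(EVIL, payload(n))[1], 4), "s")
    print("slowdown at n=18:", round(backtracking_blowup(18)))
```

Each extra character roughly doubles the evil pattern's running time, which is the signature to look for when reviewing regexes that are applied to user input. Python 3.11 and later support possessive quantifiers and atomic groups (for example `(?>a+)+`), which remove the backtracking; the simpler fix, as here, is to avoid nesting quantifiers at all.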
Password Reuse and Lateral Movement
Learn the common ways attackers obtain user passwords, how reused credentials let them move laterally between systems, and how to protect yourself from those who would steal your credentials.
Windows Logging
Microsoft Windows has a robust logging subsystem that captures a number of system events and activities by default and can additionally be configured to capture all kinds of useful data. Event sources are grouped into log providers, with a unique event ID for each kind of event. Unlike Unix-based systems, which mostly write logs as line-based text files, Windows stores events in a binary format in files with a .evt (legacy) or .evtx extension. That format makes the files hard to read directly, but Windows provides APIs and the Event Viewer for easy querying.
Scanning and Enumeration Defence with Port Knocking
Port knocking is a stealth method to open, from outside, ports that the firewall keeps closed by default: the client sends connection attempts to a pre-agreed sequence of closed ports, and only then is the real service port opened for that client. To a regular port scan the service simply looks unavailable.
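Tying this entry to the "Stealing Port Knock Sequences" one above: if the knocks cross a network segment an attacker can sniff, the sequence is recoverable from a capture. The example below is added here (it is not from either article) and works on a constructed list of SYN records; it finds, for every accepted connection to the protected port, the unanswered connection attempts the same client made just before it. The field names and the 5-second window are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Syn:
    t: float      # timestamp (seconds)
    src: str      # client address
    dport: int    # destination port
    reply: str    # server's answer: "SYN-ACK", "RST" or "none" (dropped)


# Constructed capture: 10.0.0.5 knocks 7000, 8000, 9000 and then reaches SSH;
# 10.0.0.9 is a scanner that gets RST for everything, including port 22.
CAPTURE = [
    Syn(10.0, "10.0.0.5", 7000, "none"),
    Syn(10.4, "10.0.0.5", 8000, "none"),
    Syn(10.8, "10.0.0.5", 9000, "none"),
    Syn(11.5, "10.0.0.5", 22, "SYN-ACK"),
    Syn(12.0, "10.0.0.9", 22, "RST"),
    Syn(12.1, "10.0.0.9", 80, "RST"),
    Syn(12.2, "10.0.0.9", 443, "RST"),
]


def recover_knock_sequences(capture, protected_port: int = 22,
                            window: float = 5.0) -> dict:
    """For each client whose SYN to protected_port was accepted, return the
    ports it sent unanswered or rejected SYNs to within `window` seconds
    before that acceptance, in order. Anything but SYN-ACK counts as closed."""
    by_src = {}
    for p in sorted(capture, key=lambda p: p.t):
        by_src.setdefault(p.src, []).append(p)
    sequences = {}
    for src, pkts in by_src.items():
        for i, p in enumerate(pkts):
            if p.dport == protected_port and p.reply == "SYN-ACK":
                knocks = [q.dport for q in pkts[:i]
                          if p.t - q.t <= window and q.dport != protected_port
                          and q.reply != "SYN-ACK"]
                if knocks:
                    sequences[src] = knocks
    return sequences


if __name__ == "__main__":
    print(recover_knock_sequences(CAPTURE))
```

The recovered sequence can simply be replayed, which is why knock daemons offer one-time sequences and why single packet authorization tools such as fwknop replace the plain knock with an encrypted, non-replayable packet.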
Microsoft Defender Advanced Threat Protection
The next generation of security tools is designed to help users keep pace with modern adversaries (skilled and motivated programmers, often with large resources) while simultaneously improving privacy, security, and system integrity. These tools are powered by intelligence, insights, signals and alerts from many systems, and by continuous human testing, and they can integrate with trusted partner systems as well.
Diving into YarGen
Last time, we talked about how to detect malware using YARA, and how to find YARA rules to use online. But if you can't find published YARA rules that suit your needs, you'll need to write your own rules instead!
Malware Detection Using Yara
Have you ever wondered how malware is detected? How do malware scanners work? How does Gmail know that the suspicious attachment you got was "dangerous"? After all, malware comes in all shapes and sizes, and there is no single characteristic that tells you whether a file can cause harm or not.
Linux Privilege Escalation Using Capabilities
In Linux environments the superuser can do practically anything and is not bound by normal permission checks. In other words, the superuser has a set of privileges that allow it to change the system as it pleases. Linux divides these privileges into distinct units known as capabilities. A capability can be attached to an executable file, which gives any user running that executable the specific superuser privilege the capability defines.
Windows Authentication with NTLM
Windows authentication follows many security best practices, but it has several weaknesses, especially when it comes to legacy authentication in the form of New Technology LAN Manager (NTLM), which debuted with Windows NT in the early 1990s.
SSH-Audit
SSH (secure shell) is a widely used protocol for remote administration of Unix and Linux servers. The default configuration of many SSH server implementations includes several potentially insecure settings, kept so as to maintain compatibility with outdated client software. The ssh-audit tool can be used to check the server settings and recommend changes that improve security.
Privileged Remote Code Execution in OpenSMTPD
OpenSMTPD is the mail transfer agent (e-mail server) of the OpenBSD operating system, and is also available as a 'portable' version for other Unix systems such as GNU/Linux. OpenBSD is known for its strong focus on security, and serious security vulnerabilities in OpenBSD are very rare - there have only been two remote holes exploitable in the default install in the project's 23-year existence. The recent CVE-2020-7247 vulnerability in OpenSMTPD, announced on the 29th of January 2020, very nearly added a third item to that list.
RangeForce Module Tutorial
On the RangeForce platform, there is an ever-growing number of hands-on learning modules and challenges that teach you how to prepare for, detect and respond to the latest cyber threats and system vulnerabilities. The best part is that it's a cloud-based, on-demand SaaS environment, which means that no complex setup or hardware is required. You access everything through your web browser, so a decent internet connection is all you need.
Suricata as an IPS
Suricata is a real-time threat detection engine that helps protect your network against threats by actively monitoring network traffic and detecting malicious behavior based on written rules. It can operate in a network security monitoring (NSM) mode and can also be configured as an intrusion detection system (IDS) or intrusion prevention system (IPS).
Windows Active Directory Basics
If you have ever tried to remotely connect to another computer via SSH, RDP or many other protocols, you might have wondered why your local system account can't just automatically be trusted by the remote system and give you access. Or what if you want to share some content from your system and have to manually create local accounts for your friends on your system so they can log in? Windows Active Directory solves problems like this by providing a framework for central authentication and permission management.
Enumerating with Nmap
Nmap is not only the best port-scanning tool out there, but also a very good service-level enumeration tool with support for customized scripts and hundreds of publicly available scripts ready to use out of the box. This is possible through the Nmap Scripting Engine (NSE), Nmap's most powerful feature, which gives its users the ability to write their own scripts and use Nmap for more than just port scanning.
HTTPS Security
XML External Entities
Extensible Markup Language (XML) has an infamous feature called XML eXternal Entities (XXE). It is the most well-known XML attack vector and still has a high place in the OWASP Top 10 most common vulnerabilities list.
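To show what the feature does when it is enabled, here is an added example (not from the original article) using only the standard library's xml.sax expat reader. A "secret" file is written to a temporary path, an XXE document pointing at it is constructed, and the same document is parsed twice: once with external general entity resolution switched on (CPython's default before 3.7.1) and once with it off (the current default). The file path and document are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collect character data; an expanded entity shows up here."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether <!ENTITY x SYSTEM "..."> is fetched.
    # Leaving it False (the modern default) is the fix for this class of bug.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def xxe_payload(target_url: str) -> bytes:
    """A document whose DTD declares an external entity and references it."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [\n'
        f'  <!ENTITY xxe SYSTEM "{target_url}">\n'
        ']>\n'
        '<order><item>&xxe;</item></order>\n'
    ).encode()


def demo() -> tuple:
    """Returns (text with resolution enabled, text with resolution disabled)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("s3cret-from-disk")
        path = fh.name
    try:
        doc = xxe_payload("file://" + path)
        return parse_text(doc, True), parse_text(doc, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("resolution on :", repr(leaked))
    print("resolution off:", repr(safe))
```

The same mechanism with an http:// URL instead of file:// turns the parser into a server-side request forgery primitive, which is why the fix is to disable DTD processing or external entities in whatever parser your application uses, not to filter the input.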
Insecure Deserialization in Java
Serialization is the process of converting an object into a data format that can later be used to restore the object. People often serialize objects in order to store them or send them as part of a communication. Deserialization is the reverse of that process: taking data structured in some format and rebuilding it into an object.
DOM-based XSS
Document Object Model-based Cross-site Scripting (DOM-based XSS) is a lesser-known form of XSS. It differs from reflected and stored XSS because the exploit happens entirely on the client side and does not conceptually require a server-side vulnerability.
Regular Expressions
Regular expressions (regex or regexp) are a powerful technique that can be used in a variety of ways. At first they may seem a bit intimidating, especially for those without a formal education in Computer Science, but with a little practice they become a really fast and powerful tool.
Misconfigured PATH
An environment variable is a dynamically named value that can affect the way running processes behave on a computer. Environment variables are part of the environment in which a process runs. For example, a running process can query the value of the TEMP environment variable to discover a suitable location to store temporary files, or the HOME or USERPROFILE variable to find the directory structure owned by the user running the process. PATH lists the directories the shell searches, in order, for a command typed without a full path; a writable or relative entry in it lets an attacker plant a lookalike binary that a privileged user or script then runs.
Network Discovery With Nmap
Nmap, also known as network mapper, is a free and open-source security tool widely known for its powerful network discovery, enumeration and security auditing abilities. Network administrators use Nmap to build a network map and learn what's going on inside the network: which hosts are online, what ports are open, which services are offered, and more.
Privilege Escalation Using the Docker/LXD groups
Docker and LXD are both platforms for running applications in small, lightweight environments called containers, which are isolated from other processes and from most operating system resources but share the host's kernel. Some Docker/LXD features, such as binding privileged ports or mounting filesystems, require the daemon to run as root. Membership in the docker or lxd group grants the right to talk to that daemon, which in practice is equivalent to root access on the host.
Nikto
Attacking a website is not a straightforward process where you start randomly typing and suddenly have access to the system. Before exploiting a vulnerability, you have to actually find the vulnerability. The first part of attacking a system is information gathering. There are a lot of excellent tools out there for information gathering, like Maltego or Nmap. Even a simple Google search can give you lots of useful information. After compiling a list of targets to focus on, you can start scanning those targets for vulnerabilities that can potentially be exploited. This is where Nikto comes in.
Docker RunC Container Escape
Docker containers allow developers to package an application with all of its dependencies and components into a single unit, so that it runs quickly and reliably in many different computing environments. On the surface Docker containers can seem safe, as they isolate an application and its dependencies into a self-contained unit, but in reality nothing is truly secure. The same goes for Docker.
Network Defense and Monitoring With Suricata
Suricata is a real-time threat detection engine that helps protect your network against threats by actively monitoring network traffic and detecting malicious behavior based on written rules. It can operate in a network security monitoring (NSM) mode and can also be configured as an intrusion prevention system (IPS) or intrusion detection system (IDS). The Suricata project is free and open-source and stands out from alternatives such as Snort, Zeek or Sagan with native support for multi-threading, HTTP/TLS logging and other useful features. It is a great asset to your network defenses, whether the goal is to protect a business or a home network.
Linux privilege escalation using Wildcard Injection
Wildcards are characters that stand in for other characters. You can use them with any command, such as cat or rm, to list or remove files matching a given pattern. There are others, but the one that matters here is *, which matches any number of characters. The key point is that the shell expands the wildcard into file names before the command runs, so a file whose name looks like an option is handed to the command as an option.
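To make the expansion step concrete, the added example below (not code from the original article) builds a throwaway directory containing file names that look like GNU tar options, expands `*` the way a shell would, and shows the argv that `tar cf backup.tar *` would actually receive. It only simulates the expansion; it never runs tar. The file names are constructed; `--checkpoint-action=exec=` is a real GNU tar option, which is why this trick works against backup scripts that use a bare `*`.

```python
import glob
import os
import tempfile


def simulate_glob_expansion(directory: str, pattern: str = "*") -> list:
    """Expand a wildcard like a POSIX shell: one argv entry per match, sorted.
    Dotfiles are skipped, just as the shell skips them for a bare '*'."""
    cwd = os.getcwd()
    os.chdir(directory)
    try:
        return sorted(glob.glob(pattern))
    finally:
        os.chdir(cwd)


def option_like_args(argv: list) -> list:
    """Arguments a getopt-style parser would treat as options, not files."""
    return [a for a in argv if a.startswith("-")]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        for name in ["report.txt", "notes.txt", "shell.sh",
                     "--checkpoint=1",
                     "--checkpoint-action=exec=sh shell.sh"]:
            open(os.path.join(d, name), "w").close()
        # What `tar cf backup.tar *` becomes after the shell expands '*'.
        unsafe = ["tar", "cf", "backup.tar"] + simulate_glob_expansion(d, "*")
        # Fix: `./*` makes every expansion start with './', so nothing can be
        # parsed as an option. Commands that support it also accept `--` before
        # the wildcard to end option parsing.
        safe = ["tar", "cf", "backup.tar"] + simulate_glob_expansion(d, "./*")
        return {
            "unsafe_argv": unsafe,
            "injected_options": option_like_args(unsafe),
            "safe_argv": safe,
            "safe_injected_options": option_like_args(safe),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the injected file names sort before the real ones (a hyphen collates before letters), they reach the command early in its argument list, and a cron job that runs the backup as root executes the planted shell.sh with root privileges.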
Linux privilege Escalation using the SUID Bit
The SUID bit is a flag on a file which states that whoever runs the file does so with the privileges of the file's owner. So if you are a regular user and the file is owned by root, the code runs with the permissions of the root user when you execute it. On Linux the kernel honours the SUID bit only on binary executables (ELF files); it is ignored on interpreted scripts such as a Bash or Python script, because the interpreter, not the script, is what actually gets executed.
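Both this entry and the "Linux Privilege Escalation Using Capabilities" entry above come down to the same enumeration step: find files that hand out extra privilege. The scanner below is an added example, not code from either article. It walks a directory tree with the standard library, reports setuid/setgid files, and decodes the raw security.capability extended attribute (the VFS capability structure that getcap reads) without needing libcap. The capability bit numbers and the "dangerous" set are from the kernel's capability list and from common privilege-escalation experience; the demo tree is constructed, and setting a file capability needs root, so the decoder is exercised on a constructed attribute value.

```python
import os
import stat
import struct
import tempfile

# Bit numbers from the kernel's capability list (subset).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 6: "cap_setgid", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 16: "cap_sys_module",
             19: "cap_sys_ptrace", 21: "cap_sys_admin"}
# Capabilities that are usually enough on their own to reach root.
DANGEROUS = {"cap_dac_override", "cap_dac_read_search", "cap_setuid",
             "cap_setgid", "cap_sys_module", "cap_sys_ptrace", "cap_sys_admin"}


def decode_file_caps(xattr: bytes) -> dict:
    """Decode a security.capability value: little-endian u32 magic|flags,
    then (permitted, inheritable) u32 pairs (one pair for v1, two for v2/v3).
    Bit 0 of the magic word is the 'effective' flag."""
    magic = struct.unpack_from("<I", xattr, 0)[0]
    version = magic >> 24
    effective = bool(magic & 1)
    blocks = 1 if version == 1 else 2
    permitted = 0
    for i in range(blocks):
        p, _inheritable = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
    names = [CAP_NAMES.get(b, f"cap_{b}") for b in range(64)
             if (permitted >> b) & 1]
    return {"permitted": names, "effective": effective,
            "dangerous": sorted(set(names) & DANGEROUS)}


def file_caps(path: str):
    """Decoded capabilities of a file, or None if it has none (or no xattrs)."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:          # ENODATA: no capability set; or unsupported fs
        return None


def scan(root: str) -> list:
    """(path, kind, detail) for every setuid/setgid/capability file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                findings.append((path, "suid", f"owner uid {st.st_uid}"))
            if st.st_mode & stat.S_ISGID:
                findings.append((path, "sgid", f"owner gid {st.st_gid}"))
            caps = file_caps(path)
            if caps:
                findings.append((path, "caps", ",".join(caps["permitted"])))
    return findings


def demo() -> list:
    """Constructed tree: one plain file and one file with the setuid bit."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("plain", "helper"):
            open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, "helper"), 0o4755)
        return [(os.path.basename(p), kind) for p, kind, _ in scan(d)]


if __name__ == "__main__":
    print(demo())
    print(scan("/usr/bin")[:10])
```

Run it against `/` to get the same list `find / -perm -4000` and `getcap -r /` would give; the interesting entries are the ones that are not part of the distribution's standard set, and any file whose permitted set intersects DANGEROUS.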
Dirty Cow
Kernel exploitation is becoming much more popular among exploit writers and attackers. Playing with the heart of the operating system can be a dangerous game. Kernel exploits require both art and science to achieve. Every OS has its quirks, and so every exploit must be molded to fully exploit its target. This post covers just one of these exploits, whimsically entitled Dirty Cow.
Docker Basics
Docker is a software platform for building applications in small and lightweight execution environments called containers, which are isolated from other processes and operating system resources while sharing the host kernel. Containers are given their own view of resources and cannot access resources that were not explicitly assigned to them. The concept of containerization had been around for some time before Docker, an open source project launched in 2013, helped popularize the technology. Originally built for Linux, Docker became a multi-platform solution and catalyzed the microservices-oriented approach to development.
ModSecurity Filter Evasion and Better Configuration
ModSecurity is a rule-based Web Application Firewall (WAF) which is most commonly deployed to protect against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS). However, if the default (weaker) ruleset is used instead of the OWASP CRS, it can be circumvented in certain cases.
API Security
Application programming interfaces (APIs), the connecting links between services, applications and data, have become essential for enterprise developers, as they allow programmers to easily integrate and reuse external software components instead of having to develop those components themselves.
SQL Injection Isn't Going Anywhere
SQL injection might sound like a thing of the past, but in actuality it is still one of the most widely used methods of attack directed at web applications around the world. As stated in the Akamai Media Under Assault report, a staggering 69.7% of all web application attacks between January 2018 and June 2019 were SQL injections. That is a LOT considering that it was supposedly first described by Jeff "Rain Forest Puppy" Forristal back in 1998. Yes... '98.
Blind SQL Injection
Blind SQL injection is similar to normal SQL injection, except that the HTTP responses will not contain the results of the relevant SQL query, and a generic error page is shown instead. Only one bit of information (true/false) can be extracted per request -- but that is all it takes.
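This is an added example for both SQL injection entries above (it is not code from the articles) that carries the "one bit per request" idea through to the end. A constructed in-memory SQLite database stands in for the application's backend; the vulnerable application concatenates the username into its query and reveals nothing but whether a row came back. The attacker turns that single bit into a character-by-character binary search over the admin's secret, and a request counter shows what it costs. The table, column and account names are assumptions made for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2'), ('bob', 'x')")
    return conn


class VulnerableApp:
    """Builds the query by concatenation and only ever reveals yes/no."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def user_exists(self, name: str) -> bool:
        self.requests += 1
        sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
        return self.conn.execute(sql).fetchone() is not None


class FixedApp(VulnerableApp):
    """Same interface, but the name travels as a bound parameter."""

    def user_exists(self, name: str) -> bool:
        self.requests += 1
        sql = "SELECT 1 FROM users WHERE name = ?"
        return self.conn.execute(sql, (name,)).fetchone() is not None


def oracle(app, condition: str) -> bool:
    """One request, one bit: does `condition` hold for the admin row?"""
    return app.user_exists(f"admin' AND ({condition}) -- ")


def extract_secret(app, max_len: int = 32) -> str:
    """Binary-search each character's code point (0..127) using the oracle.
    substr() past the end yields NULL, every comparison then fails, the search
    converges on 0, and that terminates the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"unicode(substr((SELECT secret FROM users "
                    f"WHERE name='admin'),{pos},1)) > {mid}")
            if oracle(app, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    app = VulnerableApp(make_db())
    print("recovered:", extract_secret(app), "in", app.requests, "requests")
    fixed = FixedApp(make_db())
    print("against fixed app:", repr(extract_secret(fixed)))
```

Seven requests per character is the whole cost, which is why "the page only shows a generic error" is not a mitigation. The FixedApp variant shows the actual fix: the injected string is bound as a value, so the comparison is against a user literally named `admin' AND (...) -- ` and nothing is revealed.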
Meteor Blind NoSQL Injection
I recently came across a Meteor application which had a publicly callable method 'users.count' that would return the count of users registered in the app. While this may not be significant from a threat assessment perspective, I decided to give it another look and dig a bit deeper.
Blind Command Injection
Executing a command injection attack simply means running a system command on someone's server through a web application or some other exploitable application running on that server. Executing a blind command injection attack means that you are unable to see the output of the command you've run on the server.
SNMP Arbitrary Command Execution
SNMP, the Simple Network Management Protocol, which in certain communities is better known as Security Not My Problem, is a protocol to monitor and manage networked devices.
Password Cracking Countermeasures
If you set up a server, or any information system for that matter, it is important to also secure it according to best practices.
Password Cracking
Most of us are familiar with usernames and passwords, the most common tool for securing information from unauthorized access. However, not everyone is familiar with the requirements for strong passwords, and because of this, many user passwords can be easily guessed.
Breaking JSON Web Tokens
JSON Web Tokens (JWT) are commonly used to implement authentication and authorization on websites and APIs. While there are numerous arguments for why you really should not use JWT for sessions in your applications, it is very common to see them all over the internet as API and session tokens.
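The best-known way to break a JWT is not cryptographic at all: a verifier that trusts the token's own `alg` header can be told the token is unsigned. The added example below (not code from the original article, written against the standard library only) mints an HS256 token, forges an `alg: none` variant with an elevated claim, and runs both through a lenient verifier and a strict one that pins the algorithm server-side. The key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way a correct server would."""
    h = _encode({"alg": "HS256", "typ": "JWT"})
    p = _encode(payload)
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker: keep the payload, add claims, declare alg=none, drop signature."""
    _h, p, _s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(new_claims)
    return f"{_encode({'alg': 'none', 'typ': 'JWT'})}.{_encode(payload)}."


def verify_lenient(token: str, key: bytes):
    """The classic bug: lets the token choose how it is verified."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256"):
    """Pin the algorithm; reject anything else before touching the signature."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if expected_alg != "HS256" or header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = sign_hs256({"sub": "bob", "admin": False}, key)
    forged = forge_alg_none(good, {"admin": True})
    print("lenient accepts forged token:", verify_lenient(forged, key))
    print("strict accepts forged token :", verify_strict(forged, key))
```

The same pinning defends against the related key-confusion attack, where a token signed with HMAC over the server's RSA public key is presented to a verifier that accepts both RS256 and HS256: a verifier that only ever runs the one algorithm it was configured for cannot be steered into the wrong one.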
NoSQLMap
Today we are going to take a look at NoSQLMap, a tool designed to find and exploit various NoSQL vulnerabilities. NoSQLMap is largely oriented towards testing MongoDB and CouchDB, but support for other NoSQL databases such as Redis and Cassandra is planned for future releases.
NoSQL Injection
A NoSQL injection vulnerability can be used by a malicious actor to access and modify sensitive data, including usernames, email addresses, password hashes and login tokens. Chained with other vulnerabilities it can lead to a full site takeover.
Wireshark Is Cool
It doesn't matter if you're a security engineer, a network administrator or even a cyber-criminal: tools to monitor network traffic are key to your success. By having a detailed view of the numerous packets traversing the network, it is possible to learn a lot about the security condition of that network. It is also a great asset when you need to troubleshoot network load. One of the most common tools for all of that is Wireshark.
The Basics of Linux File Management
Knowing how to navigate the Linux operating system and operate on files in the file system is the most important skill a future DevOps engineer needs. Without that basic knowledge, any future endeavor on a Linux-based system is going to be extremely hard. If one is not able to copy or move a file, create a directory or even view the contents of a directory, they will lose their bearings quickly. So before you go deeper into the world of Linux, here are a few pointers on how to get about in it.
The Basics of Linux Software Management
Linux, like most other operating systems, supports various types of software. Managing that software is a basic skill all Linux users should have. Doing it via a graphical user interface is usually pretty self-explanatory, as you just have to follow the instructions on the screen. Performing the same task from a command line interface, on the other hand, is a whole different matter and could scare some Linux newcomers. To help crumble that fear a bit, here are some of the things to keep in mind about software management on a Linux-based operating system.
Cross Site Request Forgery
When Sir Timothy (aka Tim Berners-Lee) designed the first version of his new information system in 1989 (which became the Web two years later), it was meant for connecting various research documents via references. Back then, and even later when the budding Web started to grow, there was no need to trace the reader's progress: when a page was revisited, it was opened from the beginning again. To this day, the main protocol of the Web, HTTP, is a bit like a senile senior to whom his or her children must re-introduce themselves all over again every time they pay a visit.
How to change your UserAgent in Chrome or Firefox (gif!)
Every browser has a UserAgent attached to it. Any website you go to gets this information through the request head
ers.
Unrestricted File Upload
Here's a simple attack that may not seem as common these days, but even with secure frameworks, unwary developers can disable or bypass the built-in protections and ship a vulnerable application. Even large IT companies stumble sometimes. Do not let it come as a surprise, as there are loads of ways to attack and bypass security features.
Insecure Direct Object References
Insecure Direct Object References (also known as IDOR) happen when it's possible to get direct access to data objects that a web application exposes to users. As a result of this vulnerability, attackers can bypass authorization and directly access data such as files or database records. It is done by modifying the value of a parameter that points directly to an object. The root cause is that the web application takes user-supplied input and uses it to retrieve an object without performing an authorization check.
Nowadays cookies are a vital part of browsing the internet. They are a way to keep track of your movements within a site and to store data directly in your web browser. Keeping them as secure as possible prevents attackers from hijacking your web sessions and stealing your identity.
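The concrete knobs that "keeping cookies secure" refers to live in the Set-Cookie header. The audit function below is an added example (not from the original article) that parses a header and reports the attributes a session cookie should carry: Secure, HttpOnly, SameSite, and the requirements the __Host- prefix imposes. The sample headers are constructed.

```python
# Constructed Set-Cookie headers as a server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-bad=abc123; Domain=example.com; Path=/; Secure",
]


def parse_set_cookie(header: str) -> tuple:
    """(name, value, {attribute_lowercase: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list:
    """Findings for a cookie that is meant to carry a session."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if name.startswith("__Host-"):
        # Browsers only accept the __Host- prefix with Secure, Path=/ and no
        # Domain attribute; that is what makes it immune to subdomain overrides.
        if "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs:
            findings.append("__Host- prefix requirements not met; browsers reject it")
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h)
        for f in audit_set_cookie(h):
            print("  -", f)
```

Run it over the Set-Cookie headers in a proxy capture or a `curl -I` response; a session cookie with any finding is one that an attacker on the network or with a script injection foothold can take.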
Command Injection Basics
Executing a command injection attack simply means running a system command on someone's server through a web application. Executing the command is of course the easy part; the hard part is finding and exploiting the vulnerable crack in the system, which could be anything from an insecure form field on a web page to an open port on the network interface.
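This added example (not code from this or the "Blind Command Injection" article above) shows the crack itself and both ways of exploiting it. A lookup function that builds a shell command string from user input is placed next to the fixed version that passes an argument vector; `echo` stands in for whatever real command the application would run. The blind case is covered by a timing probe: the attacker gets no output, so they append `sleep` and measure the delay. The host name and payloads are constructed; the code assumes a POSIX /bin/sh.

```python
import subprocess
import time


def resolve_vulnerable(host: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ';', '|', '$()' and
    friends inside `host` are interpreted as shell syntax."""
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout


def resolve_fixed(host: str) -> str:
    """Argument vector, no shell: the input is one argv entry and is never
    parsed, whatever characters it contains."""
    return subprocess.run(["echo", host],
                          capture_output=True, text=True).stdout


def blind_timing_probe(target, delay: int = 1) -> float:
    """Blind injection: the caller never sees stdout, so infer success from
    how long the request took after appending a sleep."""
    start = time.monotonic()
    target(f"example.com; sleep {delay}")
    return time.monotonic() - start


def demo() -> dict:
    payload = "example.com; echo INJECTED"
    return {
        "vulnerable": resolve_vulnerable(payload).splitlines(),
        "fixed": resolve_fixed(payload).splitlines(),
        "vulnerable_delay": blind_timing_probe(resolve_vulnerable),
        "fixed_delay": blind_timing_probe(resolve_fixed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

If a shell genuinely cannot be avoided, `shlex.quote` turns the input into a single-quoted word the shell will not interpret, but an argument list is the fix to reach for first. In the fixed version the payload is printed back literally, and the timing probe returns immediately.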
Path Traversal is a fancy name for what is basically just reaching other directories through a path supplied in the URL. "Say what?" I hear you say. It is a very basic form of attack, but let's go through it step by step.
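As an added example (not code from the original article), here is the check a file-serving endpoint needs: resolve the user-supplied path under the document root and refuse anything that ends up outside it. The demo builds a constructed document root with one public file and a "secret" file one level up, then tries plain, URL-encoded and absolute traversal payloads against it. The path names are constructed; the function assumes the web layer decodes percent-encoding once, which is why it calls unquote itself.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def safe_join(base_dir: str, user_path: str) -> str:
    """Return the real path of user_path under base_dir, or raise."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)              # %2e%2e -> ..
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Strip leading slashes: os.path.join(base, "/etc/passwd") would otherwise
    # discard base entirely, which is the classic bug.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    # realpath has collapsed '..' and followed symlinks; now check containment.
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"path escapes document root: {user_path!r}")
    return candidate


def read_document(base_dir: str, user_path: str) -> str:
    with open(safe_join(base_dir, user_path), "r") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed root: docs/readme.txt is public, secret.txt sits outside."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "readme.txt"), "w") as fh:
            fh.write("public")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("private")
        results = {}
        for p in ["readme.txt", "../secret.txt", "%2e%2e/secret.txt",
                  "docs/../../secret.txt", "/secret.txt"]:
            try:
                results[p] = read_document(docs, p)
            except TraversalError:
                results[p] = "BLOCKED"
            except FileNotFoundError:
                results[p] = "NOT FOUND"
        return results


if __name__ == "__main__":
    for p, r in demo().items():
        print(f"{p!r:28} -> {r}")
```

Stripping `../` from the input is not equivalent: `....//` survives one pass of that filter and becomes `../` again, whereas resolving the full path and checking containment does not depend on how the traversal was spelled.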
Exploiting XSS 101
You've probably heard about Cross-site scripting (XSS), but nowadays it sounds like a distant memory of a problem that existed in the 90s. In reality it is still a very real threat. It isn't on the OWASP Top 10 list for no reason. Need proof? Check out how XSS was used to take over admin accounts on Wix.com (with 90 million users) or how Slack was hacked. These bugs have since been fixed of course, but there are many more.