Last Week in Security (LWiS) - 2022-09-19
CloudFox (@sethsec + @cvendramini2), MiraclePtr in Chrome, Jetty hacking (@m1ke_n1), ExternalC2 myths (@RET2_pwn), NTLMv1 attacks (@n00py1 + @an0n_r0), Golden Ticket patches soon (@varonis), plaintext Citrix passwords (@gentilkiwi), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-05 to 2022-09-19.
News
- Security update (Uber). The Uber hack made headlines last week, and for good reason. Looks like a single social engineering success (MFA push is too annoying?) plus some share drive spelunking allowed the attacker to achieve widespread system compromise. I wish this was surprising. It looks like they're hiring security engineers now.
- A New Life for Certificate Revocation Lists. Interesting thoughts from Scott on twitter.
- Twitter Whistleblower Says There Was at Least One Chinese Spy Working at the Company. Mudge's rumored $7MM severance and non-disclosure didn't cover congressional hearing it seems. Look's like someone is trying to dig up dirt on him.
- GTA 6 source code and videos leaked after Rockstar Games hack. This looks like a "legitimate" insider as opposed to the Uber hack.
Techniques and Write-ups
- Traces of Windows remote command execution. The quieter you become, the more... you know the joke. This post shows the artifacts left behind from a variety of "RCE" techniques (lateral movement) on Windows.
- Introducing: CloudFox. Cloudfox helps you gain situational awareness in unfamiliar cloud environments. It's a command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
- Use-after-freedom: MiraclePtr. Google's quest to prevent memory corruption exploits continues with a novel C++ add-on to Chrome for Windows and Android as of Chrome 102. Props to the team for pushing this out despite a tiny performance hit.
- Jetty Features for Hacking Web Apps. Some neat tricks specific to Jetty in this post.
- Myths About External C2. This post shows the basics of External C2 using a mock teamserver and agent (python).
- The Blind Spots of BloodHound. Nice attack graph you have there; it'd be a shame if something... happened to it...
- Practical Attacks against NTLMv1. Or check out the tweet-length-summary. TLDR: disable NTLMv1 everywhere!
- Fighting Golden Ticket Attacks with Privileged Attribute Certificate (PAC). PAC enforcement is scheduled for October 2022, are your golden ticket tools ready? The table at the end of the article is worth the price of admission.
- A Basic Guide to iOS Testing in 2022. Enough to get you started!
- Stealing Access Tokens From Office Desktop Applications. Your apps authenticate to MS services as you, and so the authentication material is in memory. This post shows you how to extract and use it - to read Outlook emails for example.
- Relaying YubiKeys. Hardware FIDO2 keys are the answer to all phishing right? Right!? Well if an attacker has your PIN and you don't have "touch to sign" enabled, then yes, its just another annoying step. "Touch to sign" is what keeps this from being practical, as the attacker would then also have to trick the user into touching the key for every blob they wanted to sign. Could always skip all that and use virtual-fido to nullify all the benefits of a hardware security device.
Tools and Exploits
- Mimikatz update. Now you can dump plaintext Citrix passwords from memory. Best part is you don't even need elevated rights for the current use context! If anyone has this as a BOF, DM me!
- ldapnomnom - Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP).
- CVE-2022-37706-LPE-exploit - A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04) - NOTE: only for enlightenment window manager (Tizen based TVs and... thats it?).
- MasqueradingPEB - Maquerade any legitimate Windows binary by changing some fields in the PEB structure.
- CVE North Stars - Leveraging CVEs as North Stars in vulnerability discovery and comprehension.
- ExecRemoteAssembly - Execute Remote Assembly with args passing and with AMSI and ETW patching.
- Teamsniper is a tool for fetching keywords in a Microsoft Teams such as (passwords, emails, database, etc.).
- DylibHijackTest - Discover DYLD_INSERT_LIBRARIES hijacks on macOS.
- Codecepticon is a .NET application that allows you to obfuscate C#, VBA/VB6 (macros), and PowerShell source code, and is developed for offensive security engagements such as Red/Purple Teams. What separates Codecepticon from other obfuscators is that it targets the source code rather than the compiled executables, and was developed specifically for AV/EDR evasion.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- CheeseOunce - Coerce Windows machines auth via MS-EVEN. Will we ever run out of coercion techniques?
- How we built Pingora, the proxy that connects Cloudflare to the Internet. Some companies are large enough where the milliseconds matter. I hope Pingora is opensourced soon!
- requests-ip-rotator - A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.
- DiffusionBee - Stable Diffusion GUI App for M1 Mac. DiffusionBee is the easiest way to run Stable Diffusion (AI image generation) locally on your M1 Mac. Comes with a one-click installer. No dependencies or technical knowledge needed.
- CitrixSecureAccessAuthCookieDump - Dump Citrix Secure Access auth cookie from the process memory.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.