Last Week in Security (LWiS) - 2022-10-03
Kerberos downgrade attack (@tiraniddo), Havoc C2 (@C5pider), ASNmap (@pdiscoveryio), static vs behavioral detection (@ShitSecure), Freeze payload toolkit (@Tyl0us), multiple tools from @D1rkMtr, cheap Yubikeys, Playstation 5 jailbreak, and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-09-26 to 2022-10-03.
News
- Activate phishing-resistant MFA. No excuse to not have hardware MFA at this point. Cloudflare makes it $10 per key for high quality Yubikey 5's. This is the best $-to-protection ratio you will ever spend (if you enforce it).
- Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server. Microsoft pushed out a temporary rewrite rule to Exchange on prem, but my advice would be to stop hosting this RCE-as-a-service product in your environment. Sadly, the big providers have taken over the dream of a decentralized internet with email for now.
- Former NSA Employee Arrested on Espionage-Related Charges . I suppose you only read about the ones with bad OPSEC but man, this guy wasn't even really trying. I suspect his short employment period also put him under extra scrutiny. With OPSEC this bad, perhaps he should have applied to work at the CIA and contribute to America's Throwaway Spies.
- Introducing Wolfi - the first Linux (Un)distro designed for securing the software supply chain. I'm not fully sold on this "undistro." Seems a bit like Nix but with the package manager removed?
- PS5-4.03-Kernel-Exploit An experimental webkit-based kernel exploit (Arb. R/W) for the PS5 on 4.03FW. Not really useful for red teaming, but a neat exploit chain.
Techniques and Write-ups
- Introducing FingerprintX: The fastest port fingerprint scanner. httpx is a great tool for web scanning, but fingerprintx expands it other ports and protocols. Grab the code and start scanning!
- Two Lines of JScript for $20,000 - Pwn2Own Miami 2022. Exploitation doesn't always have to be "hard." If calc pops, it doesn't matter if you spent 2 hours or 2 years working on the exploit. Try some simple things first!
- Issue 2310: Windows: Kerberos RC4 MD4 Encryption Downgrade EoP. James Forshaw, destroyer of Windows worlds, is at it again. Who knew you could downgrade Kerberos encryption so badly, as well as other tricks to get the actual amount of data you need to brute force down to a single byte. Well played.
- The difference between signature-based and behavioral detections. A good primer on types of AV/EDR detections and ideas for how to get around them. TLDR: You will be writing custom code.
- What I learnt from reading 220* IDOR bug reports.. You're going to learn about IDOR today!
- YARI: A New Era of YARA Debugging. Woah, this is seriously cool if you work with yara. Code here.
- Kernel Driver Exploit: System Mechanic. I know I am late on this one (technically not last week), but it was too good to not include. Don't worry the blog is now monitored.
- Phishing With Chromium's Application Mode In this blog post mr.d0x shows how Chromium's application mode allows us to easily create realistic desktop phishing applications.
Tools and Exploits
- Iscariot Suite is a collection of tools to enhance and augment trusted open-source and commercial Blue Team/Sysadmin products, turning them into traitorware to achieve offensive security goals.
- Havoc. This is the much anticipated C2 from @C5pider. It also supports Third Party Agents.
- ASNMap - A Golang CLI tool for speedy reconnaissance using ASN data.
- constellation is the first Confidential Kubernetes. Constellation shields entire Kubernetes clusters from the (cloud) infrastructure using confidential computing.
- VirusTotalC2 Abusing VirusTotal API to host our C2 traffic, useful for bypassing blocking firewall rules if VirusTotal is in the target white list, and in case you don't have C2 infrastructure, now you have a free one.
- AzTokenFinder is a small tool to extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others.
- Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
- ChTimeStamp - Changing the Creation time and the Last Written time of a dropped file by the timestamp of other one , like the "kernel32.dll" timestamp.
- ADSrunner - Write a UUIDs bytes array "*" collected to the Alternate Data Stream of the current binary , then the ADS Runner will get the DATA tranfert it into a char table nice UUIDS shellcode and Run it.
- FileLessRemoteShellcode - Run Fileless Remote Shellcode directly in memory with Module Unhooking, Module Stomping, No New Thread. This repository contains the TeamServer and the Stager.
- DumpThatLSASS - Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk, plus functions and strings obfuscation, it contains Anti-sandbox, if you run it under unperformant Virtual Machine you need to uncomment the code related to it and recompile.
- airstrike is a basic stage 0 implant.
- KnownDllUnhook - Replace the .txt section of the current loaded modules from KnownDllsto bypass edrs.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews.
- lemmeknow. The fastest way to identify anything!
- jot - Rapid note management for the terminal.
- SnaffPoint - A tool for pointesters to find candies in SharePoint.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.