Last Week in Security (LWiS) - 2023-11-13
Initial access and Bobber (@Flangvik), Slack 🍪 fun (@Tw1sm), attacking EDR (@dottor_morte), finding hard-coded secrets (@frycos), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2023-11-06 to 2023-11-13.
News
- Server Message Block (SMB) protocol changes - New firewall rules, SMB NTLM blocking exception list, alternative SMB ports, and more!
- [PDF] Charting China's Climb as a Leading Global Cyber Power - China has lots of 0day's attributed to it and the willingness to use them at scale.
- [PDF] Kaspersky Threat Intelligence - Modern Asian APT Groups - Recorded future releases an 18 page report on chinese APTs. Kaspersky says, hold my beer (370 pages) 😂.
Techniques and Write-ups
- Post-exploiting a compromised etcd - Full control over the cluster and its nodes - This paper aims to demonstrate that a compromised etcd is the most critical element within a k8s cluster, as it is not subject to role restrictions or the AdmissionControllers.
- Hacking Like Hollywood With Hard-Coded Secrets - A good write up on firmware blob to authentication bypass on a Ganz Security Solutions device.
- Attacking an EDR - Part 3 - The last post for the "Attacking an EDR" series.
- The Triforce of Initial Access - Initial access TTPs based on phishing + gathering loot automatically. Check out Bobber in the tools section.
- Abusing Slack for Offensive Operations: Part 2 - "Slack has followed the cookie storage blueprint used by browsers, like Google Chrome, making existing tooling and techniques adaptable for Slack exploitation." Easy to dump from memory on Windows, a bit more complicated on macOS.
- Hacking the Canon imageCLASS MF742Cdw/MF743Cdw (again) - Stack-based buffer overflow in the Canon firmware. Cool writeup.
- Abusing Microsoft Access “Linked Table” Feature to Perform NTLM Forced Authentication Attacks - The Microsoft Access "linking to remote SQL Server tables" feature that can automatically leak Windows user NTLM hashes via port 80. While most NTLM leaks are via port 445, this one is much more likely to make it out of the corporate firewall.
- Using SSL Certificates for Red Team Payloads - Interesting idea. "I found out that you could embed x.509 extensions into a certificate in the form of OIDs". You can use these x.509 extensions to inject your payload.
- Demystifying Cobalt Strike's “make_token” Command - Nice little deep dive into make_token.
- systemd hardening made easy with SHH. Could be used to audit for weak services 😉.
Tools and Exploits
- Nuclei AI - Browser Extension - Browser Extension for Rapid Nuclei Template Generation (requires a cloud account).
- fastsync - Fast synchronization across networks using speedy compression, lots of parallelization and fast hashmaps for keeping track of things internally.
- MAAS - Malware As A Service. This project describes a DevOps approach which leverages the CI/CD capabilities of gitlab to build a malware artifact generation pipeline.
- SharpVeeamDecryptor - Decrypt Veeam database passwords.
- proxyhub - An advanced [Finder | Checker | Server] tool for proxy servers, supporting both HTTP(S) and SOCKS protocols. 🎭
- Bobber - Evilginx database monitoring with exfiltration automation.
- SharpReflectivePEInjection - Reflectively load and execute PEs locally and remotely bypassing EDR hooks
- CVE-2023-32629 & CVE-2023-2640: Privilege escalation - Ubuntu Privilege Escalation bash one-liner
- .NetConfigLoader - List of .Net application signed by Microsoft that can be used to load a dll via a .config file (AppDomain Hijacking). Ideal for EDR/AV evasion and execution policy bypass.
- Bloodhound_Community_Docker - Generator of docker-compose file to allow secure configurations and multi-deployment strategy.
- CVE-Half-Day-Watcher - a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain.
- GoSleepyCrypt - In-memory sleep encryption and heap encryption for Go applications through a shellcode function.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- the !CVE Program - The mission of the !CVE Program is to provide a common space for cybersecurity !vulnerabilities that are not acknowledged by vendors but still are serious security issues.
- hakrevdns - Small, fast tool for performing reverse DNS lookups en masse.
- RoastInTheMiddle- Roast in the Middle is a rough proof of concept (not attack-ready) that implements a man-in-the-middle ARP spoof to intercept AS-REQ's to modify and replay to perform a Kerberoast or Sessionroast attack.
- Implementing Tic Tac Toe with 170mb of HTML - no JS or CSS 🤯
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.