Sunday, March 17, 2019

2019-011-Zach_Ruble-building_a_better_cheaper_C2_infra


Shout-out to Thomas…

    Tried to meetup while at SEA comic-con

Patreon

Log-MD

Hacker’s Health - Ms. Roddie is at TROOPERS (Ms. Berlin?)

4 podcasts?

SpecterOps Training / workshopCon  - https://www.workshopcon.com/events

Zach Ruble - @sendrublez

C2 infra using Public WebApps

TARCE - Teaching Assistant RCE(?) - they run your code every week, don’t check for backdoors before running it...

C2 Basics

    Local HTTPd server (bashfile)

    Python scrapes web server

3 components

- Servers

- Communication channels

- Malware and client

3 Requirements of a C2

- Victim receives commands

- Victim executes them

- Victim sends results back

Web server serving a static file

Malware on machine scraping site with python requests and executing it as commands.

Crontab @reboot

 

State change = change the text field

https://www.bleepingcomputer.com/news/security/russian-state-hackers-use-britney-spears-instagram-posts-to-control-malware/

https://uwbacm.com/

 

Long haul/short haul server

Long haul - regain persistence

Short haul - sends commands to victims

 

Slack as C2 - Blends in to the Env

    Send and receive messages

    Using Real Time Messaging API

https://3xpl01tc0d3r.blogspot.com/2018/06/how-to-use-slack-as-c2-sever.html

https://link.springer.com/chapter/10.1007/978-3-319-27137-8_24

https://glitch.com/

https://github.com/bkup/SlackShell

 

Reddit as a C2

    “Reddit Rising”

 

Glitch.com

    Serverless platform

 

Using Google search results as a C2 channel

    Would Google Algos see odd behavior of hundreds of hosts searching for the same thing?

Log file analysis?

    How can we protect against this?
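The polling C2 sketched above (a host fetching a static file on a schedule and running whatever it contains) leaves a recognisable pattern in egress logs, which is one answer to the "log file analysis?" question. The following Python script is an added example written for these notes; it is not code from the episode, from Zach Ruble or from any project linked here. It reads a constructed, simplified proxy log (all IPs, URLs and timestamps are made up) and looks for two signals: one client hitting one URL at near-constant intervals, and many distinct clients all fetching the same URL, the "hundreds of hosts asking for the same thing" behaviour raised in the Google-search discussion.

```python
"""Spot polling-style C2 traffic in web proxy logs (added example).

Two signals are checked:
  1. one client hitting one URL at near-constant intervals (low jitter);
  2. many distinct clients fetching the same URL.
The log format is a constructed, simplified proxy format:
    <epoch> <client_ip> <method> <url> <status>
All addresses and URLs below are made-up sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 polls one URL roughly every 300 s,
# 10.0.0.7 browses irregularly, 10.0.0.9 and 10.0.0.11 fetch the same
# URL as 10.0.0.5 only a few times (too few to look periodic on their own).
SAMPLE_LOG = """\
1552780800 10.0.0.5 GET http://paste.example/raw/abc123 200
1552780810 10.0.0.7 GET http://news.example/ 200
1552780845 10.0.0.7 GET http://news.example/ 200
1552780850 10.0.0.9 GET http://paste.example/raw/abc123 200
1552781100 10.0.0.5 GET http://paste.example/raw/abc123 200
1552781398 10.0.0.5 GET http://paste.example/raw/abc123 200
1552781500 10.0.0.7 GET http://shop.example/cart 200
1552781701 10.0.0.5 GET http://paste.example/raw/abc123 200
1552781900 10.0.0.7 GET http://news.example/ 200
1552782000 10.0.0.5 GET http://paste.example/raw/abc123 200
1552782000 10.0.0.7 GET http://news.example/ 200
1552782005 10.0.0.7 GET http://news.example/ 200
1552782100 10.0.0.11 GET http://paste.example/raw/abc123 200
1552782301 10.0.0.5 GET http://paste.example/raw/abc123 200
1552782601 10.0.0.5 GET http://paste.example/raw/abc123 200
1552782700 10.0.0.9 GET http://paste.example/raw/abc123 200
1552782898 10.0.0.5 GET http://paste.example/raw/abc123 200
1552783500 10.0.0.7 GET http://news.example/ 200
"""


def parse_log(text):
    """Parse the simplified format into (timestamp, client, method, url, status) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines instead of crashing on them
        ts, client, method, url, status = parts
        events.append((int(ts), client, method, url, int(status)))
    return events


def find_beacons(events, min_requests=6, max_cv=0.10):
    """Return (client, url) pairs polled at near-constant intervals.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: human browsing sits far above 0.1, a cron- or
    loop-driven poll sits close to 0.
    """
    stamps_by_pair = defaultdict(list)
    for ts, client, _method, url, _status in events:
        stamps_by_pair[(client, url)].append(ts)

    findings = []
    for (client, url), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # everything in the same second is a burst, not a poll
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "requests": len(stamps),
                "period_s": round(period),
                "jitter_cv": round(cv, 3),
            })
    return findings


def shared_urls(events, min_clients=3):
    """Return {url: sorted client list} for URLs fetched by many distinct clients.

    On real data, drop allow-listed or obviously popular hosts first; the
    signal is an unusual URL that a whole fleet of machines keeps fetching.
    """
    clients_by_url = defaultdict(set)
    for _ts, client, _method, url, _status in events:
        clients_by_url[url].add(client)
    return {url: sorted(c) for url, c in clients_by_url.items() if len(c) >= min_clients}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in find_beacons(evts):
        print("periodic:", hit)
    for url, clients in shared_urls(evts).items():
        print("shared  :", url, "<-", ", ".join(clients))
```

The thresholds are starting points, not tuned values: `min_requests` and `max_cv` trade false positives against missed slow beacons, and an implant that adds random sleep between polls pushes its CV up, which is why the shared-URL check is worth running alongside the interval check rather than instead of it.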

C2 News (if we go short):

https://www.zdnet.com/article/outlaws-shellbot-infects-servers-for-monero-mining

Automating OSINT

https://twitter.com/jms_dot_py

http://www.automatingosint.com/blog/

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM: https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Monday, March 11, 2019

2019-009- Log-MD story, Noid, communicating with Devs and security people-part1


Log-MD story (quick one) (you’ll like this one, Mr. Boettcher)

    SeaSec East meetup

    "Gabe"

 

https://www.sammamish.us/government/departments/information-technology/ransomware-attack-information-hub/

 

New Slack Moderator (@cherokeeJB)

Shoutout to “Jerry G”

 

Mike P on Slack: https://www.eventbrite.com/e/adversary-tactics-red-team-operations-training-course-dc-april-2019-tickets-54735183407

www.Workshopcon.com/events and that we're looking for BlueTeam trainers please

 

Any chance you can tag @workshopcon. SpecterOps and lanmaster53 when you post on Twitter and we'll retweet

 

Noid - @_noid_

noid23@gmail.com

 

Bsides Talk (MP3) - https://github.com/noid23/Presentations/blob/master/BSides_2019/Noid_Seattle_Bsides.mp3

Slides (PDF)

https://github.com/noid23/Presentations/blob/master/BSides_2019/Its%20Not%20a%20Bug%20Its%20a%20Feature%20-%20Seattle%20BSides%202019.pdf

 

Security view was a bit myopic?

“What do we win by playing?”

Cultivating relationships (buy lunch, donuts, etc)

Writing reports

Communicating findings that resonate with developers and management

    Often pentest reports are seen by various facets of folks

    Many levels of competency (incompetent -> super dev/sec)

 

Communicating risk? Making bugs make sense to everyone…

 

The three types of power:

https://www.manager-tools.com/2018/03/three-types-power-and-one-rule-them-part-1 

 


Sunday, March 3, 2019

2019-008-windows retpoline patches, PSremoting, underthewire, thunderclap vuln


BrakeingDownIR show #10

GrumpySec appearance?

https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618

https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/

“Microsoft has added support for the /Qspectre flag to Visual C++ which currently enables some narrow compile-time static analysis to identify at-risk code sequences related to CVE-2017-5753 and insert speculation barrier instructions. This flag has been used to rebuild at-risk code in Windows and was released with our January 2018 security updates. It is important to note, however, that the Visual C++ compiler cannot guarantee complete coverage for CVE-2017-5753 which means instances of this vulnerability may still exist.”

Retpoline = “Return Trampoline”

    “That’s because when using return operations, any associated speculative execution will 'bounce' endlessly.”

    https://www.tomshardware.com/news/retpoline-patch-spectre-windows-10,37958.html

Cool site (Andrei) *long time podcast supporter*

UndertheWire.tech - PowerShell wargame

---

PSRemoting - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-6

https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/

https://blogs.technet.microsoft.com/askperf/2012/02/17/useful-wmic-queries/

Caveats:

    Network connection you’re on must be set to “private”, not public

    WinRM service has to be enabled on both the local and remote hosts (at least, I think so --brbr)

 

https://www.engadget.com/2019/02/27/dow-jones-watchlist-leaked/

http://time.com/5349896/23andme-glaxo-smith-kline/

http://thunderclap.io/

https://int3.cc/products/facedancer21 - USB


Sunday, February 24, 2019

2019-007-bsides_seattle_recap-new_phishing_vector-Kernel_use_after_free_vuln


Bsides Seattle recap (Bryan)

New phishing technique to bypass email filters:

https://www.helpnetsecurity.com/2019/02/20/phishers-new-trick-for-bypassing-email-url-filters/

https://en.wikipedia.org/wiki/Office_Open_XML_file_formats#Relationships

Use after free in Linux kernel:

https://securityboulevard.com/2019/02/linux-use-after-free-vulnerability-found-in-linux-2-6-through-4-20-11/

https://www.webopedia.com/TERM/U/use-after-free.html

https://cwe.mitre.org/data/definitions/416.html

https://www.acodersjourney.com/top-20-c-pointer-mistakes/

https://www.kernel.org/doc/html/v4.14/dev-tools/kasan.html

https://nvd.nist.gov/vuln/detail/CVE-2019-8912

 

 


Sunday, February 17, 2019

2019-006: CSRF, XSS, infosec hypocrites, and the endless cycle


https://www.zdnet.com/article/google-working-on-new-chrome-security-feature-to-obliterate-dom-xss/

 

 

https://www.owasp.org/index.php/DOM_Based_XSS


CSRF - confused deputy https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

 

Google Cloud Platform - tips & tricks, stuff Ms. Berlin learned

 

Layer 8 conference - Rhode Island


I was wrong… cycles don’t sync --Ms. Berlin https://health.clevelandclinic.org/myth-truth-period-really-sync-close-friends/

 

 


Sunday, February 10, 2019

2019-005: Security Researcher attack, disabling SPECTER, and Systemd discussion


https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

https://www.csoonline.com/article/3338112/security/vendor-allegedly-assaults-security-researcher-who-disclosed-massive-vulnerability.html

 

Tweet of application teardown: https://twitter.com/duniel_pls/status/1093565709630824448

 

https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/

https://liliputing.com/2019/02/mozillas-project-fission-brings-site-isolation-to-firefox-spectre-and-meltdown-protection.html

https://capsule8.com/blog/exploiting-systemd-journald-part-1/

 

Segue from systemd/journald into:

“Super daemon for all daemons”

    Replaced things like sysvinit, rc.d, and even inetd

Lennart Poettering and Kay Sievers

Systemd (PID1)

    Configured using only text files

        .service

        .device

        .swap

.timer (a .service file of the same name must exist)

            ‘Transient timers can be created’

            https://wiki.archlinux.org/index.php/Systemd/Timers

/etc/systemd/system/foo.timer

[Unit]
Description=Run foo weekly and on boot

[Timer]
OnBootSec=15min
OnUnitActiveSec=1w

[Install]
WantedBy=timers.target

Logs are in binary format

Cgroups - control groups

Isolates resource usage (CPU, memory, disk I/O, network, etc.) of processes

    Bound by the same criteria

    Used a lot of places (hadoop, k8s, docker, LXC)

http://without-systemd.org/wiki/index.php/Arguments_against_systemd

https://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks/

https://lwn.net/SubscriberLink/777595/a71362cc65b1c271/

http://0pointer.de/blog/projects/systemd.html

https://en.wikipedia.org/wiki/Systemd

 


Sunday, February 3, 2019

2019-004-ShmooCon, and Bsides Leeds discussion, Facetime bug (with update), a town for ransom


Facetime bug update: https://www.cnbc.com/2019/02/01/apple-facetime-bug-fix-and-apology.html

 

ShmooCon discussion

 

Bsides Leeds discussion

 

@largeCardinal

@bsidesLeeds

https://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-47028244

 

https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple

 

https://www.theverge.com/2019/1/25/18198006/uber-jump-electric-scooter-austin-teen-arrested-bank-robbery-police

 

https://www.cnbc.com/2019/01/28/apple-facetime-bug-lets-you-listen-even-if-someone-doesnt-answer.html

 

https://www.news5cleveland.com/news/local-news/oh-cuyahoga/trio-of-current-and-former-officials-indicted-in-cuyahoga-county-corruption-probe

 

https://www.theverge.com/2018/12/28/18159110/centurylink-internet-911-outage-fcc-investigating

 
