SecPro #46: DNS Tunneling, Attacking with XSS, and Understanding Web Application Vulnerabilities.
Hey,
Another busy week has gone by in the world of cybersecurity and another set of vulnerabilities has revealed itself to the _secpro team. Not only have we seen countries on both sides of the “Cyber Cold War” heat up the conflict, we have also seen adversaries try everything from firmware-level hacking to simple social engineering trickery.
To get an insight into the mind of the attacker, we have also included three premium articles in this week’s newsletter, which subscribers to the Weekly Insider can access straight away.
For readers who want to break into the AWS architect market, we would like to offer the AWS Certified Solutions Architect Associate Exam Readiness Diagnosis Tool. No extra payment, no sign-up, just a free tool that will assess your capabilities and tell you whether you are ready to step up and take the exam. Although this was offered to our premium subscribers first, we plan to eventually roll out these tools and training programs to all of our _secpro subscribers.
Cheers!
Austin Miller
Editor-in-Chief
Red Team
DNS Tunneling – Stealing Data over DNS
DNS – We all know it, we all need it. After all, it is the ‘phone book’ of the internet. But how much are organisations doing to protect themselves from attacks carried over the DNS protocol? How much is even known about the potentially devastating cyberattacks that become possible when an enterprise skips a few simple steps to protect its DNS? DNS is attractive to an attacker precisely because almost every network lets it out unfiltered, and each query name and answer can carry a few hundred bytes of attacker-chosen data.
This article focuses on risks in the enterprise, where IT teams should be keeping the business safe with best practices and procedures.
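To make the risk concrete, here is an added example (not code from the SecPro article) showing both halves of a DNS tunnel in plain Node.js: how a client packs data into query names that respect the protocol's label and name limits, how the attacker's authoritative server reassembles it, and a simple heuristic a resolver-log analyser can apply to flag such names. Nothing touches the network; the zone name `exfil.example.com`, the sample "secret" and the detection thresholds are all constructed for the demo.

```javascript
// Added example, not code from the SecPro article: how data is smuggled out
// inside DNS query names, and a heuristic a resolver-log analyser can apply
// to spot it. Plain Node.js; nothing is sent on the network, the "queries"
// are just the names a tunnelling client would resolve.

// RFC 4648 base32 alphabet, lower-cased: DNS labels are case-insensitive and
// limited to letters, digits and '-', so base64 is not an option.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
const MAX_LABEL = 63;   // RFC 1035 label limit (octets)
const MAX_NAME = 253;   // RFC 1035 name limit in presentation form

function base32Encode(buf) {
  let bits = 0, value = 0, out = '';
  for (const byte of buf) {
    value = ((value << 8) | byte) & 0xffff;
    bits += 8;
    while (bits >= 5) {
      out += ALPHABET[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
  }
  if (bits > 0) out += ALPHABET[(value << (5 - bits)) & 31];
  return out;
}

function base32Decode(str) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of str) {
    value = ((value << 5) | ALPHABET.indexOf(ch)) & 0xffff;
    bits += 5;
    if (bits >= 8) {
      out.push((value >>> (bits - 8)) & 255);
      bits -= 8;
    }
  }
  return Buffer.from(out);
}

// Client side: split the encoded data across names of the form
// <seq>.<up to labelsPerQuery data labels>.<zone>, keeping every label
// within 63 octets and every name within 253.
function encodeForDns(data, zone, labelsPerQuery = 3) {
  const text = base32Encode(Buffer.from(data, 'utf8'));
  const labels = [];
  for (let i = 0; i < text.length; i += MAX_LABEL) labels.push(text.slice(i, i + MAX_LABEL));
  const queries = [];
  for (let i = 0, seq = 0; i < labels.length; i += labelsPerQuery, seq++) {
    const name = [seq.toString(36), ...labels.slice(i, i + labelsPerQuery), zone].join('.');
    if (name.length > MAX_NAME) throw new Error(`name too long (${name.length})`);
    queries.push(name);
  }
  return queries;
}

// Server side (the authoritative name server the attacker runs for <zone>):
// strip the zone, order by the sequence label, reassemble and decode.
function decodeFromDns(queries, zone) {
  const suffix = '.' + zone;
  const chunks = queries
    .map(q => q.slice(0, -suffix.length).split('.'))
    .sort((a, b) => parseInt(a[0], 36) - parseInt(b[0], 36))
    .map(labels => labels.slice(1).join(''));
  return base32Decode(chunks.join('')).toString('utf8');
}

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const c of s) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Detection side: normal hostnames are short, have short labels and are far
// from random; tunnelled names fail at least one of these tests. The
// thresholds are assumptions to tune against your own resolver logs.
function looksLikeTunnel(name) {
  const labels = name.split('.');
  const longest = labels.reduce((a, b) => (b.length > a.length ? b : a), '');
  return name.length > 100
      || longest.length > 40
      || (longest.length >= 20 && entropy(longest) > 3.5);
}

// Constructed demo: a short "secret" leaves as DNS queries and comes back.
const SAMPLE_ZONE = 'exfil.example.com';
const SAMPLE_SECRET = 'db_password=hunter2;' + 'api_key=0123456789abcdef;'.repeat(10);
const SAMPLE_QUERIES = encodeForDns(SAMPLE_SECRET, SAMPLE_ZONE);
console.log(SAMPLE_QUERIES);
console.log(decodeFromDns(SAMPLE_QUERIES, SAMPLE_ZONE) === SAMPLE_SECRET);
console.log(['www.example.com', SAMPLE_QUERIES[0]].map(looksLikeTunnel));
```

The real tunnelling tools add error handling, encryption and a return channel in TXT or NULL answers, but the shape is the same, which is why per-client query volume to a single zone and label length or entropy are the usual starting points for detection.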
Want to find out more about DNS Tunneling? Click the link below for the full article!
Red Team
DOM Invader – Speeding up DOM-based XSS findings
Cross-site scripting, or XSS, is a popular web application attack. It has a place in the OWASP Top 10 for 2013 and 2017, and again in the 2021 edition, where it was folded into the Injection category. According to HackerOne’s 2021 report, the most common flaw discovered on its platform is cross-site scripting.
In this article we will talk about DOM Invader, a very useful tool built into the Chromium browser that ships with Burp Suite, which makes finding DOM-based XSS much faster and easier. But before that, a quick introduction to cross-site scripting.
Cross-site scripting is a client-side attack: the attacker gets malicious script to execute in the victim’s web browser, in the context of the vulnerable site. That script can carry out any action the user can perform and read any data the user can access. In the DOM-based variant, the page’s own JavaScript takes attacker-controlled input from a source such as location.hash and writes it into a dangerous sink such as innerHTML, so the payload never has to pass through the server at all.
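As an added example (not code from the SecPro article or from PortSwigger), the following plain Node.js models the source-to-sink flow of a DOM-based XSS, shows the hardened form beside the vulnerable one, and implements the canary idea that DOM Invader automates: inject a recognisable string into a source and report whether it reaches a sink with its special characters intact. A stub element stands in for the real DOM so it runs offline; the canary string, the `Welcome, …` page logic and the payload are constructed for the demo.

```javascript
// Added example, not code from the SecPro article or from PortSwigger: a
// minimal model of a DOM-based XSS flow in plain Node.js. A stub element
// stands in for the real DOM so this runs offline; in a browser you would
// use document.getElementById(...) and location.hash instead.
//
//   source: location.hash     (attacker controls it through the URL)
//   sink:   element.innerHTML (parses the string as markup)

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Stub element: innerHTML stores markup as-is, textContent stores the text
// and exposes it through innerHTML the way a browser would, entity-encoded.
function makeElement() {
  let html = '';
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); },
    set textContent(v) { html = escapeHtml(v); },
  };
}

// Vulnerable page code: the URL fragment goes straight into innerHTML.
function renderVulnerable(hash, el) {
  const name = decodeURIComponent(hash.slice(1));   // '#Alice' -> 'Alice'
  el.innerHTML = 'Welcome, ' + name;
  return el.innerHTML;
}

// Hardened page code: same data, written through textContent so the browser
// never interprets it as HTML.
function renderSafe(hash, el) {
  const name = decodeURIComponent(hash.slice(1));
  el.textContent = 'Welcome, ' + name;
  return el.innerHTML;
}

// The idea DOM Invader automates: put a recognisable canary (assumed value)
// into a source and report whether it reaches a sink with '<' and '>' intact.
function canaryReachesSinkUnencoded(render, canary = 'dmxss7q') {
  const el = makeElement();
  render('#' + encodeURIComponent('"<' + canary + '>"'), el);
  return el.innerHTML.includes('<' + canary + '>');
}

// Constructed demo payload: a classic image-onerror XSS vector in the fragment.
const PAYLOAD_HASH = '#' + encodeURIComponent('<img src=x onerror=alert(document.cookie)>');
console.log(renderVulnerable(PAYLOAD_HASH, makeElement()));
console.log(renderSafe(PAYLOAD_HASH, makeElement()));
console.log(canaryReachesSinkUnencoded(renderVulnerable), canaryReachesSinkUnencoded(renderSafe));
```

The canary test is the part worth copying: it does not need to know the payload in advance, only whether markup-significant characters survive the trip from source to sink, which is exactly what makes automated DOM XSS discovery tractable.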
Want to find out more about the DOM-based XSS attacks? Click the link below for the full article!
Blue Team
Cross Origin Resource Sharing (CORS) – Understanding Web Application Vulnerabilities
What is CORS?
Cross-Origin Resource Sharing, or simply CORS, gives browsers a way to control access to resources located outside a page’s own domain, and gives websites a way to relax the Same-Origin Policy (SOP) for chosen origins. CORS is designed to extend the SOP and add flexibility to it, but it opens the door to cross-domain attacks if it is poorly configured or implemented. As defined by the World Wide Web Consortium (W3C), CORS is an extension to the SOP. Modern web applications rely on JavaScript to build dynamic, often interactive and functional websites that give users a feature-rich online experience, and that JavaScript frequently needs to read responses from other origins, which is exactly the access CORS governs.
What is the “same origin”?
Simply put, an origin is the combination of scheme (http or https), host, and port (for example https://example.com:8080; when no port is written, the scheme’s default applies, 80 for http and 443 for https). Two URLs share an origin only when all three match; the path does not matter.
https://www.example.com/anything and https://www.example.com/nothing are the same origin BUT http://www.example.com/something is not the same origin as either of the two examples, because the scheme differs. In the same way, https://www.example.com:8080/anything is a different origin from the first two because the port differs.
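The origin rule above, and the misconfiguration the article is warning about, in code. This is an added example, not code from the SecPro article: plain Node.js that compares origins with the built-in URL parser and then answers a credentialed request's `Origin` header three ways, two of them wrong. The allowlist entries and the origins fed in are constructed for the demo.

```javascript
// Added example, not code from the SecPro article: what "same origin" means
// in code, and three ways a server might answer the Origin header on a
// credentialed request, two of them wrong. Plain Node.js; the allowlist and
// the origins below are constructed for the demo.

// Two URLs share an origin when scheme, host and port all match. Node's URL
// parser drops a port equal to the scheme default, so https://example.com:443
// and https://example.com compare equal while :8080 does not. Paths are ignored.
function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function corsHeadersReflecting(requestOrigin) {
  // Vulnerable: echoes any Origin and allows credentials, so a page on any
  // site (including the "null" origin of a sandboxed iframe) can read the
  // response with the victim's cookies attached.
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

function corsHeadersSubstringCheck(requestOrigin) {
  // Still vulnerable: a substring test on the trusted domain also accepts
  // https://notexample.com and https://example.com.evil.net.
  if (!requestOrigin.includes('example.com')) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact match against an allowlist of normalised origins (assumed
// list), and Vary: Origin so a shared cache never hands one origin's answer
// to another.
const ALLOWED_ORIGINS = new Set(
  ['https://www.example.com', 'https://app.example.com'].map(o => new URL(o).origin),
);

function corsHeadersAllowlist(requestOrigin) {
  let origin;
  try {
    origin = new URL(requestOrigin).origin;   // throws on "null" or garbage
  } catch (e) {
    return {};
  }
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

for (const o of ['https://app.example.com', 'https://notexample.com', 'https://example.com.evil.net', 'null']) {
  console.log(o, corsHeadersReflecting(o), corsHeadersSubstringCheck(o), corsHeadersAllowlist(o));
}
```

When auditing, send a request with `Origin: https://attacker.example` (and `Origin: null`) to any endpoint that returns user data and look for it reflected in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`; that pair is the exploitable condition.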
Want to find out more about Cross-Origin Resource Sharing? Click the link below for the full article!
MITRE ATT&CK
T1003 – OS Credential Dumping
By Austin Miller
Onto the fifth of the most commonly observed techniques in the MITRE ATT&CK framework: accessing and dumping credentials after initial access. Although credential dumping can be the primary objective of a cyberattack and feed later credential stuffing, the adversary will more often use the stolen credentials to maintain a foothold in the environment and escalate privileges to cause maximal damage.
What is OS Credential Dumping?
Obtaining and dumping credentials is an easy way for the adversary to start moving laterally across the network. Many different tools are used: the open-source Mimikatz, the older gsecdump, and even the built-in Windows Task Manager (whose “Create dump file” option writes the memory of lsass.exe, the process that holds logged-on users’ credential material, to disk) are all commonly used by threat actors and ethical hackers alike to get at credential stores. The common thread is a read of LSASS memory, the SAM database or domain controller secrets, which is why telemetry on which processes open LSASS is a core detection for this technique.
Want to know how the adversary dumps credentials? Click the link below for the full article!
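Since the tools differ but the LSASS read does not, the detection is worth showing. The following is an added example, not code from the SecPro article or from MITRE: plain Node.js that runs a bit-mask check over a handful of constructed Sysmon Event ID 10 (ProcessAccess) records, flagging any non-allowlisted process that opens lsass.exe with memory-read rights. The log lines, the allowlist and the `Field: value|Field: value` layout are assumptions made for the demo; the access-right constants are the Win32 `PROCESS_*` values.

```javascript
// Added example, not code from the SecPro article or from MITRE: detection
// logic for the step behind most Windows credential dumping, a process
// opening a handle to lsass.exe with memory-read rights. The input is a
// handful of constructed Sysmon Event ID 10 (ProcessAccess) records cut down
// to the three fields that matter; no real telemetry is used.

// Access rights from winnt.h that matter here. Mimikatz-style tools
// commonly request 0x1010 (VM_READ | QUERY_LIMITED_INFORMATION); a full
// dump via Task Manager or ProcDump commonly requests PROCESS_ALL_ACCESS
// (0x1FFFFF). Both include PROCESS_VM_READ, query-only masks do not.
const RIGHTS = {
  PROCESS_VM_READ: 0x0010,
  PROCESS_QUERY_INFORMATION: 0x0400,
  PROCESS_QUERY_LIMITED_INFORMATION: 0x1000,
};

// Assumed allowlist of binaries that legitimately touch LSASS on this estate;
// build yours from a baseline of your own fleet, not from this list.
const ALLOWED_SOURCES = new Set([
  'c:\\windows\\system32\\csrss.exe',
  'c:\\windows\\system32\\wininit.exe',
  'c:\\program files\\windows defender\\msmpeng.exe',
]);

// Constructed records in "Field: value|Field: value" form.
const SAMPLE_EVENTS = [
  'SourceImage: C:\\Users\\bob\\Downloads\\mimikatz.exe|TargetImage: C:\\Windows\\system32\\lsass.exe|GrantedAccess: 0x1010',
  'SourceImage: C:\\Windows\\system32\\Taskmgr.exe|TargetImage: C:\\Windows\\system32\\lsass.exe|GrantedAccess: 0x1FFFFF',
  'SourceImage: C:\\Program Files\\Windows Defender\\MsMpEng.exe|TargetImage: C:\\Windows\\system32\\lsass.exe|GrantedAccess: 0x1010',
  'SourceImage: C:\\Windows\\system32\\svchost.exe|TargetImage: C:\\Windows\\system32\\lsass.exe|GrantedAccess: 0x1000',
  'SourceImage: C:\\Tools\\procmon.exe|TargetImage: C:\\Windows\\system32\\notepad.exe|GrantedAccess: 0x1010',
];

function parseEvent(line) {
  const ev = {};
  for (const field of line.split('|')) {
    const i = field.indexOf(':');                 // first colon only; paths contain more
    ev[field.slice(0, i).trim()] = field.slice(i + 1).trim();
  }
  return ev;
}

// Names of the rights set in a GrantedAccess mask, for the analyst's benefit.
function describeAccess(mask) {
  return Object.entries(RIGHTS)
    .filter(([, bit]) => (mask & bit) !== 0)
    .map(([name]) => name)
    .join('|');
}

// Flag when (1) the target is lsass.exe, (2) the handle carries
// PROCESS_VM_READ and (3) the opener is not a known-good binary.
function isLsassRead(ev) {
  if (!ev.TargetImage.toLowerCase().endsWith('\\lsass.exe')) return false;
  const access = parseInt(ev.GrantedAccess, 16);
  if ((access & RIGHTS.PROCESS_VM_READ) === 0) return false;
  return !ALLOWED_SOURCES.has(ev.SourceImage.toLowerCase());
}

function findLsassReads(lines) {
  return lines.map(parseEvent).filter(isLsassRead).map(ev =>
    `${ev.SourceImage} opened lsass.exe with ${ev.GrantedAccess} (${describeAccess(parseInt(ev.GrantedAccess, 16))})`);
}

console.log(findLsassReads(SAMPLE_EVENTS));
```

Expect the allowlist to be the noisy part in practice: EDR agents, backup software and some monitoring tools read LSASS legitimately, so baseline first, and treat an unsigned or user-writable path opening LSASS as the high-confidence case.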
Threat Hunting
Do you really know what your IoT devices are up to?
While the world has become more and more unpredictable, I’ve continued to enjoy the steady stream of SharkFest seminars that unearth new and interesting ways to use Wireshark in an enterprise setting. This week, I’ve been catching up on How Smart Are My “Things”?, a talk by Simone Mainardi, PhD, who investigated the traffic that IoT devices generate even when they are idle.
As more companies turn to IoT devices to meet their production needs, cybersecurity professionals need a full understanding of what exactly these devices are doing. If you are adding an IoT device or network to your organization, you should be running similar tests (capture the device’s traffic while it sits idle and inspect it) to show exactly what leaves your network, when, and to whom, and how you can manage that potential security risk.
Want to find out more about chatty IoT devices? Click the link below!
News Bytes
WatchGuard’s failure to report critical flaw sets a dangerous precedent
Another week, another security vendor with a scandal erupting. This time it is WatchGuard’s turn, because the company failed to disclose that a critical vulnerability had been discovered and, it is suspected, exploited by the Russian military. With an entire line of firewall devices exposed, the compromised appliances were assembled into a botnet that is also suspected of having played a role in cyberattacks around the world.
Identified as CVE-2022-23176, the flaw in the Fireware OS allows a remote attacker with unprivileged credentials to obtain a privileged management session on the appliance through exposed management access. The vulnerability had apparently been shared with WatchGuard by the FBI in November 2021, after it had been used by Sandworm, a hacking group which has become even more notorious since the start of the Russia-Ukraine conflict. Cyclops Blink, the malware Sandworm deployed on the compromised devices, hit many organisations and was found mainly on WatchGuard firewalls, with ASUS routers later identified as targets as well.
If you believe that you have been affected, WatchGuard’s software tool and accompanying instructions can be used to detect and remediate the issue.
Want to catch up on some more news from the week gone by? Click the link below!
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Vulnerability Assessment
- disruptops/cred_scanner: A simple file-based scanner to look for potential AWS access and secret keys in files
- prevade/cloudjack: Route53/CloudFront Vulnerability Assessment Utility
- RhinoSecurityLabs/ccat: Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
Offensive Security
- j3ssie/osmedeus: A Workflow Engine for Offensive Security
- j3ssie/metabigor: Metabigor is an intelligence tool whose goal is to do OSINT tasks (and more) without needing any API key.
- SharonBrizinov/s3viewer: s3viewer is a free tool for security researchers that lists the contents of publicly open storage buckets and helps to identify leaking data.
IP Rotators
- PortSwigger/ip-rotate: Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
- proxycannon/proxycannon-ng: A private botnet using multiple cloud environments for pentesters and red teamers, built by the community during a hackathon at the WWHF 2018 security conference
- tomsteele/cloud-proxy: cloud-proxy creates multiple DigitalOcean (DO) droplets and then starts local SOCKS proxies to them over SSH