SecPro #50: Stopping DDoS attacks, brute forcing anti-CSRF forms, and exploiting noPac.
Welcome to another issue of the SecPro newsletter.
Almost a year of weekly SecPro newsletters has gone by and the team is cooking up something special for every subscriber – both the old guard who have been with us since the start and the pros just joining us – to celebrate a whole year flying by. And despite the remorseless passage of time marching on, it seems that the world of cybersecurity is still dealing with the same issues!
For that reason, we’re focusing on ways to deal with DDoS attacks, another great use of the Burp suite, and how the noPac vulnerability has caused havoc for Active Directory administrators.
Of course, don’t forget to claim your free eBook by clicking on the survey below. This offer is available for everyone currently subscribed to the SecPro Weekly Insider, including those of you still enjoying the trial period. Fill it in, tell us what you think, and we’ll send you an eBook as a thank you.
Cheers!
Austin Miller
Editor-in-Chief
Blue Team
How to mitigate DDoS Attacks
By Nazifa Alam
Distributed Denial of Service attacks, if successful, can lead to an average loss of $20,000-$40,000 per hour, which makes them one of the most alarming and expensive cybersecurity threats in the evolving digital landscape. That is a number even some of the largest organisations can feel threatened by, and with each hour of an attack the costs increase. So what can be done to reduce them?
Common forms of DDoS attacks
- Ping of Death – Where the attacker(s) send multiple pings to overload the targeted device. IP packets larger than the maximum the network can handle are sent to the victim’s network, which then has to reassemble them, leaving it unable to handle legitimate packets and forcing it to become inactive.
- UDP (User Datagram Protocol) Floods – This form of attack floods the targeted network with UDP packets aimed at ports on a remote host. For each packet, the host looks for an application listening on that port; once it finds none, it replies that the destination was unreachable. This consumes network capacity and prevents other devices from connecting.
- NTP Amplification – Where the attacker(s) abuse the behaviour of an NTP server to amplify traffic toward the target.
- SYN Flood – This involves the attacker abusing the TCP handshake to render the targeted network unavailable. SYN requests are sent to the targeted network, which replies with a SYN-ACK response. The sender, who would normally complete the handshake, either never responds or has sent the SYN from a spoofed IP address. Each unanswered reply ties up more network resources, preventing other devices from connecting.
- HTTP Flood – This type of attack involves overwhelming the targeted server with an overload of HTTP requests. It is effective when the targeted server or application has to answer each HTTP request with the most expensive possible response.
- Zero-Day Exploits – One of the more powerful forms of attack, since it targets security flaws in the server or application that have only just become known and for which no patch has yet been applied. The best prevention against zero-day exploits is to routinely install released patches as soon as possible.
- Slowloris – Involves the attacker(s) systematically sending incomplete HTTP requests. Each request occupies one of the server’s connection slots until the server can no longer accept new connections. This type of attack needs almost no bandwidth, hence its popularity among cyber criminals.
Why do cyber criminals like to carry out DDoS attacks?
A common reason behind DDoS attacks is extortion. Typically, the victims of DDoS attacks tend to be small to medium sized businesses; however, the number of DDoS attacks levied against larger corporations has increased greatly in the past few years.
Additional causes behind DDoS attacks include hacktivism, theft, disgruntled employees or simply boredom.
DDoS attacks commonly occur when cyber criminals identify underlying vulnerabilities which have not been patched in time. Sometimes, automated bots are used to scan multiple targeted websites for vulnerabilities, which are then attacked once an opening is detected.
Checking if your server is being targeted in a DDoS attack
If you suspect that your server is being targeted in a DDoS attack, you first need to check your server. Entering either the uptime or top command will give you an idea of the server’s current load.
An acceptable load depends on the number of threads or CPU resources available. To find out how many your server has, you can enter:
grep processor /proc/cpuinfo | wc -l
This tells you how many logical processors (threads) are available. During a DDoS attack, you may see a load at double, triple or more than that maximum. The two following commands give you the thread count and the server load with uptime:
grep processor /proc/cpuinfo | wc -l
uptime
An example of how this can look is as follows:
How many IP addresses are connected to your server?
As DDoS attacks are carried out through connections established with your server, it is important to check how many IP addresses are connected to it and how many connections each one holds.
To do this, you can enter the following command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r
For example:
This will give you a list of how many IP addresses are connected to your server and the number of connections each one has.
How to mitigate a DDoS attack
Once you realize that your server is being targeted in a DDoS attack, you can enter a few commands to block these suspicious IP addresses.
To begin with, you can block a suspicious IP address at the routing layer with the following command, replacing IPADDRESS with the address in question:
route add -host IPADDRESS reject
Once this has been done, you can check that the suspicious IP has been blocked on the server using the command:
route -n | grep IPADDRESS
You can also block IP addresses on the server using iptables with the following commands (use -j REJECT instead of -j DROP if you want the client to receive a rejection rather than silence). Save the rule before restarting the service, otherwise the restart reloads the saved rule set and discards it:
iptables -I INPUT 1 -s IPADDRESS -j DROP
service iptables save
service iptables restart
You will then need to kill any running httpd processes and restart the service by entering:
killall -KILL httpd
service httpd startssl
If there is more than one unrecognised IP address forming a multitude of connections, these steps can be repeated.
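The connection count and blocking steps above, turned into shell functions that run over a constructed netstat sample. This is an added example, not code from Nazifa's article; the sample addresses, the threshold and the function names are assumptions.

```shell
# Constructed sample of `netstat -ntu` output (not a real capture). The
# remote endpoint is column 5, which is what the article's pipeline reads.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51004       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.9:33110         ESTABLISHED
udp        0      0 10.0.0.5:123            192.0.2.9:123           ESTABLISHED'

# Connections per remote IP, busiest first. Reads netstat output on stdin so
# it runs on the sample above or on `netstat -ntu | count_by_ip`. Only the
# last ":port" is stripped, so IPv6 peers such as 2001:db8::1:443 stay whole
# (cut -d: -f1 would truncate them). Header lines have no port and are skipped.
count_by_ip() {
    awk '{ ip = $5; if (sub(/:[^:]*$/, "", ip)) print ip }' \
        | sort | uniq -c | sort -nk1 -r | awk '{ print $1, $2 }'
}

# Remote IPs with at least $1 connections (default 100; tune to the host's
# normal traffic). Output: "count ip" per line.
flag_heavy_hitters() {
    count_by_ip | awk -v t="${1:-100}" '$1 >= t'
}

# Print, without executing, one iptables rule per flagged IP so an operator
# can review the list first. -I INPUT 1 puts the rule ahead of any ACCEPT
# rule; swap DROP for REJECT to answer the client instead of discarding.
# Source-based blocking only helps when the addresses are not spoofed.
block_commands() {
    flag_heavy_hitters "$1" | awk '{ print "iptables -I INPUT 1 -s " $2 " -j DROP" }'
}

# Demo on the constructed sample: flags 203.0.113.7 (3 connections) at a
# threshold of 3; the other peers fall below it.
printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 3
```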
The most important practice
It is indeed difficult to handle a DDoS attack, given that multiple spoofed IP addresses may be used. Blocking hundreds or thousands of attacking IP addresses can also be very time consuming. Therefore, the best defence against DDoS is to have effective prevention strategies in place.
This can include:
- Ensuring high levels of network security – By having traffic-scanning barriers between networks, installed anti-virus and anti-malware software, effective endpoint security practices, web security tools, and tools that check whether a traffic source is consistent with its claimed origin address.
- Using multiple distributed servers – Which makes it harder for the hacker(s) to attack all of them simultaneously.
- Staying on top of the warning signs – Which can include slower performance, multiple crashes, a spike in traffic from users sharing a common profile (for example geolocation or web browser version), high demand for a single page, and poor connectivity.
The growing financial strains
The IT Security Risks Survey conducted by Kaspersky in 2017 showed that the average cost of a DDoS attack has vastly increased. For SMEs, the cost increased to $120k, and for larger corporations the cost levelled at $2m per attack. These figures have continued to increase into 2022 and will do so in future years.
The financial consequences that come with DDoS attacks continue to increase and with the increased use of botnets, blocking an overwhelming number of IP addresses is without a doubt a difficult task. During instances like this, stopping a DDoS attack is incredibly hard. The best practice that can be done against DDoS attacks is to utilize all prevention strategies possible.
Red Team
Using Macro to brute force anti-CSRF token-based forms
By Indrajeet Bhuyan
In the last few articles, I shared different Burp suite extensions which can make your web testing easier and faster. Today in this article, I would like to introduce you to an awesome feature of Burp suite called Macro, which can help you perform some complex tasks in web application pen-testing.
Burp suite is one of the top tools for web application testing. However, controls such as CSRF tokens often defeat these automated tools. For example, we cannot brute force a phpMyAdmin login page or even the DVWA login page directly using Burp Intruder, as they carry something called an anti-CSRF token that keeps changing. But is it impossible to use tools like Burp Repeater, Intruder etc. if the page has an anti-CSRF token? The answer is no. It is still possible to perform brute force or any other automated testing even though there is an anti-CSRF token on the page.
In this article, we will see how we can bypass these controls so that we can perform tests like brute force on these kinds of login forms easily.
Using Burp Macro to update anti-CSRF token
For this demo we will use DVWA:
This is the login page of DVWA. If we look at the request in Burp suite, we can see that it adds an anti-CSRF token called user_token to the request, so if we send it to Intruder and try to brute force, it will fail because the token is not being updated.
Want to read the full breakdown on how to brute force anti-CSRF token-based forms? Check out Indrajeet’s full article by clicking the link below. 👇
Vulnerability analysis
noPac Vulnerability
By Andy Pantelli
A Microsoft AD Flaw
In late December 2021, Microsoft revealed two vulnerabilities which, when combined by a malicious actor, could lead to privilege escalation and a complete domain compromise. The two, CVE-2021-42278 and CVE-2021-42287 respectively, came to be known as ‘noPac’.
When chained together they form the ‘noPac’ attack. First disclosed by GitHub user Ridter and later confirmed by multiple researchers, this is a low-effort exploit with a critical impact: it gives a regular user the elevated privileges of a Domain Controller. Researchers have even demonstrated that the flaws in Active Directory could be exploited in just 16 seconds, after which the adversary is able to carry out ransomware attacks, exfiltrate data, damage or even destroy assets, and more. The vulnerability affects any environment running Microsoft Windows Active Directory.
One of the two vulnerabilities chained in the attack is a privilege escalation flaw associated with the Kerberos Privilege Attribute Certificate within Active Directory Domain Services. The other is a Security Account Manager (SAM) name spoofing bypass vulnerability. Looking at the noPac attack a little closer, let’s understand what the two CVEs are all about.
CVE-2021-42278
Disclosed publicly by Microsoft on 9th November 2021, this CVE results from a computer name not being validated: computer account names are expected to end with the character $, which the Active Directory service requires, but that rule is not enforced. As part of the noPac chain, an adversary may rename a user account to the name of a Domain Controller account, omitting the $ symbol at the end.
CVE-2021-42287
Also announced by Microsoft on the same day, 9th November 2021, this CVE is documented as an elevation of privilege flaw within Active Directory Domain Services and is given a CVSS score of 8.8. The vulnerability sits within the Kerberos Key Distribution Center (KDC), which processes Kerberos ticket requests. When the KDC cannot find the account named in a Ticket-Granting Ticket, it searches by default for the best possible matching name ending in the $ symbol, and the flaw allows that lookup to be leveraged to obtain other tickets as well as access tokens.
noPac Attack
Let’s now look at how the two work together to exploit the vulnerabilities. Breaking this down into stages:
1. User Account Creation
2. Adversary clears the Service Principal Names
3. sAMAccountName is renamed to a Domain Account name excluding the $ symbol
4. Ticket-granting Ticket is requested
5. sAMAccountName is renamed
6. Service ticket is requested with a S4U2self extension
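A defender-side check for the conditions behind stages 2 and 3 of the chain: it flags computer objects missing the trailing $ and any account whose name shadows a machine account. This is an added example, not from Andy's article; it assumes an LDIF export in the shape ldapsearch prints, and the sample directory entries and the function name are constructed.

```shell
# Constructed LDIF-style records (not a real directory export), in the shape
# `ldapsearch -LLL` prints: one attribute per line, a blank line per object.
# A live export would come from something like
#   ldapsearch -LLL -x -H ldap://<dc> -D <bind-dn> -W -b <base-dn> \
#       '(objectClass=*)' sAMAccountName objectClass
SAMPLE_LDIF='dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
objectClass: computer
sAMAccountName: DC01$

dn: CN=WS-42,CN=Computers,DC=example,DC=test
objectClass: computer
sAMAccountName: WS-42$

dn: CN=jdoe,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: jdoe

dn: CN=newpc,CN=Computers,DC=example,DC=test
objectClass: computer
sAMAccountName: DC01'

# Reads LDIF on stdin and prints one sorted line per finding:
#  - a computer object whose sAMAccountName lacks the trailing $ (the
#    unvalidated name that CVE-2021-42278 permits);
#  - any account whose name plus $ equals another account's name (the
#    stage-3 rename that points a ticket request at a DC's machine account).
nopac_suspects() {
    awk '
        /^dn: /             { dn = substr($0, 5) }
        /^objectClass: /    { cls[dn] = cls[dn] " " $2 }
        /^sAMAccountName: / { sam[dn] = $2; owner[$2] = dn }
        END {
            for (d in sam) {
                name = sam[d]
                if (cls[d] ~ /computer/ && name !~ /\$$/)
                    print "computer without trailing $: " name " (" d ")"
                if (name !~ /\$$/ && ((name "$") in owner))
                    print "collides with machine account " name "$: " d
            }
        }' | sort
}

# Demo on the constructed sample: both findings name CN=newpc.
printf '%s\n' "$SAMPLE_LDIF" | nopac_suspects
```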
Want to find out how Andy exploits noPac? Check out the link below. 👇
The SecPro Giveaway
Want to win one of 10 free 3-month Packt+ unlimited subscriptions? We’re giving away these fantastic prizes to our readers and there’s only one thing you have to do – share this newsletter with your friends and in your cybersecurity circles!
Click below to get started!
This Week’s Tutorials & Explainers
The final week of our MITRE ATT&CK breakdown series – it’s finally here! I won’t spoil the surprise, but if you’ve been following closely, the “winner” won’t come as a major surprise. Click the link to read the article!
No news is good news, but we’ve rounded up the big events of the last week to send to you anyway. Find out how the DEA was compromised by some familiar adversarial faces by clicking the link.
Secret Knowledge: Building Your Security Arsenal
Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.
Cross Site Scripting (XSS) Vulnerability Scanner
- payloadbox/xss-payload-list: Cross Site Scripting ( XSS ) Vulnerability Payload List
- epsylon/xsser: Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
- secdec/xssmap: Intelligent XSS detection tool that uses human techniques for looking for reflected cross-site scripting (XSS) vulnerabilities
Web Cache Vulnerability Scanner
- Hackmanit/Web-Cache-Vulnerability-Scanner: Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/).
- Qianlitp/crawlergo: A powerful browser crawler for web vulnerability scanners
- swisskyrepo/DamnWebScanner: Another web vulnerabilities scanner, this extension works on Chrome and Opera
DDoS Detection & Mitigation
- Pragma-Innovation/bgpflowspectool: This tool has been developed to help network engineers to deal with undesirable traffic that is passing through their Internet network.
- Phenomite/AMP-Research: Research on UDP/TCP amplification vectors, payloads and mitigations against their use in DDoS Attacks
- sammwyy/ddos-mitigation: Tips to mitigate and secure your large-scale server against DDoS attacks.