Using Nuclei, IAM Forensics, and Implementing FIDO

SecPro #47: Using Nuclei, IAM Forensics, and Implementing FIDO.


Since the beginning, SecPro has been trying to share all the most interesting open-source tools that we find with the community. In an effort to step up our game, we’re beginning to not only tell you about them, but show you how they work. That’s why this week’s premium articles include walkthroughs on how to use Nuclei, what tools to use for IAM Forensics, and a breakdown on improving your MFA offering. 

Haven’t signed up for the Weekly Insider yet? No worries – there’s a free trial that will give you access to walkthroughs, tutorials, product offers, and Community Wisdom. It’s free for a week, so there’s no reason to miss out on the exclusive articles that our team has put together to make your life easier.

As a thank you, we are offering another free ebook and also a sneak peek into what we will be looking at next week:

  • A full tutorial on how to use PacketStreamer, an open-source tool for collecting packets from Kubernetes, AWS, and other platforms.
  • A deep-dive analysis of the SunCrypt Ransomware.
  • And more articles from our seasoned experts on how to use specific tools to answer your specific problems.

If that sounds good, sign up to the Weekly Insider newsletter and guarantee that you won’t miss out! We look forward to seeing you next week and continuing to answer the community’s questions. Until then, enjoy the articles and keep your eyes open for ransomware gangs and crypto-miners!

Austin Miller

Blue Team

A Guide on Using Nuclei – a YAML based Vulnerability scanner

By Indrajeet Bhuyan

Automation is a favorite topic for most cyber security enthusiasts. We like to automate most of the boring stuff. Some people automate so that they don’t have to waste time doing the repetitive task while others automate as they are just too lazy to do the task . But whatever be the reason, automation is getting popular in the Cyber security field. So popular that you can find in many job descriptions today where they ask you if you have got automation skills. 

Today I would like to introduce an interesting tool that can automate a lot of things for you. A lot of bug bounty hunters already use this tool to find quick low hanging fruits (bugs). Let me introduce to you Nuclei. 

Nuclei is a community-powered, fast and customizable vulnerability scanner. Just like most modern security tools, Nuclei too is built in Go lang for faster processing. Nuclei works on YAML-based templates which leads to zero false-positive results and provides fast scanning on various hosts. 

Want to find out more about Nuclei? Click the link below for the full article!

Red Team

How to do IAM Forensics

By Ricoh Danielson
IAM Forensics is a branch of forensics pertaining to digital identity, the practice of creating accurate digital identities and accounts, and the data that is associated with them. Whether it’s for an external company (you) to acquire good actors or a pentester performing post-exploitation, IAM forensics can be a powerful tool in your arsenal. This guide will provide the basics required to perform and interpret IAM forensic analysis using open source tools and resources.

Understanding the importance of how to do IAM forensics

When it comes to identity access management (IAM) forensics is either a matter of conducting it manually or tactically and technically. If you’re using tools such as guard duty or IAM or some sort of privilege access management tool this will help you to arrive at the conclusion faster. If you ever do it a manual way such as unchain the group policies and also understanding the different privileges that users have, this may take a little bit longer. Both are crucial for understanding and conducting during an investigation. 

Want to find out more about IAM Forensics? Click the link below for the full article!

Blue Team

Multi Factor Authentication – “Fetch, FIDO!”

By Andy Pantelli
We cannot simply rely upon passwords for authentication.  They can too be complex, or too simple, they can be cracked by brute force or easily forgotten.  Forcing users to change passwords too frequently results in the repeated use of a password, or in some cases users either writing them down or making a note saved to a device.   
With passwords being responsible for 80% of data breaches, and users having up to 90 online accounts study has found that 51% of passwords are reused.  Additional verification was clearly needed.

Enter Multi Factor Authentication

Simply by having the correct password does not Identify you, sure it’s provides authentication but that is simply not enough.  A compromised password still gives the same level of access to a malicious actor that it would to the owner of the password.
Strong Authentication, commonly known as Multi Factor Authentication (MFA) is defined by using more than authentication method; something we have, and something we know.   A compromised password is useless without the OTP sent via SMS, or a security token generated by Software or a hardware device.

Want to find out more about MFA? Click the link below for the full article!


T1218: Signed Binary Proxy Execution

By Austin Miller

Signed binaries are at the heart of secure practices, with digital certificates giving us clear signs as to what we can trust and what we cannot. Using digital certificate validation and application controls to tighten up security is a top concern on all operating systems, but Windows seems to be disproportionately targeted by adversaries proxying commands through signed processes, according to recent research. 

32,133 malware samples (forming a total 16% of all samples analyzed) were found to use Signed Binary Proxy Execution, according to the Red Report. As a form of Living off the Land attack (LotL), a special subcategory has been created to describe the use of legitimate binaries to evade the standard defenses – Living off the Land binaries, or LOLBins. This tactic is used by the adversary to circumvent otherwise trustworthy services, but how exactly does it work? 

Want to know how to exploit signed binary proxies? Click the link below for the full article!

News Bytes

Lenovo Forums Stores Passwords in Plaintext 

According to one disgruntled Lenovo Forums user, it appears that the “remember me” tickbox remembers more than it should. The support site for the multinational technology company seems to save passwords in plain text and make them accessible to anyone who uses the correct connect ID. As you can imagine, this is a huge security issue for many users on the forum. 

Eagle-eyed security-minded users noted that when the “remember me” checkbox was selected that both the username and the user’s password were saved to a cookie. Through a simple session hijacking attack, the adversary could easily steal credentials. Not only is this an issue for Lenovo Forums, but also for broader credential stuffing campaigns. 

As of Friday this week, there has been no official statement by Lenovo or Lenovo Forums about how passwords are stored and how they plan to remedy this problem. Vigilance is advised for anyone using the website attached to the popular technology production company. 

Want to catch up on some more news from the week gone by? Click the link below!

Secret Knowledge: Building Your Security Arsenal

Here’s another edition of Secret Knowledge, with plenty of tools to help you test and secure your infrastructure systems. All tools are chosen by our crack team of researchers on the most important metric of all – sounding a bit interesting.

Multi Factor Authentication

  • privacyidea/privacyidea: privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. 
  • venth/aws-adfs: The project provides command line tool – AWS-ADFS to ease AWS CLI authentication against ADFS (multi factor authentication with active directory).
  • multiOTP/multiotp: multiOTP open source is a GNU LGPL implementation of a strong two-factor authentication PHP class. multiOTP open source is OATH certified for HOTP/TOTP.

IAM Forensics

  • keycloak/keycloak: Open Source Identity and Access Management For Modern Applications and Services.
  • dromara/MaxKey: MaxKey SSO, Leading-Edge IAM(Identity and Access management) product. 
  • CESNET/perun: Perun is well suited for managing users within organizations and projects and managing access rights to the services. 

Vulnerability Management

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.