Showing posts with label Testing.

Overview of public interfaces for SOC/IT-Security staff

In case of an IT-security incident, an emergency, or a newly published critical vulnerability (like log4j in December 2021), it pays to be prepared so that you can quickly answer questions like:

  • "Are we affected?"
  • "Do we use this technology?"
  • "Where do we use this vulnerable protocol?"
  • "To whom is the attack surface exposed?"
  • "Are there mitigations in place?"
  • "Is it exploitable without authentication in our setup?"
  • "Which is the best place for a first mitigation?"
  • etc.

An overview like the following helps your IT-security staff or your Security Operations Center (SOC):

| System | Internet facing | Protocol | Authentication | Security controls | Products/Vendors | Logs sent to SIEM | Contact person | Known weaknesses |
|---|---|---|---|---|---|---|---|---|
| Websites | Yes, exposed to all public IP addresses | HTTPS (TCP:443) and HTTP (TCP:80, HTTP 301 redirect to HTTPS) | None | Web Application Firewall | F5 BigIP LoadBalancer WAF and Apache container on OpenShift | Yes | Link to CMDB | Websites may contain third-party code, SBOM see CMDB |
| Managed File Transfer | Yes, but limited to dedicated public IP addresses of partners | HTTPS (TCP:443) | HTTPS tokens | Web Application Firewall | F5 BigIP LoadBalancer WAF, IPSwitch | Yes | Link to CMDB | Runs as an appliance on a VM, OS might not be hardened by the vendor |
| Citrix | Yes, exposed to all public IP addresses | HTTPS (TCP:443) | MFA | NetScaler WAF | Citrix Systems + Okta MFA | Yes | Link to CMDB | NetScaler WAF ruleset might be out of date |
| Mailserver | Yes, exposed to all public IP addresses | SMTP (TCP:25) | None | Anti-spam mail gateway and AV sandbox | Cisco E-Mail Security | Yes | Link to CMDB | Mail gateways run on hardware appliances, might not be hardened by the vendor |
| SSLVPN S2E | Yes, exposed to all public IP addresses | HTTPS (TCP:443) | Mutual TLS (certificate based) + MFA | Azure DDoS | FortiGate SSLVPN on Azure VM + Okta MFA | Yes | Link to CMDB | Possible FortiGate FortiOS SSLVPN vulnerabilities |
| M365 ActiveSync | Yes, exposed to all public IP addresses | HTTPS (TCP:443) | Mutual TLS (certificate based) | Azure DDoS | Microsoft 365 + Intune | Yes | Link to CMDB | Not covered by own vulnerability scanner |
| VPN S2S | Yes, but limited to dedicated public IP addresses of partners | IPsec (IKE UDP:500, NAT-T UDP:4500, ESP) | IPsec IKEv2 certificate-based auth | Azure DDoS | FortiGate SSLVPN Azure VM | | Link to CMDB | - |
| DMARC SaaS | Yes, exposed to all public IP addresses | DNS (UDP:53), HTTP (TCP:80), HTTPS (TCP:443), SMTP (TCP:25) | None | - | dmarcadvisor.com SaaS | No | Link to CMDB | Not covered by own vulnerability scanner |
| DNS Server | Yes, but limited to dedicated public IP addresses of partners | DNS (UDP:53 and TCP:53) | None | Azure Network Security Groups | RHEL BIND | Yes | Link to CMDB | - |
| ISP Routers | Yes, but limited to dedicated public IP addresses of ISP routers | BGP (TCP:179), BFD, ping (ICMP type 0/8) | BGP MD5 auth | - | Extreme Networks XOS | Yes | Link to CMDB | |
| etc. | etc. | etc. | etc. | etc. | etc. | etc. | etc. | etc. |

 

Of course you can add many more columns, for example:

  • "SBOM / technologies used" (for example: RHEL, Apache Tomcat, OpenSSL, log4j, Puppet, Ansible, Splunk Universal Forwarder, AppDynamics, ...)
  • Direct links to your firewall management system, WAF or SIEM
  • "Is it covered by our vulnerability scanner?"
  • "Does the vulnerability scanner scan it authenticated?"
  • "Is the system/application hardened?"
  • and so on :-)

In an IT-security emergency this list helps you sort out the first steps to mitigate and fix the issue on the publicly exposed interfaces (towards the internet or towards business partners). However, this is only one of many necessary steps: always "assume breach" and make sure that an attacker who controls a client or server is still unable to spread (unnoticed) through your company's (cloud) network.
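To show how such an inventory answers the questions above in practice, here is an added example (not part of the original post): the table is kept as data, and a small triage function returns, for a vulnerable product name, the affected interfaces ordered by exposure, together with the upstream control where a first mitigation can be placed and the detection gaps. The rows are a constructed subset of the table above with exposure and authentication values normalised by hand; the SIEM value for VPN S2S, which the table leaves blank, is assumed to be False.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    system: str
    exposure: str        # "public" = reachable from any internet IP, "partners" = allow-listed partner IPs only
    protocols: tuple     # e.g. ("TCP:443",)
    auth: str            # "none", "token", "mfa", "mtls+mfa", "cert"
    controls: str        # upstream control where a first mitigation can be placed
    products: tuple      # vendors / technologies, the key for "Are we affected?"
    siem: bool           # logs forwarded to the SIEM
    contact: str


# Constructed subset of the overview table above (values normalised by hand;
# siem=False for VPN S2S is an assumption, the table leaves that cell blank).
INVENTORY = [
    Interface("Websites", "public", ("TCP:443", "TCP:80"), "none", "F5 BigIP WAF",
              ("F5 BigIP", "Apache", "OpenShift"), True, "Link to CMDB"),
    Interface("Managed File Transfer", "partners", ("TCP:443",), "token", "F5 BigIP WAF",
              ("F5 BigIP", "IPSwitch"), True, "Link to CMDB"),
    Interface("Mailserver", "public", ("TCP:25",), "none", "Anti-spam gateway + AV sandbox",
              ("Cisco E-Mail Security",), True, "Link to CMDB"),
    Interface("SSLVPN S2E", "public", ("TCP:443",), "mtls+mfa", "Azure DDoS",
              ("FortiGate", "FortiOS", "Okta"), True, "Link to CMDB"),
    Interface("VPN S2S", "partners", ("UDP:500", "UDP:4500", "ESP"), "cert", "Azure DDoS",
              ("FortiGate", "FortiOS"), False, "Link to CMDB"),
    Interface("DNS Server", "partners", ("UDP:53", "TCP:53"), "none", "Azure NSG",
              ("RHEL", "BIND"), True, "Link to CMDB"),
]


def affected(inventory, keyword):
    """Interfaces whose product list mentions the vulnerable technology (case-insensitive)."""
    k = keyword.lower()
    return [i for i in inventory if any(k in p.lower() for p in i.products)]


def priority(iface):
    """1 = unauthenticated and reachable from anywhere, 2 = public but behind auth, 3 = partner-only."""
    if iface.exposure == "public":
        return 1 if iface.auth == "none" else 2
    return 3


def triage(inventory, keyword):
    """Ordered worklist answering 'Are we affected, and where do we mitigate first?'."""
    rows = []
    for i in sorted(affected(inventory, keyword), key=priority):
        gaps = []
        if i.auth == "none":
            gaps.append("reachable pre-auth")
        if not i.siem:
            gaps.append("no SIEM logs, detection blind spot")
        rows.append({"system": i.system, "priority": priority(i), "exposure": i.exposure,
                     "protocols": ",".join(i.protocols), "mitigate_at": i.controls,
                     "gaps": gaps, "contact": i.contact})
    return rows


if __name__ == "__main__":
    for row in triage(INVENTORY, "fortigate"):
        print(row)
```

Keeping the inventory as data (here a list, in practice an export from the CMDB) means the same query can be rerun for the next vulnerability in seconds, and the `gaps` field immediately shows where you would be blind during the incident.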

Mitre Att&ck Micro Emulations - Test your own security

It is a very good idea to test your own IT-security systems and processes: do they detect an activity at all, and what level of detail do they provide? MITRE Engenuity's Center for Threat-Informed Defense launched a project for exactly this, called Micro Emulation Plans.

Mitre Micro Emulations

On GitHub version 4 was already released, providing the first set of tools: Active Directory enumeration, file access, named pipes, process injection, user execution (ISO bypass, macros and shortcuts), web shells and Windows registry: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/releases .

Microsoft SmartScreen - Mark of the Web: Zone.Identifier with ReferrerUrl in an NTFS Alternate Data Stream

How does Windows know whether a file comes from a trusted or an untrusted source? The application that downloads the file (browser, mail client, archiver) writes its origin into the NTFS alternate data stream Zone.Identifier of the file, the so-called Mark of the Web, and Microsoft Defender SmartScreen evaluates that mark. In earlier Windows versions only the zone was stored; since Windows 10 the source URLs are stored as well.

Example: I downloaded procexp.exe from https://live.sysinternals.com/procexp.exe:

SmartScreen Zone.Identifier NTFS Alternate Datastream

The stream contains ZoneId, ReferrerUrl and HostUrl. This is also called Windows Defender SmartScreen Extended Mark of the Web.

Additional tests for Microsoft Defender SmartScreen can be found here: https://demo.smartscreen.msft.net/ & https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen
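As an added example (not from the original post), the following Python parses a Zone.Identifier stream into its zone and origin URLs, which is what you would do when triaging a suspicious file or when writing a detection that checks where a dropped binary came from. The stream content is a constructed sample in the format browsers write; on an NTFS volume the stream itself is opened by appending ":Zone.Identifier" to the file path.

```python
import configparser

# URL security zones as used by ZoneId (URLZONE values)
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

# Constructed sample of what a browser writes into <file>:Zone.Identifier
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://live.sysinternals.com/
HostUrl=https://live.sysinternals.com/procexp.exe
"""


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier content into a dict."""
    cp = configparser.ConfigParser(interpolation=None)   # URLs may contain '%', so no interpolation
    cp.read_string(text)
    if "ZoneTransfer" not in cp:
        raise ValueError("not a Zone.Identifier stream")
    sec = cp["ZoneTransfer"]
    zone = int(sec.get("ZoneId", "3"))
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        "referrer_url": sec.get("ReferrerUrl"),           # page the download was started from
        "host_url": sec.get("HostUrl"),                   # URL the bytes actually came from
        "untrusted": zone >= 3,                           # Internet / RestrictedSites trigger SmartScreen
    }


def read_motw(path):
    """Read the alternate data stream of a file on NTFS (Windows only).

    Returns None when the file carries no mark (never downloaded, or the mark was removed),
    and on non-NTFS systems where the ':stream' syntax simply does not resolve.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(read_motw(r"C:\Users\Public\Downloads\procexp.exe"))   # path is an example, adjust it
```

The same stream can be displayed in PowerShell with `Get-Content .\procexp.exe -Stream Zone.Identifier`, and `Unblock-File` removes it; that is worth remembering when a user reports that a download "just ran without a warning".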

Windows Credential Guard (CredGuard) active?

If you want to check whether Windows Credential Guard is active, you can do so either with msinfo32.exe or with PowerShell:

CredGuard status - msinfo32.exe:

Run msinfo32.exe and look at "Virtualization-based security Services Running" in the System Summary; "Credential Guard" is listed there when it is running.

msinfo32.exe credential guard

CredGuard status - PowerShell

SecurityServicesRunning is an array of service IDs (1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity), so test whether the value 1 is contained instead of comparing the whole array to $true:

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning -contains 1

True = active
False = inactive

If 1 appears in SecurityServicesConfigured but not in SecurityServicesRunning, Credential Guard is configured but not running yet (usually a reboot is missing).

 

Information about Credential Guard

Credential Guard CredGuard explained

"Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.

When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Windows Defender Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.

When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials."

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-how-it-works


Zenmap: show SSHv2 algorithms/cipher suites

You can discover the SSHv2 algorithms/cipher suites a server offers with nmap or Zenmap and the following NSE script:

URL: https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html
Download: https://svn.nmap.org/nmap/scripts/ssh2-enum-algos.nse

Howto Use Guide

  1. Download the NSE script (recent Nmap releases already ship ssh2-enum-algos.nse in the scripts folder, so check there first)
  2. Save the .nse file into your ...\NMap\Scripts\ folder
    NMap\Scripts\ folder screenshot
  3. Run nmap or Zenmap with the command: nmap --script ssh2-enum-algos *your-target* (add -p 22 if you only care about SSH and want to skip the port scan)
    Zenmap screenshot

Example Output

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-03 21:18 Central European Time
Nmap scan report for 10.140.68.24
Host is up (0.016s latency).
Not shown: 997 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Author: Kris Katterjohn
License:
Same as Nmap--See https://nmap.org/book/man-legal.html
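The script only lists what the server offers; the practitioner's question is which of those entries are weak. As an added example (not part of the original post or of Nmap), the following Python parses the ssh2-enum-algos output above, flags SHA-1 key exchange, SHA-1 host-key signatures (ssh-rsa), CBC/3DES/RC4 ciphers and short or SHA-1/MD5 MACs, and drafts the sshd_config directives that keep only the remaining algorithms. The input is a constructed copy of the scan output shown above; the weakness rules are this example's own choice, not Nmap's.

```python
import re

# Constructed copy of the ssh2-enum-algos output shown above, used as offline input
SAMPLE_OUTPUT = """\
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       rsa-sha2-512
|       rsa-sha2-256
|       ssh-rsa
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

HEADER = re.compile(r"^(\w+_algorithms): \((\d+)\)$")   # e.g. "kex_algorithms: (10)"

# Rules of this example: what counts as weak per category
WEAK_RULES = {
    "kex_algorithms": lambda a: a.endswith("-sha1") or "group1-" in a,
    "server_host_key_algorithms": lambda a: a in {"ssh-rsa", "ssh-dss"},   # SHA-1 signatures
    "encryption_algorithms": lambda a: a == "none"
        or any(w in a for w in ("-cbc", "3des", "arcfour", "blowfish", "cast128")),
    "mac_algorithms": lambda a: any(w in a for w in ("md5", "sha1", "-96", "umac-64")),
}

DIRECTIVE = {"kex_algorithms": "KexAlgorithms", "server_host_key_algorithms": "HostKeyAlgorithms",
             "encryption_algorithms": "Ciphers", "mac_algorithms": "MACs"}


def parse_enum_algos(text):
    """Turn the script's indented list into {category: [algorithm, ...]}."""
    algos, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ \t").rstrip()       # drop the NSE "|" / "|_" prefix and indentation
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
        elif current and line:
            algos[current].append(line)
    return algos


def weak_algorithms(algos):
    """Per category, the offered algorithms that match a weakness rule."""
    return {cat: [a for a in algos.get(cat, []) if rule(a)] for cat, rule in WEAK_RULES.items()}


def sshd_config_lines(algos):
    """Draft sshd_config directives that keep only the algorithms not flagged as weak."""
    weak = weak_algorithms(algos)
    return [f"{DIRECTIVE[cat]} {','.join(a for a in algos[cat] if a not in weak[cat])}"
            for cat in DIRECTIVE if cat in algos]


if __name__ == "__main__":
    parsed = parse_enum_algos(SAMPLE_OUTPUT)
    for cat, found in weak_algorithms(parsed).items():
        print(f"{cat}: {found or 'ok'}")
    print("\n".join(sshd_config_lines(parsed)))
```

Note that dropping ssh-rsa from HostKeyAlgorithms does not mean dropping the RSA host key: rsa-sha2-256 and rsa-sha2-512 sign with the same key using SHA-2, and only clients that still insist on SHA-1 signatures will fail to connect.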

Microsoft Windows Defender SmartScreen demo pages for testing

Microsoft provides demo and testing pages on which the Microsoft Windows Defender SmartScreen functionality can be tested, similar to the EICAR test file for antivirus scanners:

https://demo.smartscreen.msft.net/

Microsoft Smartscreen Test URL Rep Demos

Is This Phishing?
Alert the user to a suspicious page and ask for feedback → https://nav.smartscreen.msft.net/other/areyousure.html

Phishing Page
A page known for phishing that should be blocked → https://nav.smartscreen.msft.net/phishingdemo.html

Malware Page
A page that hosts malware and should be blocked → https://nav.smartscreen.msft.net/other/malware.html

Blocked Download
Blocked from downloading because of its URL rep → https://nav.smartscreen.msft.net/download/malwaredemo/freevideo.exe

Potentially Unwanted Download
A download that may have unwanted content → https://nav.smartscreen.msft.net/download/puaademo/freevideo.exe

This feature is available only on the next major version of Microsoft Edge, based on Chromium

Exploit Page
A page that attacks a browser vulnerability → https://demo.smartscreen.msft.net/other/exploit.html

Malvertising
A benign page hosting a malicious advertisement → https://demo.smartscreen.msft.net/other/exploit_frame.html

Microsoft Smartscreen Test App Rep Demos

Download and run these files to see how SmartScreen responds.

Known Good Program
This program should run → https://demo.smartscreen.msft.net/download/known/freevideo.exe

Unknown Program
SmartScreen should show a warning before running → https://demo.smartscreen.msft.net/download/unknown/freevideo.exe

Known Malware
SmartScreen should block this program from running → https://demo.smartscreen.msft.net/download/known/knownmalicious.exe

Python security testing using mutmut

If you want to test your Python code for bugs and possible security issues, one option is mutation testing with mutmut: https://pypi.org/project/mutmut/

Test automation is very important, but most of the time only the positive test cases are covered and not the negative ones that might break the program's logic. Attackers use exactly these untested paths to find holes and bypasses, or to break your application.

Idea behind mutation testing

A program describes one path to the correct result. Mutation testing changes the code at a single position (for example "<" becomes "<=", or a constant is altered); the modified program is called a mutant. The test suite is then run against the mutant. If the tests still pass, the mutant has survived, which means the tests do not check that input, parameter or operation closely enough. If the tests fail, the mutant is killed.

The goal of mutation testing is a test suite strong enough that no mutant survives. Another good article about mutation testing can be found here: https://hackernoon.com/mutmut-a-python-mutation-testing-system-9b9639356c78

Getting started

pip install mutmut
mutmut run

By default this runs pytest on the tests in the "tests" or "test" folder and tries to figure out where the code to mutate lies. Run

mutmut --help

for help. More can be found here: https://pypi.org/project/mutmut/
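To make the idea concrete without a mutmut installation, here is an added example (not from the original post and not mutmut's code): a minimal mutation tester that swaps one comparison operator at a time in a constructed path-check function, runs a test suite against each mutant, and reports the survivors. A happy-path-only suite lets the off-by-one mutant (`<` to `<=`) survive, which is precisely the boundary an attacker would probe; a suite with negative cases kills it. The function under test, the operator swaps and both test suites are constructed for this example.

```python
import ast
import copy

# Constructed sample under test: a small path check of the kind that guards file access.
SOURCE = '''\
def is_safe_path(path, max_depth=3):
    if ".." in path or path.startswith("/"):
        return False
    return path.count("/") < max_depth
'''

# Operator swaps applied one at a time, a subset of the mutations mutmut performs.
SWAPS = {ast.Lt: ast.LtE, ast.LtE: ast.Lt, ast.Gt: ast.GtE, ast.GtE: ast.Gt,
         ast.Eq: ast.NotEq, ast.NotEq: ast.Eq, ast.In: ast.NotIn, ast.NotIn: ast.In}


def load(tree):
    """Compile a module AST and return the function defined in it."""
    ns = {}
    exec(compile(tree, "<mutant>", "exec"), ns)
    return ns["is_safe_path"]


def mutants(source):
    """Yield (description, function) for every single comparison-operator mutation."""
    original = ast.parse(source)
    for index, node in enumerate(ast.walk(original)):
        if not isinstance(node, ast.Compare):
            continue
        for pos, op in enumerate(node.ops):
            if type(op) not in SWAPS:
                continue
            tree = copy.deepcopy(original)            # one change per mutant, on a fresh copy
            target = list(ast.walk(tree))[index]      # ast.walk order is deterministic, same node
            target.ops[pos] = SWAPS[type(op)]()
            desc = f"line {node.lineno}: {type(op).__name__} -> {SWAPS[type(op)].__name__}"
            yield desc, load(ast.fix_missing_locations(tree))


def run_mutation_test(source, tests):
    """Return the mutants that survive, i.e. the suite still passed although the code changed."""
    tests(load(ast.parse(source)))                    # the suite must pass on the unmodified code
    survivors = []
    for desc, fn in mutants(source):
        try:
            tests(fn)
        except Exception:                             # any failure kills the mutant
            continue
        survivors.append(desc)
    return survivors


def weak_tests(fn):
    """Positive case only: never probes the depth boundary, so an off-by-one mutant survives."""
    assert fn("docs/readme.txt") is True


def strong_tests(fn):
    """Positive and negative cases, including the exact depth boundary."""
    assert fn("docs/readme.txt") is True
    assert fn("../etc/passwd") is False               # traversal
    assert fn("/etc/passwd") is False                 # absolute path
    assert fn("a/b/c.txt") is True                    # depth 2 < 3
    assert fn("a/b/c/d.txt") is False                 # depth 3 is not < 3


if __name__ == "__main__":
    print("weak suite, survivors:", run_mutation_test(SOURCE, weak_tests))
    print("strong suite, survivors:", run_mutation_test(SOURCE, strong_tests))
```

mutmut does the same on your whole code base with many more mutation types; a surviving mutant in an input check is a direct pointer to the negative test case that is missing.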

Backup GitLab running in a Container and encrypt the backup

Many GitLab instances run in a Docker or Podman container. The following is a bash script which fetches the gitlab-configs and the gitlab-d...