Author: BenHeise

SpecterOps Adversary Tactics course review

I recently had the opportunity to attend the first public offering of the SpecterOps Adversary Tactics: Red Team Operations course. This excellent, from-scratch training took participants through several modern Tactics, Techniques, and Procedures (TTPs) and demonstrated their countermeasures and detections.


RallySec Episode 19 – Oscaron & PWC & Uber Autonomous vehicles

Episode 19 MP3 | Youtube | Twitch.TV | Twitter | Facebook | iTunes | Stitcher

Story Title: CVE-2016-8655 – Linux local root exploit
Synopsis/Talking points:
- What are Linux namespaces?
- What are Linux capabilities?
References:
http://seclists.org/oss-sec/2016/q4/607

Danny's Stuff

Story Title: PWC RCE Cease and Desist
Synopsis/Talking points:
- PWC are a bunch of douchebags
References:
PWC threatens to sue security firm for disclosing embarrassing, dangerous defects in its software
http://seclists.org/fulldisclosure/2016/Dec/33
An update to this: "if you want to test if your SAP system is vuln – since PwC still haven't told their clients – check for ABAP ZACE8M." pic.twitter.com/UR8sQ5IsP2 — Kevin Beaumont (@GossiTheDog) December 12, 2016

Story Title: ShadowBrokers are still at it
Synopsis/Talking points:
- Since their big auction failed, and then their second sale failed, they are trying to sell the tools off individually for anywhere from ~$800 to $80,000 (depending on the price of BTC)
References:
https://medium.com/@CleetusBocefus/are-the-shadow-brokers-selling-nsa-tools-on-zeronet-6c335891d62a

Story Title: Uber Says 'FU' To DMV, Rolls Out Self-Driving Cars Without Approval
Synopsis/Talking points:
- Starting today, random Uber passengers in San Francisco are picked up by an automated car.
- While 20 manufacturers have obtained DMV permits to test automated cars, Uber has not.
- There are already problems.
References:
http://sfist.com/2016/12/14/uber_says_fu_to_dmv_rolls_out_self-.php
https://www.bloomberg.com/news/articles/2016-12-14/uber-rolls-out-self-driving-cars-in-san-francisco-without-dmv-approval...


RallySec Episode 18 – LiveOverflow & Infosec education

Episode 18 MP3 | Youtube | Twitch.TV | Twitter | Facebook | iTunes | Stitcher

Guest Interview:
- Tell us about yourself, LiveOverflow?
- How did you (LO) get your start in infosec?
- How did you get started in CTFs?
- (Each co-host's background/story/history)
- (LO) If there is time, I'd really like to hear your opinions and experiences with respect to infosec education: how it helps or doesn't help in your area of the industry for jobs, personal development, etc.
  - Is formal education useful? Did you do general CS or a specialised security degree?
  - Any trainings done at e.g. conferences?
  - How about certifications? CISSP, Network+, CEH, OSCP, ...
  - Did you learn from books? Blogs? Forums? IRC? Local meetings/hackerspaces?
  - Ever played CTF/Wargames?
  - How do you stay up to date or learn new skills, especially now that you are not a beginner anymore? Any secret tip?
- Upcoming CTFs (CCDC, etc)
- What is an infosec resource that not many people seem to know of?
- Upcoming conference presentations?

Fun questions:
- What do you do for fun?
- Would you rather fight 100 duck sized HDMoore, 1 horse sized HDMoore, or Option C, and...


RallySec Episode 17 – TorPwnage & CreditCardChallenge & SFMTA Ransomware

Episode 17 MP3 | Youtube | Twitch.TV | Twitter | Facebook | iTunes | Stitcher

Story Title: Mirai Botnet activity detected in Germany
Synopsis/Talking points:
- Exploiting SOAP requests sent to the TR-069 remote-management interface (port 7547) that ISPs use to control DSL modems remotely.
- The exploit sends an "update" that reconfigures the modem's NTP servers.
- Apparently the backtick character (`), which the shell treats as command substitution, is not escaped when the NTP server value is handed to a shell, so a command placed in backticks inside that value is executed. This is a command injection vulnerability, and it resulted in RCE on thousands of routers.
- There is already a Metasploit module for it.
- If port 7547 on your ISP modem/router is reachable from the Internet, you may be at risk.
References:
https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759
https://www.exploit-db.com/exploits/40740/

Story Title: Tor got pwned again
Synopsis/Talking points:
- A vulnerability in Mozilla Firefox was discovered in the wild (ITW) being used to compromise Tor users.
- According to a user on Hacker News, the exploit is being delivered to visitors of the Tor CP site "giftbox"; the exploit reportedly "got loaded on the confirmation page after logging in".
- Some are stating that the exploit payload is roughly similar to the FBI's payload from its 2013 attack on Tor users:
"The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in webpages served...
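The backtick problem in the port 7547 story, as an added example: this is not code from the episode, the SANS diary, or the affected modem firmware. It is a small POSIX shell model of a "set NTP server" handler, with the vulnerable pattern (the value is re-parsed by the shell) next to a hardened one (validate the hostname shape, then treat the value strictly as data). The function names, the config line format and the injection payload are hypothetical and constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the episode or any real firmware. Models how an
# unescaped NTP server string from a SOAP request becomes command injection,
# and how a shape check plus "data, not code" handling blocks it.

# Vulnerable handler (hypothetical): the value is spliced into a command line
# and re-parsed by eval, so `...` and $(...) inside it run as the daemon's
# user. Real firmware typically does the same thing via system("... $host").
vuln_set_ntp() {
    eval "echo ntpserver=$1"
}

# Validator: accept only an IPv4 literal or an RFC 1123-shaped hostname.
# Backticks, $( ), ; | & and whitespace never match, so they are rejected
# before the value can reach any shell.
valid_ntp_host() {
    printf '%s' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Hardened handler: validate first, and never hand the value to eval.
# printf with a fixed format string treats the argument as plain data.
safe_set_ntp() {
    valid_ntp_host "$1" || return 1
    printf 'ntpserver=%s\n' "$1"
}

# Stand-alone demo with a constructed injection payload (single quotes keep
# the backticks literal until the vulnerable eval re-parses them).
INJECT='`echo INJECTED`'
vuln_set_ntp 'pool.ntp.org'               # ntpserver=pool.ntp.org
vuln_set_ntp "$INJECT"                    # ntpserver=INJECTED  (the backtick ran)
safe_set_ntp 'pool.ntp.org'               # ntpserver=pool.ntp.org
safe_set_ntp "$INJECT" || echo 'rejected' # rejected
```

The validator is deliberately a whitelist of the shape an NTP server name can have rather than a blacklist of shell metacharacters; the same check belongs on every field of a SOAP action that ends up in a command line, not just the NTP one.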


RallySecurity – Episode 16 – Linux VulnsGiving & LD_PRELOAD rootkits

Episode 16 MP3 | Youtube | Twitch.TV | Twitter | Facebook | iTunes | Stitcher

Story Title: (N)jinxed – Ubuntu nginx privesc vulnerability
Synopsis/Talking points:
- The Debian and Ubuntu nginx packages suffer from a privilege escalation from the www-data user to root, due to loose permissions on /var/log/nginx: the log directory is writable by www-data.
- The www-data user can replace one of the nginx logs with a symlink. When logrotate runs, its postrotate script tells nginx (which runs as root) to reopen its logs; nginx follows the symlink, creates the target file as root and chowns it to www-data. In the linked advisory the symlink points at /etc/ld.so.preload, which then lets www-data preload a shared library into root processes.
- Long story short: clever use of logrotate and symlinks results in privilege escalation to root.
References:
https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

Story Title: An example of how myopic Linux can get (NSF file vulnerability in Ubuntu 12.04.5)
Synopsis/Talking points:
- Ubuntu takes great strides in trying to be a user-friendly OS. If you choose to enable MP3 support during an Ubuntu installation, it turns out that support for a bunch of other audio formats is added as well, including the .nsf file format for playing NES "chiptunes".
- The vulnerability comes from poor bounds checking.
- The scope of the vulnerability is relatively low (e.g. a phishing attack or drive-by exploitation is about all this is good for).
- Ubuntu ships with two NSF players. One can delete the vulnerable NSF library with little to no side-effects. WTAF.
References:
http://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html

Story Title: Mash keys, get shells
Synopsis/Talking points:
- A vulnerability in LUKS/cryptsetup results in a "fail open" scenario and a root shell. If the root partition of the OS is encrypted with LUKS, all...
