
Posts

Showing posts from 2021

Bash Reverse Shell explained.


Being a Firewall Engineer : An Operational Approach: A Comprehensive guide on firewall operations and best practices

Glad to announce that the second edition of my book, Being a Firewall Engineer : An Operational Approach: A Comprehensive guide on firewall operations and best practices, is now live on Amazon. Firewall technologies and the landscape are rapidly changing, and therefore I needed to make multiple changes from the first edition. This is not a configuration guide and is suitable for beginners and junior engineers. The following topics are briefly covered in the second edition of this book: various job roles related to firewalls; what makes you a firewall expert; the major firewall vendors and their models; firewall ranking and benchmarks; the packet flow or order of operations; the different types of firewalls; daily tasks of a firewall administrator; guidelines on firewall hardening and compliance; the change management process; and an illustration of how to make a firewall change (incorporating the change management process) with a real-world example.

eLearnSecurity Resources [Syllabus,Report Templates, Useful links]

eLearnSecurity (ELS) offers a lot of great certifications in the field of cybersecurity. Last year, ELS was acquired by INE. In my opinion, after the acquisition, there are a lot of gaps. First of all, many of the links in the training materials are broken. Also, information regarding the certifications or the training materials is limited on the internet. Though INE has a community forum, getting a clear-cut answer or solution is a matter of luck. I haven't seen a lot of activity on their community page. It seems like many of the students are not even aware of this new community website. When I was preparing for some of the ELS courses, I was having a hard time getting information on the certification exam, even the exam syllabus. I have also noticed that many people like me post queries on the syllabus, report templates etc. on other websites like Reddit, Twitter etc. So, here are some useful links related to cybersecurity and its certifications, training and syllabus. Reporting

DFIR | [Fix] Cuckoo Error : Error starting virtual machine | VBoxManager error

If you are reading this, you have probably encountered the following error while performing sample analysis in Cuckoo: Error starting Virtual Machine / VBoxManage error. This error happens when there is a communication issue between the guest and the host or with the VM snapshot. The network configuration of the guest VM should be set to "Host only network"; verify the connectivity between the host and the guest by pinging each from the other. If that is fine, then check the guest VM snapshot. In my case, I had multiple snapshots and the one Cuckoo was invoking caused the issue. What I did was delete all the existing snapshots and create a clean snapshot, after a graceful shutdown of the guest VM (Windows 7 in my case). I also noticed that, while running Cuckoo, it tries to load the VM snapshot named base2. Instead of editing any configuration, I just named the snapshot "base2". Then I submitted a sample to Cuckoo for analysis. The process completed without any issues.

DFIR KAPE : Evidence Collection

This post is an introduction to the Kroll Artifact Parser and Extractor (KAPE) and how it can be used to collect evidence. When malware is executed, it usually leaves some evidence of its execution. These are important details used for investigation and forensics. KAPE is an evidence acquisition tool and can be used to acquire all the evidence of execution from the victim's system. The KAPE directory has two main folders: Modules and Targets. KAPE Modules. The Modules directory contains different directories, and inside them we can see the module files with the .mkape file extension. That is how the modules are identified. These modules define how to process the collected evidence, and can use scripts or installed applications. To view all the available modules, browse the KAPE directory or list them from the command line: run kape.exe --mlist . to list all the modules. The .mkape file also specifies how to format and store the evidence output. The bin folder contains

PACSP : Pentester Academy Cloud Security Bootcamp and Certification Review.

Recently I attended the Cloud Security Bootcamp from Pentester Academy and cleared the certification exam (PACSP). This is a simple review of the bootcamp and the certification exam. The bootcamp consists of 5 x 3-hour live interactive sessions. The instructor, Jeswin Mathai, knows his domain and delivered the concepts pretty clearly. The live sessions are via Zoom meeting and the participants can interact live through the Discord channel. No question goes unanswered. The Discord channel can also be used for support issues related to labs, access etc. Overall, the training channels and delivery methods were excellent. When you sign up for the bootcamp, you receive an access code for 50 days of lab access on their AttackDefense platform. Now about the course content: this is an AWS cloud pen-testing course and, as they mention on their website, the syllabus of this bootcamp focuses on teaching you the fundamentals and exploits for the 5 most commonly used components

AWS Cloud Pentesting : Overly Permissive Permission

Most of the attacks targeting AWS are based on exploiting the extensive permissions attached to roles/accounts. This can be considered a misconfiguration because the administrator was not following the principle of least privilege while creating roles and permissions. Assume a scenario where there is a user in AWS who has the permission to attach user policies. The same user can elevate their privileges because they have the access to attach policies to themselves. The user can even gain administrative privileges by exploiting this misconfiguration. The user can search for the ARN of the Administrator role and try to attach it to the same user. First list the permissions for the user: aws iam list-attached-user-policies --user-name USER1 Note down the policy ARN and do more research on it, in search of any overly permissive permissions. aws iam get-policy --policy-arn arn:aws:iam::11223344556:policy/Service Look for the currently used policy version. Once we identified th

PentesterAcademy Vulnerable Servers II Lab Write-Up | metasploit-pivoting

PentesterAcademy Vulnerable Servers II Lab Write-Up | metasploit-pivoting Lab Link : https://attackdefense.pentesteracademy.com/challengedetails?cid=1747 Vulnerable Servers II is a lab from PentesterAcademy, which is rated as easy. The lab topology shows two machines, which means there are two targets and the attacker has to perform pivoting in order to hack the target machine and get the flag. First select the nearest server and click on Run the lab. Once the lab is up, a web-based terminal will open in the web browser. First, check the IP address of the attacking machine. We can see that there are two interfaces, and as per the instructions, the first target machine should be 192.17.147.3. Let's perform an Nmap scan of the target. The scan result shows that TCP port 8080 is open and is running an Apache Tomcat webserver/Coyote JSP engine 1.1. Let's try to connect to the webserver using netcat. We can see that the webserver is running OpenKM, a Document

Introducing Pre-Security Learning Path from TryHackMe.

Are you interested in learning cybersecurity and facing the big question "Where to start?" Well, a few months ago, I had the same question in my mind. Do I need to learn programming languages first, or web applications, or networking? That's where I want to talk about the popular learning platform TryHackMe. TryHackMe is an online platform that helps people learn cybersecurity, especially penetration testing, by doing hands-on labs. There are multiple learning paths available on the platform and, based on your knowledge and skill, you can select the most suitable one. If you want to learn cybersecurity from scratch, then you can explore each learning path, finish the rooms (rooms are a set of learning exercises with an objective) and proceed to the next. But before diving deep, one must understand the technology and basics first. Introducing the Pre Security learning path. This path consists of 40 hours of content and will teach the necessary technical knowl

PrintNightmare (CVE-2021-1675) PoC exploit Walkthrough

I am not an exploit developer but was interested to see how this vulnerability can be exploited. So I tried to replicate the infamous PrintNightmare vulnerability using the following PoCs ( https://github.com/cube0x0/CVE-2021-1675 ) and ( https://github.com/rapid7/metasploit-framework/pull/15385 ). However, I had trouble with the new Metasploit module (auxiliary/admin/dcerpc/cve_2021_1675_printnightmare) and couldn't exploit the machine successfully. So I tried the second PoC, from cube0x0. This one did the magic. I just followed the guidelines with a couple of tweaks. First of all, I installed impacket (the cube0x0 version), which installs the required modules and files. After that I set up a Samba share with anonymous login. This is required for hosting the DLL file. I edited smb.conf with the following settings. [global]     map to guest = Bad User     server role = standalone server     usershare allow guests = yes     idmap config * : backend = tdb     s

Comparison between CEH Practical and eJPT

This month, I did two certification exams: Certified Ethical Hacker (CEH) Practical and eLearnSecurity Junior Penetration Tester (eJPT). These were not actually in my plan; however, when I received the free vouchers, I thought of giving the exams a try. So in this post, I am going to give a detailed comparison between the two certification exams. Certified Ethical Hacker (CEH) Practical I went for the CEH Practical exam with an aversion, but I found it not bad. Mostly the basic topics are validated in the exam. However, real beginners might find the practical exam useful. Most of the guys attempting this exam might sign up for iClass/iLabs for their exam preparation. But in my opinion, that is not necessary. The best alternative exam prep option is to sign up for TryHackMe and then learn + practice. As I mentioned earlier, I got the free voucher and therefore I didn't go through iLabs/iClass. In the exam, there are some questions based on cryptographic,

[FIX] Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module)

I was trying to use snmpenum.pl in my lab and encountered this error: Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module) I searched the internet for the fix, but couldn't find anything direct. However, going through some of the Stack Overflow pages, I fixed it, as explained below. 1) First install the required packages related to SNMP utilities: sudo apt-get install libsnmp-perl 2) Install the SNMP module for Perl: perl -MCPAN -e 'install Net::SNMP' That's it, and I was able to run the script.

Pivoting via Meterpreter [metasploit v6.x]

Pivoting is a technique used during pentesting. The attacker gains access to one of the remote machines in the target network segment and uses that machine to move around in another network. Pivoting is useful in a scenario where you don't have direct access to a remote network. For example, the attacker can access the DMZ server but not the internal server segment, but the DMZ server can communicate with the internal server segment. In such a scenario, the attacker first gains access to the DMZ server and then uses the DMZ server as a foothold to gain access to the internal server segment. Note that the older versions of Metasploit support MSF scripts but the latest version (Metasploit 6.x) doesn't. So let's see how to perform pivoting using the newer versions of Metasploit. For the illustration, I assume that the attacker has gained access to one of the remote machines and now needs to move around. After establishing a Meterpreter shell, background it. Since msfscripts

Configure Internet Explorer (IE) Mode in Microsoft Edge Browser.

The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022. Organizations with websites optimized for Internet Explorer may consider configuring IE mode in Microsoft Edge. If you are configuring IE mode for an enterprise, you may refer to the step-by-step guide from Microsoft. To configure IE mode on your Windows machine, follow the steps below. 1) Open the Microsoft Edge browser. 2) Go to Settings. 3) Click on the Default Browser option. 4) On the right pane, you can see "Allow sites to be reloaded in Internet Explorer mode". Toggle the button to ON. 5) Restart Edge. 6) Now access any website. 7) To view the website in Internet Explorer mode, click on Settings > More Tools > Reload in Internet Explorer Mode. 8) Now the website will be reloaded in IE mode. You can also see the settings from the IE icon next to the address bar. 9) To exit IE mode, click on Settings > More Tools > Exit Internet Explorer Mode.

UDP is connection-less, then how Nmap identifies open/closed UDP ports??

When a packet is sent to an open UDP port, the default behavior is no response, simply because UDP is a connection-less protocol. When this happens, Nmap or port scanning scripts refer to the port as open|filtered: it could be open or behind a firewall. However, if a UDP response is received, which is unusual for UDP, then the port is marked as open. So how do Nmap or other port scanning scripts confirm whether an open UDP port exists? For this, one should know about the relation between UDP and ICMP. You may refer to this post to understand it. When a packet is sent to a closed UDP port, the target responds with an ICMP packet containing a message that the port is unreachable. Using these ICMP error codes, Nmap identifies and confirms the closed ports.

HTB Bastion : CIFS share / mount .VHD tips

To mount a share on your working machine, use the following command. There are some prerequisites for CIFS mounts and for mounting .VHD files. These normally come preinstalled with your Kali/Linux distro; however, I am listing them here. apt-get install libguestfs-tools apt-get install cifs-utils Now to mount a remote share: #sudo mount -t cifs //<Remote_Machine_IP>/<Path>/ <Mount_Path> -o rw eg: mount -t cifs //10.10.10.1/Backups/ /mnt/nfs -o rw To check the .VHD filesystem, we can use guestfish. sudo guestfish --ro -a <file.vhd> ><fs> run ><fs> list-filesystems /dev/sda1: ntfs The guestfish shell runs only specific commands; however, the run and list-filesystems commands are enough to get you the required information. In the above example, we can identify that the filesystem is NTFS and the partition is /dev/sda1. Now mount the .VHD file using guestmount. #guestmount -a <File.vhd> -m <device_file_partition> --ro <Mount_Path> --ro = readonl

[FIX] Fingerprint reader not working properly??

The fingerprint reader on my laptop had not been working properly for the last couple of months, which I suspect started after some update from Microsoft. It was not completely broken: sometimes it worked perfectly and often it did not, especially after my laptop went to sleep. So I uninstalled and reinstalled the driver with the latest update, did some googling and couldn't get a solution. However, I thought of checking the power management settings, and unchecked "Allow the computer to turn off this device to save power" under the device's power management (from Device Manager). The issue is fixed and the fingerprint reader is working fine. I thought of sharing this as some of my friends had the same issue. I can also see a lot of queries on the internet regarding this fingerprint reader malfunction. Always keep your OS and drivers up to date and don't download any third-party tools to fix issues with your machine.

Unable to locate package linux-headers / E: Unable to locate package linux-headers-5.10.0-kali5-amd64

While compiling programs, you may encounter this particular error: E: Unable to locate package linux-headers-5.10.0-kali5-amd64 I encountered this while compiling C code. To fix this, I first updated my Kali machine (v2020.2a): sudo apt update -y && sudo apt upgrade -y && sudo apt dist-upgrade -y Then I rebooted. Then I installed the headers: sudo apt install linux-headers-$(uname -r)

Different CTF a.k.a Adana Room from TryHackMe [THM] Writeup

Room link : https://tryhackme.com/room/adana Excellent room. I spent much time on recon and enumeration. The room developer has also put in a sweet-spot rabbit hole: the WordPress. I am not making this write-up in detail. You perform the initial nmap scan and get a couple of open ports and services. Then perform a dirbuster or gobuster scan. You get the secret directory: Announcement. In the Announcement directory, you can see an image and a word-list. As is common with THM, we can easily assume that there might be some kind of steganography involved. And yes, but with a catch. I used steghide and exif tools at first, but you need to use a brute-force method to crack the hidden data. The hint is also given on the room poster. Anyway, use Stegbrute to crack the image. Stegbrute gives an output file and it's encoded. Do a Base64 conversion to decode it and here it is, the FTP credentials. Decode using icyberchef. Now we have the FTP creds, so let's try them. Well, the directory structure looks like the web folde