Andreas Happe: Everything
Using WSL2 to hide from EDR
TL;DR: WSL2 seems to be one big lolbin when it comes to EDR.
Scenario/Background: During a recent assumed-breach pen-test assignment I was stranded as a low-level user on a fully-updated Windows 10 Enterprise system (10.0.19045) including a deployed CrowdStrike Falcon EDR suite (6.49.16303.0). As I respect CrowdStrike I did not want to execute any malicious scripts on the host, so what to do? WSL2 to the rescue! Installation was done quite comfortably through the company’s Software Center, no local administrative rights required.
Active Directory: Using LDAP Queries for Stealthy Enumeration
During a recent assumed-breach pen-test assignment I ran into a problem: the customer had an up-to-date Windows Active Directory environment, CrowdStrike was rolled out as an EDR and a dedicated Incident Response Team was monitoring for alerts, and I needed some Active Directory enumeration to be done before I could plan out my next steps. I assumed, which later proved correct, that just starting BloodHound or GetUserSPN.py would trigger defenders and defences.
Enumerating User-Accessible Directories within Windows Network Shares
During a recent security assignment I came upon a projects folder stored on a Microsoft Active Directory server and accessible through the network (SMB/CIFS). It had the commonly used layout of a single subdirectory per project; users should only be able to access their corresponding projects, and this is configured through ACLs. Initial tests indicated that access rights had been granted sloppily, as I was able to access some of those subdirectories.
Trying my hand with hacking Active Directories with responder, mitm6, ntlmrelayx and crackmapexec
So a customer of mine thought about ordering a Red Team Assessment and wanted me to go through their local network beforehand — no need to make it too easy for the red teamers. The customer’s network was a typical Windows network, dated but kept up to date by two admins. Microsoft Defender was rolled out at all clients, and on some servers. A laptop with Kali Linux was connected to the local network; this was my starting point.
Building a 4G/LTE router+accesspoint using hostapd, network-manager and modemmanager
So I’ve been using a Raspberry Pi 4b+ together with a WaveShare LTE Modem as 4G router/access-point for my home network setup. I do like my hardware to be quiet and thus fan-less, alas the Raspberry Pi 4b+ gets a tad on the warm side. So this was a perfect opportunity to play around with an older Raspberry Pi 3b+ which should use approx. 20-25% less power (both during idle and load) and with “new” software.
What is AppSec anyways?
AppSec includes all tasks that (hopefully) introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle, from requirements analysis through design, implementation and verification to maintenance. To contrast AppSec with a traditional penetration test: the latter tries to find vulnerabilities within an already existing application, while AppSec focuses upon preventing vulnerabilities from entering the application code in the first place.
Secure Software Development Lifecycle Basics
Recently I had a couple of customers that needed some guidance about secure software development. I assume that this happens because I am a developer gone pen-tester, so I’ve seen both sides of the “problem”. Of course, suggestions differ between software stacks and the overall customer professionalism level, but there is a common starting ground that should be suitable for any professional software project. Without those basics, anything more advanced would be built upon shaky ground.
HTTP Header Security
During a recent presentation on HTTP Header Security I was asked for a “simple” flow chart indicating which headers can be used without too many problems. The result was this: What was the reasoning? Initially, basic headers that unify browser behavior are set. They control behavior that is already set when using modern browsers (e.g., Referrer-Policy) or unify non-standard behavior (e.g., X-Content-Type-Options: nosniff). The basic idea behind those headers is that web developers need to make sure that their website works with those anyway (otherwise people using modern browsers might complain), so it makes sense to take care of those situations during development.
Book Updates and Blog Posts..
Given that I’ve spent more time in my flat (hello, COVID-19) I also spent more time looking at my bookshelf, and wasn’t too happy with it: in hindsight, some of the books I’ve read are way too pretentious, and the books I remember as life-changing were mostly read on my Kindle anyways. Speaking of Kindles, my first Kindle (must have been bought around 2008 in the United States) was stored between the books.
Running OWASP Juice Shop with Root-the-Box on Google Cloud Platform
So I am back at teaching web application security. This time I wanted to set up a CTF challenge for my students. To not reinvent the wheel, or rather, to stand on the shoulders of giants, I am reusing the OWASP Juice Shop vulnerable web app in its CTF mode. Normally I would teach at a (physical) lab, which would make the setup easy: all students are situated in the same physical room, so I can set up the game server on my laptop and distribute virtual machines containing the vulnerable web app over the local network.