Embrace The Red

Adversaries are leveraging widely exposed clear text credentials to gain access to sensitive information.

At times the term “harvesting credentials” is used when red teamers emulate these attacks - which is something that appears to be more opportunistic and I would propose that security teams start to actively hunt for credential exposure that can put their organization at risk – in case you are not yet doing that.

The idea of credential hunting is targeted and focused, leveraging intelligence about systems and combing it with powerful search techniques to identify exposure.

One question that I have gotten a few times about “Cybersecurity Attacks - Red Team Strategies” is around the conceptual attack graphs in “Chapter 3, Measuring an Offensive Security Program”. Specifically, how I create them.

In this post I will briefly go over some of the reasons for creating them, and also how I create them and share a template for others to use and adjust.

I’m not a graphic designer, so I’m sure there are better ways of doing this.

After countless evenings and weekends in coffee shops, and multiple vacations with the laptop, I’m excited to announce that my first book has been published. It took 18 months from writing the first words (at Victrola Coffee Roasters on Capitol Hill by the way) to finishing this project just a few days ago.

Looking back its amazing how this all came together. The first intial draft had 100 pages, and in the end it ended up being 524 pages.

Pass the Cookie made it into the latest 2600 magazine! Very excited about this!

I was just walking around Capitol Hill and stopped by Ada’s Technical Books on 15th Avenue - a great coffee shop with lots of technical books. Right after walking in to grab a cup of tea, I saw the latest Hacker Quarterly. A few months back I submitted an article about “Pass the Cookie”, so I had to check, and the article got indeed published!

About 18 years ago I worked on the final year project for my Bachelor’s degree in Computer Science. I had just gotten interested in security and was learning about security principles.

The title of the project was “Web Application Security Principles - Designing Secure Web Based Enterprise Solutions”.

Looking back, a really cool thing was that I had just started working at Microsoft as an Associate Development Consultant and was bold enough to send the paper last minute over to Michael Howard - who responded and indeed reviewed it! That was so cool! :)

This post highlights a simple mitigation to improve the security posture of your organization. The idea is to, by practical means, limit attack surface and prevent spreading of automated malware, as well as limiting lateral movement by adversaries.

Malware can spread fast and damage businesses at scale.

SQL Slammer [1] and WannaCry [2] are two well-known cases that showed how quickly and damaging this can be. Interstingly, both of these disasters were nearly 15 years apart.

Excited to announce the book that I have been working on:

Cybersecurity Attacks - Red Team Strategies

Learn about the foundational tactics, techniques and procedures to elevate your red teaming skills and enhance the overall security posture of your organization by leveraging homefield advantage.

Red Team Strategies covers aspects that are not as commonly discussed in literature, including chapters around building and managing a pen test team. However, there is still plenty of technical content included as well. It is not a typical pen test book that focuses on common tools, or walks the reader through the various stages of a pen test.

MITRE just updated the ATT&CK Framework to include Cloud TTPs.

The update includes techniques for stealing cookies from machines and using them for lateral movement. These are the two techniques I helped contribute to the matrix:

• Credential Access - Steal Web Session Cookie
• Lateral Movement - Web Session Cookie

It was exciting experience to collaborate with MITRE and contribute on this. And kinda cool to see the Pass the Cookie work referenced.

Recently Coinbase published a well written blog post on how they were under attack. The adversaries exploite Firefox 0-days. Details can be found here. One intersting aspect is the following:

“We have also observed the attackers specifically target cloud services, e.g. gmail and others, via browser session token theft via direct access to browser datastores. This activity also offers the opportunity for behavior-based detection, as relatively few processes should be directly accessing those files.”

For several years I have been using the term Homefield Advantage in the context of running a security program, especially in regards to certain aspects of red teaming. Homefield Advantage describes well what a mature security program has to realize and leverage.

Wikipedia describes “home advantage” in team sports and highlights some of the benefits:

“This benefit has been attributed to psychological effects supporting fans have on the competitors or referees; to psychological or physiological advantages of playing near home in familiar situations; to the disadvantages away teams suffer from changing time zones or climates, or from the rigors of travel; and, in some sports, to specific rules that favor the home team directly or indirectly.” (Wikipedia, 2019)

Today I finalized moving the blog and publishing to Hugo. It was pretty straight forward and I decided to move things into a master branch on github, and publish via the docs/ folder features of Github pages.

One thing every red team should attempt early on and regularly is to perform some password spray testing across their organization to identify and help remediate usage of weak passwords.

In the past I have done this on Windows a lot, but now I built a simple version for it for Bash to run it also from a Mac.

Check it out: Bash Spray

Ideally, a script like bashspray.sh is integrated into your response pipelines, and SOC, Blue Team as well as account owner get notified - so they change their password right away, and any SOC investigation can be performed if necessary.

Did you ever have to interact with Active Directory on a MAC?

If yes, this post might be interesting for you. I am pretty new to the Mac and basic things I know how to do on Windows need some research to figure out. This time around I explore Active Directory/LDAP Server interactions.

• First, there is the Directory Utility on MacOS which can be quite useful.
• Second, there is Apache’s - Directory Studio - which is pretty amazing and feature rich.
• Third, you might want to write your own tools or scripts.

There are ldap commands that allow you to do most tasks in automated fashion.

The Google Login Flow leaks additional email account information to unauthenticated users. I discovered this in the Google Account Login flow while building KoiPhish.

I reported this issue to Google and they looked into it and after a about 5 weeks of back and forth they decided that this is not an issue worth fixing. After asking if I can post about it publicly I got Google’s okay.

The idea for Lyrebird came from observing that sometimes when someone forgets lock their workstation, someone else might mess with their computer. Since I wanted to learn more on how to program a webcam and take pictures - I figured why not create a little tool that takes a screenshot and uses the webcam to take pictures of anyone that interacts with the computer while I’m gone.

The way this work is simple, start Lyrebird. It will take a screenshot of the current desktop and then enter its observation mode.

KoiPhish is a simple yet beautiful relay proxy idea.

The idea for this little project goes back many years. Since I started learning Golang I figured it would be good exercise to finally go ahead an implement it. So, last December during the 35C3 (which is always inspiring congress) I wrote it up.

It relays requests a client makes to the KoiPish to the actual target and responses are sent back to the client. On the way in and out common links are overwritten in order to not break the user experience and functionality.

Just a list of useful notes when dealing with Macs. I’m pretty new to Macs and there might be other, better solutions to the challenges I had to sovle but these worked for me and I’m learning. :)

After pivoting on a target host and elevating to root it seems not possible to gain access to other keychains easily. It requires to know the password of the other account still. Just running

An adversary can pivot from a compromised host to Web Applications and Internet Services by stealing authentication cookies from browsers and related processes. At the same time this technique bypasses most multi-factor authentication protocols.

The reason for this is that the final authentication token that the attacker steals is issued after all factors have been validated. Many users persist cookies that are valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk and also in process memory. Additionally other applications on the targets machine might store sensitive authentication tokens in memory (e.g. apps which authenticate to cloud services). This pivoting technique can be extended to bearer tokens, JWT and the likes. Pass the Cookie is a post-exploitation technique to perform session hijacking.