Embrace The Red

This post is part of a series about Offensive BPF. Click the “ebpf” tag to see all related posts.

It has been a while that we posted something in the “Offensive BPF” series. But recently there have been a couple of new cool ebpf based tools, such as TripleCross, boopkit and pamspy.

So, I thought it be quite fitting to do another post in the Offensive BPF series to keep raising awareness.

A few weeks back we discussed a backdoor PAM module to grab authtok tokens (e.g. SSH passwords) when someone logs on to a machine. In this post we will build an eBPF program using bpftrace to do the same. Kudos for the idea using eBPF go to citronneur.

Pluggable Authentication Modules (PAM) on Unix based systems are useful to change logon behavior and enforce authentication via various means.

In “Red Team Strategies” the chapter “Protecting the Pentester” walks the reader through the configuration of a PAM module to get notified in real-time via a pop-up when someone logs on to the machine (e.g. system compromise).

But there are also bad things that can be done with PAM (especially post-exploitation) and this is what this post is about.

As the saying goes, a picture is worth a thousand words.

In order to improve your documentation and uplevel red team and pentest reporting, it’s useful to add date and time information to screenshots and script logs.

This helps the Blue Team (and yourself) reviewing past activity, reports and when deconflicting activity is required. Depending on the shell that is used there are different ways to go about it. Let’s cover three common ones.

In this post, we’ll examine how GPT-3 could be used by red teams or adversaries to perform successful phishing attacks. We’ll also discuss some potential countermeasures that organizations can take to protect themselves against this type of threat.

GPT-3 is a neural network-based machine learning system that was developed by OpenAI, a research lab focused on artificial intelligence. It is designed to generate text that sounds realistic and human-like, and it has been trained on a large corpus of text, including billions of words from the internet.

Information for red teaming macOS and info on real world TTPs are still a bit sparse. That makes it difficult for defenders to know what attackers do on macOS compared to Windows. Some organizations might have a bigger blind spot when it comes to macOS.

This post describes how an adversary can grab hashes from a macOS machine, how to convert it to a hashcat friendly format and use hashcat to crack it.

After a bit of a delay my Flipper Zero finally arrived in the mail. If you are not familiar with Flipper Zero at all, check out the original Kickstarter page from a few years back.

This is what the package looks like after opening. It contains the device, a USB cable, a quick start manual (mostly pointing you to the Flipper Zero website), and a Flipper “Hack the planet” sticker.

One area that I have encountered quite often over the years is that during recon phase of a bug bounty hunt or pentest a set of AWS access keys are being discovered.

Let’s say you found 50 AWS access keys by drooling and hunting through public Github repos and using other nifty tricks and means.

How do you go about checking their validity? And what do they have access to and provide the Bug Bounty Program or Blue Team the dates, times, and IP address when those keys were used?

Although Gitlab is not as popular as Github, it’s common to run across it these days. Especially after Microsoft acquired Github it seemed more individuals and organizations flocked over to Gitlab.

In this post I want to document a couple of recon commands that are useful post-exploitation, and for blue teamers to watch out for.

Let’s assume one has access to a Gitlab Token as a precursor. Let’s walk through some interesting commands and script snippets to leverage to find out more.

The last weeks of 2021 got quite interesting for security professionals and software engineers.

Apache’s log4j library and its now prominent Java Naming and Directory Interface support, which enables easy remote code execution, made the news across the industry.

What makes Log4Shell scary is the widespread adoption of the Log4j library amongst Java applications, and the ease of remote exploitation.

A dangerous combination.

Patches got released, bypasses were discovered more patches were released and so forth.

Cybersecurity breaches follow common patterns and stages - from an initial Beachhead to accomplishing Objectives.

This video gives an overview of the anatomy of a compromise:

Cheers.

@wunderwuzzi23

This post is part of a series about Offensive BPF to learn how BPFs use will impact offensive security, malware, and detection engineering.

Click the “ebpf” tag to see all relevant posts.

So far in this Offensive BPF series the focus was on bpftrace to build and run BPF programs.

The next thing I wanted to investigate is what options are available to modify data structures during BPF execution. This is where I hit limitations with bpftrace.

This post is part of a series about Offensive BPF that I’m working on to learn how BPFs use will impact offensive security, malware, and detection engineering.

Click the “ebpf” tag to see all relevant posts.

One of the issues I ran into when trying out sslsniff-bpfcc was that it did not work with Firefox or Chrome traffic.

This post is about me learning how to hook user space APIs with bpftrace using uprobes.

Today you are in for a special treat. Did you know that an adversary can hide a smaller image within a larger one?

This video demonstrates how a small image becomes magically visible when the computer resizes the large image, and also how to mitigate the vulnerability.

This is possible when vulnerable code uses insecure interpolation.

If you like this one check out the overall Machine Learning Attack Series.

Tabnabbing is a web application security vulnerability that can be used to perform phishing attacks, so its important to be aware of it as a developer and penetration tester.

It is easy to mitigate and in this short video we cover both attacks and mitigations.

Thanks for reading and happy hacking!

@wunderwuzzi23

This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses. Click the “ebpf” tag to see all relevant posts.

In the previous posts I spend time learning about bpftrace which is quite powerful. This post is focused on basics and using existing BPF tools, rather then building new BPF programs from scratch.

Performance and observability teams are pushing for BPF tooling to be present in production. Due to its usefulness, this is likely going to increase.

This post is part of a series about Offensive BPF that I’m working on to learn how BPFs use will impact offensive security, malware and detection engineering.

Click the “ebpf” tag to see all relevant posts.

In the last few posts, we talked about a bpftrace and how attackers can use it to their advantage. This post is about my initial ideas and strategies to detecting malicious usage.

There are a set of detection ideas for Blue Teams. Since we primarily talked about bpftrace so far, let’s explore that angle.

This post is part of a series about Offensive BPF that I’m working on to learn how BPFs use will impact offensive security, malware and detection engineering. Click the “ebpf” tag to see all relevant posts.

In the last post we talked about a basic bpftrace script to install a BPF program that runs commands upon connecting from a specific IP with a specific magic source port.

This post will dive into this idea more by leveraging more a complex solution.

This post is part of a series about Offensive BPF that I’m working on to learn about BPF to understand attacks and defenses, click the “ebpf” tag to see all relevant posts.

I’m learning BPF to understand how its use will impact offensive security, malware, and detection engineering.

One offsec idea that quickly comes to mind with BPF is to observe network traffic and act upon specific events. So, I wanted to see if/how bpftrace, a popular tool for running BPF programs, can be used to create potential backdoors, and what evidence to look for as defenders.

Over the last few years eBPF has gained a lot of traction in the Linux community and beyond.

eBPF’s offensive usage is also slowly getting more attention. So, I decided to dive into the topic from a red teaming point of view to learn about it to raise awareness and share the journey.

Similar to the format of my Machine Learning Attack Series, there will be a serious of posts around BPF usage in offensive settings, and also how its misuse can be detected.

In this 25 minute video I’m explaining the foundations of Web Application Security.

The video covers the basic building blocks of web applications, such as HTML, HTTP, JavaScript and Cookies. Furthermore core web applications security concepts such as the Same-Origin Policy are discussed in detail.

The goal is to provide foundational knowledge to help grasp security vulnerabilities, such as XSS, CSRF, SQLi, tab-nabbing, etc. later on.

In the past I have trained and presented content like this to thousands of engineers at large organizations and cloud providers, hence its quite optimized for best learning and comprehension outcome.